1

I've set up a transparent proxy with squid listening on 8080 (http) and 8443 (https), and it works.

In addition, I set up iptables to redirect the requests.

iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If I set up an explicit proxy to replace squid, http still works, but https doesn't work (https proxy performs a MITM, and I trust the certificate).

I want to know the difference between using iptables REDIRECT and setting the browser's proxy explicitly. Does the proxy process it somehow differently?

kubanczyk
Totti

2 Answers

5

How proxies work

How a transparent proxy works

The browser thinks it is talking to the web server, and the proxy intercepts this traffic, and performs whatever tasks it needs to.

How an explicit proxy works

The browser knows it is talking to a proxy, and asks the proxy to load up the site that it wants to load instead.

Benefits of each type

Transparent

  • No need to configure on each client
  • Can be used by software that has no proxy settings

Explicit

  • More obvious that traffic is being monitored
  • Can work in places where a transparent proxy would break stuff
  • More likely to give useful error messages if the proxy fails
jrtapsell
1

The browser talks differently. With an explicit proxy, it will issue a special CONNECT verb whenever it needs anything over https. With a transparent proxy, it will issue normal GET or POST, but never CONNECT.

This particular difference doesn't happen with insecure http.

kubanczyk
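An added example, not part of either answer or of any proxy's own code: a Python classifier for the first bytes a proxy listener receives, showing what each client setup discussed on this page puts on the wire. On a redirected port 443 the listener sees a TLS ClientHello first, with any GET or POST carried inside the TLS session, so a listener waiting for a CONNECT line never gets one. The names `classify_first_bytes` and `SAMPLES` and all sample byte strings are constructed for illustration.

```python
# Added example: classify the first bytes a proxy listener receives.
# All sample inputs are constructed; example.com is a placeholder host.

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def classify_first_bytes(data: bytes) -> str:
    """Return which kind of client traffic opened this connection."""
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two version/length bytes, then handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"       # redirected https: no proxy request at all
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "unknown"
    method, target, _version = parts
    if method == b"CONNECT":
        return "explicit-connect"       # browser configured with a proxy, https site
    if method in HTTP_METHODS:
        if target.startswith((b"http://", b"https://")):
            return "explicit-absolute-uri"  # browser configured with a proxy, http site
        if target.startswith(b"/") or target == b"*":
            return "origin-form"        # browser believes it is talking to the server
    return "unknown"


# Constructed first packets for the four setups discussed on this page.
SAMPLES = {
    "explicit proxy, https site":
        b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "explicit proxy, http site":
        b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "iptables REDIRECT, port 80":
        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "iptables REDIRECT, port 443":
        bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32,
}

if __name__ == "__main__":
    for setup, first_bytes in SAMPLES.items():
        print(f"{setup:30} -> {classify_first_bytes(first_bytes)}")
```

A listener that accepts both styles can branch on this result: parse the request line for the two explicit kinds, and start a TLS handshake for `tls-client-hello`.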