handle initial requests to http proxy

Ivano Cristofolini Ivano.Cristofolini at ing.unitn.it
Wed May 21 11:37:47 UTC 2008


Actually, I'm using a proxy.pac that returns DIRECT for servers inside
my domain, registered uamserver/chilli in DNS and trivially modified
hotspotlogin.cgi so that inside prelogin/logoff/... URLs a FQHN appears
instead of an IP number.

To handle de-proxying, I think that a separate optional service would be
nicer than adding complexity to existing code. Initial requests to
proxies should be NATted to this service, which should rewrite the
requests as "normal" http connections starting from the client. Being
modular this way, it could possibly work with any captive portal.

Ivano

On Wed, 2008-05-21 at 10:29 +0200, wlan at mac.com wrote:
> So, in your browser, you have it configured to use a proxy for all  
> sites except the explicitly configured uam and chilli server? Yeah,  
> that wouldn't be very useful generally, I would think. I suppose it  
> is also possible to have chilli support the proxy URL format in  
> redir_getreq() which might help. Seeing your use of 'http_port' makes  
> me think it could be an option to have chilli 'redirect' on a list of  
> ports. It has also been brewing in the back of my head to try out  
> some minimal content filtering for http traffic which could "de-proxy"
> a request pre-authentication and perhaps do a "captive-frame"
> without the need of an external privoxy. Oh, so little time..
> 
> 
> On May 21, 2008, at 10:10 AM, Ivano Cristofolini wrote:
> 
> > OK, here it is quick'n'dirty (port number is hard-coded, etc.). It's
> > important to note that browsers must not use a proxy for uamserver and
> > authentication server; otherwise login will not work.
> > It is probably not terribly useful in general: I needed it to keep
> > previous browser settings for a wired network still working on the  
> > wifi.
> >
> > Ivano
> >
> > --- old_dhcp.h	2008-05-19 09:21:33.000000000 +0200
> > +++ dhcp.h	2008-05-19 10:16:04.000000000 +0200
> > @@ -56,6 +56,7 @@
> >  /* TCP Ports */
> >  #define DHCP_HTTP   80
> >  #define DHCP_HTTPS 443
> > +#define DHCP_HTTPPROXY 3128
> >
> >
> >  #define DHCP_ARP_REQUEST 1
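Review bot: `#define DHCP_HTTPPROXY 3128` fixes the proxy port at compile time next to `DHCP_HTTP`/`DHCP_HTTPS`, which the cover mail itself calls quick'n'dirty; a site whose proxy listens on another port has to rebuild chilli. Suggest taking the port from the options structure (the thread already talks about redirecting on a configurable list of ports) and keeping this macro only as the default value.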
> > @@ -99,6 +100,7 @@
> >    int nextdnat;                /* Next location to use for DNAT */
> >    uint32_t dnatip[DHCP_DNAT_MAX]; /* Destination NAT destination IP
> > address */
> >    uint16_t dnatport[DHCP_DNAT_MAX]; /* Destination NAT source port */
> > +  uint16_t http_port;               /* Original (pre-NAT) destination
> > port */
> >    uint8_t dnatmac[DHCP_DNAT_MAX][PKT_ETH_ALEN]; /* Destination NAT
> > source mac */
> >  /*  uint16_t mtu;                 Maximum transfer unit */
> >  };
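Review bot: `http_port` is a single field per connection while `dnatip`, `dnatport` and `dnatmac` are arrays of `DHCP_DNAT_MAX` entries, so a client with one pending connection to port 80 and another to port 3128 gets the second overwrite the first, and the undo path restores the wrong source port on one of them. Suggest `uint16_t http_port[DHCP_DNAT_MAX]; /* original dest port, network byte order */` indexed like `dnatport`; the comment should also say the value is kept in network byte order, since it is copied straight from `tcph->dst`.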
> > --- old_dhcp.c	2008-05-19 09:21:40.000000000 +0200
> > +++ dhcp.c	2008-05-19 09:32:42.000000000 +0200
> > @@ -1245,7 +1245,8 @@
> >    /* Was it a http request for another server? */
> >    /* We are changing dest IP and dest port to local UAM server */
> >    if ((pack->iph.protocol == PKT_IP_PROTO_TCP) &&
> > -      (tcph->dst == htons(DHCP_HTTP))) {
> > +      ((tcph->dst == htons(DHCP_HTTP)) ||
> > +       (tcph->dst == htons(DHCP_HTTPPROXY)))) {
> >      int n;
> >      int pos=-1;
> >      for (n=0; n<DHCP_DNAT_MAX; n++) {
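Review bot: the new condition matches on destination port alone, so after this change every TCP connection an unauthenticated client opens to port 3128 on any host is DNATted to the UAM server, not only traffic to the site's proxy. That is probably fine in the walled-garden state, but if the intent is to handle one specific proxy, also compare `pack->iph.daddr` with its address; either way a one-line comment that 3128 is deliberately treated like port 80 would help the next reader.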
> > @@ -1260,6 +1261,7 @@
> >  	memcpy(conn->dnatmac[conn->nextdnat], pack->ethh.dst, PKT_ETH_ALEN);
> >        conn->dnatip[conn->nextdnat] = pack->iph.daddr;
> >        conn->dnatport[conn->nextdnat] = tcph->src;
> > +      conn->http_port = tcph->dst;
> >        conn->nextdnat = (conn->nextdnat + 1) % DHCP_DNAT_MAX;
> >      }
> >
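Review bot: `conn->http_port = tcph->dst;` writes one shared value while the neighbouring lines store into slot `conn->nextdnat`, so the saved port belongs to whichever connection was DNATted last. Store it per slot, `conn->http_port[conn->nextdnat] = tcph->dst;`, so that the undo path can look it up with the same index it uses for `dnatip[n]` and `dnatport[n]`.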
> > @@ -1420,7 +1422,7 @@
> >  	if (options.usetap)
> >  	  memcpy(pack->ethh.src, conn->dnatmac[n], PKT_ETH_ALEN);
> >  	pack->iph.saddr = conn->dnatip[n];
> > -	tcph->src = htons(DHCP_HTTP);
> > +	tcph->src = conn->http_port;
> >
> >  	dhcp_tcp_check(pack, len);
> >  	dhcp_ip_check(pack);
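Review bot: `tcph->src = conn->http_port;` has no fallback; if the slot was recorded before this code was in place, or the connection structure was only zero-initialised, the reply goes out with source port 0 where it used to get `htons(DHCP_HTTP)`. Suggest `tcph->src = conn->http_port ? conn->http_port : htons(DHCP_HTTP);` (and, once the field is per slot, read `conn->http_port[n]`). The assignment without `htons()` is correct only because the store side keeps network byte order, which is worth a comment here.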
> > --- old_redir.c	2008-05-19 09:22:03.000000000 +0200
> > +++ redir.c	2008-05-19 14:52:03.000000000 +0200
> > @@ -1124,7 +1124,6 @@
> >
> >  	while (*p1 == ' ') p1++; /* Advance through additional white  
> > space */
> >  	if (*p1 == '/') p1++;
> > -	else return -1;
> >  	
> >  	/* The path ends with a ? or a space */
> >  	p2 = strchr(p1, '?');
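Review bot: dropping `else return -1;` means the request-line parser no longer rejects a target that does not start with `/`; it now accepts the absolute URI a proxy client sends, which is the goal, but also any other text in that position, and the code that follows assumes `path` is well formed. Suggest keeping the rejection and widening the accepted set explicitly: `if (*p1 == '/') p1++; else if (strncasecmp(p1, "http://", 7)) return -1;` so malformed lines from an unauthenticated client are still discarded.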
> > @@ -1321,9 +1320,16 @@
> >    default:
> >      {
> >        /* some basic checks for urls we don't care about */
> > -
> > -      snprintf(conn->state.redir.userurl,
> > sizeof(conn->state.redir.userurl), "http://%s/%s%s%s",
> > -	       host, path, qs[0] ? "?" : "", qs[0] ? qs : "");
> > +
> > +      /* if GET was for an http proxy then the path starts with
> > http://host */
> > +      if (!strncmp(path, "http://", 7)) {
> > +          snprintf(conn->state.redir.userurl,
> > sizeof(conn->state.redir.userurl), "%s%s%s",
> > +               path, qs[0] ? "?" : "", qs[0] ? qs : "");
> > +      }
> > +      else {
> > +          snprintf(conn->state.redir.userurl,
> > sizeof(conn->state.redir.userurl), "http://%s/%s%s%s",
> > +               host, path, qs[0] ? "?" : "", qs[0] ? qs : "");
> > +      }
> >
> >        if (optionsdebug)
> >  	log_dbg("-->> Setting userurl=[%s]",conn->state.redir.userurl);
> >
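Review bot: `strncmp(path, "http://", 7)` is case-sensitive while the URI scheme is not, so a request for `HTTP://host/...` falls through to the else branch and becomes `http://<Host header>/HTTP://host/...`; use `strncasecmp`. The two `snprintf` calls differ only in the prefix, so a single call with the prefix chosen once would avoid the duplicated format string, and the added lines are indented with spaces where the surrounding code uses tabs. In the proxy branch the `host` from the Host header is ignored in favour of the URI authority, which is the right choice but deserves a comment.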
> >
> > On Sat, 2008-05-17 at 09:21 +0200, wlan at mac.com wrote:
> >> Working contributions are welcome!
> >>
> >> On May 16, 2008, at 4:26 PM, Ivano Cristofolini wrote:
> >>
> >>> just solved it by myself, sorry for the bother.
> >>>
> >>> Ivano
> >>>
> >>> On Fri, 2008-05-16 at 13:54 +0200, Ivano Cristofolini wrote:
> >>>> Hello,
> >>>>
> >>>> I need to modify coova-chilli to capture http requests directed  
> >>>> to a
> >>>> (NON transparent) http proxy running on port 3128 (keeping current
> >>>> functionality as well).
> >>>>
> >>>> I have successfully modified the http parsing functions in redir.c
> >>>> (very
> >>>> simple: only redirurl changes).
> >>>>
> >>>> I'm trying to modify the DNAT routines in dhcp.c so that  
> >>>> requests to
> >>>> port 3128 are handled in the same way as regular requests to http
> >>>> servers (i.e. they are NATted to uamserver).
> >>>>
> >>>> This is easy for dhcp_doDNAT() (I added the last line):
> >>>>
> >>>> ...
> >>>>   /* Was it a http request for another server? */
> >>>>   /* We are changing dest IP and dest port to local UAM server */
> >>>>   if ((pack->iph.protocol == PKT_IP_PROTO_TCP) &&
> >>>>       ((tcph->dst == htons(DHCP_HTTP)) ||
> >>>>        (tcph->dst == htons(3128)))) {
> >>>> ...
> >>>>
> >>>> I don't know how to do it for dhcp_undoDNAT().
> >>>>
> >>>> ...
> >>>> /* Was it a reply from redir server? */
> >>>> ...
> >>>> if (something???) {
> >>>>   tcph->src = htons(DHCP_HTTP);
> >>>> else
> >>>>   tcph->src = htons(3128);
> >>>> ...
> >>>>
> >>>> Any suggestions?
> >>>>
> >>> -- 
> >>> Ivano Cristofolini
> >>> Presidio Informatico Ingegneria
> >>> Direzione Informatica e Telecomunicazioni
> >>> Universita' degli Studi di Trento
> >>> Via Mesiano 77,
> >>> 38050 Povo(TN), Italy
> >>> Tel: +39 0461/881940
> >>> Fax: +39 0461/882628
> >>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> >>> For additional commands, e-mail: chilli-help at coova.org
> >>> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> >>> Forum: http://coova.org/phpBB3/viewforum.php?f=4
> >>>
> >>
> >>
> >>
> 
> 
> 
-- 
Ivano Cristofolini
Presidio Informatico Ingegneria
Direzione Informatica e Telecomunicazioni
Universita' degli Studi di Trento
Via Mesiano 77,
38050 Povo(TN), Italy
Tel: +39 0461/881940
Fax: +39 0461/882628
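As an added example (not code from this thread or from coova-chilli), here is the core of the de-proxying step the separate service proposed above would perform: it rewrites a proxy-form request line into the origin form that chilli's redir.c already parses, recovers the host from the URI, compares the scheme case-insensitively, and still rejects anything that is neither form. The function name, its arguments and the sample request lines are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Rewrite a proxy-form request line ("GET http://host/a?b HTTP/1.0")
 * into origin form ("GET /a?b HTTP/1.0") and return the host named in
 * the URI; an origin-form line is copied as is and host comes from
 * host_hdr (the Host header). Anything else returns -1. Hypothetical helper. */
int deproxy_request_line(const char *line, const char *host_hdr,
                         char *host, size_t hostlen,
                         char *out, size_t outlen)
{
    const char *sp = strchr(line, ' ');
    const char *uri, *uri_end, *path;
    size_t mlen, hlen, plen;
    int n;
    if (!sp) return -1;
    mlen = (size_t)(sp - line);                     /* method length */
    uri = sp + 1;
    while (*uri == ' ') uri++;
    uri_end = strchr(uri, ' ');
    if (!uri_end) return -1;                        /* no HTTP version */
    if (*uri == '/') {                              /* already origin form */
        path = uri;
        plen = (size_t)(uri_end - uri);
        hlen = strlen(host_hdr);
        if (hlen == 0 || hlen >= hostlen) return -1;
        memcpy(host, host_hdr, hlen + 1);
    } else if (uri_end - uri > 7 && strncasecmp(uri, "http://", 7) == 0) {
        const char *auth = uri + 7;                 /* host[:port] */
        const char *slash = memchr(auth, '/', (size_t)(uri_end - auth));
        hlen = (size_t)((slash ? slash : uri_end) - auth);
        if (hlen == 0 || hlen >= hostlen) return -1;
        memcpy(host, auth, hlen); host[hlen] = '\0';
        if (slash) { path = slash; plen = (size_t)(uri_end - slash); }
        else       { path = "/";   plen = 1; }      /* "GET http://h HTTP/1.0" */
    } else {
        return -1;                                  /* neither form: reject */
    }
    /* snprintf bounds the rewrite the way redir.c bounds userurl */
    n = snprintf(out, outlen, "%.*s %.*s%s", (int)mlen, line, (int)plen, path, uri_end);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
int main(void)
{
    char host[64], out[256];   /* constructed sample request below */
    if (deproxy_request_line("GET http://www.example.org/a?b HTTP/1.0", "",
                             host, sizeof host, out, sizeof out) == 0)
        printf("host=%s\n%s\n", host, out);
    return 0;
}
```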



