[vox-tech] Omsoft transparent HTTP proxy

Samuel Merritt vox-tech@lists.lugod.org
Sun, 17 Nov 2002 00:43:20 -0800



On Sat, Nov 16, 2002 at 10:48:22PM -0800, Ken Bloom wrote:
> > ---ORIGINAL MESSAGE---
> > Date: Thu, 14 Nov 2002 17:40:45 -0800
> > To: vox-tech@lists.lugod.org
> > Subject: Re: [vox-tech] Omsoft transparent HTTP proxy
> > From: Henry House <hajhouse@houseag.com>
> > Reply-To: vox-tech@lists.lugod.org
> >
> > On Thu, Nov 14, 2002 at 12:56:37PM -0800, Rod Roark wrote:
> > > Well I know the web browser transmits the hostname that you
> > > requested along with the rest of the URL.  This is required
> > > in order for name-based virtual hosting to work.
> > >
> > > So it appears your browser does not fill in a missing domain
> > > in the passed hostname.  Whether it should, I'm not sure.
> > > You might try some different browsers and see if they do it.
> >
> > If it does, that behavior is broken and non-standard. The URL http://my (your
> > example) should resolve to the machine 'my' in the local network. This might
> > be 'my.internal' if you have a private network called internal, or
> > 'my.ucdavis.edu' if your search domain (configured in /etc/resolv.conf) is
> > ucdavis.edu.
> >
> > I have often been annoyed by web browsers that automatically convert
> > single-name URLs into www.{name}.com form, without even checking for the
> > existence of a machine {name} first. Lynx gets it right, checking first, then
> > trying name expansions. Konqueror does not. Why don't you see if lynx behaves
> > properly for you?
>
> Lynx behaves properly when used from pc131.cs.ucdavis.edu (one of the
> new PCs installed this month in the CSIF labs - the older PCs don't have
> lynx installed). When used from my own computer, I get the http 503
> error caused by Omsoft's proxy. (By the way, the error
> page tells me that the proxy is running Squid/2.4.STABLE7)
>
> Rod's suggestion though is right: I tested various requests using
> `netcat my 80`
>
> ====
> GET / HTTP/1.1
>
> returned correct data
>
> ====
> GET / HTTP/1.1
> Host: my.ucdavis.edu
>
> returned correct data
>
> ====
> GET / HTTP/1.1
> Host: my
>
> returned the error.
>
> Who's right, and who's wrong? Is the web browser wrong for not expanding
> the Host header? Or is the proxy wrong for relying on the Host header to
> resolve IP addresses instead of relying on the IP address that the
> actual packets are destined for? Or are they both wrong (this could very
> well be the case)?

The web browser is right. I think what happens is something like this:

1) The browser gets a request from the user for http://my/.
2) The browser issues a gethostbyname(my) call.
3) The DNS resolver checks its search order, and finds "ucdavis.edu", so
sends a query to the name server for "my.ucdavis.edu"
4) The DNS resolver gets an IP back from the name server.
5) gethostbyname(my) returns that IP.

Notice that the browser doesn't have any idea that "my" is in domain
ucdavis.edu; the search order information is in /etc/resolv.conf, and
only the DNS libraries make use of that.

The proxy is the one screwing things up.

What the proxy should do:
1) Get a request originally destined for IP A.B.C.D, with "Host: my" in
the header.
2) Connect to A.B.C.D, passing the Host header (and any other headers)
along.
3) If the content is in cache, return it from cache rather than
downloading it again.

What it does:
1) Get a request originally destined for IP A.B.C.D, with "Host: my" in
the header.
2) Look up "my" in the DNS, and fail.
3) Ignore the fact that the request was headed for A.B.C.D, and give an
error message.

I recommend bugging Omsoft about this; their proxy is clearly broken.

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
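An added offline model of the two mechanisms discussed in this thread (illustration written for this archive page, not code from the list or from Omsoft/Squid): the libc resolver's search-list expansion that turns `my` into `my.ucdavis.edu` without the browser knowing, and a transparent proxy that either re-resolves the Host header (the Omsoft behaviour) or honours the original destination address. The zone records, the `192.0.2.x` addresses and the assumption that the proxy host has no `search ucdavis.edu` line are all constructed.

```python
# Constructed zone standing in for the name server; keys are absolute names.
ZONE = {"my.ucdavis.edu.": "192.0.2.10", "www.example.com.": "192.0.2.20"}


def resolve(name, search=("ucdavis.edu",), ndots=1, zone=ZONE):
    """Model of the libc resolver behind gethostbyname().

    A trailing dot marks an absolute name. Otherwise each suffix from the
    'search' line of /etc/resolv.conf is appended; with ndots=1 a name that
    already contains a dot is tried as-is first, while a bare label such as
    'my' is tried with the suffixes first. Returns the address or None.
    """
    if name.endswith("."):
        candidates = [name]
    else:
        as_is = [name + "."]
        suffixed = [f"{name}.{s}." for s in search]
        candidates = as_is + suffixed if name.count(".") >= ndots else suffixed + as_is
    for fqdn in candidates:
        if fqdn in zone:
            return zone[fqdn]
    return None


def broken_proxy(dest_ip, host_header):
    """Re-resolves the Host header and ignores the original destination.
    Assumed: the proxy box has no matching search list, so 'my' fails."""
    if host_header is None:            # no Host header: nothing to look up
        return 200, dest_ip
    ip = resolve(host_header, search=())
    return (200, ip) if ip else (503, None)


def correct_proxy(dest_ip, host_header):
    """Connects to the address the packets were headed for and passes the
    Host header through unchanged, whatever it says."""
    return 200, dest_ip


def fetch(url_host, proxy, send_host_header=True):
    """Browser side: gethostbyname() picks the address, but the Host header
    carries exactly what the user typed, so the proxy sees 'Host: my'."""
    dest_ip = resolve(url_host)
    if dest_ip is None:
        return 0                       # browser-side DNS failure
    status, _ = proxy(dest_ip, url_host if send_host_header else None)
    return status
```

Running `fetch("my", broken_proxy)` reproduces the 503 from the netcat tests above, while the same request through `correct_proxy`, or with a fully qualified Host header, succeeds.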
