
Can go-any-proxy Do This?

Open nobozo opened this issue 6 years ago • 3 comments

I want to monitor the traffic that the 'dnf' update tool generates on Fedora. My understanding is that if I have go-any-proxy running to intercept traffic on port 80 (which I've modified dnf to use), then go-any-proxy will receive the dnf traffic and then send it on to the actual destination repo servers. However, when I run ./any-proxy -l :80, I see the following messages in the error log:

2018/06/21 20:40:38 any_proxy.go:475: : INFO : GETORIGINALDST|[::1]:46350->?->FAILEDTOBEDETERMINED|ERR: getsocketopt(SO_ORIGINAL_DST) failed: protocol not available
2018/06/21 20:40:38 any_proxy.go:681: : INFO : handleConnection(): can not handle this connection, error occurred in getting original destination ip address/port: protocol not available

Is my understanding of what any_proxy can do correct? If not, any suggestions for doing what I described?

Thanks! Jon Forrest

nobozo avatar Jun 22 '18 03:06 nobozo

Looks like you've an issue with the firewall configuration. Are you running any-proxy on the same host where your iptables rule -j REDIRECT is set up?

But I'm not sure if any-proxy will match your use case. any-proxy is designed to intercept traffic and then set up a connection through a corporate type proxy (squid, Symantec Secure Web Gateway). In many large corporations, they don't allow direct internet access and require you to connect through their proxies. If your application isn't proxy aware (via export http_proxy, export https_proxy, WPAD or some other mechanism), then any-proxy serves as a way for it to still work.

In your case, once you get iptables ... -j REDIRECT working, any-proxy will receive the intercepted packet, and will contact your upstream proxies (specified as option -p to any-proxy). It will then say CONNECT original_intended_ip_addr:original_intended_port\r\n\r\n. The upstream proxy opens a socket to original_intended_ip_addr:original_intended_port and the connection is ready for traffic.

ryanchapman avatar Jun 24 '18 01:06 ryanchapman
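The sequence Ryan describes (recover the pre-REDIRECT destination with SO_ORIGINAL_DST, then ask the upstream proxy for a tunnel with CONNECT) as an added Go example; it is not code from the go-any-proxy project. It is Linux-only, assumes the kernel constant SO_ORIGINAL_DST = 80 and the standard HTTP/1.1 CONNECT form with a Host header, and maps the "protocol not available" error from the log above to the check a reader would want.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
)

const soOriginalDst = 80 // SO_ORIGINAL_DST from <linux/netfilter_ipv4.h>; not in Go's syscall package
// classifyOrigDstErr explains a failed lookup: ENOPROTOOPT ("protocol not available") means
// no netfilter NAT handler answered, i.e. nothing REDIRECTed this connection to any-proxy.
func classifyOrigDstErr(err error) string {
	if errors.Is(err, syscall.ENOPROTOOPT) {
		return "connection was not redirected: no iptables nat REDIRECT rule on this host"
	}
	return "unexpected getsockopt error: " + err.Error()
}

// originalDst reads the pre-REDIRECT destination (IPv4 only) of an accepted socket.
func originalDst(c *net.TCPConn) (string, error) {
	raw, err := c.SyscallConn()
	if err != nil {
		return "", err
	}
	var mreq *syscall.IPv6Mreq // 16-byte buffer: the usual Go trick for reading a sockaddr_in
	if cerr := raw.Control(func(fd uintptr) {
		mreq, err = syscall.GetsockoptIPv6Mreq(int(fd), syscall.IPPROTO_IP, soOriginalDst)
	}); cerr != nil {
		return "", cerr
	}
	if err != nil {
		return "", fmt.Errorf("SO_ORIGINAL_DST: %w: %s", err, classifyOrigDstErr(err))
	}
	port := int(mreq.Multiaddr[2])<<8 | int(mreq.Multiaddr[3]) // sockaddr_in: sin_port, then sin_addr
	ip := net.IPv4(mreq.Multiaddr[4], mreq.Multiaddr[5], mreq.Multiaddr[6], mreq.Multiaddr[7])
	return fmt.Sprintf("%s:%d", ip, port), nil
}

// connectRequest is what any-proxy then sends its upstream proxy (-p); HTTP/1.1 plus Host is assumed.
func connectRequest(origDst string) string {
	return "CONNECT " + origDst + " HTTP/1.1\r\nHost: " + origDst + "\r\n\r\n"
}

// connectStatus parses the proxy's status line; a 2xx code means the tunnel is open.
func connectStatus(line string) (code int, err error) {
	var proto string
	_, err = fmt.Sscanf(line, "%s %d", &proto, &code)
	return code, err
}
```

A plain loopback connection with no REDIRECT rule in front of it is exactly the case where originalDst fails, which is what the log line in the question shows.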

Wanted to post one more thing...

If you are just looking to monitor the traffic, a tool like tshark may be better. Let me know if that's the case and I'll send you some sample commands.

ryanchapman avatar Jun 24 '18 02:06 ryanchapman

On 6/23/2018 7:11 PM, Ryan A. Chapman wrote:

Wanted to post one more thing...

If you are just looking to monitor the traffic, a tool like tshark may be better. Let me know if that's the case and I'll send you some sample commands.

Thanks for the replies.

I'm aware of tshark, thanks.

The host I'm running on, a Fedora 28 VM, has no iptables rules, so I don't think this is it.

Meanwhile, I did some experimenting with mitmproxy, which is able to intercept my traffic. However, I'm hoping to find something written in go, which I can modify to do what I'm trying to do, which is to proxy dnf with a cache.

Jon

nobozo avatar Jun 24 '18 02:06 nobozo