IIT Delhi proxy system


Alok Singh Mahor

Aug 1, 2009, 1:32:38 AM
to iitdlug
Hi,
We access the Internet via proxy. We can access all the local sites (10.10.4.1, iitd.ac.in, etc.) without proxy, but most of the time we open external sites (google.com, etc.), so our browser is configured with the proxy to access external sites. Our browsers are always configured with the proxy because we open external sites every minute, and we open both types of sites in the same proxy-configured browser, and the local sites also eat up our proxy quota.
E.g. if I am checking my mail on gmail.com and in parallel I am downloading a Fedora ISO from 10.10.4.1 in the same browser, then the Fedora download from 10.10.4.1 will eat up all my proxy quota for one month.

So we have to disable the proxy while downloading from 10.10.4.1 to save our quota.

Can the IIT administrator allow all local sites without proxy, whether the browser is proxy-configured or not, so we could save our given proxy quota? If it's possible we can unite and make a request.

--
Alok Singh Mahor
Department of Computer Science & Engineering
Indian Institute of Technology, Delhi
Hauz Khas, New Delhi 110 016, India

Join the next generation of computing, Open Source, and Linux/GNU!

gajendra khanna

Aug 1, 2009, 1:36:49 AM
to iit...@googlegroups.com
It's possible to block 10.10.4.1 alone from proxy in the browser settings.
In my case I didn't configure proxy for Konqueror/Epiphany which I used for 10.10.4.1 and Iceweasel with proxy for the surfing.
Gajendra

narendra sisodiya

Aug 1, 2009, 1:51:08 AM
to iit...@googlegroups.com
There can be a case where a package manager downloads some packages from an internal repo and others from outside. I do not want to let the user configure things every time!! So the user has to configure no-proxy for browser, terminal and package manager???? We are not interested in a workaround!!

Team LUG@IITD should make an effort to correct this crap behaviour. As per the last discussion with NC Kalra Sir, it was mentioned that internal traffic will not be accounted in proxy quota!! I suggest a proper mail + letter to NC Kalra Sir from LUG@IITD. Before writing the mail or letter we can also collect suggestions/problems from students, probably by making a drop-box for suggestions at WindT.



--
┌─────────────────────────┐
│    Narendra Sisodiya ( नरेन्द्र सिसोदिया )
│    R&D Engineer
│    Web : http://narendra.techfandu.org
│    Twitter : http://tinyurl.com/dz7e4a
└─────────────────────────┘

vikas sarangal

Aug 1, 2009, 2:18:06 AM
to iit...@googlegroups.com

You can configure your browser such that it will not use the proxy for selected sites. So, it is possible to surf external sites via proxy and download Ubuntu Ultimate (or anything else for that matter) from 10.10.4.1 without proxy simultaneously.
Go to Edit --> Preferences --> Advanced --> Network tab --> Settings; down there is an option 'No proxy for'. Write 10.10.4.1 there and it won't use the proxy for 10.10.4.1. You can enter any other server or website domain too; for example, you can add .ac.in, which means it won't use the proxy for sites ending with .ac.in (e.g. www.iitd.ac.in).
--
Regards,
Vikas Sarangal,
Indian Institute of Technology, Delhi.

narendra sisodiya

Aug 1, 2009, 2:25:17 AM
to iit...@googlegroups.com

On Sat, Aug 1, 2009 at 11:48 AM, vikas sarangal <iitd...@gmail.com> wrote:

> you can configure your....

No, we want IITD to configure its proxy behaviour to bypass all internal traffic behind the proxy, so that no quota applies to internal traffic. If this seems to be a good approach, we can go ahead and write a letter to CSC. This is not at all a big problem for them. All they need is to make some change in configuration.

Alok Singh Mahor

Aug 1, 2009, 2:50:08 AM
to iit...@googlegroups.com
On Sat, Aug 1, 2009 at 11:48 AM, vikas sarangal <iitd...@gmail.com> wrote:

> you can configure your browser such that it will not use proxy for selected sites. So, it is possible to surf external sites via proxy and download ubuntu ultimate(or anything else for that matter) from 10.10.4.1 without proxy simultaneously.
> go to edit --> preferences --> Advanced --> network tab --> settings, down there is a option 'no proxy for' write 10.10.4.1 there and it wouldn't use proxy for 10.10.4.1. u can enter any other server or website domain too for example, u can add .ac.in which means it wouldn't use proxy for sites ending with .ac.in (ex. www.iitd.ac.in).

Yes, we can do all this setup, but IIT should take care of it.

Sharad Birmiwal

Aug 1, 2009, 4:47:05 AM
to iit...@googlegroups.com
On Sat, Aug 1, 2009 at 11:48 AM, vikas sarangal<iitd...@gmail.com> wrote:
>
> you can configure your browser such that it will not use proxy for selected
> sites. So, it is possible to surf external sites via proxy and download

Exactly what Vikas said. For those who want to wait for CSC to
implement it, they can wait for it.

Meanwhile for at least Ubuntu users, you can actually make exceptions
for proxy usage on a system wide level (including synaptic) by setting
it in System > Preferences > Network Proxy Preferences (there is a tab
for "Ignored Hosts" in Ubuntu 9.04 at least; you can add something
like 10.10.0.0/16) :P


SB
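
The exceptions discussed in the posts above (10.10.4.1, the 10.10.0.0/16 range, a domain suffix) written once as a proxy auto-config function. This is an added example, not code from the thread or from IITD: the proxy address is a placeholder, and `inSubnet` is a stand-in for the PAC built-in `isInNet` so the file also runs under Node.

```javascript
// Added example. Placeholder proxy address; substitute the real one.
const PROXY = "PROXY proxy.example.invalid:3128";

// Convert a dotted-quad literal to an integer; null for anything else.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Stand-in for PAC's isInNet(): literal IPv4 only, no DNS resolution, so a
// hostname that merely starts with "10.10." can never match the range.
function inSubnet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Campus range suggested in the thread (10.10.0.0/16 covers 10.10.4.1).
  if (inSubnet(host, "10.10.0.0", "255.255.0.0")) return "DIRECT";
  // Campus domain only, matched on a label boundary: "notiitd.ac.in"
  // must not qualify, and a bare ".ac.in" rule would be far too broad.
  if (host === "iitd.ac.in" || host.endsWith(".iitd.ac.in")) return "DIRECT";
  return PROXY;
}
```

A broad suffix such as `.ac.in` sends every site under that suffix around the proxy, which is why the rule here is limited to the campus domain.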

vikas sarangal

Aug 1, 2009, 8:45:21 AM
to iit...@googlegroups.com
Thank you Sharad for standing by me. I don't see anything temporary about it (as Narendra said). You just have to configure your proxy settings and it's as good as permanent! Writing one line isn't too much of a pain, I guess!

ishan chhabra

Aug 1, 2009, 12:31:04 PM
to iit...@googlegroups.com
Although these workarounds work, they are still workarounds. I remember, last year when I came to the campus, I presumed that they wouldn't count the intranet downloads and unfortunately downloaded a 4 gig ISO of openSUSE. I couldn't use my account for the next 4 months.

It's not about solving the problem, it's about pushing for something that is right.


Regards,
Ishan

narendra sisodiya

Aug 1, 2009, 2:45:20 PM
to iit...@googlegroups.com
Thanks for giving such a beautiful example!! How much pain is needed to write a letter (with decency) to CSC? There is nothing wrong in making a permanent solution!!

PS: most of the mtech guys who come to IITD do not know about proxy and such things.

ishan chhabra

Aug 2, 2009, 1:08:51 AM
to iit...@googlegroups.com
I wonder if the CSC guys have the technical expertise to do such a thing. I know it should be easy but government officers often show outright ignorance.

Regards,
Ishan

sravan reddy

May 11, 2011, 6:59:21 AM
to iit...@googlegroups.com
A new question regarding IIT Delhi proxy system.

How does the browser communicate with the proxy server?

If we are signed in, a session in our name is started and the PAC script directs the browser to the requested URL??

My doubt is how will the server know if the user is logged in or not. Even if we close the proxy window server still processes our request until some time. Is there any session thing... And how does the proxy login page work? Is any documentation available on this topic, please guide me.

SRAVAN
B Tech 3rd year,
IIT Delhi

Narendra Sisodiya

May 11, 2011, 7:07:44 AM
to iit...@googlegroups.com
On Wed, May 11, 2011 at 4:29 PM, sravan reddy <srav...@gmail.com> wrote:

> My doubt is how will the server know if the user is logged in or not. Even if we close the proxy window server still processes our request until some time. Is there any session thing... And how does the proxy login page work? Is any documentation available on this topic, please guide me.

I guess the proxy is a gatekeeper, like the gatekeeper at a market's main gate who will check your authentication and will not object whenever you go into the market or cross the gate again and again. And yes, it should create a session kind of thing at the proxy server.

sravan reddy

May 11, 2011, 8:40:42 AM
to iit...@googlegroups.com, nare...@narendrasisodiya.com
Thanks for the reply,

But how does the server know once we close the proxy tab...... does that mean the proxy tab is continuously communicating with the proxy server ?? How can I see these http requests between IITD proxy server and my browser?? 


SRAVAN

Chhatoi Pritam Baral

May 11, 2011, 9:59:22 AM
to iit...@googlegroups.com
If you notice the packets sent by your browser, through a packet sniffer, it carries a tiny cookie with each packet, a cookie set by the proxy with your browser. That's the behaviour of a SQUID proxy. It's the most popular Linux-based proxy caching tool.

Regards,
Chhatoi Pritam Baral

Akshat Goel

May 11, 2011, 11:28:22 AM
to iit...@googlegroups.com
@Sravan You check the HTML code for the proxy page. Basically, it has a small Javascript code which keeps refreshing the page after certain time interval. (Suppose this time interval is x)(You can check that time also in that page code). In that refreshing act it exchanges a "code" with the server. This code is basically the session id.

So now my interpretation is, this code is for the first time allotted by the server, and the client keeps telling the server that "Hey I am alive". The server waits for that 'x' seconds, if it does not get a reply from client in x seconds it will remove that session id. That is why, even when we close the proxy login page, we can still access internet for some time. This time should approximately be equal to x.

This was my idea about whole system.

Do tell me your ideas?

Thanks
Akshat Goel
--
aks

sravan reddy

May 12, 2011, 6:42:56 AM
to iit...@googlegroups.com
Thanks akshat...yeah I was thinking same but there are three scripts (one simple javascript in the html itself and the other one is proxy.cgi and the other is a PAC script named proxy.btech) related to all this proxy thing, and I am confused which is responsible for what, if there is any documentation anywhere available please let me know.


SRAVAN

Akshat Goel

May 12, 2011, 7:53:05 AM
to iit...@googlegroups.com
I don't think that there is any documentation available. But proxy.cgi does all the server-side stuff, of redirection and all. The simple JavaScript refreshes the client side. proxy.btech just points to the correct IP address; otherwise there is no functional benefit of it.

On Thu, May 12, 2011 at 4:12 PM, sravan reddy <srav...@gmail.com> wrote:
> Thanks akshat...yeah I was thinking same but there are three scripts (one simple javascript in the html itself and the other one is proxy.cgi and the other is a PAC script named proxy.btech) related to all this proxy thing, and I am confused which is responsible for what, if there is any documentation anywhere available please let me know.
>
> SRAVAN



--
aks

sravan reddy

May 12, 2011, 12:14:46 PM
to iit...@googlegroups.com
Thanks akshat :)

Sharad Birmiwal

May 12, 2011, 1:27:39 PM
to iit...@googlegroups.com
On Wed, May 11, 2011 at 11:28 AM, Akshat Goel <aksh...@gmail.com> wrote:
> @Sravan You check the HTML code for the proxy page. Basically, it has a
> small Javascript code which keeps refreshing the page after certain time
> interval. (Suppose this time interval is x)(You can check that time also in
> that page code). In that refreshing act it exchanges a "code" with the
> server. This code is basically the session id.

Disclaimer: The proxy system was installed in IIT after I graduated. I
haven't used it.

Didn't somebody point out in a different thread that you can still
browse the internet even after you close the tab where you typed in
the username/password. If that's the case, then the javascript should
not be running in the background. If the guy in the other thread is
correct and the javascript code IS running in the background even
after closing the tab, then you have possibly discovered a wonderful
vulnerability in most browser implementations!

I find the above explanation a bit irregular. Again, I haven't used
the proxy system so I might be wrong. I'll give the explanation
anyways as an academic exercise. If you can use some messenger
software (say pidgin or kopete) without logging into the browser (by
only supplying the username and password) in the proxy settings, then
that means that javascript is NOT involved in authentication and
maintaining session IDs. Another tool is wget (or other command line,
non-javascript capable tools).

@Sravan, use a packet sniffer like wireshark to get an in-depth view
besides looking at the html code.

Regarding the session expiry, RFC 2616 [1] and RFC 2617 [2] indicate
that a proxy server may request for authentication or challenge the
client (browser, messenger, etc) with a give me a valid
username/password. I am assuming this happens when the session
expires. The RFCs also indicate that the client side may optionally
include authentication details even though it is not requested. The
point of saying this is that unlike the previous explanation (it should be
handled via the lower layers of the application), instead of
the client actively sending a KEEP-ALIVE message, these features
indicate that the client is usually passive. It authenticates itself
once. If the session expires, the proxy server may challenge the
client again. Take note that this should not be happening via html or
javascript (take note of the example on Page 17 of RFC 2617). The
browser may prompt the user to provide the username and password.

Again, all my blabbering is based on my experience with using (http
type and other) proxy systems elsewhere. I guess these two RFCs should
be the authoritative answer to your question as long as the deployment
in IIT uses a standards compliant solution.


SB

[1] http://www.ietf.org/rfc/rfc2616.txt
[2] http://www.ietf.org/rfc/rfc2617.txt
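
The challenge described in this post, RFC 2617's Basic scheme as a proxy applies it (407 with Proxy-Authenticate, answered by Proxy-Authorization), as an added example rather than anything taken from IITD's deployment. The realm, the account and the function names are constructed for illustration.

```javascript
// Added example: a proxy's accept-or-challenge decision under RFC 2617 Basic.
const { timingSafeEqual } = require("crypto");

const REALM = "campus-proxy";                       // hypothetical realm name
const USERS = new Map([["student1", "s3cret:pw"]]); // constructed account

// Parse "Basic <base64(user:pass)>"; returns null for anything malformed.
function parseBasic(headerValue) {
  if (typeof headerValue !== "string") return null;
  const m = /^Basic +([A-Za-z0-9+\/]+=*)$/i.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":"); // user-id cannot contain ":", the password can
  if (i < 1) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Compare secrets without leaking the mismatch position through timing.
function sameSecret(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// The client stays passive: it is challenged only when credentials are
// missing or wrong, and may also send them unprompted on later requests.
function proxyDecision(headers) {
  const cred = parseBasic(headers["proxy-authorization"]);
  const known = cred ? USERS.get(cred.user) : undefined;
  if (cred && known !== undefined && sameSecret(cred.pass, known)) {
    return { status: 200, user: cred.user };
  }
  return {
    status: 407, // Proxy Authentication Required
    headers: { "Proxy-Authenticate": `Basic realm="${REALM}"` },
  };
}

// What a non-browser client (wget, a messenger) sends after being challenged.
function basicHeader(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
}
```

The Basic credential is only base64-encoded, so it is readable in any capture of an unencrypted client-to-proxy connection.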

sravan reddy

May 12, 2011, 1:58:05 PM
to iit...@googlegroups.com
That's a wonderful insight, given that you haven't seen the new proxy system.

No, no javascript is running in the background after closing the proxy tab.
 
I have found from the HTML source of the page that there are 2 forms, each with two hidden input fields. The first form, named logged_in, has two fields: one with the name session ID with value equal to some number (kind of hexadecimal; this must be assigned by the server), and the other an action field with value "refresh".

The JavaScript in the page submits this form to the server every 2 mins (120000 milliseconds as in the code, thanks Akshat for pointing me). This way the server must be keeping track of whether the user is logged in or not.

And the 2nd form is form_unload with 1st hidden field as session ID and the other hidden action field "logout" and one more submit-button field "log out" . This is submitted when the user clicks logout.


So, if the user logs in, the proxy server directs the user to requested webpage for 2 mins regardless javascript.
If after 2 mins the server doesn't receive the "logged_in" form, it stops directing user (with that session ID from logged_in form) to the requested webpage, instead it will redirect to proxy-login page, so there is no javascript running in background AFTER the proxy tab is closed. 

That's all I can infer from the HTML source. Please do correct me if I am mistaken.
And about the packet sniffer, there is no Live HTTP Headers plug-in for Firefox 4, and also not in Chrome. :( Tell me if there is any other plug-in.


SRAVAN
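
The keep-alive scheme inferred in this post, sketched from the server's side as an added example (not IITD's proxy.cgi, whose code the thread never shows). The class name, the in-memory map and a server timeout equal to the 120000 ms refresh interval are assumptions.

```javascript
// Added example: server-side view of the refresh/logout forms described above.
const { randomBytes } = require("crypto");

const REFRESH_MS = 120000;     // refresh interval quoted from the login page
const TIMEOUT_MS = REFRESH_MS; // assumption: expire after one missed refresh

class ProxySessions {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // session ID -> { user, expires }
  }

  // Successful login: issue an unguessable ID for the hidden form field.
  login(user) {
    const id = randomBytes(16).toString("hex");
    this.sessions.set(id, { user, expires: this.now() + TIMEOUT_MS });
    return id;
  }

  // Look up a session, discarding it once its deadline has passed.
  live(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (this.now() >= s.expires) {
      this.sessions.delete(id);
      return null;
    }
    return s;
  }

  // action=refresh: extend the deadline; expired or unknown IDs are not revived.
  refresh(id) {
    const s = this.live(id);
    if (!s) return false;
    s.expires = this.now() + TIMEOUT_MS;
    return true;
  }

  // action=logout: end the session immediately.
  logout(id) {
    return this.live(id) !== null && this.sessions.delete(id);
  }

  // Checked on each proxied request; false means "send to the login page".
  isActive(id) {
    return this.live(id) !== null;
  }
}

// Fake-clock walk-through: the tab is closed right after a refresh at t=100 s,
// so no further refresh arrives and access lapses at t=220 s.
function tabClosedTimeline() {
  let t = 0;
  const p = new ProxySessions(() => t);
  const id = p.login("student1"); // constructed user name
  t = 100000;
  p.refresh(id);
  const seen = [];
  for (t of [150000, 219999, 220000]) seen.push(p.isActive(id));
  return seen;
}
```

Access outliving the closed tab is a property of the server-side deadline, not of any script still running; an explicit logout is the only way to end the session before that deadline.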

Akshat Goel

May 12, 2011, 2:22:19 PM
to iit...@googlegroups.com
@Sravan you can have a look at http://www.fiddler2.com/fiddler2/
It's a free tool (but not open source, and works only on Windows). It works at system level so will catch all the browsers.

For Firefox-level sniffing, install "Live HTTP Headers" (link) (but it is as of now available only for FF3.6).

Thanks
Akshat Goel




--
aks

Akshat Goel

May 12, 2011, 2:28:27 PM
to iit...@googlegroups.com
@Sharad

I would like to share two of my findings.
1. Chat messengers work in IIT even without proxy login (but at the start, at the time of authentication - suppose Gmail - you have to log in to your proxy; then you can log out of your proxy and keep chatting).

It's a known fact at IIT that IMAP access in IIT can happen without proxy.

2. FTP also works without proxy. This way we can download unlimited data, without squishing our proxy.

The reason for the above might be that for applications IIT asks us to enter an IP address (which means that it automatically bypasses the JavaScript funda)...!! The JavaScript funda exists only for the browser or its derivatives.

Thanks
Akshat Goel




--
aks

sravan reddy

May 12, 2011, 2:41:31 PM
to iit...@googlegroups.com
....and also 'wget' DOES require proxy authentication, right? 

Sharad Birmiwal

May 12, 2011, 2:59:29 PM
to iit...@googlegroups.com
> 2. FTP also works without proxy. This way we can download unlimited data,
> without squishing our proxy.

Very interesting observation. Have you tried exploring if the
filtering is just port based or is the firewall in IIT using DPI
(looking at packet payload to identify that real FTP traffic is
transferring)?

It might be an interesting challenge to write a FTP-proxy (tunnelling
HTTP traffic over FTP) if it doesn't already exist.


SB

Akshat Goel

May 12, 2011, 3:27:25 PM
to iit...@googlegroups.com
> Very interesting observation. Have you tried exploring if it is the
> filtering is just port based or is the firewall in IIT using DPI
> (looking at packet payload to identify that real FTP traffic is
> transferring)?

I think it is port based. Because free-FTP works on WIFI and not on ethernet (in hostel). So we must note here that the gateway for both of them are different. So this means there must be some setting in the router (or a mid way server) which blocks port 22 (or ftps port) in hostel..and IIT people forgot to block that in WIFI gateway.

Thanks
Akshat Goel





--
aks

Mihir Mehta

May 13, 2011, 4:46:50 PM
to Linux User Group @ IIT Delhi


On May 13, 12:27 am, Akshat Goel <aksha...@gmail.com> wrote:
> > Very interesting observation. Have you tried exploring if it is the
> > filtering is just port based or is the firewall in IIT using DPI
> > (looking at packet payload to identify that real FTP traffic is
> > transferring)?
>
> I think it is port based. Because free-FTP works on WIFI and not on ethernet
> (in hostel). So we must note here that the gateway for both of them are
> different. So this means there must be some setting in the router (or a mid
> way server) which blocks port 22 (or ftps port) in hostel..and IIT people
> forgot to block that in WIFI gateway.
>
> Thanks
> Akshat Goel
>
> On Fri, May 13, 2011 at 12:29 AM, Sharad Birmiwal
> <sharadbirmi...@gmail.com>wrote:
>
> > > 2. FTP also works without proxy. This way we can download unlimited data,
> > > without squishing our proxy.
>
> > Very interesting observation. Have you tried exploring if it is the
> > filtering is just port based or is the firewall in IIT using DPI
> > (looking at packet payload to identify that real FTP traffic is
> > transferring)?
>
> > It might be an interesting challenge to write a FTP-proxy (tunnelling
> > HTTP traffic over FTP) if it doesn't already exist.
>
> > SB
>
> > --
> > LUG@IITD -http://lug-iitd.org/Footer
>
> --
> aks

In reply to someone's mention of Wget, a few posts before: you DO need
to configure it to make it work over the proxy. See
http://www.gnu.org/software/wget/manual/html_node/Proxies.html for
more details. In brief, you need to set the http_proxy shell variable
(or maybe environment variable, I'm not sure) using export, to point
to the proxy server which applies to you.