nginx as proxy to squid forward proxy
535 views
Skip to first unread message
Max Stainer
Jul 31, 2020, 3:36:58 AM7/31/20
to openresty-en
Hello,
Regards
Max
Rainer Canavan
Jul 31, 2020, 6:38:10 AM7/31/20
to openre...@googlegroups.com
>> the system has to work as if browser is confgured to use a proxy but I don't want to force users to configure proxy parameter.
>> I'm not an expert but I think there is a need to make a module with lua.
This cannot be done in the general case. You'll need to modify all
absolute URLs and paths (in HTML, CSS, JS, Set-Cookie headers etc.),
including those generated from within Javascript. That's equivalent to
the https://en.wikipedia.org/wiki/Halting_problem which has been
proven to be impossible to solve.
It can be done on a limited scope, i.e. not all web sites will work
(without manual intervention), but it's not an easy task. Since all
the "interesting" sites nowadays are fundamentally javascript
applications, you'll have to assume that those won't work "out of the
box" with a simple, generic solution. It's also a potential security
problem for your users, since you'll probably miss rewriting a few
cookies and send them to places they were not intended to go, assuming
they trust your server in the first place.
rainer
Max Stainer
Jul 31, 2020, 9:29:36 AM7/31/20
to openresty-en
leaving security problems aside and assuming we want to stop rewriting absolute URL the first depth
is it possible to do something like this with openresty script or module?
is it possible to do something like this with openresty script or module?
Rainer Canavan
Jul 31, 2020, 9:44:09 AM7/31/20
to openre...@googlegroups.com
On Fri, Jul 31, 2020 at 3:29 PM Max Stainer <mcod...@gmail.com> wrote:
>
> leaving security problems aside and assuming we want to stop rewriting absolute URL the first depth
I've got no idea what "the first depth" is supposed to mean here.
>
> leaving security problems aside and assuming we want to stop rewriting absolute URL the first depth
> is it possible to do something like this with openresty script or module?
body) as you like. It just isn't a simple task to do it properly, and
no matter how good a job you think you may have done, it will not work
with some web sites unless you deal with each and every one of the
outliers "manually".
You can reduce the complexity a bit and get to something that (kind
of) works a lot quicker if, instead of having your clients surf on
something like https://proxyserver/<uri_to_visit> you send them to
https://<uri_to_visit_with_dots_replaced_with_dashes>.proxyserver/
Just get a wildcard certificate for *.proxyserver, and you'll at least
not have to modify paths.
rainer
Reply all
Reply to author
Forward
0 new messages