PageViews: 651 hits / 95 nets

Transparent Proxy over SOCKS by DeleGate

Yutaka Sato
December 8, 2006

SocksTap: SOCKS based Transparent Application-level Proxy :p

DeleGate version 9.4.1 realized a "transparent proxy over SOCKS" (*1). It is useful to do cache, log, filtering, or so for application protocols including HTTP, FTP and NNTP for the clients which are configured to connect target servers through a SOCKS proxy. This mechanism requires clients to be "SOCKSified", instead it does not require the forwarding in the IP layer.

The DeleGate server for this purpose is invoked as a SOCKS server. After the negotiation in the SOCKS protocol is completed, the server process becomes an application level proxy which interprets the application protocol conveyed on the TCP connection between a client and a server, doing cache and logging and so on in the way and the format which are specific to each application protocol.

phase-1) DeleGate acts as a SOCKS server, doing authentication of the client and negotiation about the destination server.

   client ================> DeleGate
           SOCKS / TCP

phase-2) DeleGate acts as an application-level proxy, relaying between the client and the server, or relaying data from the cache.

                                       +-----> another-proxy
   client ================> DeleGate --+------------> server
           HTTP                cache
           FTP                 log  
           NNTP                filtering
           SMTP                routing
           POP                 mount
           ...                 authentication

The protocol on a TCP connection is guessed by the pattern of the first request from the client-side or the first response from the server-side sent on the connection. (*2)
The connection to the server may not be established when the application protocol is HTTP and there is a fresh cache for the request.

To configure a DeleGate to act like this, add the names of application protocols to be interpreted to the SOCKSTAP parameter as follows.

The easiest way of the configuration is making arbitrary protocols to be interpreted as follows.

(*1) the term "transparent proxy" is usually used for "a HTTP proxy which is not visible from a client". DeleGate can be used for the purpose too. Note that the formally defined meaning of it in the specification of HTTP does not mean such usage but just a proxy which does not modify the request/response data.

(*2) DeleGate has another kind of "transparent application-level proxy over a circuit-level proxy" which has been called as "Generalist" historically. Since it has the information of the application protocol indicated in it, it is easier to know in which application protocol the communication should be interpreted.

DeleGate reference manual version 9.9 / <A Href=/delegate/Manual.htm?SOCKSTAP id=hgen>SOCKSTAP</A> parameter

[CTX] [ALL] SOCKSTAP parameter
SOCKSTAP parameter*  ==  SOCKSTAP=ProtoList[:[dstHostList][:[srcHostList][:params]]]
                     --  default: none
    If specified with a SOCKS server, the data stream relayed over the SOCKS is interpreted in each application protocol. For example, with SOCKSTAP=http, the delegated act as a server of SERVER=http when the relayed protocol is detected to be the HTTP protocol.

    Example: Socks-DeleGate which do caching for HTTP and FTP

    Example: Socks-DeleGate which do caching for HTTP with an upstream proxy

    See> for more details.