
HTTP Proxy in transparent mode to port 8080

Hi!
I configured my proxy to run in transparent mode. Allowed services are, among others, HTTP and SQUID, meaning ports 80 and 8080.
When I tried to access a site on port 8080 today, it couldn't be downloaded; the packet filter showed packets to port 8080 being dropped. I had to add a rule allowing my PC to contact any server on port 8080.
Is this normal? I already allowed that port in the HTTP proxy config!


  • In the packetfilter log, was the source address the firewall, or the PC?

    If it was the PC, then the PC isn't using the proxy.

    Barry
  • The source was the PC. As the proxy is running in transparent mode, I don't have to set the proxy in the PC's software (right?)
    For servers serving on port 80 the proxy is used, I can see all the addresses in the proxy accessed sites log.
    So, why don't the other allowed ports get proxied?

    Edit:
    Oh, running Version 6.101.
  • > For servers serving on port 80 the proxy is used, I can see all the addresses in the proxy accessed sites log.
    > So, why don't the other allowed ports get proxied?

    Transparent proxying is only done for port 80. (Since you don't know if the traffic on other ports is HTTP, you can't intercept it). So you have to set the proxy manually if you want to redirect other ports over the proxy.
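    To illustrate the point svens makes, here is a small added example (not code from this thread, from Sophos or from the UTM product) of the check a transparent proxy would have to perform before it could intercept a flow on an arbitrary port: peek at the first bytes of the client's payload and decide whether it looks like an HTTP/1.x request line, a TLS ClientHello, or something else entirely. The sample flows at the bottom are constructed for the demonstration; the port numbers and payloads are assumptions, not captures from the poster's network.

```python
"""
Guess the application protocol of a TCP flow from its first payload bytes.

This is the decision a transparent proxy needs before redirecting traffic
on a non-standard port: on port 80 it can assume HTTP, elsewhere it cannot.
Constructed example, not Sophos UTM code.
"""

# Request methods from RFC 7231, plus PATCH (RFC 5789).
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH")


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload begins with a complete, plausible HTTP/1.x request line."""
    first_line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False  # request line not finished yet; cannot decide
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in HTTP_METHODS
            and len(target) > 0
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS record that carries a ClientHello."""
    if len(payload) < 6:
        return False
    content_type = payload[0]               # 0x16 = handshake record
    major, minor = payload[1], payload[2]   # record-layer version 3.x
    handshake_type = payload[5]             # 0x01 = client_hello
    return (content_type == 0x16 and major == 3 and minor <= 4
            and handshake_type == 0x01)


def classify_flow(payload: bytes) -> str:
    """Return "http", "tls" or "unknown" for the first bytes of a client flow."""
    if looks_like_http_request(payload):
        return "http"
    if looks_like_tls_client_hello(payload):
        return "tls"
    return "unknown"


def flows_to_intercept(flows):
    """
    Given (port, first_payload) pairs, return the (port, protocol) pairs a
    proxy could safely take over.  Port 80 is trusted to be HTTP without
    inspection, matching what the transparent proxy does; any other port
    must prove itself by its payload.
    """
    plan = []
    for port, payload in flows:
        proto = "http" if port == 80 else classify_flow(payload)
        if proto in ("http", "tls"):
            plan.append((port, proto))
    return plan


# Constructed sample flows: (destination port, first client payload).
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (8080, b"GET /Harassment HTTP/1.1\r\nHost: www.example.test:8080\r\n\r\n"),
    # First bytes of a TLS 1.2 ClientHello record: type 0x16, version 3.3,
    # length 0x00c8, handshake type 0x01.
    (443, bytes([0x16, 0x03, 0x03, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4])),
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),        # same port range, not HTTP
    (8080, b"\x00\x01\x02\x03binary-protocol"),  # 8080 is not always HTTP
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify_flow(payload))
    print("intercept:", flows_to_intercept(SAMPLE_FLOWS))
```

    The last two sample flows are the reason a blanket "treat 8080 as HTTP" rule is unsafe: the same port can carry anything, and a proxy that redirects it blindly will break those connections, which is essentially the behaviour the original poster saw when the packet filter dropped the traffic instead.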
  • You need to set the proxy on the PCs to use 80. You don't require a filter rule to allow HTTP out. But you will require a filter rule for HTTPS.

    I use the HTTP proxy in standard mode and put the proxy in all the PCs, that gives me HTTP and HTTPS. Works well.
    But I am a home user and only have 6 devices that use HTTP/S.

    Ian M [:)]

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I hate to resurrect a decade old thread, however have a question.

    svens wrote: Transparent proxying is only done for port 80. (Since you don't know if the traffic on other ports is HTTP, you can't intercept it).

    Is there a way to tell UTM that traffic on some other port (8080, 1234, 12345, etc.) is HTTP or HTTPS? Technically, it should be possible, as there is no reason UTM can't interpret traffic on an arbitrary port as HTTP/HTTPS. 80 (or 443) is not some magic number.

  • Well, technically, these are magic numbers for the HTTP/S Proxy. [;)]  80 and 443 can't be changed inside the Transparent proxy.  12 years ago, the Transparent proxy didn't work with HTTPS (443).

    When you use the Standard proxy, the usual port is 8080, but that can be changed on the 'Misc' tab of 'Web Filtering Options'.  What is it that you want to accomplish?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • > Well, technically, these are magic numbers for the HTTP/S Proxy. [;)] 

    I'd say they may be hardcoded numbers but nothing about them is magic :)


    > 80 and 443 can't be changed inside the Transparent proxy.

    And I suppose no ports can be added ?  Interesting that for the Standard proxy, I can add extra ports to the "Allowed target services" list (i.e. the default list contains a very much custom port 4444).  But can't do the same for the transparent proxy.


    > 12 years ago, the Transparent proxy didn't work with HTTPS (443).

    Well, support for HTTPS required understanding of a brand new protocol.  I'm talking about just inspecting a protocol the proxy already understands, but on a different port.  Much easier and should be a matter of config change.  I guess it's just not implemented, at least not in GUI.


    > What is it that you want to accomplish?

    I want to continue inspecting HTTP traffic using the transparent proxy with all its benefits (like not having to configure proxy settings on clients) while allowing my users to browse to a few sites that use port 8080 (i.e. http://hrits4.un.org:8080/Harassment). Don't tell me that no serious site should run on 8080, tell that to the UN :).  Whitelisting these via firewall is something I really don't want to do.


  • After having been a programmer and managing very talented programmers, I can tell you that if this is a make-or-break requirement, you will never have this capability with the UTM. You could make a few adjustments with NAT rules, but there will never be a general solution for this. You might want to consider a different solution.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA