Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsSpark New Zealand (including Skinny and BigPipe)Transparent proxy disabled?
tcpdump

311 posts

Ultimate Geek
+1 received by user: 3


#92580 2-Nov-2011 10:07
Send private message

Hi,

I recall the last time I checked I was using Telecom's transparent proxy but it seems it's no longer the case:

# telnet 1.1.1.1 80
Trying 1.1.1.1...
^C

 
My network knowledge tells me that transparrent proxies capture all traffic, including the one for IP addresses that don't run a web server and/or are down.

Am I mistaken?

Thanks. 

PS: I am comfortable not using their proxies so I'm not looking to have it enabled, I am just wondering if they have disabled the "feature" or they are using a different method. I'm on a Total Home 60GB broadband plan. 

Create new topic
BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #540226 2-Nov-2011 10:23
Send private message

tcpdump: Hi,

I recall the last time I checked I was using Telecom's transparent proxy but it seems it's no longer the case:

# telnet 1.1.1.1 80
Trying 1.1.1.1...
^C

 
My network knowledge tells me that transparrent proxies capture all traffic, including the one for IP addresses that don't run a web server and/or are down.

Am I mistaken?


Yes, you are.

Transparent proxies only cache http traffic to allow for faster browsing experience and reduced usage of international connectivity.  It won't cache https or any other traffic such as vpn's or tcp sessions that are reset due to the remote site being down.

tcpdump: PS: I am comfortable not using their proxies so I'm not looking to have it enabled, I am just wondering if they have disabled the "feature" or they are using a different method. I'm on a Total Home 60GB broadband plan. 


You can request a static IP, and have that IP added to the no-proxy list.

Transparent proxies by their nature shouldn't be affecting your browsing experience in any other way than a positive one by making it go faster.  That is of course if the cache hasn't got corrupted and the proxies are all bent out of shape :)



tcpdump

311 posts

Ultimate Geek
+1 received by user: 3


  #540231 2-Nov-2011 10:34
Send private message

I have a remote linux machine and I launched a tcpdump -n port 80 and host $telecom_ip

10:29:34.858398 IP $telecom_ip.36881 > $remote_server.80: Flags [S], seq 1524399974, win 14600, options [mss 1340,sackOK,TS val 208051953 ecr 0,nop,wscale 5], length 0
10:29:34.859587 IP $remote_server:80 > $telecom_ip.36881: Flags [R.], seq 0, ack 1524399975, win 0, length 0
 
This would point to a transparent proxy not being used, correct?

Thanks.

PS: Based on http://www.telecom.co.nz/packages/packages/plansandpricing/totalhomebroadband - does the "static ip address - included" mean it's free? :) 

BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #540336 2-Nov-2011 14:02
Send private message

tcpdump: I have a remote linux machine and I launched a tcpdump -n port 80 and host $telecom_ip

10:29:34.858398 IP $telecom_ip.36881 > $remote_server.80: Flags [S], seq 1524399974, win 14600, options [mss 1340,sackOK,TS val 208051953 ecr 0,nop,wscale 5], length 0
10:29:34.859587 IP $remote_server:80 > $telecom_ip.36881: Flags [R.], seq 0, ack 1524399975, win 0, length 0
 
This would point to a transparent proxy not being used, correct?

Thanks.

PS: Based on http://www.telecom.co.nz/packages/packages/plansandpricing/totalhomebroadband - does the "static ip address - included" mean it's free? :) 


You wouldn't be able to tell if you are going via the transparent proxy unless you took a trace on both end and saw different sequence numbers between source and destination.  You might see additional http headers injected into the payload but that's at layer 5 rather than 3.

I suggest you request a static IP, to me I don't see a issue with it since it only improves browsing, but if you have a specific business need / reason then put in the request and see how you go.



codyc1515
1598 posts

Uber Geek
Inactive user


  #540352 2-Nov-2011 14:31
Send private message

BarTender:
tcpdump: I have a remote linux machine and I launched a tcpdump -n port 80 and host $telecom_ip

10:29:34.858398 IP $telecom_ip.36881 > $remote_server.80: Flags [S], seq 1524399974, win 14600, options [mss 1340,sackOK,TS val 208051953 ecr 0,nop,wscale 5], length 0
10:29:34.859587 IP $remote_server:80 > $telecom_ip.36881: Flags [R.], seq 0, ack 1524399975, win 0, length 0
 
This would point to a transparent proxy not being used, correct?

Thanks.

PS: Based on http://www.telecom.co.nz/packages/packages/plansandpricing/totalhomebroadband - does the "static ip address - included" mean it's free? :) 


You wouldn't be able to tell if you are going via the transparent proxy unless you took a trace on both end and saw different sequence numbers between source and destination.  You might see additional http headers injected into the payload but that's at layer 5 rather than 3.

I suggest you request a static IP, to me I don't see a issue with it since it only improves browsing, but if you have a specific business need / reason then put in the request and see how you go.

Would I be correct in saying that you couldn't use an Alternate DNS if you we're on the transparent proxy?

tcpdump

311 posts

Ultimate Geek
+1 received by user: 3


  #540354 2-Nov-2011 14:35
Send private message


Would I be correct in saying that you couldn't use an Alternate DNS if you we're on the transparent proxy?


Not necessarily. They are two different things as the transparent proxy intercepts requests at the IP level (layer 3) , not on the DNS level (layer 7).
 
However, I have read quite a few topics on various issues when using non-Telecom provided DNS servers.

 

Ragnor
8279 posts

Uber Geek
+1 received by user: 585

Trusted

  #540361 2-Nov-2011 14:51
Send private message

My understanding is that Telecom use a large cluster of Bluecoat devices for caching (some of the newer Cacheflow, some of the older Proxy SG).

In practice they only intercept international http requests (not https or other protocols) and serve those from the cache.

I believe a http request served from the cache will have an the cache domain name added to the http headers in the server field.  You can inspect the response headers in the dev tools in any modern browser (IE9, Chrome, Firefox + Firebug addon).

It will look something like this (this is Firefox w/ Firebug addon), except the server field will have additional text like: AKmdrL2CacheBC4.telecom.co.nz



So you will probably need to inspect a http request for a static resource eg: css, js, images from an international site where the cache-control headers have been set for caching in order to see this in action.

 
 
 
 

Support Geekzone with one-off or recurring donations Donate via PressPatron.
ptinson
677 posts

Ultimate Geek
+1 received by user: 27

Trusted

  #540536 2-Nov-2011 23:48
Send private message

Ragnor is pretty much on the money, with the exception that the the high end cacheflows didnt allow the insertion of the via header, so if you pass through one of those you wont see it.

The Telecom cache was setup so that if your HTTP request didnt match certain criteria it would bypass the cache farm, this was to catch port 80 international traffic that wasnt actually HTTP, so if you simply open a telnet connection to international IP on port 80 and send any random char down it you will bypass the cache:)

There are other tricks you can try and use to see if you are being proxy cached, some are reliable and others arent, things like window scaling size etc. All depends on the cache...

The Telecom caches do secondary DNS resolution before filling a request (it is also a dns cache) so if you use a DNS cache other than the one the caches do then it will screw with your requests.
Common things like requesting facetube from google dns returning a server in the states and the cache seeing it as some where a lot closer, you start getting responses from servers you didnt request them from.

Also be wary of testing to a server the is international, always make sure both the request and response paths are international routes, they are not always and this causes other issues...

Paul (please Telecom, help me purge the cache from my brain:))




meat popsicle

plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #540563 3-Nov-2011 07:56
Send private message

ptinson: Paul (please Telecom, help me purge the cache from my brain:))


Cheers Paul for the insightful response... And no.. you won't ever be able to purge the cache ;).

ptinson
677 posts

Ultimate Geek
+1 received by user: 27

Trusted

  #540567 3-Nov-2011 08:16
Send private message

Insightful? mmm, just factual i think, nothing in that post is new.
I would still be pushing for a big change in how they run if I was still there, ah well. Such is life.




meat popsicle

Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright