Configure Squid as HTTP and HTTPS Transparent Proxy
Posted by: admin. Category: application services. 2020-07-06 23:02:16. Views: 1342.
These days it is important to have a proxy server to analyze an organization's web traffic. Among proxy servers Squid is well known for its flexibility and ease of configuration. Squid can operate in non-transparent (explicit) mode or in transparent mode; the transparent mode is discussed here. The main benefit of transparent mode is that clients are not aware their requests pass through the proxy: nothing is configured on the client side. For HTTPS this is only half true: to inspect TLS traffic Squid terminates each connection and re-signs the site's certificate with its own CA (SSL bump), so that CA still has to be installed on every client, and whoever holds the CA's private key can impersonate any site to those clients. With that in mind, let's look at how to configure Squid as an HTTP and HTTPS transparent proxy.
If you have a single interface there is no need to worry: you can create a virtual interface that acts as either the LAN or the Internet interface. The process has quite a few steps, so it is divided into 4 major sections to make it easier to follow.
(01) Install and Configure Squid
(02) Install bind DNS
(03) Configure iptables
(04) Configure Windows client.
Let's go through each section in depth.
(01) Install and Configure Squid
1) To inspect HTTPS traffic Squid must be built against OpenSSL, so the following packages are required.
yum install openssl openssl-devel
2) Download and install latest Squid version
Download location: http://www.squid-cache.org/Versions/
Squid runs as the squid user, and the following configure options are required: --with-openssl builds TLS support, --enable-ssl-crtd builds the certificate-generator helper, and --enable-linux-netfilter lets the intercept ports recover the original destination address from the kernel's NAT table (without it Squid cannot look up where an intercepted connection was originally headed).
./configure --with-openssl --enable-ssl-crtd --enable-linux-netfilter --with-default-user=squid
make
make install
3) Initialize the squid ssl_db directory (-c creates the database; it must be writable by the squid user)
/usr/local/squid/libexec/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db
Dynamically generated SSL certificates are stored in the /var/lib/ssl_db directory.
4) Add the following directives to squid.conf (comment out the default http_port line they replace).
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /usr/local/squid/var/cache/squid
Port 3130 is the ordinary explicit-proxy port; 3128 and 3129 are the intercept ports that iptables will redirect port 80 and 443 traffic into (section 03). cert= and key= both point at myca.pem because steps 5 and 6 put the CA certificate and its private key into that one file; Squid signs a fresh certificate for every intercepted host with it, so that file must be readable by the squid user only. Note that ssl_bump server-first is the Squid 3.2/3.3 syntax: Squid 3.5 and later use the peek/splice/bump steps instead, and Squid 4 renames the ssl_crtd helper to security_file_certgen.
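The same interception written for Squid 3.5 and later, where ssl_bump server-first is replaced by the peek/splice/bump steps. This is an added example rather than the original author's configuration: the ACL names step1 and nobump and the excluded hostnames are assumptions for illustration, and on Squid 4 and later the helper path is /usr/local/squid/libexec/security_file_certgen instead of ssl_crtd.

```conf
# Explicit-proxy port, kept for management and for clients configured by hand
http_port 3130
# Transparent ports that iptables redirects 80 and 443 into
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem

# Hostnames that must pass through untouched (assumed examples: banking sites,
# OS update servers, apps that pin certificates).  Matched on the SNI that the
# peek at step 1 reads out of the ClientHello.
acl nobump ssl::server_name .bank.example
acl nobump ssl::server_name .update.example

acl step1 at_step SslBump1
ssl_bump peek step1      # read the ClientHello/SNI without altering the handshake
ssl_bump splice nobump   # tunnel excluded hosts; the client sees the real certificate
ssl_bump bump all        # terminate TLS and re-sign with myca.pem for everything else

# Squid 4+: replace ssl_crtd with security_file_certgen in the same directory
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /usr/local/squid/var/cache/squid
```

The splice list is the part server-first all cannot express: anything that pins its server certificate breaks under bumping no matter what the client trusts, so those hosts have to be excused on the proxy.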
5) Create the certificate folder and generate the keys
mkdir /usr/local/squid/ssl_cert
chown -R squid.squid /usr/local/squid/ssl_cert
cd /usr/local/squid/ssl_cert
6) Execute a new certificate request. This creates a self-signed CA certificate and its private key in the same file, myca.pem. That file is the secret that lets the proxy impersonate every HTTPS site for every client that trusts it, so keep it readable by the squid user only (chmod 600). Use rsa:2048 or larger; 1024-bit keys are below the current minimum (OpenSSL security level 2 refuses them).
openssl req -new -newkey rsa:2048 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
Example answers to the prompts:
Country Name (2 letter code) [XX]:lk
State or Province Name (full name) []:western
Locality Name (eg, city) [Default City]:colombo
Organization Name (eg, company) [Default Company Ltd]:it
Organizational Unit Name (eg, section) []:itdept
Common Name (eg, your name or your server's hostname) []:squidserver.local
Email Address []:admin@squidserver.local
7) Export the certificate for web browsers. The DER file (myca.der) later has to be imported into each browser or OS trust store as a trusted CA, otherwise every HTTPS site will show a certificate error. openssl x509 reads only the certificate block of myca.pem, so the DER file does not contain the private key and is safe to hand out.
openssl x509 -in myca.pem -outform DER -out myca.der
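Steps 5 to 7 as one script, added here as an example rather than the original author's commands. It assumes the target directory and the file names myca.key, myca.crt, myca.pem and myca.der, takes the distinguished name from the sample answers above, and writes the CA extensions from an inline config so the result does not depend on the distribution's openssl.cnf. It uses a 2048-bit key, keeps the private key in a separate 0600 file, sets CA:TRUE and keyCertSign explicitly (browsers need those to import the certificate as a root), and ends with the checks worth running before the CA is pushed to clients.

```sh
#!/bin/sh
# Added example, not part of the original page: steps 5-7 as a script.
# Directory, file names and the DN are assumptions (the DN copies the page's
# sample answers).  Differences from the one-line openssl req above:
#   - 2048-bit key (rsa:1024 is below OpenSSL security level 2's minimum)
#   - key in its own 0600 file; the .der handed to clients never contains it
#   - CA:TRUE and keyCertSign set explicitly via an inline config

make_ca() {
    dir="$1"            # e.g. /usr/local/squid/ssl_cert
    cn="$2"             # e.g. squidserver.local
    days="${3:-1365}"

    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
default_md         = sha256
prompt             = no
[ dn ]
C  = LK
ST = western
L  = colombo
O  = it
OU = itdept
CN = $cn
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Self-signed CA; -nodes leaves the key unencrypted because Squid must open
    # it unattended at start-up, so file permissions are the only protection.
    ( umask 077 && openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -keyout "$dir/myca.key" -out "$dir/myca.crt" ) || return 1

    # Combined file for squid.conf entries that use one path for cert= and key=.
    ( umask 077 && cat "$dir/myca.crt" "$dir/myca.key" > "$dir/myca.pem" ) || return 1

    # Clients get the certificate only; openssl x509 ignores the key block.
    openssl x509 -in "$dir/myca.crt" -outform DER -out "$dir/myca.der" || return 1
    chmod 644 "$dir/myca.crt" "$dir/myca.der"
    # On the proxy, finish with: chown squid:squid "$dir"/myca.*  (user absent here)
}

# Checks to run before deploying; each prints or returns something testable.
ca_key_bits() {
    openssl rsa -in "$1/myca.key" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}
ca_is_ca() {
    openssl x509 -in "$1/myca.crt" -noout -text | grep -q 'CA:TRUE'
}
der_has_no_key() {
    ! grep -aq 'PRIVATE KEY' "$1/myca.der"
}
key_is_private() {
    [ "$(ls -l "$1/myca.key" | cut -c1-10)" = "-rw-------" ]
}

if [ -n "${1:-}" ]; then
    make_ca "$1" "${2:-squidserver.local}" \
        && ca_is_ca "$1" && der_has_no_key "$1" && key_is_private "$1" \
        && echo "CA written to $1 ($(ca_key_bits "$1")-bit key), checks passed"
fi
```

Run it as sh make_ca.sh /usr/local/squid/ssl_cert squidserver.local, then point cert= and key= in squid.conf at myca.pem (or at myca.crt and myca.key separately) and hand only myca.der to the clients.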
(02) Install bind DNS
1) install bind
yum install bind
2) Configure DNS
vim /etc/named.conf
3) Configure the zone for squidserver.local
mkdir /var/named/squidserver.local
touch /var/named/squidserver.local/db.home
chown -R named.named /var/named/squidserver.local/db.home
4) Add the following to /var/named/squidserver.local/db.home (the named.conf edited in step 2 must contain a zone stanza for squidserver.local that points at this file, or it is never loaded)
$ORIGIN squidserver.local.
$TTL 86400
@       IN  SOA proxy.squidserver.local. proxy.squidserver.local. (
            2014032801 ; Serial
            28800      ; Refresh
            7200       ; Retry
            604800     ; Expire
            86400 )    ; Negative Cache TTL
@       IN  NS  proxy.squidserver.local.
proxy   IN  A   192.168.231.126
5) Start named
service named start
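The named.conf pieces that step 2 leaves unstated, as an added example rather than the original author's file: the zone stanza that loads the file created in step 3, and options that restrict queries and recursion to the LAN so the proxy does not double as an open resolver if port 53 ever becomes reachable from the Internet side. The addresses are the ones used on this page; merge these into the existing /etc/named.conf rather than replacing it.

```conf
// Added example (not from the original page); merge into /etc/named.conf.
options {
    directory       "/var/named";
    // Listen on loopback and the LAN address only, never on the eth0 address.
    listen-on port 53 { 127.0.0.1; 192.168.231.126; };
    listen-on-v6    { none; };
    // Clients need recursion for the whole Internet, but only clients.
    recursion       yes;
    allow-query     { localhost; 192.168.231.0/24; };
    allow-recursion { localhost; 192.168.231.0/24; };
    allow-transfer  { none; };
};

// Root hints for recursion; the stock CentOS named.conf already carries this.
zone "." IN {
    type hint;
    file "named.ca";
};

// The local zone from steps 3 and 4 (path is relative to "directory").
zone "squidserver.local" IN {
    type master;
    file "squidserver.local/db.home";
    allow-update { none; };
};
```

Check the result with named-checkconf and named-checkzone squidserver.local /var/named/squidserver.local/db.home before starting the service.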
(03) Configure iptables
Be careful with the interface names and IP addresses and alter them to match your setup: here eth1 is the LAN side, eth0 the Internet side, and 192.168.231.126 is the proxy's LAN address. If you are new to iptables, read an introduction first.
1) Redirect HTTP and HTTPS traffic arriving on the LAN interface to squid
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
2) Accept UDP and TCP port 53 and TCP ports 80, 443, 3128 and 3129 on the inbound LAN interface.
Example: the rules are inserted at position 5 so that they land above the distribution's trailing REJECT rule; adjust the position to your existing chain. Note the -i eth1 on every rule: without it the same ports are open on the Internet side too, turning the box into an open proxy and an open resolver.
iptables -I INPUT 5 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
3) So what happens to other traffic, such as FTP or VPN? Let's bypass it.
Here we assume squid does not handle those requests: accept connections coming from inside (eth1) and forward them out to the Internet (eth0). Packets for ports 80 and 443 never reach this chain, because the REDIRECT in step 1 has already turned them into local input for squid.
iptables -I FORWARD 1 -o eth0 -i eth1 -s 192.168.231.0/24 -m conntrack --ctstate NEW -j ACCEPT
Also accept forwarding of all already-established connections
iptables -I FORWARD 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Masquerading (substitutes the proxy's public address for the private source address). Limiting it to -o eth0 keeps LAN-to-LAN traffic from being rewritten. Make sure the FORWARD chain's policy is DROP or that it ends in a REJECT, so that these two rules are the only forwarding allowed.
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
4) Enable packet forwarding for IPv4
Edit /etc/sysctl.conf, add the following line, and apply it with sysctl -p (otherwise it only takes effect after a reboot)
net.ipv4.ip_forward=1
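Section 03 as one parameterized script, added here as an example and not part of the original page. It assumes eth1 is the LAN interface, eth0 the Internet interface, and the subnet and proxy address used on this page (all overridable through the environment). emit_rules only prints the commands so they can be reviewed or diffed before "apply" runs them as root; it also adds what the rules above leave to the reader: the redirect skips traffic addressed to the proxy itself, every listening rule is bound to the LAN interface, and the FORWARD policy is set to DROP so nothing arriving on eth0 is ever routed.

```sh
#!/bin/sh
# Added example (not from the original page): the iptables section as a
# parameterized script.  Interface names, subnet and proxy address are the
# assumed values from this page; override them through the environment.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.231.0/24}"
PROXY_IP="${PROXY_IP:-192.168.231.126}"
HTTP_PORT="${HTTP_PORT:-3128}"
HTTPS_PORT="${HTTPS_PORT:-3129}"

emit_rules() {
    # 1) Transparent redirect, LAN side only.  Packets addressed to the proxy
    #    itself are left alone so Squid is not fed its own host's web ports.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$PROXY_IP" "$HTTP_PORT"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$PROXY_IP" "$HTTPS_PORT"

    # 2) Services the proxy offers to the LAN.  -I puts them above the
    #    distribution's trailing REJECT; -i $LAN_IF is what keeps 53/3128/3129
    #    unreachable from $WAN_IF (no open proxy, no open resolver).
    for svc in "tcp 53" "udp 53" "tcp $HTTP_PORT" "tcp $HTTPS_PORT"; do
        set -- $svc
        printf 'iptables -I INPUT -i %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$LAN_IF" "$1" "$2"
    done
    # inserted last, so it ends up first in the chain
    printf 'iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'

    # 3) Everything Squid does not handle (FTP, VPN, ...) is routed LAN -> WAN
    #    only; with policy DROP no new connection from $WAN_IF is ever forwarded.
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -I FORWARD -i %s -o %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF" "$LAN_NET"
    printf 'iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$WAN_IF" "$LAN_NET"

    # 4) Without forwarding the FORWARD chain never sees a packet.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Returns 0 when no rule accepts a new connection on the WAN interface.
check_rules() {
    ! emit_rules | grep -q -- "-i $WAN_IF"
}

case "${1:-}" in
    apply) emit_rules | sh -e ;;
    check) check_rules && echo "ok: nothing listens toward $WAN_IF" ;;
    *)     emit_rules ;;
esac
```

Run it without arguments to see the rules, with check to confirm nothing is accepted on the WAN interface, and with apply (as root) to install them; persist the result with the distribution's iptables save mechanism afterwards.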
(04) Configure Windows client.
1) Set the client's default gateway and DNS server to 192.168.231.126 (the proxy's LAN IP address).
2) Import myca.der into the web browser (or into the Windows trusted root store) as a trusted root CA to avoid SSL errors. Applications that pin their server certificate will still reject the re-signed certificate whatever the client trusts; those hosts have to be excluded from bumping on the proxy rather than fixed on the client.
Please credit the source when reposting: Configure Squid as HTTP and HTTPS Transparent Proxy, www.micoder.cc (virtualization and cloud computing, systems operations, security technical services).