Configure Squid as HTTP and HTTPS Transparent Proxy
Posted by: admin. Category: Application services. 2020-07-06 23:02:16. Views: 1056
These days it is important to have a proxy server that can analyse an organization's web traffic. Among proxy servers, Squid is very popular because of its flexibility and ease of configuration. Squid can operate in non-transparent or transparent mode; transparent mode is what is covered here. The main benefit of transparent mode is that clients are not aware their requests pass through the proxy, so nothing has to be configured on the client side. Be clear about what "HTTPS transparent proxy" means in this setup: Squid terminates the client's TLS session, re-signs each site's certificate with its own CA (SSL bump) and opens a second TLS session to the real server. That only works if every client trusts that CA, and it means the proxy host holds both the CA private key and the decrypted traffic, so it must be protected accordingly. So let's look at how to configure Squid as an HTTP and HTTPS transparent proxy.
If you have a single interface there is no need to worry: you can create a virtual interface that acts as either the LAN or the Internet interface. The process has quite a few steps, so it is divided into four major sections to make it easier to follow.
(01) Install and Configure Squid
(02) Install bind DNS
(03) Configure iptables
(04) Configure Windows client.
So Let’s follow each section in depth.
(01) Install and Configure Squid
1) To analyse HTTPS traffic, the following packages are required (in addition to the usual build tools, gcc and make):
    yum install openssl openssl-devel
2) Download and install the latest Squid version
Download location: http://www.squid-cache.org/Versions/
Squid runs as the squid user, and the following configure options are mandatory for SSL bump:
    ./configure --with-openssl --enable-ssl-crtd --with-default-user=squid
    make
    make install
These options and the helper names below are those of Squid 3.x, which this guide was written against. Squid 4 and later renamed the ssl_crtd helper to security_file_certgen, so adjust the helper paths if you build a newer release.
3) Initialize the ssl_db directory
    /usr/local/squid/libexec/ssl_crtd -c -s /var/lib/ssl_db
    chown -R squid:squid /var/lib/ssl_db
Dynamically generated server certificates are stored in /var/lib/ssl_db. The helper runs as the squid user, so the directory must be owned by it.
4) Add the following directives to squid.conf (/usr/local/squid/etc/squid.conf), commenting out any existing http_port line:
    http_port 3130
    http_port 3128 intercept
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myca.pem key=/usr/local/squid/ssl_cert/myca.pem
    ssl_bump server-first all
    sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 8 startup=1 idle=1
    coredump_dir /usr/local/squid/var/cache/squid
Port 3128 receives the HTTP traffic redirected by iptables and port 3129 the HTTPS traffic; 3130 stays a plain forward-proxy port, because Squid warns at startup when no non-intercept port is configured. "ssl_bump server-first all" bumps every connection; Squid 3.5 and later prefer the peek/splice form of the ssl_bump rules, which also lets you splice (leave encrypted) sites you must not intercept, such as banking or pinned applications.
5) Create the certificate folder
    mkdir /usr/local/squid/ssl_cert
    chown -R squid:squid /usr/local/squid/ssl_cert
    cd /usr/local/squid/ssl_cert
6) Generate the self-signed CA certificate and private key (both are written to myca.pem). The original used a 1024-bit RSA key, which is no longer considered adequate for a CA and is rejected by several TLS stacks, so 2048 bits is used here:
    openssl req -new -newkey rsa:2048 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
Example answers to the prompts:
    Country Name (2 letter code) [XX]:lk
    State or Province Name (full name) []:western
    Locality Name (eg, city) [Default City]:colombo
    Organization Name (eg, company) [Default Company Ltd]:it
    Organizational Unit Name (eg, section) []:itdept
    Common Name (eg, your name or your server's hostname) []:squidserver.local
    Email Address []:admin@squidserver.local
Because -nodes leaves the private key unencrypted, keep myca.pem readable only by root and the squid user: anyone who obtains it can impersonate any HTTPS site to every client that trusts this CA.
7) Export the CA certificate in DER format for web browsers. This file (myca.der) is later imported into each browser's trusted root store to avoid certificate errors:
    openssl x509 -in myca.pem -outform DER -out myca.der
The DER file contains only the public certificate, not the private key, so it is safe to distribute to clients.
(02) Install bind DNS
1) Install bind
    yum install bind
2) Configure DNS: edit /etc/named.conf, add a master zone entry for squidserver.local that points at the zone file created below, and make named listen on the LAN address and accept queries from the LAN subnet (the default configuration listens on localhost only and answers only localhost, which would leave LAN clients without DNS).
    vim /etc/named.conf
3) Create the zone directory and file for squidserver.local
    mkdir /var/named/squidserver.local
    touch /var/named/squidserver.local/db.home
    chown -R named:named /var/named/squidserver.local
4) Add the following to /var/named/squidserver.local/db.home
    $ORIGIN squidserver.local.
    $TTL 86400
    @       IN  SOA proxy.squidserver.local. proxy.squidserver.local. (
                    2014032801 ; Serial
                    28800      ; Refresh
                    7200       ; Retry
                    604800     ; Expire
                    86400 )    ; Negative Cache TTL
    @       IN  NS  proxy.squidserver.local.
    proxy   IN  A   192.168.231.126
5) Start named
    service named start
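The named.conf that step 2) leaves unspecified, together with the zone file of step 4), as an added example that is not part of the original post. It is a small POSIX shell script that renders both files from parameters (the defaults shown are the post's values: zone squidserver.local, proxy address 192.168.231.126, LAN 192.168.231.0/24), writes them under a root directory of your choice so they can be inspected before touching /etc, and runs BIND's own zone checker when it is installed. The contact mailbox admin@squidserver.local and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the named.conf that
# step 2) leaves unspecified and the zone file of step 4) from parameters,
# write them under a chosen root directory, and syntax-check the zone.
# Assumed: the zone contact mailbox is admin@<zone>; other values are the post's.

# Minimal /etc/named.conf. The stock CentOS file listens on 127.0.0.1 only
# and answers only localhost, which leaves LAN clients without DNS; this one
# listens on the LAN address and answers/recurses for localhost and the LAN
# only, so the proxy host does not become an open resolver.
# $1 zone name, $2 LAN IP of the proxy, $3 LAN subnet, $4 zone file (relative to /var/named)
bind_named_conf() {
    zone=$1; lan_ip=$2; lan_net=$3; zonefile=$4
    cat <<EOF
options {
    listen-on port 53 { 127.0.0.1; ${lan_ip}; };
    directory "/var/named";
    allow-query { localhost; ${lan_net}; };
    allow-recursion { localhost; ${lan_net}; };
    recursion yes;
};

zone "${zone}" IN {
    type master;
    file "${zonefile}";
    allow-update { none; };
};
EOF
}

# Zone file with one NS and one A record for the proxy, as in step 4).
# $1 zone name, $2 proxy host label, $3 proxy IP, $4 serial (YYYYMMDDnn)
bind_zone_file() {
    zone=$1; host=$2; ip=$3; serial=$4
    cat <<EOF
\$ORIGIN ${zone}.
\$TTL 86400
@       IN  SOA ${host}.${zone}. admin.${zone}. (
                ${serial} ; Serial
                28800      ; Refresh
                7200       ; Retry
                604800     ; Expire
                86400 )    ; Negative Cache TTL
@       IN  NS  ${host}.${zone}.
${host}   IN  A   ${ip}
EOF
}

# Write both files below $1 (a scratch directory first; "/" for the real
# install after backing up /etc/named.conf). $2 zone, $3 LAN IP, $4 LAN subnet,
# $5 serial. The proxy's host label is "proxy", as in the post.
bind_write() {
    root=$1; zone=$2; lan_ip=$3; lan_net=$4; serial=$5
    mkdir -p "${root}/etc" "${root}/var/named/${zone}"
    bind_named_conf "$zone" "$lan_ip" "$lan_net" "${zone}/db.home" > "${root}/etc/named.conf"
    bind_zone_file "$zone" proxy "$lan_ip" "$serial" > "${root}/var/named/${zone}/db.home"
    # named must be able to read the zone; chown only as root on a box that has the user.
    if [ "$(id -u)" -eq 0 ] && id named >/dev/null 2>&1; then
        chown -R named:named "${root}/var/named/${zone}"
    fi
    # Syntax-check the zone with BIND's own tool when the bind package is installed.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "${root}/var/named/${zone}/db.home"
    fi
}

# Typical use, as root, after backing up the existing /etc/named.conf:
#   bind_write / squidserver.local 192.168.231.126 192.168.231.0/24 "$(date +%Y%m%d01)"
#   service named start
```

Generate into a scratch directory first (for example `bind_write /tmp/bindcheck squidserver.local 192.168.231.126 192.168.231.0/24 2014032801`) and read the two files; the allow-query and allow-recursion lines are the ones to keep if you merge the zone stanza into an existing named.conf instead of replacing it.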
(03) Configure iptables
Be careful with the interface names and IP addresses: change them to match your setup (throughout this section eth1 is the LAN side and eth0 the Internet side, and the LAN is 192.168.231.0/24). If you are new to iptables, read an introduction to it first.
1) Redirect HTTP and HTTPS traffic arriving from the LAN to Squid's intercept ports
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
2) Accept DNS (UDP and TCP port 53) and TCP ports 80, 443, 3128 and 3129 on the inbound LAN interface. The original rules had no interface match, which would open those ports towards the Internet side as well; "-i eth1" limits them to the LAN. The rules are inserted at position 5 here; adjust the position to fit your existing INPUT chain (they must come before its final REJECT rule). Note that the REDIRECT rules above rewrite the destination port before INPUT is consulted, so the 80 and 443 entries only matter if the proxy host also serves web content itself.
    iptables -I INPUT 5 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
    iptables -I INPUT 5 -i eth1 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth1 -p tcp --dport 80 -j ACCEPT
    iptables -I INPUT 5 -i eth1 -p tcp --dport 443 -j ACCEPT
    iptables -I INPUT 5 -i eth1 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 5 -i eth1 -p tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
3) What happens to other traffic, such as FTP or VPN? Squid does not handle those, so they are simply routed. Accept new connections from inside (eth1) and forward them to the Internet (eth0):
    iptables -I FORWARD 1 -i eth1 -o eth0 -s 192.168.231.0/24 -m conntrack --ctstate NEW -j ACCEPT
Accept forwarding of all already established connections:
    iptables -I FORWARD 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Masquerade traffic leaving the Internet interface (replace the private source address with the public one). The original rule had no output-interface match and would apply to new connections on every interface; the usual form limits it to eth0:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
4) Enable IPv4 packet forwarding. Edit /etc/sysctl.conf, add the following line and reload the settings with sysctl -p; without forwarding, the FORWARD rules above never see any traffic.
    net.ipv4.ip_forward=1
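The whole of section (03) as one reviewable script, added here as an example that is not part of the original post. It emits the rule set described above from parameters (the defaults are the post's values: eth1 LAN, eth0 Internet, 192.168.231.0/24, Squid ports 3128 and 3129), so the rules can be diffed and reviewed before `squid_apply` runs them as root. Three things differ from the rules as typed in the post, all deliberate: every accept on the proxy host is scoped to the LAN interface and subnet, MASQUERADE applies only to packets leaving the Internet interface, and the accepts live in two user chains (SQUID_IN and SQUID_FWD, names chosen for this example) that are jumped to from the top of INPUT and FORWARD, which avoids guessing a position such as "-I INPUT 5" in the distribution's default chain. The script itself is the example's own, not a tool from the Squid project.

```shell
#!/bin/sh
# Added example, not part of the original post: build the iptables rule set of
# section (03) as a script. "squid_rules" only prints the commands so they can
# be reviewed; "squid_apply" runs them as root. Chain names SQUID_IN/SQUID_FWD
# are this example's own choice.

LAN_IF=${LAN_IF:-eth1}                 # LAN side (post: eth1)
WAN_IF=${WAN_IF:-eth0}                 # Internet side (post: eth0)
LAN_NET=${LAN_NET:-192.168.231.0/24}   # LAN subnet (post's value)
HTTP_PORT=${HTTP_PORT:-3128}           # Squid "http_port ... intercept"
HTTPS_PORT=${HTTPS_PORT:-3129}         # Squid "https_port ... intercept ssl-bump"

# Print one iptables command per line; nothing is applied here.
squid_rules() {
    lan="-i ${LAN_IF} -s ${LAN_NET}"
    cat <<EOF
# --- NAT: send LAN web traffic into Squid, masquerade what leaves for the Internet ---
iptables -t nat -A PREROUTING ${lan} -p tcp --dport 80 -j REDIRECT --to-ports ${HTTP_PORT}
iptables -t nat -A PREROUTING ${lan} -p tcp --dport 443 -j REDIRECT --to-ports ${HTTPS_PORT}
iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
# --- INPUT: what the proxy host itself accepts, from the LAN only ---
iptables -N SQUID_IN 2>/dev/null || iptables -F SQUID_IN
iptables -A SQUID_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A SQUID_IN ${lan} -p udp --dport 53 -j ACCEPT
iptables -A SQUID_IN ${lan} -p tcp --dport 53 -j ACCEPT
iptables -A SQUID_IN ${lan} -p tcp --dport ${HTTP_PORT} -j ACCEPT
iptables -A SQUID_IN ${lan} -p tcp --dport ${HTTPS_PORT} -j ACCEPT
iptables -I INPUT 1 -j SQUID_IN
# --- FORWARD: everything Squid does not handle (ftp, vpn, ...) is routed ---
iptables -N SQUID_FWD 2>/dev/null || iptables -F SQUID_FWD
iptables -A SQUID_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A SQUID_FWD ${lan} -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD 1 -j SQUID_FWD
EOF
}

# Review check: count accept rules that open a port without a LAN-interface
# match. Anything other than 0 means a port would be reachable from every
# interface, including the Internet side.
squid_unscoped_accepts() {
    squid_rules | grep -- '-j ACCEPT' | grep -- '--dport' \
        | grep -vc -- "-i ${LAN_IF}" || true
}

# Apply as root: turn on forwarding, then run the printed commands, stopping
# at the first one that fails. Re-running adds a second (harmless) jump to the
# user chains; delete the old jump with "iptables -D INPUT -j SQUID_IN" first
# if you want the chain list to stay tidy.
squid_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    squid_rules | sh -e
}

# Typical use:
#   squid_rules                      # read the rules
#   squid_unscoped_accepts           # expect 0
#   LAN_IF=eth1 WAN_IF=eth0 squid_apply
```

Run `squid_rules` first and keep the output with the rest of the change record; `squid_unscoped_accepts` is the one-line check that the intercept ports and the resolver are not exposed on the Internet interface, which is the mistake the unscoped "-I INPUT 5" rules would have made.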
(04) Configure Windows client.
1) Set the client's default gateway and DNS server to 192.168.231.126 (the proxy's LAN IP address).
2) Import myca.der into the browser's trusted root certification authorities store to avoid certificate errors. Applications that keep their own trust store (Firefox, Java, many command-line tools) each need the CA as well, and clients that pin a site's certificate will still refuse the bumped connection; that is expected and such destinations should be excluded from bumping rather than worked around on the client.
Source: www.micoder.cc (virtualization and cloud computing, system operations, security services). Please credit the source when reposting "Configure Squid as HTTP and HTTPS Transparent Proxy".