Transparent proxy from scratch for http & https

While configuring it in transparent mode I found myself in an embarrassing situation, because it was not working. The version of squid I worked on is squid-2.6.STABLE21-3.el5. After spending some time I figured out the problem, and here is the complete solution for those who are configuring a squid proxy server in transparent mode for the first time after installation. Before proceeding, please update your squid package.

#yum -y update squid

With a transparent proxy we can use iptables NAT to route traffic from port 80 to port 3128 (3128 is the default squid port). But the question that arises here is: what if the request from the client is an HTTPS connection, such as Gmail or Yahoo Mail, which uses port 443? Such a connection should not be entertained by the squid proxy server.

In basic operation the client sends a request to the squid box and the squid box sends the request out to the Internet. But when an HTTPS connection needs to be established, RSA/DSA keys and certificates play an important role. Thank god the RSA and DSA algorithms are not so weak that squid cannot decrypt the content sent by the client to the Internet. In such a situation we instruct squid to pass the content coming in on port 443 to the squid box, and from the squid box out to port 443.

Here eth0 is my internal LAN interface and eth1 has the static IP provided by my ISP.

1. Turn on IP forwarding by running one of the following commands.

i. #echo 1 > /proc/sys/net/ipv4/ip_forward (takes effect immediately, but is temporary).

ii. #gedit /proc/sys/net/ipv4/ip_forward, change 0 to 1 and restart the system (not dynamic, but permanent; needs a restart to take effect).

2. Firewall rules (NAT).

i. #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

ii. #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

Open the appropriate ports using iptables.
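As an added example (not part of the original post), the script below applies the two REDIRECT rules from step 2 only if they are not already present, and checks a nat-table dump for them, so a second run does not duplicate the rules. It assumes the interface and ports from the article (eth0, 80→3128, 443→3130) and the line format that iptables-save prints for REDIRECT rules.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent NAT rules for
# transparent squid plus a verification check against `iptables-save -t nat`.
LAN_IF=${LAN_IF:-eth0}          # article's internal LAN interface
HTTP_REDIRECT="80:3128"         # dport:squid http port (article values)
HTTPS_REDIRECT="443:3130"       # dport:squid https port (article values)

# Render one "dport:toport" spec the way `iptables-save` lists a REDIRECT rule.
nat_rule() {
    dport=${1%%:*}; toport=${1##*:}
    printf -- '-A PREROUTING -i %s -p tcp -m tcp --dport %s -j REDIRECT --to-ports %s' \
        "$LAN_IF" "$dport" "$toport"
}

# Return 0 only if both expected rules appear (as whole lines) in the given
# nat-table dump text; report any missing rule on stderr.
verify_nat_rules() {
    dump=$1; missing=0
    for spec in "$HTTP_REDIRECT" "$HTTPS_REDIRECT"; do
        rule=$(nat_rule "$spec")
        if ! printf '%s\n' "$dump" | grep -qxF -- "$rule"; then
            echo "missing: $rule" >&2; missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Return 0 if IP forwarding is on; the file argument defaults to the live
# kernel setting and exists so the check can be exercised on a copy.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Append each rule only when the current dump does not already contain it
# (uses iptables-save rather than `iptables -C`, which older releases lack).
# Needs root; not exercised by the test.
apply_nat_rules() {
    dump=$(iptables-save -t nat)
    for spec in "$HTTP_REDIRECT" "$HTTPS_REDIRECT"; do
        printf '%s\n' "$dump" | grep -qxF -- "$(nat_rule "$spec")" && continue
        iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "${spec%%:*}" \
            -j REDIRECT --to-port "${spec##*:}"
    done
}

# Usage as root: apply_nat_rules && verify_nat_rules "$(iptables-save -t nat)"
```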

Now configure the BIND DNS server in caching mode with forwarders turned on. In /etc/named.conf find the options section and add the forwarders line.

options {
    // Those options should be used carefully because they disable port
    // randomization
    // query-source    port 53;
    // query-source-v6 port 53;

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file          "data/cache_dump.db";
    statistics-file    "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    forwarders { 123.45.67.89; 8.4.8.4; 202.54.1.66; }; ## Line added by Me.
};

For the rest of the squid.conf configuration please refer to my article “squid as a transparent proxy over ssl https”.
