Transparent proxy from scratch for http & https
While configuring Squid in transparent mode I found myself in an embarrassing situation, because it was not working. The version of Squid I worked on is squid-2.6.STABLE21-3.el5. After spending some time I figured out the problem, and here is the complete solution for those configuring a Squid proxy server in transparent mode for the first time after installation. Before proceeding, please update your squid package:
#yum -y update squid
In a transparent proxy we use iptables NAT to redirect traffic arriving on port 80 to port 3128 (3128 is the default Squid port). But the question arises: what if the client's request is an HTTPS connection, such as Gmail or Yahoo Mail, which uses port 443? Such connections should not be entertained by the Squid proxy server in the same way as HTTP.
In basic operation the client sends its request to the Squid box and the Squid box sends the request out to the Internet. But when an HTTPS connection needs to be established, the RSA/DSA keys and the certificate play an important role. Thankfully the RSA and DSA algorithms are not so weak that Squid could decrypt the content the client sends to the Internet. In this situation we instruct Squid to pass the traffic arriving on port 443 through the Squid box and out from the Squid box to port 443.
Here eth0 is my internal LAN interface and eth1 has the static IP provided by the ISP.
1. Turn on IP forwarding by running the following command.
i. #echo 1 > /proc/sys/net/ipv4/ip_forward (takes effect immediately, but is lost at reboot).
ii. Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1, then run #sysctl -p (permanent; writing into /proc/sys with an editor does not survive a restart, because /proc is rebuilt at boot).
2. Firewall rules (NAT).
i. #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
ii. #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
Also open the Squid ports used above (3128 and 3130) in iptables so that the redirected connections are accepted.
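The two redirect rules and the forwarding check above, as an added example that is not part of the original article: it builds the rules in the form iptables-save prints them and verifies, against a dump, that both are present and bound to the internal interface only (the interface and port values are the article's; the sample dump is constructed for the demo).

```shell
#!/bin/sh
# Added example, not the article's own script. Verifies the transparent-proxy
# NAT setup described above rather than trusting that the commands succeeded.

LAN_IF=eth0          # internal interface from the article
HTTP_PROXY_PORT=3128 # default squid port
HTTPS_PROXY_PORT=3130

# Print the nat PREROUTING rule redirecting dport $2 -> $3 for traffic entering
# interface $1, exactly as iptables-save prints it (note: --to-ports).
redirect_rule() {
    printf -- '-A PREROUTING -i %s -p tcp -m tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2" "$3"
}

# True when forwarding is on; $1 overrides the sysctl path for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Apply the two rules from step 2 (run as root on the proxy box).
apply_rules() {
    iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80  -j REDIRECT --to-port "$HTTP_PROXY_PORT"
    iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-port "$HTTPS_PROXY_PORT"
}

# Check an iptables-save dump ($1): 0 = both redirects present and every
# REDIRECT rule carries an "-i" restriction; 1 = a rule is missing;
# 2 = some REDIRECT rule is not bound to an interface (it would also catch
# connections arriving on the ISP-facing side).
check_dump() {
    grep -qxF -- "$(redirect_rule "$LAN_IF" 80 "$HTTP_PROXY_PORT")" "$1" || return 1
    grep -qxF -- "$(redirect_rule "$LAN_IF" 443 "$HTTPS_PROXY_PORT")" "$1" || return 1
    if grep -- '-j REDIRECT' "$1" | grep -qv -- '-i '; then
        return 2
    fi
    return 0
}

# Constructed sample dump, as `iptables-save -t nat` would print it.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
EOF

check_dump "$SAMPLE_DUMP" && echo "nat redirects for $LAN_IF are in place"
```

On the real box, feed `iptables-save -t nat` output to check_dump and run forwarding_enabled without an argument.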
Now configure the BIND DNS server in caching mode with forwarders turned on. In /etc/named.conf find the options section and add the forwarders line:
options
{
    // Those options should be used carefully because they disable port
    // randomization
    // query-source    port 53;
    // query-source-v6 port 53;

    // Put files that named is allowed to write in the data/ directory:
    directory          "/var/named"; // the default
    dump-file          "data/cache_dump.db";
    statistics-file    "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    forwarders { 123.45.67.89; 8.4.8.4; 202.54.1.66; }; ## Line added by Me.
};
For the rest of the squid.conf configuration please refer to my article “squid as a transparent proxy over ssl https”.
