cchinoy asked:
Squid As a Default Gateway

I have recently set up Squid 2.5 Stable 6 running on a FreeBSD box running 4.9.

Everything is working, however I have all my client machines using an automatic configuration script, so that everyone has to pass through the Squid box to get to the Internet.

Since it is possible to connect using alternate browsers, is there a way to make the squid box a Default gateway, rather than my firewall? This way nobody will be able to bypass the proxy.

Currently my firewall is responsible for NAT and PAT... The firewall is a Cisco Pix 506.

Thanks in advance

ramazanyich

cchinoy (ASKER):

This is the procedure necessary if there is a Cisco Router. I don't have a Cisco Router. I have a Cisco Pix 506 Firewall. The Firewall cannot route any packets.

Currently the Firewall is setup to forward everything to the router of my ISP. The router is not under my control...

So essentially I need to understand how incoming requests to squid on port 80 can be forwarded to squid port 3128?

Thanks,

Just add another http_port directive:
http_port 80

see details on
http://squid.visolve.com/squid/squid24s1/network.htm#http_port
cchinoy (ASKER):

This will involve running squid as root, since low-level ports can only be opened as root.

I have configured squid to run on a separate group and user for security reasons.
In that case use
cache_effective_user username
cache_effective_group groupname

and start squid as root. It will start listening on port 80 and change the user squid runs as. See details
http://squid.visolve.com/squid/squid24s1/admin_parameter.htm#cache_effective_user
cchinoy (ASKER):

According to my squid documentation, it is not advisable to run squid as root because of potential security concerns. I am looking for a work-around to get transparent proxy working without running it as root.
It will not run as root. It will change PID to your squid user.
Start it and see the owner of squid processes using ps.
cchinoy (ASKER):

Ok... Here is my configuration:

cache_effective_user squid
cache_effective_group squid

Squid being the group and userid I created to run squid...

What did you want me to change this to

cache_effective_user root
cache_effective_group wheel    ????

Please clarify and I will give it a try....
It should run with your cache_effective_user and cache_effective_group.
Just add
http_port 80
and try to start squid as user root.
It should now listen on port 80 and 3128 and squid processes will run as squid user.
You may want to take a look at ipnat portion of the IPFilter code.  

YourPrompt> man 8 ipnat
YourPrompt> man 5 ipnat

You'll have to build a kernel using a config with this line:

options IPFILTER

Then, you'd route your client PCs to the squid box, enable routing on the squid box (gateway_enable="YES" in /etc/rc.conf).

Reboot and set up an ipnat.conf file with an entry similar to the following:

rdr xx0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128

Then "ipnat -f ipnat.conf"

Oh, you also need to build squid with the option "--enable-ipf-transparent" for this to work.  Otherwise it may not be able to figure out what site your clients wanted.

This should give you the transparent redirection you're looking for.

Oh, and you should not need to run squid on port 80 or give it special permissions for the above to work for you.  ipnat handles all of that as a kernel module.
cchinoy (ASKER):

Finally,

This is exactly what I am looking for. It is very clear and concise.

I am a newbie to FreeBSD, but I am doing well so far (I think). I understand your email but I have a few follow-up questions. Please forgive my ignorance.

1. I have never rebuilt the kernel before. I take it that all I need to do is add the line - options IPFILTER - to the kernel and recompile? Would you happen to have a document or a site that would detail exactly what needs to be done?

2. I take it that in the command

rdr xx0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128

xx refers to my NIC. How can I find out what the name of my NIC is on my system?

3. I believe I did NOT create squid with --enable-ipf-transparent. so do I have to

./configure --enable-ipf-transparent
make
make all

All over again?

4. Is there anything that I would have to create, i.e. an *.sh file, so that certain daemons fire up automatically when the server is rebooted? I have created one for squid so that it launches automatically when the server is rebooted. I was wondering if this needs to be done for ipnat?

1)

The definitive resource for kernel building is the FreeBSD handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

2) ifconfig will tell you what your network interface(s) is (are).  If you have two, you want the rdr on the *inbound* interface (the one that faces the clients).

3) Yes, that's exactly correct.  Don't forget make install.

4) ipnat is a kernel module and so will load itself once compiled in.

Good luck!
cchinoy (ASKER):

Ok,

I was able to compile and install the new kernel with the

options IPFILTER

option. However, I do not see any file called ipnat.conf in the /etc directory. Do I have to create this myself? Am I missing anything?

Thanks,
ASKER CERTIFIED SOLUTION
jdw_2004

cchinoy (ASKER):

I guess if you were to call it something other than ipnat.rules, you would have to add a separate line to the /etc/rc.conf like

ipnat_rules=/etc/ipnat.conf

Either way, I added

ipnat_enable="YES" (I am curious. Does this mean that my FreeBSD box is doing NAT? My Cisco box currently does NAT and PAT for my network)

and I created the /etc/ipnat.rules with the following

rdr xxx 0/0 port 80 -> 127.0.0.1 port 3128 tcp

and life was good. Transparent proxy is working!!!! Thanks for all your help and pointing me in the right direction. I will add that on top of this you must make sure that the following exists within your squid.conf file for transparent proxy to work. (For anybody else who happens upon this post and is trying to set this up as well):

        http_port 8080
        httpd_accel_host virtual
        httpd_accel_port 80
        httpd_accel_with_proxy on
        httpd_accel_uses_host_header on
Your FreeBSD box is using its NAT functionality to do the transparent redirection (those things happen at the same spot in the network stack and so are handled by the same code).  Setting up an actual NAT would use the "map" ipnat rule type instead of "rdr."

It is a sort of NAT if you think about it.  Usually with NAT you have a client, the NAT, and a server.  The NAT pretends to be the client while talking to the server.  In this case, the NAT pretends to be the server while talking to the client.  So it's really the same thing, just from a different perspective.

I don't think you need those squid.conf lines you quoted.  Those are for reverse proxy (accel) configuration, which is something entirely different, and you are not running on port 8080.

In any case, I'm glad it's working for you.

cchinoy (ASKER):

I got this information right off the Squid website (see below)... I actually remmed out (#) those items to see if it made a difference and it did. The minute I disabled those tags, transparent proxy no longer worked. Either way, I appreciate all your help in getting this to work.

However, I have one problem now that I didn't have before. I created an acl to block all ports except 80 and 21. This worked prior to the setup of transparent proxy but now it no longer works.

acl !Safe_ports port 1-20
acl !Safe_ports port 22-79
acl !Safe_ports port 81-65535

http_access deny !Safe_ports

I have tried them in different areas in the squid.conf file but with no luck. Is there something I am missing?


The http_port 8080 in this example assumes you will redirect incoming port 80 packets to port 8080 on your cache machine. If you are running Squid on port 3128 (for example) you can leave it there via http_port 3128, and redirect to that port via your IP filtering or forwarding commands.

In the httpd_accel_host option, virtual is the magic word!

The httpd_accel_with_proxy on is required to enable interception proxy mode; essentially in interception proxy mode Squid thinks it is acting both as an accelerator (hence accepting packets for other IPs on port 80) and a caching proxy (hence serving files out of cache.)

You must use httpd_accel_uses_host_header on to get the cache to work properly in interception mode. This enables the cache to index its stored objects under the true hostname, as is done in a normal proxy, rather than under the IP address. This is especially important if you want to use a parent cache hierarchy, or to share cache data between interception proxy users and non-interception proxy users, which you can do with Squid in this configuration.
acl !Safe_ports port 1-20

is invalid syntax.

acl Safe_ports port 1-20
[etc]

is correct

Then,

http_access deny !Safe_ports

means "deny if Safe_ports is not matched."
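To make the "deny if Safe_ports is not matched" semantics concrete, here is an added example that is not from the thread or from Squid: a small JavaScript model of how Squid evaluates "acl NAME port ..." definitions and "http_access allow|deny [!]NAME" lines against a request's destination port. It models only port ACLs and first-match evaluation (a real squid.conf has many more ACL types), it rejects the "acl !Safe_ports" form as invalid, and both sample configurations are constructed for this example. The first config expresses the poster's stated goal (only 80 and 21 may pass); the second keeps the three ranges the poster listed with the "!" moved to http_access, so you can see that those ranges are the ports to block and "deny !Safe_ports" then denies exactly 21 and 80.

```javascript
// Added example, not code from the thread or from Squid itself: a small
// model of Squid's port-ACL and http_access evaluation. Sample configs
// below are constructed for this example.

const ACL_LINE = /^acl\s+(\S+)\s+port\s+(.+)$/;
const ACCESS_LINE = /^http_access\s+(allow|deny)\s+(!?)(\S+)\s*$/;

// Parse the port ACLs and http_access rules out of a squid.conf fragment.
function parseConfig(text) {
  const acls = {};
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    let m = ACL_LINE.exec(line);
    if (m) {
      const name = m[1];
      if (name.startsWith("!")) {
        // "acl !Safe_ports ..." is the error from the thread: negation is
        // written on the http_access line, never in the ACL name.
        throw new Error(`invalid ACL name "${name}": "!" belongs on http_access`);
      }
      // Repeating an acl line with the same name adds to that ACL.
      acls[name] = acls[name] || [];
      for (const tok of m[2].split(/\s+/)) {
        const [lo, hi] = tok.split("-").map(Number);
        acls[name].push([lo, hi === undefined ? lo : hi]);
      }
      continue;
    }
    m = ACCESS_LINE.exec(line);
    if (m) {
      if (!acls[m[3]]) throw new Error(`http_access refers to undefined ACL "${m[3]}"`);
      rules.push({ action: m[1], negate: m[2] === "!", acl: m[3] });
    }
  }
  return { acls, rules };
}

function portMatches(ranges, port) {
  return ranges.some(([lo, hi]) => port >= lo && port <= hi);
}

// The first http_access line whose ACL term is true decides. If no line
// matches, Squid applies the opposite of the last line's action; with no
// http_access lines at all the request is denied.
function decide(config, port) {
  for (const rule of config.rules) {
    const term = portMatches(config.acls[rule.acl], port) !== rule.negate;
    if (term) return rule.action;
  }
  const last = config.rules[config.rules.length - 1];
  return last && last.action === "deny" ? "allow" : "deny";
}

// Decision for each port of interest, keyed by port number.
function decisions(configText, ports) {
  const config = parseConfig(configText);
  const out = {};
  for (const p of ports) out[p] = decide(config, p);
  return out;
}

// Constructed config for the poster's stated goal: only 80 and 21 pass.
const ALLOW_ONLY_80_AND_21 = `
acl Safe_ports port 80 21
acl AnyPort port 1-65535
http_access deny !Safe_ports
http_access allow AnyPort
`;

// The ranges the poster listed, with the "!" moved to http_access. These
// ranges are the ports to block, so "deny !Safe_ports" ends up denying
// exactly 21 and 80 and letting everything else through.
const POSTED_RANGES = `
acl Safe_ports port 1-20
acl Safe_ports port 22-79
acl Safe_ports port 81-65535
http_access deny !Safe_ports
`;

console.log("allow only 80/21:", decisions(ALLOW_ONLY_80_AND_21, [21, 80, 81, 443]));
console.log("posted ranges:   ", decisions(POSTED_RANGES, [21, 80, 81, 443]));
```

Bear in mind that any http_access rule only sees requests that reach Squid. With the rdr rule above redirecting TCP port 80 alone, a client's direct connection to 443 never passes through the proxy, so no ACL can block it; that has to be done on the firewall.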

cchinoy (ASKER):

Well here is the problem...

If I have my squid box as the default gateway then my rules to block these ports, i.e. 443, no longer work. However, if I put in the proxy setting in the web browser the ports are now blocked.

Since ports other than 80 are not capable of transparent proxy, I guess the ideal situation would be to set up the squid box as your default gateway, but at the same time configure the browser to the squid box as well. Is this the case? Or am I totally off?
If you use the correct syntax for your ACL definition, it will probably work better.
cchinoy (ASKER):

Tried it that way and various other ways. It will only work if the proxy settings are explicitly set in Internet Explorer.
cchinoy (ASKER):

I did a little research and what I want to do is not possible since Squid is an HTTP proxy server, and can't be used to proxy other protocols.

However, implementing the transparent proxy combined with an Automatic Configuration script will allow you to make sure that nobody will be able to bypass your proxy (see below for a sample configuration script). The language is java and you must save this with a *.pac extension. Modify according to your environment.

function FindProxyForURL(url, host) {
    // HTTP and HTTPS go through the Squid box; "; DIRECT" falls back to a direct connection if the proxy does not answer
    if (url.substring(0, 5) == "http:") {
        return "PROXY xxx.xxx.xx.xx:3128; DIRECT";
    } else if (url.substring(0, 6) == "https:") {
        return "PROXY xxx.xxx.xx.xx:3128; DIRECT";
    } else {
        // anything else (ftp:, etc.) connects directly
        return "DIRECT";
    }
}
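The PAC approach described above, as an added example that is not cchinoy's script or anything from Squid: a PAC file in the same shape, where the proxy address 192.0.2.10:3128 and the internal domain suffix ".example.internal" are constructed placeholders. It differs from the posted script in two ways a defender would want: it drops the "; DIRECT" fallback after the proxy entry, because that fallback lets a browser that cannot reach the proxy silently go direct, which is the bypass this setup exists to prevent; and it sends intranet short names and the internal domain direct so they never leave via the proxy. The plain-hostname check is re-implemented with string operations rather than the PAC helper isPlainHostName so the function also runs under Node for testing.

```javascript
// Added example PAC file, not cchinoy's script or anything from Squid.
// The proxy address 192.0.2.10:3128 and the internal suffix
// ".example.internal" are constructed placeholders; change both.
var PROXY = "PROXY 192.0.2.10:3128";
var INTERNAL_SUFFIX = ".example.internal";

// A hostname with no dot is an intranet short name. PAC runtimes offer
// isPlainHostName() for this; it is re-implemented with plain string
// operations so the function also runs outside a browser.
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// Hosts that should never go through the proxy: localhost, local short
// names, and anything under the internal domain.
function isInternal(host) {
  var h = host.toLowerCase();
  return h === "localhost" || isPlainHost(h) ||
    h.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  if (isInternal(host)) {
    return "DIRECT";
  }
  if (scheme === "http" || scheme === "https") {
    // Deliberately no "; DIRECT" after the proxy entry: with a fallback,
    // a browser that cannot reach the proxy silently goes direct, which
    // is exactly the bypass this setup is meant to prevent.
    return PROXY;
  }
  // Protocols Squid does not handle stay direct, as in the posted script.
  return "DIRECT";
}
```

Save it with a .pac extension and point the browsers' automatic configuration URL at it. A PAC file is a client-side control: it steers only browsers that load it, the port-80 rdr rule catches clients that ignore it, and anything else (443 and the other non-80 ports discussed above) has to be stopped at the firewall.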
Wouldn't it be easier to use ipchains and Squid together? No need to recompile anything for testing...

I remember my uni used to forward all port 80 access to a transparent cache/proxy and intentionally ban all outgoing traffic to non-80 ports. Problem... some web servers run on port 81, so access to those servers will time out.

cchinoy,
 "I did a little research and what I want to do is not possible since ..."

What exactly do you want to do? I thought you only wanted to force all outgoing port-80 access to first fetch from the local proxy. You can do that quite easily without configuring any browser...

-Dan
1) This question is closed.

2) ipchains does not exist on FreeBSD.

3) He is looking to redirect other ports, not just 80.

4) https cannot be transparently redirected as it implements the CONNECT method which requires proxy awareness.