Configure Transparent Interception on Squid

As proxy box we will use the latest web filtering virtual appliance from This virtual appliance contains pre-configured recent version of Squid proxy coupled with Web Safety ICAP web filter. You can easily build the same appliance on the real hardware yourself. Installation scripts at will help you along the way.


Please note, our proxy box will be based on Ubuntu 18 and NOT on Ubuntu 16 as our router. This is because we have built the router based on Arstechnica article where they use Ubuntu 16 for this purpose. The proxy box will instead be using the latest version 7.0 of Web Safety which runs on Ubuntu 18.

Step 1. Set the proxy IP address

First you’d need to download the virtual appliance and run it in VMware vSphere of Microsoft Hyper-V. If you have built your web filtering appliance on real hardware, boot it up, open browser, navigate to UI / Dashboard / Network and set the static IP address for the ens160 network interface card. Do not forget to click Save Settings.


Now reboot the proxy from the root console. After it is back to life, ping our router to make sure the network is working.

root@proxy:~# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.255 ms
64 bytes from icmp_seq=2 ttl=64 time=1.20 ms
64 bytes from icmp_seq=3 ttl=64 time=0.400 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.255/0.619/1.204/0.418 ms

Step 2. Enable Gateway Mode

To make Squid listen on these transparently redirected ports, navigate to UI / Squid / Settings / Network and select Default Gateway Proxy mode as shown on the screenshot below. Click Save and Restart afterwards.


After clicking Save and Restart, UI will generate required http_port and https_port directives in /opt/websafety/etc/squid folder. These will look like the following.

# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem


Ports 3126 and 3128 are prefixed with http_port directive and port 3127 is prefixed with https_port directive!

Step 3. Redirect traffic to local Squid instance

To redirect the incoming HTTP and HTTPS traffic to local instance of Squid proxy we need to add the following rules to the firewall on the proxy box (not on your Ubuntu 16 firewall!!!). Please note, here HTTP traffic is redirected to http_port 3126 and HTTPS traffic is redirected to https_port 3127.

# redirect HTTP to locally installed Squid instance
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 80 -j REDIRECT --to-ports 3126

# redirect HTTPS to locally installed Squid instance
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 443 -j REDIRECT --to-ports 3127

To save configured iptables between reboots run the following command (you might need to install the iptables-persistent package by running apt-get install iptables-persistent).

netfilter-persistent save

Reboot your proxy box again and check the output of iptables -t nat -S command. It should look like: