Configure Transparent Interception on Squid

As the proxy box we will use the latest web filtering virtual appliance from https://www.diladele.com/virtual_appliance.html. This virtual appliance contains a pre-configured recent version of the Squid proxy coupled with the Web Safety ICAP web filter. You can easily build the same appliance on real hardware yourself; the installation scripts at https://github.com/diladele/websafety-virtual-appliance will help you along the way.

Step 1. Set the proxy IP address

First you need to download the virtual appliance and run it in VMware vSphere or Microsoft Hyper-V. If you have built your web filtering appliance on real hardware, boot it up instead. Then open a browser, navigate to UI / Dashboard / Network and set a static IP address for the ens160 network interface card. Do not forget to click Save Settings.

(Screenshot: UI / Dashboard / Network page with the static IP address set for ens160)

Now reboot the proxy from the root console. After it comes back up, ping the router to make sure the network is working.

root@proxy:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.255 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.20 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.400 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.255/0.619/1.204/0.418 ms

Step 2. Redirect traffic to local Squid instance

To redirect the incoming HTTP and HTTPS traffic to the local instance of the Squid proxy we need to add several rules to the firewall. Just as in the Ars Technica guide at https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch we are going to create a special firewall definition file and load it at system startup.

Open /etc/network/if-pre-up.d/iptables in vi to create a startup script for iptables and populate it as follows.

#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables

Save it and make it executable by running chown root /etc/network/if-pre-up.d/iptables; chmod 755 /etc/network/if-pre-up.d/iptables.

When our router re-routes traffic for ports 80 and 443 to this proxy box, we need to redirect it to two different Squid ports for interception and filtering. This is done with REDIRECT rules in the PREROUTING chain of the nat table: port 80 goes to 3126 and port 443 goes to 3127. So create the firewall definition file at /etc/network/iptables and make it look like this.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# redirect HTTP to locally installed Squid instance
-A PREROUTING -i ens160 -p tcp --dport 80 -j REDIRECT --to-ports 3126

# redirect HTTPS to locally installed Squid instance
-A PREROUTING -i ens160 -p tcp --dport 443 -j REDIRECT --to-ports 3127

COMMIT

Step 3. Enable Gateway Mode

To make Squid listen on these transparently redirected ports, navigate to UI / Squid / Settings / Network and select the Default Gateway Proxy mode as shown on the screenshot below. Click Save and Restart afterwards.

(Screenshot: UI / Squid / Settings / Network page with Default Gateway Proxy mode selected)

After clicking Save and Restart, the UI will generate the required http_port and https_port directives in the /opt/websafety/etc/squid folder. They will look like the following.

# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem

Note

Ports 3126 and 3128 are declared with the http_port directive, while port 3127 is declared with the https_port directive!
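A mistake in either file above (a REDIRECT to a port Squid is not listening on, an intercept port missing the intercept option, or the port 443 listener declared with http_port instead of https_port) only shows up as failed connections after the reboot. The following script is an added example, not part of the Web Safety appliance: it parses the nat table of an iptables-restore file and the http_port/https_port lines of the generated Squid configuration, then reports any disagreement between the two. The file contents are embedded as constructed samples that mirror the two listings above; on the appliance you would read them from /etc/network/iptables and the files under /opt/websafety/etc/squid instead. The check assumes single-port REDIRECT targets (no port ranges).

```python
"""Cross-check iptables REDIRECT rules against Squid intercept ports.

Added example (not the appliance's own code). Assumes each REDIRECT rule
names a single --to-ports value and that the port 443 listener must be an
https_port with ssl-bump so intercepted HTTPS can be decrypted for filtering.
"""
import shlex

# Constructed sample mirroring /etc/network/iptables from the guide.
IPTABLES_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# redirect HTTP to locally installed Squid instance
-A PREROUTING -i ens160 -p tcp --dport 80 -j REDIRECT --to-ports 3126
# redirect HTTPS to locally installed Squid instance
-A PREROUTING -i ens160 -p tcp --dport 443 -j REDIRECT --to-ports 3127
COMMIT
"""

# Constructed sample mirroring the generated Squid port directives.
SQUID_PORTS = """\
# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
"""

# Constructed sample of the pitfall from the Note: 3127 declared as http_port.
SQUID_PORTS_WRONG_PREFIX = SQUID_PORTS.replace("https_port 3127", "http_port 3127")

# Which directive each intercepted destination port must land on.
EXPECTED_DIRECTIVE = {80: "http_port", 443: "https_port"}


def parse_redirects(text):
    """Return {dport: to_port} for REDIRECT rules in the nat PREROUTING chain."""
    redirects = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        if line.startswith("*"):          # "*nat" opens a table
            table = line[1:]
            continue
        if line == "COMMIT":              # closes the current table
            table = None
            continue
        if table != "nat":
            continue
        argv = shlex.split(line)
        if argv[:2] != ["-A", "PREROUTING"]:
            continue
        # collect "flag value" pairs; every option in these rules takes a value
        opts = {argv[i]: argv[i + 1]
                for i in range(len(argv) - 1) if argv[i].startswith("-")}
        if opts.get("-j") == "REDIRECT" and "--dport" in opts and "--to-ports" in opts:
            redirects[int(opts["--dport"])] = int(opts["--to-ports"])
    return redirects


def parse_squid_ports(text):
    """Return {port: (directive, set_of_options)} for http_port/https_port lines."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("http_port", "https_port"):
            port = int(parts[1].rsplit(":", 1)[-1])   # tolerate [ip:]port
            ports[port] = (parts[0], set(parts[2:]))
    return ports


def check(iptables_text, squid_text):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    redirects = parse_redirects(iptables_text)
    ports = parse_squid_ports(squid_text)
    for dport in (80, 443):
        if dport not in redirects:
            problems.append(f"no PREROUTING REDIRECT rule for destination port {dport}")
            continue
        to_port = redirects[dport]
        if to_port not in ports:
            problems.append(f"port {dport} is redirected to {to_port}, but Squid has no listener on it")
            continue
        directive, opts = ports[to_port]
        if "intercept" not in opts:
            problems.append(f"Squid port {to_port} receives redirected traffic but lacks the intercept option")
        if directive != EXPECTED_DIRECTIVE[dport]:
            problems.append(f"port {to_port} should be declared with {EXPECTED_DIRECTIVE[dport]}, found {directive}")
        if dport == 443 and "ssl-bump" not in opts:
            problems.append(f"https_port {to_port} has no ssl-bump, so intercepted HTTPS is not decrypted for filtering")
    return problems


if __name__ == "__main__":
    for label, squid_text in (("generated config", SQUID_PORTS),
                              ("wrong prefix", SQUID_PORTS_WRONG_PREFIX)):
        found = check(IPTABLES_RULES, squid_text)
        print(f"{label}: {'OK' if not found else found}")
```

Run it with the real files by replacing the two constants with the file contents; an empty problem list for the generated configuration and a single "should be declared with https_port" finding for the wrong-prefix sample are the expected results.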

Reboot your proxy box now and continue to the next step.