Integrate Squid into Firewall

Enable Gateway Mode

To make Squid listen on the transparently redirected ports 3126 and 3127, log in to the Admin UI of Web Safety at http://10.0.0.1:8000, click Squid / Settings / Network and select Default Gateway Proxy transparent mode as shown on the screenshot below. Do not forget to click Save and Restart afterwards.

[Screenshot: transparent_mode2.png (Squid / Settings / Network with Default Gateway Proxy transparent mode selected)]

After clicking Save and Restart, the Admin UI will generate the required http_port and https_port directives in the /opt/websafety/etc/squid folder. They will look something like the following. IMPORTANT: ports 3126 and 3128 are prefixed with the http_port directive and port 3127 is prefixed with the https_port directive.

# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem

Redirect HTTP and HTTPS Traffic

Squid will now listen for redirected traffic on ports 3126 and 3127 and for normal proxy traffic on port 3128, but this traffic also needs to be allowed through the firewall. Add the following rules to the services section of /etc/network/iptables, somewhere before the -A INPUT -j DROP rule (iptables stops at the first matching rule, so an ACCEPT placed after that DROP is never reached).

# accept traffic to redirected ports 3126, 3127 and proxy port 3128
-A INPUT -i ens33 -p tcp --dport 3126 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3127 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3128 -j ACCEPT

Finally, to redirect HTTP and HTTPS traffic to the locally installed Squid, add the following rules to the *nat section of iptables. Place them somewhere before the final COMMIT of that section.

# redirect HTTP to locally installed Squid instance
-A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3126

# redirect HTTPS to locally installed Squid instance
-A PREROUTING -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3127
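As an added example that is not part of the Web Safety documentation, the following POSIX shell lint checks a rules file for the two placement mistakes the steps above depend on avoiding: an ACCEPT that ends up below -A INPUT -j DROP, and a REDIRECT that ends up outside the *nat table. It assumes the iptables-restore layout (*filter / *nat sections each closed by COMMIT), the interface ens33 and the ports used on this page; the sample rule files it writes are constructed for the demonstration.

```shell
# Added example, not part of the Web Safety documentation: lint an iptables-restore
# style rules file (such as /etc/network/iptables) for the two placement mistakes the
# steps above guard against: an ACCEPT placed after "-A INPUT -j DROP" and a REDIRECT
# placed outside the *nat table. Interface ens33 and ports 3126-3128 are this page's values.
# line_of PATTERN FILE: line number of the first matching line (empty if none)
line_of() { grep -n -- "$1" "$2" | head -n1 | cut -d: -f1; }
# check_rules FILE: print each problem found; return 0 only when all checks pass
check_rules() {
    f="$1"; rc=0
    drop=$(line_of '^-A INPUT -j DROP' "$f")
    for port in 3126 3127 3128; do
        acc=$(line_of "^-A INPUT -i ens33 -p tcp --dport $port -j ACCEPT" "$f")
        if [ -z "$acc" ]; then echo "no INPUT ACCEPT for tcp/$port"; rc=1
        elif [ -n "$drop" ] && [ "$acc" -gt "$drop" ]; then
            echo "ACCEPT for tcp/$port (line $acc) comes after INPUT DROP (line $drop): never matched"; rc=1
        fi
    done
    nat=$(line_of '^\*nat' "$f"); commit=""
    # COMMIT that closes the *nat table (stays empty when there is no *nat section)
    if [ -n "$nat" ]; then commit=$(awk -v s="$nat" 'NR > s && /^COMMIT/ { print NR; exit }' "$f"); fi
    for pair in 80:3126 443:3127; do
        dport=${pair%%:*}; to=${pair##*:}
        r=$(line_of "^-A PREROUTING -i ens33 -p tcp --dport $dport -j REDIRECT --to-ports $to" "$f")
        if [ -z "$r" ]; then echo "no REDIRECT for tcp/$dport to port $to"; rc=1
        elif [ -z "$nat" ] || [ "$r" -lt "$nat" ] || { [ -n "$commit" ] && [ "$r" -gt "$commit" ]; }; then
            echo "REDIRECT tcp/$dport to $to (line $r) lies outside the *nat table: not loaded"; rc=1
        fi
    done
    return $rc
}
# write_sample FILE good|bad: constructed sample in the layout used above; "bad"
# moves the 3127 ACCEPT below the DROP and the HTTPS REDIRECT below the *nat COMMIT
write_sample() {
    f="$1"; mode="$2"
    {
        echo '*filter'
        echo '-A INPUT -i ens33 -p tcp --dport 3126 -j ACCEPT'
        if [ "$mode" = good ]; then echo '-A INPUT -i ens33 -p tcp --dport 3127 -j ACCEPT'; fi
        echo '-A INPUT -i ens33 -p tcp --dport 3128 -j ACCEPT'
        echo '-A INPUT -j DROP'
        if [ "$mode" = bad ]; then echo '-A INPUT -i ens33 -p tcp --dport 3127 -j ACCEPT'; fi
        echo 'COMMIT'
        echo '*nat'
        echo '-A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3126'
        if [ "$mode" = good ]; then echo '-A PREROUTING -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3127'; fi
        echo 'COMMIT'
        if [ "$mode" = bad ]; then echo '-A PREROUTING -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3127'; fi
    } > "$f"
}
```

On the proxy box itself, run check_rules against /etc/network/iptables before restarting; a non-zero exit with the printed line numbers tells you which rule to move.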

Restart your proxy box now and continue on the next step.