Integrate Squid into Firewall
Enable Gateway Mode
To make Squid listen on the transparently redirected ports 3126 and 3127, log in to the Admin UI of Web Safety at http://10.0.0.1:8000, click Squid / Settings / Network and select the Default Gateway Proxy transparent mode as shown on the screenshot below. Do not forget to click Save and Restart afterwards.
After clicking Save and Restart, the Admin UI will generate the required http_port and https_port directives in the /opt/websafety/etc/squid folder. They will look something like the following. IMPORTANT: ports 3126 and 3128 are prefixed with the http_port directive and port 3127 is prefixed with the https_port directive.
# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
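The following shell script is an added example, not part of Web Safety or Squid, that checks a Squid configuration file for exactly the port layout described above: a plain http_port on 3128, http_port with intercept on 3126 and https_port with intercept and ssl-bump on 3127. It assumes the generated directives live in a file under /opt/websafety/etc/squid, which you pass as the argument; the sample config embedded in the script is constructed from the lines above so it also runs offline and catches the http_port/https_port mix-up the IMPORTANT note warns about.

```shell
#!/bin/sh
# Added example (not Web Safety's or Squid's own code): sanity-check the port
# directives that transparent gateway mode needs. The sample below is
# constructed from the directives shown above so the script runs offline.
SAMPLE_SQUID_CONF='# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem'

# port_directive FILE PORT: print the first http_port/https_port line for PORT
# (comment lines never match because the directive must start the line).
port_directive() {
    grep -E "^https?_port[[:space:]]+$2"'([[:space:]]|$)' "$1" | head -n 1
}

# check_squid_ports FILE: return 0 when 3126/3127/3128 are declared as the
# text requires; otherwise print each problem and return 1.
check_squid_ports() {
    rc=0

    # 3128 is the explicit proxy port: http_port without "intercept"
    case "$(port_directive "$1" 3128)" in
        http_port*intercept*) echo "3128: must not be an intercept port"; rc=1 ;;
        http_port*)           ;;
        *)                    echo "3128: missing or not an http_port line"; rc=1 ;;
    esac

    # 3126 receives REDIRECTed HTTP: http_port with "intercept"
    case "$(port_directive "$1" 3126)" in
        http_port*intercept*) ;;
        *) echo "3126: must be 'http_port 3126 intercept'"; rc=1 ;;
    esac

    # 3127 receives REDIRECTed HTTPS: https_port with "intercept" and "ssl-bump"
    case "$(port_directive "$1" 3127)" in
        https_port*intercept*ssl-bump*) ;;
        *) echo "3127: must be 'https_port 3127 intercept ssl-bump ...'"; rc=1 ;;
    esac

    return $rc
}

# Usage: sh check_squid_ports.sh /opt/websafety/etc/squid/<generated file>
# With no argument the constructed sample is checked instead.
if [ -n "$1" ]; then
    check_squid_ports "$1" && echo "port directives look correct"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SQUID_CONF" > "$tmp"
    check_squid_ports "$tmp" && echo "sample port directives look correct"
    rm -f "$tmp"
fi
```

Run it against the generated file after every Save and Restart; a non-zero exit with a message naming the port tells you which directive Squid would start with in the wrong mode.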
Redirect HTTP and HTTPS Traffic
Squid will now listen for redirected traffic on ports 3126 and 3127 and for normal proxy traffic on port 3128. But we also need to allow this traffic through the firewall. Add the following rules to /etc/network/iptables, section services, somewhere before the -A INPUT -j DROP rule.
# accept traffic to redirected ports 3126, 3127 and proxy port 3128
-A INPUT -i ens33 -p tcp --dport 3126 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3127 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3128 -j ACCEPT
Finally, to redirect the HTTP and HTTPS traffic to the locally installed Squid we need to add the following rules to the *nat section of iptables. Place them somewhere before the final
# redirect HTTP to locally installed Squid instance
-A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3126
# redirect HTTPS to locally installed Squid instance
-A PREROUTING -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3127
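The following shell script is an added example, not part of Web Safety, that reads an iptables-restore style rules file such as /etc/network/iptables and checks the two things that silently break this setup: an ACCEPT rule placed after -A INPUT -j DROP is never reached, and the REDIRECT rules in the *nat table must send port 80 to 3126 and port 443 to 3127. The rules file embedded in the script is constructed from the rules above; the surrounding layout (policy lines, COMMIT markers) is an assumption about how /etc/network/iptables is laid out, so the script runs offline, and you pass your real file as the argument to check it.

```shell
#!/bin/sh
# Added example (not Web Safety's own code): check the ordering and content of
# the firewall rules from this page in an iptables-restore style file. The
# sample below is constructed; only the rules themselves come from the page.
SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# accept traffic to redirected ports 3126, 3127 and proxy port 3128
-A INPUT -i ens33 -p tcp --dport 3126 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3127 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3128 -j ACCEPT
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3126
-A PREROUTING -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3127
COMMIT'

# A deliberately wrong variant (constructed): the 3127 ACCEPT sits below the
# DROP and HTTPS is redirected to the HTTP intercept port.
SAMPLE_IPTABLES_BAD='*filter
-A INPUT -i ens33 -p tcp --dport 3126 -j ACCEPT
-A INPUT -i ens33 -p tcp --dport 3128 -j ACCEPT
-A INPUT -j DROP
-A INPUT -i ens33 -p tcp --dport 3127 -j ACCEPT
COMMIT
*nat
-A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3126
-A PREROUTING -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3126
COMMIT'

# check_input_accepts FILE: every ACCEPT for 3126/3127/3128 on INPUT must exist
# and appear before "-A INPUT -j DROP" in *filter (iptables stops at the first
# matching rule, so anything after the DROP is dead). Returns 0 when all is well.
check_input_accepts() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = $0 }                       # *filter, *nat, ...
        table == "*filter" && /^-A INPUT -j DROP/ { drop = NR }
        table == "*filter" && /^-A INPUT .*-j ACCEPT/ {
            port = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port == "3126" || port == "3127" || port == "3128") {
                if (drop) { printf "port %s: ACCEPT is after INPUT DROP (unreachable)\n", port; bad = 1 }
                seen[port] = 1
            }
        }
        END {
            split("3126 3127 3128", want, " ")
            for (i in want) if (!(want[i] in seen)) { printf "port %s: no INPUT ACCEPT rule\n", want[i]; bad = 1 }
            exit bad
        }' "$1"
}

# check_nat_redirects FILE: *nat must REDIRECT 80 -> 3126 and 443 -> 3127 so
# that HTTP lands on the http_port intercept and HTTPS on the https_port one.
check_nat_redirects() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = $0 }
        table == "*nat" && /^-A PREROUTING .*-j REDIRECT/ {
            dport = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")    dport = $(i + 1)
                if ($i == "--to-ports") to    = $(i + 1)
            }
            if (dport != "") redir[dport] = to
        }
        END {
            if (redir["80"]  != "3126") { print "HTTP (80) is not redirected to 3126";  bad = 1 }
            if (redir["443"] != "3127") { print "HTTPS (443) is not redirected to 3127"; bad = 1 }
            exit bad
        }' "$1"
}

# check_rules_file FILE: run both checks and fail if either fails.
check_rules_file() {
    check_input_accepts "$1"; a=$?
    check_nat_redirects "$1"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}

# Usage: sh check_iptables_rules.sh /etc/network/iptables
# With no argument the constructed sample is checked instead.
if [ -n "$1" ]; then
    check_rules_file "$1" && echo "firewall rules look correct"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_IPTABLES" > "$tmp"
    check_rules_file "$tmp" && echo "sample firewall rules look correct"
    rm -f "$tmp"
fi
```

The check is worth running before the reboot: if the ACCEPT rules end up below the DROP, clients simply lose web access with nothing in the Squid log to explain it, and if 443 is redirected to 3126 Squid receives TLS on an http_port and the HTTPS side fails in the same silent way.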
Restart your proxy box now and continue to the next step.