Transparent proxy with Squid

Enable IP Packet Forwarding on the machine

Solution 1

sudo vim /etc/sysctl.conf

then change the following parameter to 1

net.ipv4.ip_forward = 1

Save the file and exit, then apply the change with:

sudo sysctl -p

Solution 2

echo 1 > /proc/sys/net/ipv4/ip_forward

This must be run as root. It takes effect immediately but is lost on reboot; Solution 1 is the persistent one.

Configure the squid proxy

Configure for SSL

mkdir /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid35.pem  -out squid35.pem

# Generate the SSL certificate database used by ssl_crtd
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

Add the following configuration to squid.conf

http_access allow all
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid35.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1

ssl_bump peek all
ssl_bump splice all
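The `http_access allow all` line above turns the box into an open proxy for any network that can reach port 3130, which is the first thing a practitioner would tighten. The script below is an added example, not part of the original page: it emits the same listener and ssl_bump lines but restricts access to a client network, and includes a small check that flags an unrestricted `allow all`. The client CIDR (10.0.0.0/8 or 192.168.1.0/24) and the Safe_ports list are assumptions; the ports, certificate path and ssl_crtd settings are the page's own.

```sh
#!/bin/sh
# Added example (not from the original page): squid.conf generator for the
# intercept + ssl-bump setup, with the open "http_access allow all" replaced
# by an ACL limited to the client network.

# Prints a squid.conf to stdout. $1 is the client network (assumed default).
gen_squid_conf() {
    localnet="${1:-192.168.1.0/24}"   # assumption: the LAN behind the proxy
    cat <<EOF
# --- access control: only the client network may use the proxy ---
acl localnet src $localnet
acl SSL_ports port 443
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# --- listeners (as on the page) ---
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squid35.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
sslcrtd_children 16 startup=5 idle=1

# peek reads the TLS ClientHello (SNI) so it can be logged and matched by
# ACLs; splice then passes the session through untouched, so no certificate
# is re-signed for the client
ssl_bump peek all
ssl_bump splice all
EOF
}

# Reads a squid.conf on stdin and returns 1 if it contains an unconditional
# "http_access allow all" (an open proxy); prints the offending line to stderr.
check_open_proxy() {
    bad=$(grep -n '^[[:space:]]*http_access[[:space:]][[:space:]]*allow[[:space:]][[:space:]]*all[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "open proxy rule found at line: $bad" >&2
        return 1
    fi
    return 0
}

# Usage (as root):  sh this_script.sh write 10.0.0.0/8
# writes /etc/squid/squid.conf after checking it; nothing runs when sourced.
case "${1:-}" in
    write)
        gen_squid_conf "${2:-}" | check_open_proxy || exit 1
        gen_squid_conf "${2:-}" > /etc/squid/squid.conf
        ;;
esac
```

Squid evaluates `http_access` rules top to bottom and stops at the first match, so the order matters: the deny rules for unsafe ports come first, then the allow for the client network, and `deny all` last as the catch-all.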

Restart squid

Configuring firewall rules

In this example the machine has two interfaces, eth0 and eth1, and Squid is listening on 192.168.1.10:3128 on interface eth1.

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.10:3128
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
sudo iptables -t nat -A POSTROUTING --out-interface eth1 -j MASQUERADE

Save iptables configuration

iptables-save only prints the current ruleset to stdout, so redirect it to the file your distribution restores at boot (/etc/sysconfig/iptables on RHEL/CentOS; on Debian/Ubuntu the iptables-persistent package reads /etc/iptables/rules.v4):

sudo sh -c '/sbin/iptables-save > /etc/sysconfig/iptables'
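The rules above only redirect port 80, while the squid.conf section also opens `https_port 3129 intercept`; without a matching redirect for port 443 no HTTPS traffic reaches the ssl-bump listener. The script below is an added example, not part of the original page: it checks that forwarding is on, generates the NAT rules for both ports from a few variables, applies them idempotently (using `iptables -C` so re-running does not duplicate rules), and persists them with a redirect. The interface names and proxy address are the page's; the RULES_FILE path and the environment-variable overrides are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): NAT rules for the transparent
# proxy, covering HTTP (80 -> 3128) and HTTPS (443 -> 3129).

LAN_IF="${LAN_IF:-eth0}"             # clients arrive here (page: eth0)
PROXY_IF="${PROXY_IF:-eth1}"         # Squid listens on this interface (page: eth1)
PROXY_IP="${PROXY_IP:-192.168.1.10}" # Squid's address on PROXY_IF (page)
HTTP_PORT=3128                       # http_port 3128 intercept
HTTPS_PORT=3129                      # https_port 3129 intercept ssl-bump
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"  # assumption: RHEL-style path

# Returns 0 when IP forwarding is enabled. Reads the file given as $1
# (defaults to the live kernel value) so the check can be exercised offline.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints one rule per line as iptables arguments (without the "iptables" word).
# Ordering mirrors the page: DNAT for traffic entering on the client interface,
# REDIRECT for traffic entering on the proxy's own interface, then MASQUERADE.
gen_nat_rules() {
    for pair in "80:$HTTP_PORT" "443:$HTTPS_PORT"; do
        dst="${pair%%:*}"
        to="${pair##*:}"
        echo "-t nat -A PREROUTING -i $LAN_IF -p tcp --dport $dst -j DNAT --to-destination $PROXY_IP:$to"
        echo "-t nat -A PREROUTING -i $PROXY_IF -p tcp --dport $dst -j REDIRECT --to-ports $to"
    done
    echo "-t nat -A POSTROUTING -o $PROXY_IF -j MASQUERADE"
}

# Adds each rule only if an identical one is not already present (-C).
# $rule and $check are expanded unquoted on purpose so they split into arguments.
apply_nat_rules() {
    gen_nat_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        if ! iptables $check 2>/dev/null; then
            iptables $rule
        fi
    done
}

# iptables-save writes to stdout; the redirect is what makes it persistent.
persist_nat_rules() {
    iptables-save > "$RULES_FILE"
}

# Usage (as root):  sh this_script.sh apply
# Nothing is applied when the script is merely sourced or run without "apply".
case "${1:-}" in
    apply)
        if ! ip_forward_enabled; then
            echo "net.ipv4.ip_forward is 0; enable it first (see above)" >&2
            exit 1
        fi
        apply_nat_rules
        persist_nat_rules
        ;;
esac
```

Because these rules live in PREROUTING they only match packets arriving on an interface, never packets Squid itself generates, so the proxy's outbound connections are not looped back into the intercept ports.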