Search squid archive

Re: Setting up a transparent http and https proxy server using squid 4.6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey,

 

I am missing a bit of the context, like:

Did you self compiled squid? Is it from the OS repository?

Squid -v might help a bit to understand what you do have enabled in your Squid.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1ltd@xxxxxxxxx

Zoom: Coming soon

 

 

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of jean francois hasson
Sent: Thursday, December 31, 2020 11:10 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Setting up a transparent http and https proxy server using squid 4.6

 

Hi,

I am trying to create for my home network a transparent proxy to implement filtering rules based on website names mainly.

I have been looking at using a Raspberry pi 3B+ running pi OS. I configured it to be a Wifi access point using RaspAP quick install. The Wifi network on which the filtering option is to be implemented is with IP 10.3.141.xxx. The router is at address 10.3.141.1.

I have the following squid.conf file which I tried to create based on different mails, websites and blogs I read :

acl SSL_ports port 443 #https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

#Le réseau local
acl LocalNet src 10.3.141.0/24

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3

#Définition des autorisations
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow LocalNet
http_access deny all

#Définition des ports d'écoute
http_port 8080
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  tls-cert=/etc/squid/cert/example.crt \
  tls-key=/etc/squid/cert/example.key \
  generate-host-certificates=on  dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

ssl_bump peek all
acl tls_whitelist ssl::server_name .example.com
ssl_bump splice tls_whitelist
ssl_bump terminate all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_dir ufs /cache 400 16 256
cache_access_log /var/log/squid/access.log
cache_effective_user proxy

If I set up on a device connected to the access point a proxy manually ie 10.3.141.1 on port 8080, I can access the internet. If I put the following rules for iptables to use in files rules.v4 :

*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
COMMIT
Now, if I remove the manual proxy configuration of the device connected to the access point, I can't connect to the internet. If I leave the manual proxy configuration it does work and there is activity logged in /var/log/squid/access.log.

Please let me know what might be wrong in my configuration if possible.

Best regards,

JF

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux