Monday, December 26, 2005

Transparent Proxying with Squid

Taming the Squid

You’ll need to make sure you have IP forwarding enabled.

$ cat /proc/sys/net/ipv4/ip_forward

If that command returns 0, you can enable IP forwarding by putting net.ipv4.ip_forward=1 in your /etc/sysctl.conf. Since that won't take effect until you reboot, you can temporarily enable the feature by running:

# echo 1 > /proc/sys/net/ipv4/ip_forward


After downloading and possibly patching the code, you can build
Squid. Squid has a wide variety of build options, and you should
research all of them carefully, since many can greatly impact
both security and performance. The options shown here are the
minimum for building Squid as a transparent proxy using WCCP.

To compile Squid, run:

$ ./configure --enable-linux-netfilter --enable-wccp && make

Next, run make install as root.

With Squid installed, you can configure it to suit your needs.
Edit the squid.conf file, which is located in /usr/local/squid/etc/ by default.

(The squid.conf file is heavily commented and contains a ton of
useful information. Read the entire file when you have time.)

For transparent proxying to work, ensure that the following lines are present:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Minimally, you’ll also need to adjust the http_access directives to
allow traffic from your IP addresses. Depending on your distribution,
you may also need to create a Linux user and group based on your cache_effective_user and cache_effective_group directives.

Once you're happy with your configuration, run squid -z to initialize the cache directories. Then start Squid by running the included RunCache script. By default, Squid runs on port 3128. If you've changed that default, remember which port you've chosen, as you'll need that information in the next step.


Playing Traffic Cop

With Squid up and running, you now need to redirect traffic destined
for port 80 to Squid running on port 3128. (While you can configure
squid to run on port 80, this can cause problems, including endless
loops when Squid tries to contact itself.) Use an iptables rule to
redirect traffic.

To set up the rule, you'll need to know which interface the requests to be proxied will be coming in on (for example eth0) and the port Squid is listening on. Once you have this information, run the following command:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


Of course, you'll also need to add this command to the appropriate init script so that the rule is recreated on subsequent reboots.
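The steps above (IP forwarding, the four httpd_accel directives plus a restrictive http_access list, and the PREROUTING redirect that must survive a reboot) fit naturally into one init-script helper. The following is an added example written for this page, not a script from the original post or from the Squid project. It assumes Squid listens on 3128, clients arrive on eth0 and squid.conf lives in /usr/local/squid/etc/ (all overridable through environment variables), and it only applies rules when SQUID_TP_APPLY=1 is set, so it can be sourced and its checks run without root.

```shell
#!/bin/sh
# Added example (not from the original post): init-script helpers for a
# Squid transparent proxy. Paths, interface and port below are assumptions.

SQUID_CONF="${SQUID_CONF:-/usr/local/squid/etc/squid.conf}"
PROXY_IFACE="${PROXY_IFACE:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Return 0 if the sysctl file given as $1 reads "1" (forwarding on), else 1.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Verify that squid.conf ($1) carries every directive transparent mode needs
# and that its http_access list ends with "deny all". Squid evaluates
# http_access rules in order and, when nothing matches, applies the opposite
# of the last rule, so a list that does not end in "deny all" can leave the
# cache reachable as an open proxy. Prints each problem; returns 1 if any.
check_squid_conf() {
    conf="$1"
    missing=0
    for directive in "httpd_accel_host virtual" "httpd_accel_port 80" \
                     "httpd_accel_with_proxy on" "httpd_accel_uses_host_header on"; do
        grep -Eq "^[[:space:]]*$directive([[:space:]]|$)" "$conf" \
            || { echo "missing: $directive"; missing=1; }
    done
    last=$(grep -E '^[[:space:]]*http_access' "$conf" | tail -n 1)
    case "$last" in
        *deny*all*) ;;
        *) echo "http_access list does not end with 'deny all'"; missing=1 ;;
    esac
    return $missing
}

# Print (do not run) the redirect rule for interface $1 and Squid port $2,
# so it can be reviewed or logged before it is applied.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1" "$2"
}

# Apply the rule only if it is not already present: iptables -C tests for an
# exact match, which keeps repeated init-script runs from stacking duplicates.
apply_redirect() {
    iptables -t nat -C PREROUTING -i "$1" -p tcp --dport 80 -j REDIRECT --to-port "$2" 2>/dev/null \
        || iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 80 -j REDIRECT --to-port "$2"
}

# Only touch the system when explicitly asked (needs root).
if [ "${SQUID_TP_APPLY:-0}" = "1" ]; then
    ip_forward_enabled "$IP_FORWARD_FILE" || echo 1 > "$IP_FORWARD_FILE"
    check_squid_conf "$SQUID_CONF" \
        || { echo "fix $SQUID_CONF before enabling redirection" >&2; exit 1; }
    echo "applying: $(redirect_rule "$PROXY_IFACE" "$PROXY_PORT")"
    apply_redirect "$PROXY_IFACE" "$PROXY_PORT"
fi
```

Run it as SQUID_TP_APPLY=1 sh squid-tp.sh from your init script. Because the redirect is refused while squid.conf fails the check, port-80 traffic is never diverted to a cache whose access list has not been locked down to your own addresses.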

To handle HTTPS as well (it is not really proxied, since encrypted packets cannot be inspected; they are simply forwarded), the command is as below:

# iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3128

You can also do the same for ftp (port 21).

There's one more way to handle HTTPS connections. Instead of sending them through Squid, you can NAT them. Drop the HTTPS command above and use this instead:

# iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j SNAT --to 111.222.333.444

Where 111.222.333.444 is your proxy server public IP address.

It is up to you which approach to use; there's no noticeable difference in terms of performance.
