I have a webserver with several applications of several users.
Since I'm not sure what the applications are doing and which outbound http/https traffic they produce, I want to get more control about it.
So my thought is to use an internal Squid which is only listening to 127.0.0.1:3128.
At first I just want to have a look into the access log, the second step would be a black/whitelist for securityrelevant urls and domains.
These lists should filter the outbound traffic of the apache and all the child processes (for example: one of the applications is running a curl as system call).
I already added http_proxy to /etc/sysconfig/proxy, to /etc/environment and to .bashrc of the apache system user.
Everything is worling fine when I'm using the shell, the apache doesn't use the proxy at all.
I've already restarted the apche after the changes, but without success.
By the way I have OpenSuse 11 running on the web server.
The solution: (thanks to ALex_hha, sorry I guess I was reading your answer too fast)
I entered the following iptables – rules:
iptables -t nat -I OUTPUT -p tcp --dport 80 -m owner --uid-owner apache -j DNAT --to-destination 127.0.0.1:3128
and set the Squid to transparent mode:
http_port 127.0.0.1:3128 transparent
and now it's running very fine.
Best Answer
You can redirect all outgoing http traffic to the squid. The squid should be running in transparent mode
But you can't identify from which user was the traffic. But you could try to run squid on a few ports, each one for specific user
And then redirect outgoing traffic to specific port
And use lp in the squid log format
you need to bypass all requests from squid himself
I assumed, that your instance of the squid is running under squid:squid, which is by default
Working config of the squid
Squid version and system details
Make sure that first rule in the OUTPUT chain is - "-p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT"