I'm trying to set up a transparent proxy server for content filtering using Squid 3.3.8 running on Ubuntu 14.04.5.
I want to run it as a transparent proxy alongside the clients.
i.e. the Squid server is currently running on 192.168.2.212 and the clients are also on the 192.168.2.0 range.
Other Network addresses:
Gateway: 192.168.2.254
Primary DNS: 192.168.2.12
Secondary DNS: 192.168.2.6
DHCP Server: 192.168.2.10
Ideally I'd like to change the DHCP server settings to give 192.168.2.212 as the gateway, allowing Squid to filter the requests, then allowing them to pass on to the router as normal.
I did manage to get this partially working on a test server through iptables configuring. Although it only allowed http traffic as the version of Squid I had did not have https configured.
This is my Squid config:
## Access Control Lists
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ads dstdomain "/etc/squid3/ads"
acl adsurl url_regex "/etc/squid3/adsurl"
acl aggressive dstdomain "/etc/squid3/aggressive"
acl aggressiveurl url_regex "/etc/squid3/aggressiveurl"
acl alcohol dstdomain "/etc/squid3/alcohol"
acl alcoholurl url_regex "/etc/squid3/alcoholurls"
acl anonvpn dstdomain "/etc/squid3/anonvpn"
acl anonvpnurl url_regex "/etc/squid3/anonvpnurl"
acl automobiles dstdomain "/etc/squid3/automobiles"
acl automobilesurl url_regex "/etc/squid3/automobilesurl"
acl chat dstdomain "/etc/squid3/chat"
acl chaturl url_regex "/etc/squid3/chaturl"
acl costtrap dstdomain "/etc/squid3/costtrap"
acl costtrapurl url_regex "/etc/squid3/costtrapurl"
acl dating dstdomain "/etc/squid3/dating"
acl datingurl url_regex "/etc/squid3/datingurl"
acl downloads dstdomain "/etc/squid3/downloads"
acl downloadsurl url_regex "/etc/squid3/downloadsurl"
acl drugs dstdomain "/etc/squid3/drugs"
acl drugsurl url_regex "/etc/squid3/drugsurl"
acl dynamicdns dstdomain "/etc/squid3/dynamicdns"
acl fortunetelling dstdomain "/etc/squid3/fortunetelling"
acl fortunetellingurl url_regex "/etc/squid3/fortunetellingurl"
acl forum dstdomain "/etc/squid3/forum"
acl forumurl url_regex "/etc/squid3/forumurl"
acl gambling dstdomain "/etc/squid3/gambling"
acl gamblingurl url_regex "/etc/squid3/gamblingurl"
acl hacking dstdomain "/etc/squid3/hacking"
acl hackingurl url_regex "/etc/squid3/hackingurl"
acl hobby_online_games dstdomain "/etc/squid3/hobby_online_games"
acl hobby_online_gamesurl url_regex "/etc/squid3/hobby_online_gamesurl"
acl games_misc dstdomain "/etc/squid3/games_misc"
acl games_miscurl url_regex "/etc/squid3/games_miscurl"
acl imagehosting dstdomain "/etc/squid3/imagehosting"
acl imagehostingurl url_regex "/etc/squid3/imagehostingurl"
acl models dstdomain "/etc/squid3/models"
acl modelsurl url_regex "/etc/squid3/modelsurl"
acl movies dstdomain "/etc/squid3/movies"
acl moviesurl url_regex "/etc/squid3/moviesurl"
acl music dstdomain "/etc/squid3/music"
acl musicurl url_regex "/etc/squid3/musicurl"
acl podcasts dstdomain "/etc/squid3/podca"
acl podcastsurl url_regex "/etc/squid3/podcastsurl"
acl radiotv dstdomain "/etc/squid3/radiotv"
acl radiotvurl url_regex "/etc/squid3/radiotvurl"
acl redirector dstdomain "/etc/squid3/redirector"
acl redirectorurl url_regex "/etc/squid3/redirectorurl"
acl ringtones dstdomain "/etc/squid3/ringtones"
acl ringtonesurl url_regex "/etc/squid3/ringtonesurl"
acl sex_lingerie dstdomain "/etc/squid3/sex_lingerie"
acl sex_lingerieurl url_regex "/etc/squid3/sex_lingerieurl"
acl shopping dstdomain "/etc/squid3/shopping"
acl shoppingurl url_regex "/etc/squid3/shoppingurl"
acl socialnet dstdomain "/etc/squid3/socialnet"
acl socialneturl url_regex "/etc/squid3/socialneturl"
acl spyware dstdomain "/etc/squid3/spyware"
acl spywareurl url_regex "/etc/squid3/spywareurl"
acl tracker dstdomain "/etc/squid3/tracker"
acl trackerurl url_regex "/etc/squid3/trackerurl"
acl violence dstdomain "/etc/squid3/violence"
acl violenceurl url_regex "/etc/squid3/violenceurl"
acl warez dstdomain "/etc/squid3/warez"
acl warezurl url_regex "/etc/squid3/warezurl"
acl weapons dstdomain "/etc/squid3/weapons"
acl weaponsurl url_regex "/etc/squid3/weaponsurl"
acl webmail dstdomain "/etc/squid3/webmail"
acl webmailurl url_regex "/etc/squid3/webmailurl"
acl webphone dstdomain "/etc/squid3/webphone"
acl webphoneurl url_regex "/etc/squid3/webphoneurl"
acl webradio dstdomain "/etc/squid3/webradio"
acl webradiourl url_regex "/etc/squid3/webradiourl"
acl webtv dstdomain "/etc/squid3/webtv"
acl webtvurl url_regex "/etc/squid3/webtvurl"
acl smluk src 192.168.0.0/24
acl humour dstdomain "/etc/squid3/humour"
acl humoururl url_regex "/etc/squid3/humoururl"
acl Proxy port "/etc/squid3/proxallow"
acl Allow url_regex "/etc/squid3/allow"
## Allow and Deny Lists
http_access allow Allow
http_access deny ads
http_access deny adsurl
http_access deny aggressive
http_access deny aggressiveurl
http_access deny alcohol
http_access deny alcoholurl
http_access deny anonvpn
http_access deny anonvpnurl
http_access deny automobiles
http_access deny automobilesurl
http_access deny chat
http_access deny chaturl
http_access deny costtrap
http_access deny costtrapurl
http_access deny dating
http_access deny datingurl
http_access deny downloads
http_access deny downloadsurl
http_access deny drugs
http_access deny drugsurl
http_access deny dynamicdns
http_access deny fortunetelling
http_access deny fortunetellingurl
http_access deny forum
http_access deny forumurl
http_access deny gambling
http_access deny gamblingurl
http_access deny hacking
http_access deny hackingurl
http_access deny hobby_online_games
http_access deny hobby_online_gamesurl
http_access deny games_misc
http_access deny games_miscurl
http_access deny imagehosting
http_access deny imagehostingurl
http_access deny models
http_access deny modelsurl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny movies
http_access deny moviesurl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny music
http_access deny musicurl
http_access deny podcasts
http_access deny podcastsurl
http_access deny radiotv
http_access deny radiotvurl
http_access deny redirector
http_access deny redirectorurl
http_access deny ringtones
http_access deny ringtonesurl
http_access deny sex_lingerie
http_access deny sex_lingerieurl
http_access deny shopping
http_access deny shoppingurl
http_access deny socialnet
http_access deny socialneturl
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny spyware
http_access deny spywareurl
http_access deny tracker
http_access deny trackerurl
http_access deny violence
http_access deny violenceurl
http_access deny warez
http_access deny warezurl
http_access deny weapons
http_access deny weaponsurl
http_access deny webmail
http_access deny webmailurl
http_access deny webphone
http_access deny webphoneurl
http_access deny webradio
http_access deny webradiourl
http_access deny webtv
http_access deny webtvurl
http_access deny humour
http_access deny humoururl
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access allow Proxy
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access allow smluk
http_access deny all
acl ident_aware_hosts src 198.168.0.0/24
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
#http_port 3129
#http_port 3128 intercept
http_port 3129
http_port 0.0.0.0:3128 intercept
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_certs/myCA.pem
cache_dir ufs /var/spool/squid3 100 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
## Cache Stuff
cache_dir ufs /var/spool/squid3 100 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
access_log daemon:/var/log/squid3/access.log squid
log_fqdn on
memory_pools on
memory_pools_limit none
## DNS Options
dns_timeout 10 seconds
dns_nameservers 192.168.2.12 192.168.2.6 192.168.2.3 # DNS Server
I've cleared any kind of iptables rule for the time being.
Looking on Netstat I can see the server is listening on 3128. I have tried opening up 3130 but I guess I didn't use the right format or something.
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
I've tried prerouting in iptables to intercept port 80 to port 3128 and port 443 to port 3130, but it doesn't seem to be working correctly.
This is what I've tried:
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
And:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.212:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.2.212:3130
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
Any help will be much appreciated.
Also my experience with Ubuntu/Linux in general is limited to tinkering with this server for my place of work.
Update 1
I got http working now.
I added
-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Why it worked this time and not others I don't know.
I tried redirecting 443 to 3130 using the same method but I cannot connect to any https websites still.
Best Answer
The iptables setup you tried first was correct. Just add a REDIRECT line for port 443 next to the port 80 one. You won't easily see it working, though, until the Squid part also works.
Without any ssl_bump lines in squid.conf informing Squid how to bump the traffic - SSL-Bumping will be disabled.
Also, since TLS is changing so often the Squid SSL-Bump feature has gone through many updates since 3.3.8 just to stay working with current browsers and servers. As of this writing Squid-3.5.19 or later is required. You can get a copy of that version as 'squid' package from the Debian Sid repository, but you will still have to rebuild it yourself with OpenSSL support.
The page at http://wiki.squid-cache.org/Features/SslPeekAndSplice explains how the Squid-3.5 SSL-Bump works and how to set its ssl_bump rules up.
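The answer's diagnosis (an ssl-bump https_port with no ssl_bump rules leaves SSL-Bump disabled, so nothing ever listens on 3130) can be checked mechanically before restarting Squid. The script below is an added example, not code from the question or the answer: it parses a squid.conf excerpt and a netstat listing, both constructed here to mirror the question, and reports the mismatches a practitioner would want to see (bump port without bump rules, configured ports that are not listening, no forward-proxy port next to the intercept ports, an http_access list that does not end in "deny all"). The three-line ssl_bump rule set used as the "fixed" configuration is the peek-then-bump form documented on the Squid wiki page the answer links; the function and variable names are this example's own.

```python
"""Offline sanity checks for a transparent Squid (intercept + SSL-Bump) configuration."""
import re

# Constructed excerpt modelled on the question's squid.conf (not the full file).
SAMPLE_CONF = """\
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
http_access allow localnet
http_access deny all
http_port 3129
http_port 0.0.0.0:3128 intercept
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_certs/myCA.pem
"""

# Constructed netstat output: the forward and intercept HTTP ports are up, 3130 is not.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN
"""

# Minimal peek-then-bump rule set as documented for Squid-3.5 on the SslPeekAndSplice wiki page.
BUMP_RULES = """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""


def parse_directives(text):
    """Return (directive, [args]) pairs, dropping comments and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def configured_ports(directives):
    """Map every http_port/https_port number to the set of options given on that line."""
    ports = {}
    for name, args in directives:
        if name in ('http_port', 'https_port') and args:
            port = int(args[0].rsplit(':', 1)[-1])  # accepts "3129" and "0.0.0.0:3128"
            ports[port] = set(args[1:])
    return ports


def listening_ports(netstat_text):
    """Extract local TCP ports in LISTEN state from `netstat -tln`-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r'tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN', line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def lint(conf_text, netstat_text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    directives = parse_directives(conf_text)
    findings = []
    ports = configured_ports(directives)

    # 1. An ssl-bump port without ssl_bump rules: Squid silently leaves SSL-Bump disabled.
    has_bump_port = any('ssl-bump' in opts for opts in ports.values())
    has_bump_rules = any(name == 'ssl_bump' for name, _ in directives)
    if has_bump_port and not has_bump_rules:
        findings.append('ssl-bump port configured but no ssl_bump rules: SSL-Bump is disabled')

    # 2. Squid expects a plain forward-proxy port alongside intercept ports.
    if not any('intercept' not in opts for opts in ports.values()):
        findings.append('no plain forward-proxy http_port alongside the intercept ports')

    # 3. Every configured port should actually be listening once Squid is up.
    listening = listening_ports(netstat_text)
    for port in sorted(ports):
        if port not in listening:
            findings.append(f'port {port} is configured but not listening')

    # 4. Fail closed: the last http_access rule should be "deny all".
    access = [args for name, args in directives if name == 'http_access']
    if not access or access[-1][:2] != ['deny', 'all']:
        findings.append('last http_access rule should be "deny all"')
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF, SAMPLE_NETSTAT):
        print('FINDING:', finding)
```

Run against the constructed excerpt it reports exactly the two problems the thread describes (missing ssl_bump rules, port 3130 not listening); appending the three ssl_bump lines and a LISTEN entry for 3130 clears both. On the real server, feed it the full /etc/squid3/squid.conf and the output of netstat -tln.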