Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Fri Dec 01, 2023 3:37 pm


Author Message
mandrei99
Post  Post subject: Squid http(s) transparent proxy with Juniper SRX | part 2  |  Posted: Tue May 21, 2013 5:58 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 250

Offline
 

Squid http(s) transparent proxy with Juniper SRX | part 2

How to intercept HTTP/HTTPS connections with Juniper SRX, FreeBSD and Squid -part 2
Network diagram:
Squid http(s) transparent proxy with Juniper SRX | part 2
Part 2 of this tutorial focuses on preparing the FreeBSD Squid/PF box for intercepting HTTP/HTTPS connections.
As mentioned in part 1 of this tutorial (http://forum.ivorde.ro/how-to-intercept ... 14111.html), starting with Squid version 3.2, packets arriving to SQUID port need to be destination NATed, but the difference is that squid needs to look at the nat table to see original destination IP address of each HTTP request.

This is done in order for Squid to check the destination domain IP address (from DNS records) of the request against the original destination IP (taken from the NAT table).

Since Squid cannot look at NAT table of the SRX or whatever networking device is used as in my above diagram, traffic needs to be "detoured" to PF/Squid box by the SRX. How it's done, it will be described in part 3 of this tutorial (coming soon).

Let's focus on PF firewall part.

As a side note, before I begin: squid needs the "intercept" keyword on the ports that will expect HTTP requests (GET /index.html) and not proxy requests (CONNECT http://www.site.com/index.html).

IP address of the PF/Squid FreeBSD box, as seen in the diagram is 10.1.20.2. All I know for now is that packets will be "detoured" by the SRX so all HTTP/HTTPS request reaching em0 interface will have source address from the "trust" security zone (192.168.2.x) and destination IP addresses from the "untrust"/Internet security zones. Example: from 192.168.2.67 -> 91.195.7.1:80.

Here are my PF rules to destination NAT this traffic:
Code:
# cat /etc/pf.conf
if0="em0"
if0_ip0="10.1.20.2"

rdr pass inet proto tcp from 192.168.2.0/24 to any port 80 -> 10.1.20.2 port 3128
rdr pass inet proto tcp from 192.168.2.0/24 to any port 443 -> 10.1.20.2 port 3129

pass in quick on $if0
pass out keep state


Below is an entry from the PF session state ( showing NAT) that squid will use to check original destination IP against the IP of the destination domain:
Code:
# pfctl -s state | grep 192.168.2.67
...
all tcp 10.1.20.2:3128 (91.195.7.1:80) <- 192.168.2.67:2566       ESTABLISHED:ESTABLISHED


This means that packet IP header from trust to SRX is: 192.168.2.67:2566->91.195.7.1:80
Packet IP header from SRX to PF is: 192.168.2.67:2566->91.195.7.1:80
Packet IP header from PF to Squid is: 192.168.2.67:2566->10.1.20.2:3128.

Important notes:
Squid needs read permissions to /dev/pf device in order to perform this check. Otherwise, it will fail ( I think it can be disabled with "host_verify_strict" - http://www.squid-cache.org/Doc/config/h ... fy_strict/), but it's not the purpose of this article. If it hasn't read permissions, you will see following errors in squid logs:
Code:
2013/05/07 15:34:08 kid1| PF open failed: (13) Permission denied

To allow squid read permissions to "/dev/pf" device, use chmod:
Code:
# chown root:squid /dev/pf
# chmod 0640 /dev/pf

And to make these permanent, devfs conf file (/etc/devfs.conf )has to have following two lines:
Code:
own     pf      root:squid
perm    pf      0640





Top
Display posts from previous:  Sort by  
E-mail friendPrint view

Topics related to - "Squid http(s) transparent proxy with Juniper SRX | part 2"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. Attachment(s) Squid http(s) transparent proxy with Juniper SRX | part 1

mandrei99

0

10589

Fri May 03, 2013 4:30 pm

mandrei99 View the latest post

There are no new unread posts for this topic. Attachment(s) Squid http(s) transparent proxy with Juniper SRX | part 3

mandrei99

0

9099

Fri May 24, 2013 8:32 am

mandrei99 View the latest post

There are no new unread posts for this topic. Attachment(s) Juniper SRX Branch - Blocking HTTPS websites using the AppFW (application-firewall) feature - Part 1

mandrei99

0

11136

Sat Jul 27, 2013 3:48 pm

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX Branch - Blocking HTTPS websites using the AppFW (application-firewall) feature - Part 2

mandrei99

0

6909

Sat Jul 27, 2013 3:59 pm

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX - How to collect RSI (Request Support Information) to provide it to Juniper TAC

mandrei99

0

28175

Fri Jul 12, 2013 9:46 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX: How to access/vty on the PFE from CLI

mandrei99

0

8884

Mon Jan 26, 2015 6:39 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX cluster - How the hostname is configured

mandrei99

0

6262

Sat Jan 31, 2015 7:04 pm

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX PPPoE configuration for RCS RDS provider in Romania

mandrei99

0

4423

Fri Jan 09, 2015 8:21 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper - SRX: SNMP monitoring of interface input output bytes per second

mandrei99

0

10479

Wed Oct 16, 2013 9:45 am

mandrei99 View the latest post

There are no new unread posts for this topic. How to monitor CPU usage and flow sessions via SNMP - Juniper SRX Branch - 12.1X44

mandrei99

0

14521

Tue Jun 18, 2013 6:13 pm

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO