Author: mandrei99
Post subject: Squid http(s) transparent proxy with Juniper SRX | part 3 | Posted: Fri May 24, 2013 8:32 am
Squid http(s) transparent proxy with Juniper SRX | part 3

This is the final part of this tutorial: configuring the SRX to "detour" HTTP and HTTPS traffic to the PF/Squid box.

As mentioned before, the SRX will change neither the source nor the destination IP address of the packets. Instead, it will use a different default route for them (a default route, because the destination is the Internet, not a specific IP or block).

First, we define a custom VR (instance-type forwarding: it only makes forwarding decisions for the diverted traffic and needs no interfaces assigned to it) whose default route points at the FreeBSD/Squid/PF box:
Code:
# show routing-instances SQUID-VR
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.22.3;
            qualified-next-hop 10.1.20.2 {
                preference 9;
            }
            preference 10;
        }
        route 10.1.20.3/32 next-hop 10.1.20.2;
    }
    instance-import squid-vr-default-in;
}

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-specifying-the-instance-type-for-routing-instances.html

Next, the trust zone VLAN (RVI) interface (vlan.8) needs an input filter that matches HTTP/HTTPS traffic and assigns it to the SQUID-VR routing instance as its terminating action:
Code:
# top show interfaces vlan.8
family inet {
    filter {
        input to-SQUID;
    }
    address 192.168.2.1/24;
}

Here is the filter that does the job:
Code:
# top show firewall family inet filter to-SQUID
term 0 {
    from {
        source-address {
            192.168.2.67/32;
        }
        destination-address {
            0.0.0.0/0;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then {
        routing-instance SQUID-VR;
    }
}
term default {
    then accept;
}

What the filter does is match packets from the LAN host (in my case a /32: 192.168.2.67/32), protocol TCP, any destination IP address, destination ports 80 and 443, and then assign them to the "SQUID-VR" routing instance. Basically it tells the PFE to consult this specific routing instance for the forwarding (or routing, if you prefer) decision.

Next, I create a security policy (which, unlike the firewall filter, is stateful) to allow traffic from the "trust" zone to "dmz-zone":
Code:
# top show security policies from-zone trust to-zone dmz-zone
policy any-squid-redir {
    match {
        source-address trust-all;
        destination-address any;
        application [ junos-http junos-https ];
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

The source-address match "trust-all" can be defined either in the global address book ("security address-book global") or in the source/destination zone context. Note that the destination match is "any", as the Internet is the destination.
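To make the filter-based forwarding decision concrete, here is an added Python model (not Junos code, and not part of the original post) of the to-SQUID filter and the SQUID-VR static routes above. It evaluates the filter terms in order and then does a longest-prefix, lowest-preference lookup, which shows that the qualified-next-hop 10.1.20.2 (preference 9) is the one actually used, with 10.1.22.3 (preference 10) only a lower-priority alternative. The inet.0 default route and its next-hop name "ISP-GW" are assumed, since the post does not show the main instance.

```python
import ipaddress

# Constructed model (not Junos code) of the two SRX pieces from this post:
# the stateless filter "to-SQUID" on vlan.8 and the static routes in SQUID-VR.
# Filter "to-SQUID": term 0 diverts the LAN host's web traffic to SQUID-VR,
# term default accepts everything else into the normal table (inet.0).
FILTER_TERMS = [
    {"src": "192.168.2.67/32", "dst": "0.0.0.0/0", "proto": "tcp",
     "dports": {80, 443}, "action": ("routing-instance", "SQUID-VR")},
    {"action": ("accept", "inet.0")},
]

# SQUID-VR as (prefix, next-hop, preference).  The qualified-next-hop
# 10.1.20.2 (preference 9) beats 10.1.22.3 (preference 10), so it is the
# active next-hop; the /32 keeps the Junos static default preference of 5.
SQUID_VR_ROUTES = [
    ("0.0.0.0/0", "10.1.22.3", 10),
    ("0.0.0.0/0", "10.1.20.2", 9),
    ("10.1.20.3/32", "10.1.20.2", 5),
]
# Assumed main-instance default route; the post does not show inet.0.
INET0_ROUTES = [("0.0.0.0/0", "ISP-GW", 5)]

def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def filter_action(src, dst, proto, dport):
    # Terms are evaluated in order; the first matching term terminates.
    for term in FILTER_TERMS:
        if "src" in term and not (in_net(src, term["src"]) and in_net(dst, term["dst"])
                                  and proto == term["proto"] and dport in term["dports"]):
            continue
        return term["action"]
    return ("discard", None)  # implicit discard at the end of a Junos filter

def lookup(routes, dst):
    # Longest prefix match first, then lowest preference, as the RIB does.
    cands = [(ipaddress.ip_network(p).prefixlen, -pref, nh)
             for p, nh, pref in routes if in_net(dst, p)]
    return max(cands)[2] if cands else None

def forward(src, dst, proto, dport):
    # Returns (routing table consulted, chosen next-hop) for one packet.
    action, table = filter_action(src, dst, proto, dport)
    if action == "routing-instance":
        return table, lookup(SQUID_VR_ROUTES, dst)
    if action == "accept":
        return table, lookup(INET0_ROUTES, dst)
    return None, None
```

Only TCP/80 and TCP/443 from 192.168.2.67 land in SQUID-VR; anything else from that host, and all traffic from other hosts, keeps using inet.0.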

Here is Google Chrome showing the intercepted HTTPS connection information (see the attached screenshot):

How to import the CA certificate into your browser is not explained in this tutorial.


Attachments:
squid-man-in-the-middle-chrome-cert-information.png [19.27 KiB]