Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Squid http(s) transparent proxy with Juniper SRX | part 3

This is the final part of this tutorial - Configuring the SRX to "detour" HTTP and HTTPS traffic to PF/SQUID box.


As mentioned before, the SRX will not change neither the souce nor the destination IP addresses of the packets. Instead, it will use different default route for them (default route because destination IP is the internet, not a specific IP or block).

First, we define a custom VR (type forwarding - does only forwarding for outbound traffic, doesn't need any interfaces assigned to it) that will send the traffic to default route IP of FreeBSD/Squid/PF box:

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-specifying-the-instance-type-for-routing-instances.html

Next, trust zone vlan (RVI) interface (vlan.8) needs an input filter that matches http/https traffic and assign it to SQUID-VR routing instance as terminate action:

Here is the filter that does the job:

What the filter does exactly is first match source address of the lan host (my case a /32): 192.168.2.67/32 with destination ports 80/443 and any destination IPaddress and protocol TCP. Then it assigns the packets to "SQUID-VR" routing instance. Basically it tells the PFE to look at this specific routing instance for forwarding decissions (or routing if you prefer).

Next, I create a security policy that (different from firewall filter, which is stateless) to allow traffic from "trust" zone to "dmz-zone":

The match for source address is "trust-all" and can be defined either in globall address book ("security address-book global") or in source/destination zone context. Note that the destination match is "any" as the Internet is the destination.

Here is a Google Chrome showing intercepted HTTPS connection information:


How to import the CA certificate into your browser is not explained in this tutorial.