Squid http(s) transparent proxy with Juniper SRX | part 3
This is the final part of this tutorial: configuring the SRX to "detour" HTTP and HTTPS traffic to the PF/Squid box.

As mentioned before, the SRX changes neither the source nor the destination IP address of the packets. Instead, it uses a different default route for them (a default route, because the destination is "the Internet", not a specific IP or block).
First, we define a custom VR of instance-type forwarding. This type exists for exactly this filter-based-forwarding use: it only makes forwarding decisions for the traffic a filter hands to it and needs no interfaces of its own. Its default route points at the FreeBSD/Squid/PF box. Because the instance has no interfaces it also has no directly connected routes, so the instance-import policy (squid-vr-default-in, not shown here) is what pulls the routes it needs to resolve its next hops in from another instance, normally the main inet.0 table:
Code:
# show routing-instances SQUID-VR
instance-type forwarding;
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.1.22.3;
            qualified-next-hop 10.1.20.2 {
                preference 9;
            }
            preference 10;
        }
        route 10.1.20.3/32 next-hop 10.1.20.2;
    }
    instance-import squid-vr-default-in;
}
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-specifying-the-instance-type-for-routing-instances.html
Note that the default route has two next hops: the qualified-next-hop 10.1.20.2 carries preference 9, which beats the plain next-hop 10.1.22.3 at preference 10 (in Junos the lower preference value wins), so 10.1.22.3 is only used if 10.1.20.2 becomes unreachable. What is actually active can be checked with "show route table SQUID-VR.inet.0".
Next, the trust zone RVI (vlan.8) needs an input filter that matches HTTP/HTTPS traffic and assigns it to the SQUID-VR routing instance as its terminating action:
Code:
# top show interfaces vlan.8
family inet {
    filter {
        input to-SQUID;
    }
    address 192.168.2.1/24;
}
Here is the filter that does the job:
Code:
# top show firewall family inet filter to-SQUID
term 0 {
    from {
        source-address {
            192.168.2.67/32;
        }
        destination-address {
            0.0.0.0/0;
        }
        protocol tcp;
        destination-port [ 80 443 ];
    }
    then {
        routing-instance SQUID-VR;
    }
}
term default {
    then accept;
}
What the filter does: term 0 matches packets whose source address is the LAN host (in my case a single /32, 192.168.2.67/32), whose protocol is TCP and whose destination port is 80 or 443, with any destination IP address. For those packets the terminating action is routing-instance SQUID-VR, which tells the PFE to make the forwarding (or routing, if you prefer) decision using that instance's table instead of inet.0. Everything else falls through to term default and is accepted, i.e. forwarded normally. That last term is not optional: every Junos filter ends with an implicit discard, so without it all other traffic arriving on vlan.8 would be dropped.
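To see exactly which packets the filter detours and which next hop the VR then chooses (including the fallback to the preference-10 next hop), here is an added Python model of the two decisions above. It is not part of the tutorial and not Junos code: it parses the filter and routing-instance text copied from this page into a small tree, then walks the terms and static routes the way the PFE would. The sample packets are constructed (203.0.113.0/24 is the TEST-NET-3 documentation range), and the "down" set simulates a next hop becoming unreachable.

```python
# Added example, not from the tutorial or Junos: a model of the SRX filter-based forwarding.
# The filter and routing-instance text is copied from this page, whitespace compacted.
import ipaddress
from collections import namedtuple

FILTER_CONFIG = """term 0 { from { source-address { 192.168.2.67/32; }
  destination-address { 0.0.0.0/0; } protocol tcp; destination-port [ 80 443 ]; }
  then { routing-instance SQUID-VR; } } term default { then accept; }"""
VR_CONFIG = """instance-type forwarding; routing-options { static {
  route 0.0.0.0/0 { next-hop 10.1.22.3; qualified-next-hop 10.1.20.2 { preference 9; }
                    preference 10; }
  route 10.1.20.3/32 next-hop 10.1.20.2; } instance-import squid-vr-default-in; }"""
JUNOS_DEFAULT_STATIC_PREF = 5  # preference Junos gives a static route that sets none
Packet = namedtuple("Packet", "src dst proto dport")  # constructed test traffic

def parse_junos(text):
    """Parse Junos brace syntax into a list of (words, children) statements."""
    tokens = text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split()
    pos = 0
    def block():
        nonlocal pos
        nodes = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            children = []
            if tokens[pos] == "{":
                pos += 1
                children = block()
            pos += 1  # consume the ';' or the closing '}'
            nodes.append(([w for w in words if w not in ("[", "]")], children))
        return nodes
    return block()

def child(nodes, key):  # first statement in `nodes` with keyword `key`, or None
    return next((n for n in nodes if n[0][0] == key), None)

def term_matches(from_node, pkt):
    """All conditions of a 'from' block must hold; a list of values is an OR."""
    for words, children in (from_node[1] if from_node else []):
        if words[0] in ("source-address", "destination-address"):
            addr = ipaddress.ip_address(pkt.src if words[0] == "source-address" else pkt.dst)
            if not any(addr in ipaddress.ip_network(w[0]) for w, _ in children):
                return False
        elif words[0] in ("protocol", "destination-port"):
            have = pkt.proto if words[0] == "protocol" else str(pkt.dport)
            if have not in words[1:]:
                return False
        else:
            raise ValueError(f"unsupported match condition {words[0]}")
    return True

def apply_filter(filter_nodes, pkt):
    """First matching term wins; Junos ends every filter with an implicit discard."""
    for words, children in filter_nodes:
        if words[0] == "term" and term_matches(child(children, "from"), pkt):
            then = child(children, "then")
            for (action, *arg), _ in (then[1] if then else []):
                if action == "routing-instance":
                    return words[1], action, arg[0]
                if action in ("accept", "discard", "reject"):
                    return words[1], action, None
            return words[1], "accept", None  # only modifiers such as count/log
    return None, "discard", None

def static_next_hops(vr_nodes):
    """Yield (prefix, next_hop, preference) for every next hop of every static route."""
    static = child(child(vr_nodes, "routing-options")[1], "static")
    for words, children in [s for s in static[1] if s[0][0] == "route"]:
        prefix = ipaddress.ip_network(words[1])
        if "next-hop" in words:  # one-line form: route P next-hop N; (no children)
            yield prefix, words[words.index("next-hop") + 1], JUNOS_DEFAULT_STATIC_PREF
        route_pref = int(p[0][1]) if (p := child(children, "preference")) else JUNOS_DEFAULT_STATIC_PREF
        for (kw, *rest), sub in children:
            if kw == "next-hop":
                yield prefix, rest[0], route_pref
            elif kw == "qualified-next-hop":  # may override the route's preference
                yield prefix, rest[0], int(q[0][1]) if (q := child(sub, "preference")) else route_pref

def lookup(vr_nodes, dst, down=frozenset()):
    """Longest prefix, then lowest preference among next hops not listed in `down`."""
    addr = ipaddress.ip_address(dst)
    cands = [c for c in static_next_hops(vr_nodes) if addr in c[0] and c[1] not in down]
    return max(cands, key=lambda c: (c[0].prefixlen, -c[2]))[1] if cands else None

def forward(pkt, filter_nodes, vr_nodes, down=frozenset()):
    """Ingress decision on vlan.8: run the filter, then look the route up in the table
    it picked (normal inet.0 lookups are not modelled, so next_hop stays None there)."""
    term, action, instance = apply_filter(filter_nodes, pkt)
    table = f"{instance}.inet.0" if instance else ("inet.0" if action == "accept" else None)
    return {"term": term, "table": table,
            "next_hop": lookup(vr_nodes, pkt.dst, down) if instance else None}

FILTER = parse_junos(FILTER_CONFIG)
VR = parse_junos(VR_CONFIG)
if __name__ == "__main__":  # 203.0.113.0/24 is the TEST-NET-3 documentation range
    web = Packet("192.168.2.67", "203.0.113.10", "tcp", 443)
    print(forward(web, FILTER, VR))                      # detoured, next hop 10.1.20.2
    print(forward(web._replace(dport=22), FILTER, VR))   # SSH: stays in inet.0
    print(forward(web, FILTER, VR, down={"10.1.20.2"}))  # falls back to 10.1.22.3
```

Running it shows the three cases a practitioner wants to confirm before trusting the detour: only the /32 host's TCP 80/443 lands in SQUID-VR.inet.0 with next hop 10.1.20.2, anything else (SSH, DNS, other LAN hosts) falls through term default into inet.0, and when 10.1.20.2 is taken out of the candidate set the default route silently falls back to 10.1.22.3, which is exactly when the proxy stops seeing your traffic.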
Next, I create a security policy to allow the traffic from the "trust" zone to the "dmz-zone". A security policy is different from a firewall filter: the filter is stateless and works per packet, while the policy is stateful and is evaluated once per session:
Code:
# top show security policies from-zone trust to-zone dmz-zone
policy any-squid-redir {
    match {
        source-address trust-all;
        destination-address any;
        application [ junos-http junos-https ];
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}
The source address "trust-all" can be defined either in the global address book ("security address-book global") or in the address book of the source zone. Note that the destination match is "any", because the destination IP is still the Internet host: the SRX picks the to-zone from the egress interface that the route lookup in SQUID-VR selects (the one facing the Squid box in dmz-zone), not from the destination address.
Here is a Google Chrome screenshot showing the intercepted HTTPS connection information:
How to import the CA certificate into your browser is not explained in this tutorial; until the CA that Squid signs with is trusted by the client, every intercepted HTTPS site will show a certificate warning.