
    Help on Proxy Server Configuration


    I need help on the configuration of my Proxy Server with Firewall. I am trying to configure it to work as a transparent proxy.

    My problem is that I can't access any https: sites transparently, only http: sites.
    https: sites can be accessed only if the proxy is configured manually on the user's PC.

    Server Configuration:
    OS - Debian Etch 2.6
    Proxy - Squid 2.6
    Firewall - Shorewall 3.2

    Here are my shorewall files and squid configuration

    /etc/shorewall/interfaces
    Code:
    #ZONE	INTERFACE	BROADCAST	OPTIONS
    # eth0 faces the Internet (zone net); eth1 faces the LAN (zone loc).
    net	eth0		detect
    # routeback lets packets that arrive on eth1 be sent back out eth1 again
    # (needed for the eth1 -> eth1 masq entry); blacklist enables Shorewall's
    # blacklist checking on this interface.
    loc	eth1		detect		routeback,blacklist
    /etc/shorewall/zones
    Code:
    #ZONE	TYPE		OPTIONS		IN			OUT
    #					OPTIONS			OPTIONS
    # fw is the firewall host itself; it is referenced as $FW in policy and rules.
    fw	firewall
    net	ipv4
    loc	ipv4
    /etc/shorewall/masq
    Code:
    #INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
    # Masquerade traffic from hosts behind eth1 when it leaves via eth0.
    eth0			eth1
    # Hairpin: LAN traffic that re-enters the LAN via eth1 is source-NATed to
    # 192.168.0.1 (relies on the routeback option on eth1 in interfaces).
    eth1			eth1		192.168.0.1
    /etc/shorewall/policy
    Code:
    #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
    #						LEVEL
    # Every policy below is logged at level info, which can be noisy for the
    # two ACCEPT policies covering all LAN traffic.
    
    loc		net		ACCEPT		info
    # The LAN may reach ANY service on the firewall host (including Squid on
    # 3128); narrow this to specific rules if the host runs other services.
    loc		$FW		ACCEPT		info
    
    $FW		all		ACCEPT		info
    
    # Inbound from the Internet is rejected unless a rule in rules opens it.
    net		all		REJECT		info
    
    # Default for anything not matched above.
    all		all		DROP		info
    /etc/shorewall/rules
    Code:
    #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
    #						PORT(S)	PORT(S)		DEST		LIMIT		GROUP
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    # HTTPS from the LAN goes straight out to the Internet (masqueraded); it is
    # not redirected to Squid, so https only reaches the proxy when a browser is
    # configured to use it explicitly (CONNECT on 3128).
    ACCEPT:info	loc		net		tcp	443
    
    # Only plain HTTP (service www = tcp/80) is intercepted into Squid on 3128.
    # Destinations in 192.168.0.1/23 are excluded; note the host bits in that
    # prefix (it denotes 192.168.0.0/23) and that it does not match the
    # 192.168.0.1-192.168.15.255 range used for our_networks in squid.conf.
    REDIRECT 	loc		3128		tcp	www	-	!192.168.0.1/23
    # Lets the firewall host (Squid) fetch pages upstream.
    ACCEPT		$FW		net		tcp	www
    
    # Opens tcp/443 on the firewall host to the Internet; nothing here shows a
    # service on 443, so confirm this is intended rather than exposing one.
    ACCEPT:info	net		$FW		tcp	443
    ACCEPT:info	$FW		loc		tcp	443
    ACCEPT:info	$FW		net		tcp	443
    
    # Internet -> firewall SSH is silently dropped (changes the net policy's
    # REJECT to DROP for port 22 only).
    DROP	net		$FW		tcp	22
    # Blocks direct outbound SMTP from LAN hosts.
    DROP	loc		net		tcp	25
    /etc/squid/squid.conf
    Code:
    # Intercepts the plain-HTTP traffic the shorewall REDIRECT rule sends to 3128.
    # As far as I can tell Squid 2.6 transparent mode handles HTTP only; TLS
    # cannot be intercepted this way, which matches the https symptom.
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    access_log /var/log/squid/access.log squid
    hosts_file /etc/hosts
    # Every request is passed through the squidGuard redirector (URL filtering).
    url_rewrite_program /usr/bin/squidGuard
    url_rewrite_children 5
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern .		0	20%	4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    # Ports a CONNECT tunnel may target; anything else is refused below.
    acl SSL_ports port 443		# https
    acl SSL_ports port 563		# snews
    acl SSL_ports port 873		# rsync
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl Safe_ports port 631		# cups
    acl Safe_ports port 873		# rsync
    acl Safe_ports port 901		# SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    # http_access is evaluated top to bottom; the deny lines must stay ahead of
    # the allow for our_networks.
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # Clients allowed to use the proxy; keep this in step with the LAN range
    # the shorewall REDIRECT rule covers.
    acl our_networks src 192.168.0.1-192.168.15.255
    http_access allow our_networks
    http_access allow localhost
    http_access deny all
    http_reply_access allow all
    # ICP queries are accepted from any source; presumably only LAN hosts can
    # reach the ICP port given the net -> all REJECT policy in shorewall.
    icp_access allow all
    cache_effective_group proxy
    coredump_dir /var/spool/squid

    Hi,

    You can't cache SSL traffic (the proxy can't see inside the encrypted connection). You need to forward it through your firewall directly, only NATing it on the way. Not sure how to do that in Shorewall.
