• March 28, 2024, 11:48:03 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Pages: [1] 2

Author Topic: Pass HTTP traffic through Squid  (Read 22502 times)

Brasse

  • Level 1 Member
  • *
  • Posts: 20
Pass HTTP traffic through Squid
« on: November 23, 2010, 05:35:56 AM »

I have squid installed and running, port 3128, on a Ubuntu Linux server. and i want to pass all HTTP traffic through that without setting up proxy on each client.

How do i configure my DFL-800 to use my Squid proxy server?
Logged

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Pass HTTP traffic through Squid
« Reply #1 on: November 24, 2010, 02:52:00 PM »

maybe a policy based routing rule to send the http traffic to the proxy, maybe need a NAT rule to translate source address
Logged

navi

  • Level 1 Member
  • *
  • Posts: 17
Re: Pass HTTP traffic through Squid
« Reply #2 on: November 29, 2010, 08:15:35 AM »

I was looking for this option for a long time.

Unfortinatly, only solution that I've found is to set proxy for each browser with GPO (i have domain with active directory).

Browsers can search for atomatic proxy configuration, but this option is usually disabled (depend on browser version). If you want to use automatic proxy detection, you have to configure your dns and www server. Browser will ask http://wpad.localdomain/wpad.dat or http://wpad.localdomain/proxy.pac and need to get back file with script like:

 function FindProxyForURL(url, host) {
      // our local URLs from the domains below example.com don't need a proxy:
      if (shExpMatch(url,"*.example.com/*"))                  {return "DIRECT";}
      if (shExpMatch(url, "*.example.com:*/*"))               {return "DIRECT";}
 
      // URLs within this network are accessed through
      // port 8080 on fastproxy.example.com:
      if (isInNet(host, "10.0.0.0",  "255.255.248.0"))    {
         return "PROXY fastproxy.example.com:8080";
      }
 
      // All other requests go through port 8080 of proxy.example.com.
      // should that fail to respond, go directly to the WWW:
      return "PROXY proxy.example.com:8080; DIRECT";
   }

You can configure proxy with dhcp options. Unfortinatly code 252 is not suported with DFL-800 dhcp server.


Navi
Logged

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: Pass HTTP traffic through Squid
« Reply #3 on: December 17, 2010, 02:09:27 PM »

why not redirect all http traffic to the proxy using ip rules ?
Logged

Woodjitsu

  • Level 1 Member
  • *
  • Posts: 2
Re: Pass HTTP traffic through Squid
« Reply #4 on: December 20, 2010, 04:21:20 AM »

I have just been asked this same question by some else that we deal with here locally.  While I do not have this setup and know very little about Linux / Squid this is what I would try.

1: NAT rule to pass all HTTP traffic FROM the proxy Squid server to the WAN interface
2: SAT rule to pass all HTTP traffic FROM the lannet network to the Squid Server.  Make sure you also translate the port number from 80 to 3128.
3. Corresponding Allow rule for the above SAT rule.
Logged

Brasse

  • Level 1 Member
  • *
  • Posts: 20
Re: Pass HTTP traffic through Squid
« Reply #5 on: December 20, 2010, 08:28:57 AM »

Yeah that sounds like what i want to do.

I have tried  to set it up like this, what am i doing wrong?



The squid server is on the address book item i call "server_albin"
Logged

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Pass HTTP traffic through Squid
« Reply #6 on: December 20, 2010, 10:12:58 AM »

try this


https://forums.clavister.com/viewtopic.php?f=8&t=3422
Logged

Brasse

  • Level 1 Member
  • *
  • Posts: 20
Re: Pass HTTP traffic through Squid
« Reply #7 on: December 28, 2010, 07:10:33 AM »

Thanks. I have some progress.
Now i get "Timed out" when trying to access a web site from any browser with the rules enabled. However i cant see anything in the /var/log/squid3/*.log -files

When i manually set the proxy in a browser it works fine.

It seems that traffic is not translated to server_albin:3128

Current settings:



Any ideas ?
Logged

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: Pass HTTP traffic through Squid
« Reply #8 on: December 29, 2010, 12:06:25 PM »

can you tell me where is the squid located ?
is it on the same interface than the local computer or on another interface of the DFL ?
If located on diffrent interface be sure that squid can access to internet throught that interface.

The best solution will be to locate squid on a different interface on the dfl.
Allow squid to access to internet through that interface and to redirect all outgoing traffic from the local computer to internet to that squid linux ....
Logged

navi

  • Level 1 Member
  • *
  • Posts: 17
Re: Pass HTTP traffic through Squid
« Reply #9 on: December 30, 2010, 08:30:05 AM »

Now I see that this solution makes sence. After SAT of destination IP and port, server with squid should get http request for example.com website.

I tied to set up this with no luck:(
Squid access.log doesn't show any requests.
I've run tcpdump on squid server and I never recive any request. It looks like SAT on DLF-800 doesn't work properly.

My configuration (set up this rules as 3 first to make sure that no other configuration affect):

1  SAT   lan:10.0.0.11        *:0.0.0.0/0            "http"
   SETDEST 192.0.0.20:3128 (All to one)
2  Allow lan:10.0.0.10-.100        *:0.0.0.0/0            "http"
3  NAT dmz:192.0.0.20    *:0.0.0.0/0    "http"


When I set up proxy i browser everything work just fine.
Logged

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: Pass HTTP traffic through Squid
« Reply #10 on: January 02, 2011, 04:52:59 PM »

here is the topology I think should work.
your local network is on lan interface and has lan_ip as default gw.
your proxy is on dmz and has dmz_ip as gw

first rule to create is:
lan/lannet sat http wan1/all-nets  dest :IP of squid on dmz

second rule
lan/lannet allow http dmz/dmznet

if the squid is also dns proxy then create a service object that include all squid services to redirect.

third rule

dmz/dmznet nat all_services wan1/all_nets




Logged

navi

  • Level 1 Member
  • *
  • Posts: 17
Re: Pass HTTP traffic through Squid
« Reply #11 on: January 03, 2011, 03:42:20 AM »

here is the topology I think should work.
your local network is on lan interface and has lan_ip as default gw.
your proxy is on dmz and has dmz_ip as gw

My proxy is on dmz but it is configure in transparent mode so it has my isp gw
as default gw.



first rule to create is:
lan/lannet sat http wan1/all-nets  dest :IP of squid on dmz

second rule
lan/lannet allow http dmz/dmznet

if the squid is also dns proxy then create a service object that include all squid services to redirect.

third rule

dmz/dmznet nat all_services wan1/all_nets

DNS server is in lannet.

-------EDIT---------
This solution has an error. Theoretical example:
Localnet 10.0.0.0/24
DMZ: 192.168.0.0/24
1.Host from lannet sends a packet to google.com
10.0.0.11:1099 => 209.85.149.99:80
2. According to 1 and 2 rule the traffic would be redirected to dmz server
10.0.0.11:1099=> 192.168.0.5:3128
3. After squid complete request for google.com it sends data back to host
192.168.0.5:3128 => 10.0.0.11:1099

Because host expects on port 1099 traffic from 209.85.149.99 he ignores traffic coming from
192.168.0.5.

We can use nat instead of allow rule, but then we lose ACL posibilities on squid (we will always
see dfl-800 lannet ip as source address.

---------------------------------------------------------


I turn on logging on dfl-800 for my Sat and Allow rules with alert category and this is what I get:

Date     Severity     Category/ID     Rule     Proto     Src/DstIf     Src/DstIP     Src/DstPort     Event/Action
2011-01-03 12:18:39    Alert    CONN 600001    wwwallow    TCP    lan wan1    10.0.0.11 213.180.146.27    4233
80    conn_open
satdestrule=TransparentProxy conn=open

So traffic is allowed and SAT rule (which name is "transparentProxy") is applied, but after that,
there is no traffic between dfl-800<->proxy in dmz.

My dmz server ip is not 192.0.0.20 as I written before but it has public IP address from WAN1 subnet,
and I have a switch route for group(wan1,dmz) in main routing table, so dmz is not behind NAT.

Is this a reason why I dont get any requests on proxy server ?  
(DLF-800 firmware is 2.27.02.11-14417).

thanks in advance,
Navi









« Last Edit: January 04, 2011, 02:23:32 AM by navi »
Logged

Brasse

  • Level 1 Member
  • *
  • Posts: 20
Re: Pass HTTP traffic through Squid
« Reply #12 on: January 04, 2011, 02:17:06 AM »

Squid is located on the same net as everything else.. Except for WAN1 of course.

DMZ is not an option here :(
Logged

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: Pass HTTP traffic through Squid
« Reply #13 on: January 06, 2011, 05:01:13 AM »

For Brasse, I don't think you can fullfill the scénario. I will make a lab test and get back asap.

for navi : let me undersatand your topology.

from lan to wan1 : nat is applied.
from dmz to wan1 transparent mode is running.

logs refered to a trafic sent from 10.x.x.x network to internet via port 80.
and your computer is expecting reply on port 1099.
On the sat rule did you set the new port to be 1099?

Can you modify the first sat rule accordingly and let us know the result.
also please provide logs

Logged

navi

  • Level 1 Member
  • *
  • Posts: 17
Re: Pass HTTP traffic through Squid
« Reply #14 on: January 18, 2011, 02:36:27 AM »

for navi : let me undersatand your topology.

from lan to wan1 : nat is applied.
from dmz to wan1 transparent mode is running.


Yes:
lan to wan1 NAT
dmz to wan1 TRANSPARENT

logs refered to a trafic sent from 10.x.x.x network to internet via port 80.
and your computer is expecting reply on port 1099.
On the sat rule did you set the new port to be 1099?

That was an example to show that this configuration should not work at all.
Windows hosts use port range above 1000 for replays, thats why I said
1099 in example.

Please study this theoretical example one more time:
Localnet 10.0.0.0/24
DMZ: 192.168.0.0/24
lan to wan1 NAT
dmz to wan1 NAT
lan to dmz Allow

1.Host from lannet sends a packet to google.com
10.0.0.11:1099 => 209.85.149.99:80
2. According to 1 and 2 rule the traffic would be redirected to dmz server
10.0.0.11:1099=> 192.168.0.5:3128
3. After squid complete request for google.com it sends data back to host which made a request
192.168.0.5:3128 => 10.0.0.11:1099

Because host expects on port 1099 traffic from 209.85.149.99 he ignores traffic coming from
192.168.0.5.
BTW TCP 3-way handshake would never succeed if host A sends data to B, and gets an answer
from host C.

Please correct me if I'm wrong.
Logged
Pages: [1] 2