
List:       squid-users
Subject:    Re: [squid-users] OpenBSD and pf - Transparent proxy
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2008-04-28 14:35:55
Message-ID: 4815E0CB.4080006 () treenet ! co ! nz

Chris Benesch wrote:
> This is how to set up a transparent proxy with OpenBSD, pf, and Squid.
> 
> A transparent proxy is a proxy that intercepts all connections out of a
> network on port 80.  The reason that I wanted to have a transparent proxy is
> because I wanted to cache all IPv4 traffic and allow IPv6 traffic to flow
> unimpeded.  I have the OpenBSD box running a NAT with the cable company,
> serving a web site, and acting as a router for an IPv6 tunnel and my own /64
> I was assigned by my tunnel broker.
> 
> I am using squid-2.6STABLE19 and OpenBSD 4.1, MP kernel.
> 
> <root:openbsd> [/root]
>> uname -a
> OpenBSD maricopacomputer.com 4.1 GENERIC.MP#1225 i386
> 
> First, compile and install Squid. I used the following options: ./configure
> --prefix=/var/squid --with-pthreads --enable-pf-transparent (obviously the
> prefix is entirely up to the user's choice).
> 
> Then inside squid.conf, all of the options are pretty much boilerplate
> except for the following:
> 
> acl our_networks src 192.168.231.0/24 >>127.0.0.1<<
> http_access allow our_networks
> 
> You must add 127.0.0.1 to your acl.
> 
> # Squid normally listens to port 3128
> http_port 192.168.231.1:3128 transparent
>>> http_port 127.0.0.1:3128 transparent<<
> 
> I had to have it listen on two IP addresses, one of which being localhost.
> Also note the transparent keyword at the end.
> 
> Then in pf.conf, the following changes need to be made.
> 
> In the top portion where you set skip on your internal interfaces, remove
> those lines.  Those lines tell the pf filter not to do any processing on
> packets coming in on an internal interface.
> #set skip on $int_if << These lines commented out 
> #set skip on $wi_if
> 
> # redirect only IPv4 web traffic to squid 
> rdr pass inet proto tcp from 192.168.231.0/24 to any port 80 -> 127.0.0.1
> port 3128

Does it work if you omit the 127.0.0.1 bits?

We don't exactly want to recommend people route external 'random' 
packets into the highly-trusted localhost zones.

> 
> block in
> pass in quick on $int_if
> pass in quick on $wi_if
> pass out keep state
> 
> Some pointers:
> 
> 1. Use "rdr pass" instead of "rdr on ...". Because of the way that pf
> evaluates packets, it would drop through and be allowed as is instead of
> redirected if you don't use "rdr pass".
> 2. Make sure to add the pass in quick lines. Myself, I have two internal
> interfaces, one for wired and one for wireless internet. Although there is
> a bridge configured, strange things happen sometimes when you don't
> explicitly allow all traffic on both interfaces. If you don't add these
> lines, you will lose local network connectivity and have to go to the
> console to figure it out.
> 3. If it seems to be ignoring your changes and no redirection is happening,
> make sure you removed the set skip on ... lines.
> 4. To test if it worked, use the nc utility. From the command line type in
> (as root) nc -l 3128 (with squid stopped, of course) and then try to navigate
> to a page with it running. You should see an output like this:
> 
> <root:openbsd> [/root]
>> nc -l 3128
> GET /mail/?ui=pb HTTP/1.1
> User-Agent: Mozilla/5.0 (compatible; GNotify 1.0.25.0)
> Host: mail.google.com
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: GV=XXXXXXXX...You get the picture
> 
> 
> From there on out, just set your browsers up normally with no proxy server,
> and you should see the cache fill up and your browsing speed up.
> 


-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
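The following is an added example, not written by either poster, showing how the pf.conf and squid.conf fragments from the thread look when the redirect target is the box's own internal address rather than 127.0.0.1, which is the variant Amos asks about above. The interface name fxp0, the $int_net and $proxy macros, and the `no rdr` exemption for the web site served on the same box are assumptions added here; the addresses and port numbers are the ones from the original post.

```conf
# --- pf.conf (OpenBSD 4.1-era syntax; added example, not from the thread) ---
# Interface name and macro names are assumptions.
int_if  = "fxp0"
int_net = "192.168.231.0/24"
proxy   = "192.168.231.1"      # the box's own LAN address, where Squid listens

# The internal interface must stay under pf's control, so there is
# deliberately no "set skip on $int_if" line here.

# Translation rules are first-match. Exempt requests aimed at the web site
# served on this box itself, otherwise Squid would be handed its own traffic
# (assumed exemption, not discussed in the thread).
no rdr on $int_if inet proto tcp from $int_net to $proxy port 80

# Intercept only IPv4 web traffic from the LAN and hand it to Squid on the
# LAN address, not on 127.0.0.1. "inet" leaves IPv6 untouched; "rdr pass"
# keeps the redirected packet from falling through to the filter rules.
rdr pass on $int_if inet proto tcp from $int_net to any port 80 -> $proxy port 3128

block in
pass in quick on $int_if
pass out keep state

# --- squid.conf (only the non-boilerplate lines) ---
# acl our_networks src 192.168.231.0/24
# http_access allow our_networks
# http_port 192.168.231.1:3128 transparent
```

With this layout nothing is redirected into the loopback address, so 127.0.0.1 does not need to appear in the ACL or in a second http_port line; Squid only ever sees connections that arrived on the LAN interface from $int_net. The `nc -l 3128` check from the original post still applies unchanged, since the listener simply binds to the LAN address instead of localhost.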