This document explains how to set up a web proxy on the internal network so that it can act as a configured proxy as well as a transparent network proxy, including both http and https traffic. Exceptions for sites (destinations) as well as clients can be configured.

Architecture

A dd-wrt router is the heart of the example network, at 192.168.1.2. The proxy server at 192.168.1.82 provides both transparent proxy and configured proxy behavior. The router is set up with dd-wrt firmware: DD-WRT v3.0-r43055 big (05/05/20) and contains a firewall start script (`nvram get rc_firewall`) which forces all World Wide Web traffic (tcp ports 80 and 443) to the transparent proxy.

```sh
# rc_firewall: exempt a few sources, mark the remaining web traffic and
# route marked connections to the proxy through routing table 2
iptables -t mangle -I PREROUTING 2 -p tcp -m multiport --dports 80,443 -s $OBI_IP -j ACCEPT
iptables -t mangle -I PREROUTING 3 -p tcp -m multiport --dports 80,443 -s $CHROMECAST_IP -j ACCEPT
iptables -t mangle -I PREROUTING 5 -p tcp -m multiport --dports 80,443 -s $PROXY_IP -j ACCEPT
iptables -t mangle -I PREROUTING 6 -p tcp -m multiport --dports 80,443 ! -s $PROXY_IP -j MARK --or 3
iptables -t mangle -I PREROUTING 7 -p tcp -m multiport --dports 80,443 -j CONNMARK --save-mark
ip route add $WEB_SERVER via $WEB_SERVER dev br0 table 2
ip route add default via $PROXY_IP dev br0 table 2
```

The MARK rule performs a logical OR to set just a few binary flags, so it does not merely "set" all the flags. The web server steps are there to ensure that incoming web traffic gets to the web server. Observe that CHROMECAST_IP is granted ACCEPT in the firewall. The Chromecast device is given a reserved IP address in DHCP, which is described later.

An attempt was made to perform logging on the router level, and while this provides IP addresses, it was not sufficient for the needs of this project.

Configuring the proxy server

First, configure the firewall. Set the contents of file /etc/firewalld/direct.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- table/chain assumed: REDIRECT is only valid in the nat PREROUTING chain -->
  <rule priority="0" table="nat" ipv="ipv4" chain="PREROUTING">-i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3130</rule>
  <rule priority="0" table="nat" ipv="ipv4" chain="PREROUTING">-i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3129</rule>
</direct>
```

I was unable to find any other mechanism within firewalld that works for getting the traffic transparently to squid (i.e., that keeps the client IP address).

Also allow a few services and additional ports.

```sh
firewall-cmd --permanent --add-service=http --add-service=https --add-service=squid --add-port=3129/tcp
firewall-cmd --permanent --add-port=3130/tcp --add-port=3129/tcp
```

Configure squid itself. See weblink 7. An important consideration is to keep the work computer's vpn uninterrupted. Additionally, the Chromecast materials may be out of date, but Youtube is still important. Several comments in this file demonstrate which lines are important to that end.

```
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl Safe_ports port 1025-65535 # unregistered ports

# intercept listener for the 443 -> 3129 redirect (directive line assumed;
# the cert, key and cafile options are the ones given in the post)
https_port 3129 intercept ssl-bump \
  cert=/etc/pki/tls/certs/.pem \
  key=/etc/pki/tls/private/-nopw.key \
  cafile=/etc/pki/tls/certs/ \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl SAFE_sites ssl::server_name.
acl DIRECT_sites_name dstdomain .discord.gg
ssl_bump splice DIRECT_sites DIRECT_site_clients
ssl_bump bump all # needed for youtube somehow

strip_query_terms off # This will allow checking which youtube URLs were visited by user
```

The certificate used here is described in a few steps. The cafile used is the root CA cert for the entire FreeIPA infrastructure in the example network. Without this configuration, it is possible that clients who trust the root CA would still not trust the web traffic because squid would have an incomplete cert chain.

The dynamic ssl certificate database needs to be initialized outside of squid itself.

```sh
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
```

Without this step, squid could fail to start, or it could fail with an error about crashing too rapidly after so long.

Getting a valid ssl certificate for squid

See post Getting a valid subCA certificate for squid from FreeIPA.

Operations

Check which URLs are being visited:

```sh
# tail -f /var/log/squid/access.log | grep -iE '200 + GET https?:\/\/+'
```

A few possible changes are described below. It is probable that in the future I will want to make changes.
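The visibility side of the squid configuration above (bumping everything, keeping query terms, splicing a few destinations), as an added example that is not part of the original post: a small parser over constructed access.log lines in squid's native format showing which YouTube video ids each client fetched, and that spliced destinations such as discord.gg show up only as CONNECT tunnels with a hostname. The log lines, client addresses and video ids are made up for the example.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in squid's native log format:
# time elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1719000000.101    312 192.168.1.50 TCP_MISS/200 48213 GET https://www.youtube.com/watch?v=dQw4w9WgXcQ - HIER_DIRECT/142.250.72.14 text/html
1719000003.402     95 192.168.1.50 TCP_MISS/200 1183 GET https://www.youtube.com/api/stats/watchtime?v=dQw4w9WgXcQ&el=detailpage - HIER_DIRECT/142.250.72.14 text/plain
1719000010.771    210 192.168.1.61 TCP_MISS/200 51002 GET https://www.youtube.com/watch?v=9bZkp7q19f0 - HIER_DIRECT/142.250.72.14 text/html
1719000012.009     40 192.168.1.61 TCP_MISS/403 812 GET https://www.youtube.com/watch?v=denied00000 - HIER_DIRECT/142.250.72.14 text/html
1719000015.300   5000 192.168.1.70 TCP_TUNNEL/200 9821 CONNECT discord.gg:443 - ORIGINAL_DST/162.159.128.233 -
1719000016.001     12 192.168.1.50 TCP_MISS/200 300 GET https://www.youtube.com/watch? - HIER_DIRECT/142.250.72.14 text/html
"""


def parse_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    return {"client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6]}


def youtube_video_ids(log_text):
    """Map client IP -> set of YouTube video ids seen in successful GETs.
    The id lives in the query string, which is why strip_query_terms stays
    off: a stripped URL such as 'watch?' yields nothing."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        if host != "youtube.com" and not host.endswith(".youtube.com"):
            continue
        for vid in parse_qs(parts.query).get("v", []):
            seen[rec["client"]].add(vid)
    return dict(seen)


def spliced_hosts(log_text):
    """Destinations that were only spliced: logged as CONNECT host:port, never a URL."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return sorted({r["url"].rsplit(":", 1)[0] for r in recs if r and r["method"] == "CONNECT"})


if __name__ == "__main__":
    for client, ids in sorted(youtube_video_ids(SAMPLE_LOG).items()):
        print(client, sorted(ids))
    print("spliced (hostname only):", spliced_hosts(SAMPLE_LOG))
```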