Dear community,
I am taking my first steps in FreeBSD server administration to improve my administration/security skills and learn something new, because I like it. I need a transparent Squid to intercept all HTTP connections without having to set up a proxy directly in the OS or a browser. I use PF as a firewall / NAT.
I have installed Squid using a binary package (# pkg install squid). The installed version is:
squid-4.11_2 (running on release FreeBSD 12.1 with the latest security patches)
What works:
- the service is enabled in rc.conf and starts with the OS
- squid in non-transparent mode (proxy set up directly in a browser) works as expected
- rdr on PF (the connection timeout error appears when intercepted by Squid); the same request works well in non-transparent mode (explicit browser setup)
The service has two open ports:
- 3127 for PF redirection
- 3128 for explicit connections
The PF redirection rule looks like this (seems to be fine):
Code:
rdr pass on $int_if proto tcp from $localnet to any port http -> 192.168.0.1 port 3127
The squid http listener is defined the following way (/usr/local/etc/squid.conf):
Code:
http_port 192.168.0.1:3128
http_port 192.168.0.1:3127 intercept
cache_mem 128 MB
connect_timeout 10 seconds
The problem is that I get a connection timeout when HTTP is intercepted via the transparent proxy (Squid error).
The questions:
1. Does the official package squid-4.11_2 support access to /dev/pf for transparent interception (--enable-pf-transparent)? I'm aware this option is required to make it work well, which, as it seems to me, should be supported by default (why not?). How can I check the options used to compile a package? I'm aware that mixing ports with binary packages is not recommended practice, and I prefer to use binary packages (not having compilers installed on my server makes it more secure). I suppose that I might be missing something in my squid.conf.
I will be grateful for advice.
Regards,
Marcin Górski
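The post asks how to verify the compile options of a binary package and whether the intercept listener lines up with the PF rdr rule. The following is an added example (not code from the post or from the Squid project) that answers both from text you feed it: it greps the "configure options" line that `squid -v` prints for `--enable-pf-transparent`, extracts the port of the `intercept` listener from squid.conf, extracts the target port of the rdr rule, and compares them. It also checks whether /dev/pf is readable, since Squid's PF intercept mode reads the original destination from that device and the Squid PF guide requires the squid user to have read access to it. The sample `squid -v` output, squid.conf and rdr rule embedded below are constructed from the post so the script runs offline; on the real host, pipe in `squid -v`, /usr/local/etc/squid.conf and `pfctl -sn` instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks, from text fed on
# stdin, whether a Squid build advertises PF transparent-interception
# support and whether the squid.conf intercept listener and the PF rdr
# target agree on the port. The samples are constructed from the post.

# Constructed sample of `squid -v` output. Only the flags relevant here
# are listed; a real FreeBSD package prints many more.
SAMPLE_SQUID_V="Squid Cache: Version 4.11
Service Name: squid
configure options:  '--prefix=/usr/local' '--enable-pf-transparent' '--with-nat-devpf'"

# Constructed sample squid.conf (the listener lines from the post).
SAMPLE_SQUID_CONF="http_port 192.168.0.1:3128
http_port 192.168.0.1:3127 intercept
cache_mem 128 MB
connect_timeout 10 seconds"

# Constructed sample rdr rule (from the post). Single quotes keep the
# $int_if / $localnet macros literal.
SAMPLE_RDR='rdr pass on $int_if proto tcp from $localnet to any port http -> 192.168.0.1 port 3127'

# has_pf_transparent: read `squid -v` output on stdin; succeed (exit 0)
# only if the build was configured with --enable-pf-transparent.
has_pf_transparent() {
    grep -q -- '--enable-pf-transparent'
}

# intercept_port: read squid.conf on stdin; print the port of the first
# http_port line carrying the "intercept" flag (prints nothing if none).
intercept_port() {
    awk '$1 == "http_port" && $3 == "intercept" { sub(/.*:/, "", $2); print $2; exit }'
}

# rdr_target_port: read a PF rdr rule on stdin; print the destination
# port, i.e. the last word of "-> addr port N".
rdr_target_port() {
    awk '$1 == "rdr" { print $NF; exit }'
}

# dev_pf_readable: Squid's intercept mode looks up the original destination
# through /dev/pf, so the device must be readable by the user Squid runs
# as. Only meaningful when run on the FreeBSD host as that user.
dev_pf_readable() {
    [ -c /dev/pf ] && [ -r /dev/pf ]
}

# Run the checks against the constructed samples.
if printf '%s\n' "$SAMPLE_SQUID_V" | has_pf_transparent; then
    echo "build: --enable-pf-transparent present"
else
    echo "build: --enable-pf-transparent MISSING (intercept on PF cannot work)"
fi

sq_port=$(printf '%s\n' "$SAMPLE_SQUID_CONF" | intercept_port)
pf_port=$(printf '%s\n' "$SAMPLE_RDR" | rdr_target_port)
if [ -n "$sq_port" ] && [ "$sq_port" = "$pf_port" ]; then
    echo "ports: squid intercept listener $sq_port matches rdr target $pf_port"
else
    echo "ports: mismatch (squid intercept=$sq_port, rdr target=$pf_port)"
fi

if dev_pf_readable; then
    echo "/dev/pf: readable by $(id -un)"
else
    echo "/dev/pf: not readable by $(id -un) (or not on this host)"
fi
```

On the server, `squid -v | has_pf_transparent` (after sourcing the functions) answers the build question directly; the package's own option switches are listed by `pkg query '%Ok=%Ov' squid` or `pkg info -f squid`, which is how to inspect a binary package's build options without installing ports or a compiler. Run the /dev/pf check as the user Squid runs as, not as root, because root will always be able to read the device.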