Transparent squid installed from official binary package does not intercept

mar.gorski

New Member


Messages: 7

Dear community,
I am taking my first steps in FreeBSD server administration to improve my administration/security skills and learn something new, because I like it. I need a transparent Squid to intercept all HTTP connections without the necessity to set up a proxy directly in the OS or a browser. I use PF as a firewall / NAT.

I have installed Squid using a binary package (# pkg install squid). The installed version is:
squid-4.11_2 (running release FreeBSD 12.1 with the latest security patches)

What works:
- the service is enabled in rc.conf and starts with the OS
- squid in non-transparent mode (proxy is set up directly in a browser) works as expected
- rdr on PF (the connection timeout error appears while intercepted by Squid); the same request works well in non-transparent mode (explicit browser setup)

The service has two open ports:
- 3127 for PF redirection
- 3128 for explicit connections

The PF redirection rule is as follows (seems to be fine):
Code:
rdr pass on $int_if proto tcp from $localnet to any port http -> 192.168.0.1 port 3127
The squid http listener is defined the following way (/usr/local/etc/squid.conf):
Code:
http_port 192.168.0.1:3128
http_port 192.168.0.1:3127 intercept
cache_mem 128 MB
connect_timeout 10 seconds
The problem is I get a connection timeout while the HTTP is intercepted via the transparent proxy (squid error).

The questions:
1. Is the official package squid-4.11_2 compliant with access to /dev/pf to support transparent interception (--enable-pf-transparent)? I'm aware this is a required option to make it work well, which, as it seems to me, should be supported by default (why not?). How can I check the options used to compile a package? I'm aware that mixing ports with binary packages is not a recommended practice and I prefer to use binary packages (not having compilers installed on my server makes it more secure). I suppose that I might be missing something in my squid.conf.

I will be grateful for advice.

Regards,
Marcin Górski
 

mjollnir

Aspiring Daemon

Reaction score: 269
Messages: 658

Code:
pkg alias
view /usr/ports/www/squid/Makefile
pkg options squid|grep PF
Looks like it is not enabled (for PF -- for ipfw(4) yes) in the package & you have to build it yourself. Please use either devel/poudriere or devel/synth & do not build in the host system (portmaster, portXYZ...), but in a jail. I'd guess the maintainer decided not to enable it because the standard/native packet filter on FreeBSD is ipfw(4), not pf(4) (beware the differences -- in pf(4), last matching rule fires).
Standard disclaimer: install the docs: pkg install {de,en}-freebsd-doc, replace de with your native tongue, and point your favorite browser to /usr/local/share/doc/freebsd.
You can add to the ALIAS section of /usr/local/etc/pkg.conf
Code:
  message: "query '[%C/%n] %M'",
and read through all pkg message|less.
 

wolffnx

Well-Known Member

Reaction score: 73
Messages: 402

Build it from ports and select PF in the options to compile. Sometimes it is necessary to build from ports.
I think that the default package build is selected for IPFW.
 

mar.gorski

New Member


Messages: 7

Well, I built it from ports on a VM using a simple:
Code:
# make package
(selected PF transparency support instead of IPFW) and deployed it on the target server via SFTP.

The package was installed by:
Code:
# pkg-static install squid-4.12.txz
and the installation was successful.

However, the transparent mode is still not working, while the explicit mode is. When I try to connect via transparent mode, in my /var/log/squid/access.log I get the following error (it is being tested on neverssl.com):
Code:
1596229168.673      0 192.168.0.3 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -
Seems like the TCP socket accept failed. I get a warning because of disabled IPv6 support during the package build, but it should have no impact because it is not used.
Code:
WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters.
Finally, I am thinking about not using transparent mode (trivial for HTTP, but might be hard to set up for HTTPS). Explicit mode is fine when all network computers are forced to use it by not allowing any outgoing HTTP/HTTPS connections to the Internet (trivial and gets the job done, however it requires additional setup on client machines to use the local Squid gateway).

--- SOLVED
Ok, the issue was lack of access of the squid user to /dev/pf, which can be easily solved by a plain /etc/devfs.conf modification:
Code:
perm    pf      0640
own     pf      root:squid
Do you practically use a transparent proxy for HTTPS? This is necessary to make network interception practical, however it is less secure than explicit mode because a network without NAT doesn't allow unknown outgoing traffic such as sending data to external sources by backdoors (maybe even hardware/firmware related).
 
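A preflight check for the setup this thread converges on (the PF rdr target port must be a Squid "intercept" listener, and /dev/pf must be readable by the squid group), as an added POSIX sh example that is not part of any post. The configuration snippets inside it are constructed copies of the thread's values, and the check functions are my own assumptions, not a FreeBSD or Squid tool.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for a PF-intercepted Squid.
# All inputs below are constructed to mirror the thread's configuration.

# squid.conf with the explicit listener on 3128 and the intercept listener on 3127
SQUID_CONF_OK='http_port 192.168.0.1:3128
http_port 192.168.0.1:3127 intercept
cache_mem 128 MB'
# Same, but the "intercept" flag was forgotten on the rdr target port
SQUID_CONF_BAD='http_port 192.168.0.1:3128
http_port 192.168.0.1:3127'
# The PF rule from the thread ($int_if / $localnet are PF macros, not shell variables)
PF_RDR='rdr pass on $int_if proto tcp from $localnet to any port http -> 192.168.0.1 port 3127'
# /etc/devfs.conf: the fix from the thread vs. a root-only device node
DEVFS_OK='perm    pf      0640
own     pf      root:squid'
DEVFS_BAD='perm    pf      0600'

# Print the target port of every rdr rule ("-> <addr> port <port>").
rdr_target_ports() {
  printf '%s\n' "$1" | awk '/^rdr/ { for (i = 1; i <= NF; i++) if ($i == "->") print $(i + 3) }'
}

# Print the port of every http_port line that carries the intercept flag.
intercept_ports() {
  printf '%s\n' "$1" | awk '$1 == "http_port" && / intercept/ { sub(/.*:/, "", $2); print $2 }'
}

# Succeed only if every rdr target port has an intercept listener in squid.conf;
# a plain listener cannot recover the original destination of redirected traffic.
check_rdr_matches_intercept() {
  for p in $(rdr_target_ports "$1"); do
    intercept_ports "$2" | grep -qx "$p" || return 1
  done
  return 0
}

# Succeed only if devfs.conf hands /dev/pf to group "squid" with group read permission;
# without it Squid cannot look up the original destination in PF's NAT table.
check_devfs_pf() {
  owner=$(printf '%s\n' "$1" | awk '$1 == "own" && $2 == "pf" { print $3 }')
  mode=$(printf '%s\n' "$1" | awk '$1 == "perm" && $2 == "pf" { print $3 }')
  mode=${mode:-0000}
  [ "${owner#*:}" = "squid" ] || return 1
  group_digit=$(printf '%s' "$mode" | awk '{ print substr($0, length($0) - 1, 1) }')
  [ $(( group_digit & 4 )) -eq 4 ]
}

check_rdr_matches_intercept "$PF_RDR" "$SQUID_CONF_OK" && echo "rdr -> intercept port: ok"
check_devfs_pf "$DEVFS_OK" && echo "/dev/pf readable by squid group: ok"
```

On a real host, feed the functions the output of `cat /etc/pf.conf`, `cat /usr/local/etc/squid.conf` and `cat /etc/devfs.conf` instead of the constructed strings.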

wolffnx

Well-Known Member

Reaction score: 73
Messages: 402

Now I read that you used squid4
(version 3 is not supported in the ports by now).

Disabling IPv6 doesn't create any problem, as you see (me too, I never use IPv6, so I disable it).

Back to the point: in squid4 I had one bug related to mime.conf,
and the same problem that you have happened: squid starts but only listening on a UDP port;
in direct mode it works. Look at the squid logs.

I cleaned the mime.conf file and squid started fine,

and now I replaced the mime.conf file
with the mime.conf.sample file and squid runs without a problem 🤷‍♂️
Seems to be some bug related to the first time that you run squid and the mime.conf file.
 

mar.gorski

New Member


Messages: 7

Well, in my case it seems this is not a mime.conf issue, but an access and permissions issue to /dev/pf.conf (solved by devfs.conf). However, I don't like the transparent proxy approach because of the necessity to import an SSL certificate on the client side to have HTTPS correctly intercepted without warnings, as described in this video:

https://youtu.be/Bogdplu_lsE?t=447

Direct mode is much more secure and works without NAT and SSL out of the box, which is great and simple.

Thank you.
 

obsigna

Daemon

Reaction score: 684
Messages: 1,096

...
Do you practically use transparent proxy for HTTPS? This is necessary to make network interception practical, however is less secure than explicit mode because network without NAT doesn't allow unknown outgoing traffic such as sending data to external sources by backdoors (maybe even hardware/firmware related).
I happen to have a working transparent HTTPS proxy on my FreeBSD home server with www/squid, however I use it with ipfw(8). Nonetheless, most of the settings which I have written up here should work for pf(4) as well.
 

Alain De Vos

Aspiring Daemon

Reaction score: 107
Messages: 524

Related question. Can you do something interesting with a transparent squid, or what is it good for, what is its use?
 

obsigna

Daemon

Reaction score: 684
Messages: 1,096

just what I need, thanks
squid can filter HTTPS headers and block them like a layer 7 firewall, right? Only for HTTPS web pages of course
For an easy example on how to filter and modify traffic, see my following blog post:
German language: https://obsigna.com/articles/1533292343.html
English translation: https://www.translatetheweb.com/?from=de&to=en&a=https://obsigna.com/articles/1533292343.html

Note, the German version is full of rants about the GDPR and the related Cookie directive, some of which doesn't make much sense for non-Germans. So you want to simply focus on the filter program, which has been written in C. Take the .js-file as an example. The filter can be programmed to replace any content with other files.

AFAIK, for other kinds of filters, you would write a filter program and then plug it into squid.
 