I am looking / already started to use a squid proxy, currently Transparent Proxy, what I am looking to do is to filter out content from my site but also access https://whatever.com. I have setup a transparent proxy but for some reason I am unable to access the https:// websites.
My network configuration is as such
Internet --> eth0 to firewall (static ip address)
Firewall --> eth1 to local network (192.168.110.0/24)
Firewall --> eth2 to DMZ (10.1.1.0/24)
The local network accesses the DMZ through the firewall by iptables
The DMZ network accesses the Internet through the firewall by iptables
Currently today I have the Local Network accessing the internet by iptables and masquerade/Source NAT, but due to the multiple users that are at my site, I want to turn off Masquerade and use a proxy server to access the websites, this way they get a "Forbidden Web Page" when the try to access inappropriate webpages, such as site that contain violence/p0rn and anything that the blacklists.tar.gz file from squidGuard.
I have setup the shorewall configuration as it pertains to squid. http://www.shorewall.net/Shorewall_Squid_Usage.html
I have also setup my configuration as stated by Ricky, but I am not able to access the https:// websites. I am new to squid, I have only started to set it up this week, so I need all the assistance I can get. My goal is to have all my web flitering done so that my users can not access such sites that are deemed inappropriate, but to access sites that use the https://. We use https:// for company email and normal everyday use as well.
Any ideas?
My configuration as it is today - does not have to be set in stone if there is a better way to do the goal stated above.
vi /etc/squid/squid.conf
maximum_object_size 8192 KB
cache_mem 16 MB
cache_dir ufs /var/spool/cache/ 2048 22 256
cache_store_log none
cache_mgr bryan.jones@xxxx.com
cache_effective_user squid
cache_effective_group squid
ftp_user bryan.jones@xxxx.com
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm [xxxxx.com] Squid proxy-caching web server authentication
#acl name proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl internal_lightning src 192.168.110.47
acl loc_net src 192.168.110.0/255.255.255.0
#acl internal proxy_auth 192.168.110.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow name
http_access allow loc_net
http_access allow internal_lightning
http_access deny all
redirector_access allow all
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 5
visible_hostname xxxx.com
unique_hostname xxxx.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128
Things that I do on the firewall to access the squid server
First:
if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 65.xxx.xxx.xxx dev eth2 table www.out
ip route flush cache
fi
Second:
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 202
This is what I do on the squid server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
