<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>I am trying to create for my home network a transparent proxy to
implement filtering rules based on website names mainly.</p>
<p>I have been looking at using a Raspberry pi 3B+ running pi OS. I
configured it to be a Wifi access point using RaspAP quick
install. The Wifi network on which the filtering option is to be
implemented is with IP 10.3.141.xxx. The router is at address
10.3.141.1.</p>
<p>I have the following squid.conf file which I tried to create
based on different mails, websites and blogs I read :</p>
<blockquote>
<p>acl SSL_ports port 443 #https<br>
acl SSL_ports port 563 # snews<br>
acl SSL_ports port 873 # rsync<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
<br>
#Le réseau local<br>
acl LocalNet src 10.3.141.0/24<br>
<br>
acl bump_step1 at_step SslBump1<br>
acl bump_step2 at_step SslBump2<br>
acl bump_step3 at_step SslBump3<br>
<br>
#Définition des autorisations<br>
http_access deny !Safe_ports<br>
#http_access deny CONNECT !SSL_ports<br>
http_access allow localhost manager<br>
http_access deny manager<br>
http_access allow localhost<br>
http_access allow LocalNet<br>
http_access deny all<br>
<br>
#Définition des ports d'écoute<br>
http_port 8080<br>
http_port 3128 intercept<br>
https_port 3129 intercept ssl-bump \<br>
tls-cert=/etc/squid/cert/example.crt \<br>
tls-key=/etc/squid/cert/example.key \<br>
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
<br>
sslcrtd_program /usr/lib/squid/security_file_certgen -s
/var/lib/ssl_db -M 4MB<br>
sslcrtd_children 5<br>
<br>
ssl_bump peek all<br>
acl tls_whitelist ssl::server_name .example.com<br>
ssl_bump splice tls_whitelist<br>
ssl_bump terminate all<br>
<br>
coredump_dir /var/spool/squid<br>
<br>
refresh_pattern ^ftp: 1440 20% 10080<br>
refresh_pattern ^gopher: 1440 0% 1440<br>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
refresh_pattern . 0 20% 4320<br>
<br>
cache_dir ufs /cache 400 16 256<br>
cache_access_log /var/log/squid/access.log<br>
cache_effective_user proxy<br>
</p>
</blockquote>
<p>If I set up on a device connected to the access point a proxy
manually ie 10.3.141.1 on port 8080, I can access the internet. If
I put the following rules for iptables to use in files rules.v4 :</p>
<p>*nat<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.3.141.1:3128<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT
--to-ports 3128<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT
--to-destination 10.3.141.1:3129<br>
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT
--to-ports 3129<br>
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE<br>
COMMIT<br>
Now, if I remove the manual proxy configuration of the device
connected to the access point, I can't connect to the internet. If
I leave the manual proxy configuration it does work and there is
activity logged in /var/log/squid/access.log.</p>
<p>Please let me know what might be wrong in my configuration if
possible.</p>
<p>Best regards,</p>
<p>JF<br>
</p>
<p><br>
</p>
</body>
</html>