[squid-users] [MASSMAIL] Squid: forward to another squid server with authentication

Amaury Viera Hernández avhernandez at uci.cu
Wed Dec 16 18:38:34 UTC 2015


Thank you. I will follow your instructions.

Amaury.
On 15/12/15 19:03, Amaury Viera Hernández wrote:
> Hello everyone. This is a more detailed explanation of my problem:
>
> I have two network cards:
>
> a shared Wi-Fi card (wlp2s0): 10.42.0.1
> a network card with access to my LAN (enp4s0): 10.8.77.1
>
> In short, I am looking for a simple way to do the following (please give code samples if possible):
>
> Set up and start a transparent proxy server on my computer (on the Wi-Fi card; say that Squid will listen at 10.42.0.1:3128) that can capture all web requests from my phone; once the HTTP request from the phone comes to this proxy, it will forward it to the university proxy (say the address is 10.0.0.1:8080, with user and password authentication).
>
> Note: It is possible that one of the authentication methods of my proxy server will be NTLM.
>
> Now, more details to fully explain my situation:
>
> In my university, authentication is needed to pass through a proxy so that we can connect to the internet. I normally enter my Active Directory username/password to authenticate when the pop-up appears in the web browser.
>
> Now, I want to connect my phone to my shared Wi-Fi (10.42.0.1) and, using the network card with access to the LAN (10.8.77.1), forward the HTTP requests of my phone to the proxy server in the university (10.0.0.1:8080, with user and password authentication), because some applications on my phone require a direct connection, without proxy and without proxy authentication. So, I am planning to set up a transparent proxy on my laptop to catch all requests from my phone. Of course, I don't need to use the proxy for local domains (uci.cu in this case).
>
> I'm using Ubuntu 15.10 with squid3 (3.3.8).
>
> I have this configuration in squid.conf (this works for local domains, without proxy authentication, for example intranet.uci.cu, but for internet domains I need to authenticate, so I cache_peer my proxy with the proxy of my university):
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> # local domains that must bypass the university proxy (an ACL with no values is ignored)
> acl localdst dstdomain .uci.cu
> acl mi_red src 10.42.0.0/24
> # deny rules first, as in the default squid.conf, so the phone network cannot CONNECT to arbitrary ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow mi_red
> http_access allow localhost
> http_access deny all
> http_port 10.42.0.1:3128 transparent
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> refresh_pattern .               0       20%     4320
> cache_mem 512 MB
> cache_dir ufs /var/spool/squid3 2048 16 256
> cache_effective_user proxy
> cache_effective_group proxy
> half_closed_clients off
> maximum_object_size 1024 KB
> cache_swap_low 90
> cache_swap_high 95
> memory_pools off
> error_directory /usr/share/squid3/errors/es/
> access_log /var/log/squid3/access.log squid
> cache_peer 10.0.0.1 parent 8080 0 no-query default no-digest login=avhernandez:MyPass
> # go direct for local domains, through the parent for everything else
> always_direct allow localdst
> never_direct allow all
>
>
> I'm using this firewall script:
>
> #!/bin/sh
> # IP address of the SQUID server
> SQUID_SERVER="10.42.0.1"
> # Interface connected to the Internet
> INTERNET="enp4s0"
> # Internal interface
> LAN_IN="wlp2s0"
> # Squid port
> SQUID_PORT="3128"
>
> # Flush the previous rules
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> # Load the IPTABLES modules for NAT and IP with conntrack support
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> echo 1 > /proc/sys/net/ipv4/ip_forward
> # Default filter policy
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> # Unlimited access to loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # Allow replies to established connections (UDP, DNS and passive FTP)
> iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Make the server act as a router for the network
> iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
> iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
> # Unlimited access to the LAN
> iptables -A INPUT -i $LAN_IN -j ACCEPT
> iptables -A OUTPUT -o $LAN_IN -j ACCEPT
> # Redirect the internal network's HTTP requests to the proxy
> iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
> # Redirect HTTP arriving on the Internet-facing interface to the proxy
> iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
>
> Best regards. Amaury.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
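An added example, not from the original post or from the Squid project: a small Python checker that reads a squid.conf in the form quoted above and flags the points that matter for this setup: an allow rule for the phone network placed before the Safe_ports/SSL_ports deny rules, never_direct allow all with no always_direct for the local domains, an ACL that is empty or never used, and parent credentials kept inline in the file. The sample config is constructed from the one in the post, and check_squid_conf is a name chosen here.

```python
# squid.conf reduced from the one quoted above (constructed sample for this
# example; the password is a placeholder, as in the original post).
SAMPLE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl localdst dstdomain
acl mi_red src 10.42.0.0/24
http_access allow mi_red
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
cache_peer 10.0.0.1 parent 8080 0 no-query default no-digest login=user:MyPass
never_direct allow all
"""

def check_squid_conf(text):
    """Flag the access-control and peering mistakes seen in the quoted config."""
    findings, acls, referenced = [], {}, set()
    port_denies_seen = always_direct = never_direct_all = False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # strip comments, tokenize
        if not words:
            continue
        names = {w.lstrip("!") for w in words[2:]}     # ACL names used on the line
        if words[0] == "acl" and len(words) >= 3:
            acls.setdefault(words[1], []).extend(words[3:])
        elif words[0] == "http_access" and len(words) >= 3:
            referenced |= names
            if words[1] == "deny" and names & {"Safe_ports", "SSL_ports"}:
                port_denies_seen = True
            elif words[1] == "allow" and not port_denies_seen and names - {"localhost", "manager"}:
                findings.append(f"'{' '.join(words)}' precedes the Safe_ports/SSL_ports deny rules")
        elif words[0] in ("always_direct", "never_direct"):
            referenced |= names
            always_direct = always_direct or words[0] == "always_direct"
            never_direct_all = never_direct_all or words[:3] == ["never_direct", "allow", "all"]
        elif words[0] == "cache_peer" and any(w.startswith("login=") for w in words):
            findings.append("cache_peer keeps parent credentials in squid.conf; make the file readable only by root and the squid user")
    if never_direct_all and not always_direct:
        findings.append("never_direct allow all without always_direct: local domains are also sent through the parent proxy")
    for name, values in acls.items():            # built-ins (all, localhost) never appear in acls
        if not values:
            findings.append(f"acl {name} has no values and is ignored by Squid")
        if name not in referenced:
            findings.append(f"acl {name} is defined but never used")
    return findings
```

Run it on the config as posted and it reports five findings; on the corrected ordering with the dstdomain value, always_direct and no inline login it reports none.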