
INSTALLING SQUID 3.5.7 AS A TRANSPARENT HTTPS-CACHING PROXY ON UBUNTU SERVER 14.04.2 LTS

NETWORK TOPOLOGY
Clients on the 192.168.2.0/24 network reach the internet through eth1 (192.168.2.50) on the Ubuntu Server machine; eth0 (192.168.1.50) is the server's own uplink to the modem / gateway (192.168.1.200). This topology requires the clients to use the proxy machine as their default gateway, which is what makes the proxy truly transparent (no proxy settings on the clients). The easiest way to make the proxy the default gateway is to run a DHCP server on the Ubuntu machine that hands out 192.168.2.50 as the router. See How to configure Ubuntu as Dhcp Server. Keep in mind that this host will later hold the CA key with which it re-signs every HTTPS site for those clients, so it must be protected at least as well as the clients themselves.



INSTALL THE ADDITIONAL PROGRAMS REQUIRED BY SQUID 3.5.7

Login as root:

# sudo su

Note: to avoid errors when adding packages, do the following steps; skip them if your Ubuntu Server is already up to date.
# nano /etc/apt/sources.list

deb http://us.archive.ubuntu.com/ubuntu/ trusty main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty main restricted
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ trusty universe
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty universe
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

# apt-get update
# apt-get install devscripts build-essential openssl libssl-dev fakeroot libcppunit-dev libsasl2-dev cdbs ccze libfile-readbackwards-perl libcap2 libcap-dev libcap2-dev libnetfilter-conntrack-dev sysv-rc-conf -y

(libssl-dev is what --with-openssl and --enable-ssl-crtd below compile against; libcap-dev is needed for --with-libcap, without which Squid cannot keep the capabilities TPROXY needs after dropping root; libnetfilter-conntrack-dev is needed for --with-netfilter-conntrack.)

INSTALLING SQUID 3.5.7 (or the latest 3.5.x release, 3.5.13 at the time of writing)
a. Download and extract; choose one:

# wget -O - http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.7.tar.gz | tar zxfv -
# cd squid-3.5.7
Or the latest version of Squid:
# wget -O - http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.13.tar.gz | tar zxfv -
# cd squid-3.5.13

Both downloads are over plain HTTP and the pipe into tar skips any verification. For a proxy that will hold a CA key trusted by every client, download the .tar.gz and the .asc PGP signature published next to it on squid-cache.org first, check the signature with gpg, and only then extract.

b. Compile and install Squid 3.5.x. In the CHOST/CFLAGS/CXXFLAGS lines below, set -march to your processor family (e.g. core2 for a Core 2 Duo) so the compiler can use that CPU's instruction set; to use all cores for the build itself, pass -j to make (see the make line further down). Note that --disable-auth drops every authentication helper and --enable-http-violations enables the refresh_pattern options that override what origin servers say about cacheability; keep them only if you really want an anonymous, aggressively caching proxy.

./configure \
CHOST="x86_64-pc-linux-gnu" \
CFLAGS="-march=core2 -O2 -pipe" \
CXXFLAGS="${CFLAGS}" \
--build=x86_64-linux-gnu \
--prefix=/usr \
--exec-prefix=/usr \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--libdir=/usr/lib \
--sharedstatedir=/usr/com \
--includedir=/usr/include \
--localstatedir=/var \
--libexecdir=/usr/lib/squid \
--srcdir=. \
--datadir=/usr/share/squid \
--sysconfdir=/etc/squid \
--infodir=/usr/share/info \
--mandir=/usr/share/man \
--x-includes=/usr/include \
--x-libraries=/usr/lib \
--with-default-user=proxy \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid \
--enable-err-languages=English \
--enable-default-err-language=English \
--enable-storeio=ufs,aufs,diskd \
--enable-linux-netfilter \
--enable-removal-policies=lru,heap \
--enable-gnuregex \
--enable-follow-x-forwarded-for \
--enable-x-accelerator-vary \
--enable-zph-qos \
--enable-delay-pools \
--enable-snmp \
--enable-underscores \
--with-openssl \
--enable-ssl-crtd \
--enable-http-violations \
--enable-async-io=24 \
--enable-storeid-rewrite-helpers \
--with-large-files \
--with-libcap \
--with-netfilter-conntrack \
--with-included-ltdl \
--with-maxfd=65536 \
--with-filedescriptors=65536 \
--with-pthreads \
--without-gnutls \
--without-mit-krb5 \
--without-heimdal-krb5 \
--without-gnugss \
--disable-icap-client \
--disable-wccp \
--disable-wccpv2 \
--disable-dependency-tracking \
--disable-auth \
--disable-epoll \
--disable-ident-lookups \
--disable-icmp


# make -j$(nproc) && make install


CUSTOMIZING THE SQUID 3.5.x CONFIGURATION
a. squid.conf

# mv /etc/squid/squid.conf /etc/squid/squid.conf.backup
# wget -O /etc/squid/squid.conf https://raw.githubusercontent.com/cyberscie/cyberscie.com/master/server/squid-3.5.5/step1/squid.conf

(Adjust it to your network. --no-check-certificate is not needed for raw.githubusercontent.com once ca-certificates is installed, and this file is the proxy's entire access policy: fetch it over verified TLS and read it through before use. In particular check that its http_port / https_port lines use the same ports as the rest of this guide, 3127 and 3129 for the tproxy ports and 3128 for the plain one, and that cache_dir points at the cache directory created below.)

# nano /etc/squid/squid.conf

(Check for configuration errors)

# squid -k parse

b. store-id.pl
store-id.pl is the Store-ID helper (built in above with --enable-storeid-rewrite-helpers): Squid hands it each request URL and the helper may answer with a rewritten cache key, so that the same object fetched from different URLs (for example numbered CDN mirror hosts) is stored and served once. Every URL mapped to the same key is served the same cached body, so a pattern that is too broad is cache poisoning across sites; review the patterns in the file before enabling it. Download the helper:

# wget -O /etc/squid/store-id.pl https://raw.githubusercontent.com/cyberscie/cyberscie.com/master/server/squid-3.5.5/store-id.pl
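The following is an added example, not the post's store-id.pl: a minimal Store-ID helper written in shell so the protocol between Squid and store_id_program is visible. Squid sends one line per lookup, "[channel-ID] URL [extras]" (the channel-ID is present only when the helper runs with concurrency), and expects "[channel-ID] OK store-id=<key>" to replace the cache key or "[channel-ID] ERR" to keep the URL. The mirror-host pattern (cacheNN.videos.example) is constructed for illustration and is not a rule from the post.

```shell
#!/bin/sh
# Added example (not the post's store-id.pl): a minimal Store-ID helper in
# POSIX sh showing the protocol Squid speaks to store_id_program.

# Map one URL to a cache key; return 1 when the URL must not be rewritten.
store_id_for() {
    url="$1"
    case "$url" in
        # Constructed example: cacheNN.videos.example are mirror hosts that
        # serve identical bytes for the same path, with a per-client query
        # string appended. Only URLs proven to be byte-identical may share a
        # key: a broader pattern makes Squid serve one site's body for
        # another request (cache poisoning by configuration).
        http://cache[0-9][0-9].videos.example/*)
            path="${url#http://cache[0-9][0-9].videos.example/}"
            path="${path%%\?*}"          # drop the per-client query string
            printf 'http://videos.example.squid.internal/%s\n' "$path"
            ;;
        *)
            return 1
            ;;
    esac
}

# Helper main loop: one request per line on stdin, one answer per line on
# stdout. Squid keeps the helper running and stdin open for its lifetime.
store_id_helper() {
    while read -r first rest; do
        case "$first" in
            ''|*[!0-9]*) chan=""; url="$first" ;;          # no channel-ID
            *)           chan="$first "; url="${rest%% *}" ;;
        esac
        if key=$(store_id_for "$url"); then
            printf '%sOK store-id=%s\n' "$chan" "$key"
        else
            printf '%sERR\n' "$chan"
        fi
    done
}

# Run the loop only when executed as "store-id.sh --run" (e.g. by Squid),
# so the functions can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    store_id_helper
fi
```

Installed as an executable file, it would be referenced from squid.conf with store_id_program followed by the path and the --run argument, in place of the perl helper; the answers follow the same protocol either way, so a rule that is wrong in shell is exactly as wrong in perl.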


MAKING THE CACHE DIRECTORY AND THE SQUID 3.5.x CERTIFICATES
a. Make the cache directory, e.g.:

# mkdir -p /cache/cache
b. Make the signing certificate. This is the CA with which Squid re-signs every HTTPS site for the clients (SSL bump), so its private key must never leave this host and must be readable only by the Squid user (mode 600). The commands below run inside /etc/squid/ssl_certs, which is where the final step expects squid.crt.

# mkdir /etc/squid/ssl_certs
# cd /etc/squid/ssl_certs
(Note: fill in the subject fields as you like)

# openssl genrsa -out squid.key 2048
# openssl req -new -key squid.key -out squid.csr
# openssl x509 -req -days 3652 -in squid.csr -signkey squid.key -out squid.crt
c. Make the directory for the certificates Squid generates (the ssl_crtd cache). Squid runs as user proxy (--with-default-user=proxy), so that user owns it.

# mkdir /var/lib/squid
# chown -R proxy:proxy /var/lib/squid/
# /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
(be sure that there are no errors)
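An added example, not the post's commands: the function below produces the same squid.key / squid.crt pair as the three openssl commands above, but as a real CA certificate (basicConstraints CA:TRUE, keyCertSign), which is what browsers check before they accept an import as an authority and which "openssl x509 -req -signkey" without an extension file does not add. The key is created under umask 077, a DER copy is written for clients that cannot import PEM, and two check functions verify the result. The directory, validity and CN are parameters; the defaults (/etc/squid/ssl_certs, user proxy) follow this guide and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the post): create the SslBump signing CA for Squid
# as a proper CA certificate and lock down its private key.

make_squid_ca() {
    dir="${1:-/etc/squid/ssl_certs}"
    days="${2:-3652}"
    cn="${3:-Squid Transparent Proxy CA}"
    mkdir -p "$dir"
    chmod 750 "$dir"
    # basicConstraints CA:TRUE and keyCertSign are what browsers look for
    # before they let a certificate be imported as an authority.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # This key can sign a certificate for any host the clients visit, so it
    # is unreadable to everyone but its owner from the first byte.
    (umask 077 && openssl genrsa -out "$dir/squid.key" 2048 2>/dev/null)
    openssl req -new -x509 -days "$days" -key "$dir/squid.key" \
        -config "$dir/ca.cnf" -out "$dir/squid.crt"
    # DER copy for clients (Windows, Android) that will not import PEM
    openssl x509 -in "$dir/squid.crt" -outform DER -out "$dir/squid.der"
    chmod 600 "$dir/squid.key"
    chmod 644 "$dir/squid.crt" "$dir/squid.der"
    rm -f "$dir/ca.cnf"
    # hand the files to the Squid user when run as root on the proxy
    if [ "$(id -u)" = 0 ] && id proxy >/dev/null 2>&1; then
        chown -R proxy:proxy "$dir"
    fi
}

# 0 when the certificate really carries the CA flag
ca_flag_ok() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 0 when nobody but the owner can read the private key
key_perms_ok() {
    case "$(ls -l "$1")" in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run make_squid_ca as root on the proxy, then make the https_port line in squid.conf reference these files (cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key). Once interception works, "openssl s_client -connect example.com:443 </dev/null | openssl x509 -noout -issuer" run from a client must print this CA as the issuer; if it prints the site's real CA, the TPROXY rules are not catching that client's traffic.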


MAKING A SQUID 3.5.x START-UP FILE

# wget -O /etc/init.d/squid https://raw.githubusercontent.com/cyberscie/cyberscie.com/master/server/squid-3.5.5/squid
This script runs as root at every boot, so read it before installing it. Customize it as needed:

# nano /etc/init.d/squid
Note:
Find the line "cache_dir=`find_cache_dir cache_dir /cache/cache`" and change "/cache/cache" to your cache directory.

Make Squid start automatically on boot:

# update-rc.d squid defaults


CREATING THE SQUID 3.5.x FOLDER AND FILE ACCESS RIGHTS
Run these on the command line, one after the other. Squid runs as user proxy, so nothing here needs to be world-writable, and the helper binaries in /usr/lib/squid stay owned by root since Squid only has to execute them.

# chown proxy:proxy /etc/squid/squid.conf /etc/squid/store-id.pl
# chown -R proxy:proxy /var/lib/squid/ssl_db /cache/cache /var/log/squid
# chmod 750 /cache/cache /var/log/squid /var/lib/squid/ssl_db/certs
# chmod +x /etc/init.d/squid


STARTING SQUID 3.5.x
Create the cache directories and start Squid 3.5.x:

# squid -f /etc/squid/squid.conf -z
Wait for the swap directories to be created (if the process stays in the foreground, press ctrl+c to get back to the prompt). Then (re)start Squid through the init script:

# /etc/init.d/squid restart
Make sure that no errors appear, and check /var/log/squid/cache.log as well:

# /etc/init.d/squid status


CONFIGURE SQUID 3.5.x AS A TRANSPARENT PROXY
See the topology at the top of this article.

Configure the rc.local file:

# nano /etc/rc.local
Add these lines, keeping exit 0 as the last line of the file:

# NAT the clients' non-intercepted traffic out through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
iptables -I INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
# kernel modules for TPROXY, the socket match and NAT (no-ops when built in)
modprobe xt_TPROXY
modprobe xt_socket
modprobe xt_mark
modprobe nf_nat
modprobe nf_conntrack_ipv4
modprobe nf_conntrack
modprobe nf_defrag_ipv4
modprobe ipt_REDIRECT
modprobe iptable_nat
# forwarding for the NAT path; reverse-path filtering must be off because
# intercepted packets carry a destination address that is not local
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
# packets marked 1 are delivered to the local stack, where Squid's tproxy ports accept them
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# DIVERT marks packets that belong to a socket Squid already owns (replies)
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A INPUT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# never intercept connections aimed at the proxy's own services
iptables -t mangle -A PREROUTING -d 192.168.1.50 -p tcp -m multiport --dports 22,80,443,3127,3128,3129,8000,8080,10000 -j ACCEPT
# HTTP goes to the tproxy http_port 3127, HTTPS to the tproxy ssl-bump https_port 3129
iptables -t mangle -A PREROUTING ! -d 192.168.1.50 -p tcp -m multiport --dports 80,8080,8000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
iptables -t mangle -A PREROUTING ! -d 192.168.1.50 -p tcp -m multiport --dports 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
exit 0


Note:
Port 3128 is deliberately absent from the TPROXY rules. It stays an ordinary (non-transparent) http_port for clients that are configured by hand, e.g. trading software that does not work through the transparent HTTPS proxy. The exclusion rule only lists the eth0 address (192.168.1.50); if clients must reach services on the eth1 address (192.168.2.50) directly, add the same ACCEPT rule for it, and consider adding "-i eth1 -s 192.168.2.0/24" to the two TPROXY rules so that only LAN clients are ever intercepted.
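An added example, not the post's rc.local: the same TPROXY rule set written as shell functions with the site values in variables, with both of the proxy's addresses excluded from interception and the TPROXY rules restricted to the LAN interface. IPT, IP and SYSCTL default to the real tools and can be set to "echo" for a dry run that prints the rules instead of applying them. The interface names, addresses and ports are assumptions matching the topology of this guide.

```shell
#!/bin/sh
# Added example (not from the post): the TPROXY/NAT rule set as functions.
# Set IPT=echo IP=echo SYSCTL=echo to print instead of apply.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"
PROXY_ADDRS="${PROXY_ADDRS:-192.168.1.50 192.168.2.50}"
HTTP_PORT="${HTTP_PORT:-3127}"     # http_port ... tproxy in squid.conf
HTTPS_PORT="${HTTPS_PORT:-3129}"   # https_port ... tproxy ssl-bump in squid.conf
LOCAL_PORTS="${LOCAL_PORTS:-22,80,443,3127,3128,3129,8000,8080,10000}"
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
SYSCTL="${SYSCTL:-sysctl}"

tproxy_kernel() {
    # forwarding for the NAT path; rp_filter off (effective value is the
    # maximum of "all" and the interface) because intercepted packets carry
    # a destination address that is not local to this host
    $SYSCTL -w net.ipv4.ip_forward=1
    for i in all default lo "$LAN_IF"; do
        $SYSCTL -w "net.ipv4.conf.$i.rp_filter=0"
    done
    # packets marked 1 are handed to the local stack, where Squid's tproxy
    # ports accept them whatever their destination address
    $IP rule add fwmark 1 lookup 100
    $IP route add local 0.0.0.0/0 dev lo table 100
}

tproxy_rules() {
    # NAT only the LAN's traffic, and only when it leaves via the WAN side
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -t mangle -N DIVERT
    $IPT -t mangle -A DIVERT -j MARK --set-mark 1
    $IPT -t mangle -A DIVERT -j ACCEPT
    # packets for sockets Squid already owns go straight to it
    $IPT -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # never intercept what is addressed to the proxy host itself, on either interface
    for a in $PROXY_ADDRS; do
        $IPT -t mangle -A PREROUTING -d "$a" -p tcp -m multiport --dports "$LOCAL_PORTS" -j ACCEPT
    done
    # only LAN clients are intercepted; nothing arriving on the WAN side reaches the tproxy ports
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,8080,8000 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$HTTP_PORT"
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$HTTPS_PORT"
}

# Apply everything (e.g. from rc.local) only when executed with "apply",
# so the functions can also be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
    tproxy_kernel
    tproxy_rules
fi
```

Saved as e.g. /etc/squid/tproxy.sh and called with the apply argument from rc.local before its exit 0, it replaces the hand-written block; "IPT=echo IP=echo SYSCTL=echo sh /etc/squid/tproxy.sh apply" shows what would be applied without touching the host.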

FINISHING STEP
Restart the server.
Import /etc/squid/ssl_certs/squid.crt into each client's browser (e.g. Mozilla / Chrome / Opera) as a trusted certificate authority: Squid presents every HTTPS site with a certificate it generated and signed with this CA, so without the import every site shows a certificate warning. Only the public squid.crt leaves the proxy; squid.key stays on the server. Applications that pin the real server certificate will still refuse the connection and have to be pointed at the non-transparent port 3128 instead.