Transparent Squid Proxy Setup
Setting up Squid as a transparent proxy with “peek and splice” enabled involves configuring it to intercept and manage TLS/SSL connections by examining and optionally modifying them without the client’s knowledge. This setup requires configuring Squid to listen on port 3128 and using iptables to redirect traffic from specified ports (80 and 443) to this local Squid port, ensuring consistent DNS settings across both the Squid configuration and client devices to prevent TLS errors. Alternatively, other TCP redirectors like v2fly, xray, or gost can be used for similar functionality.
Configuring Squid for SSL Bumping
To configure Squid for SSL Bumping, you'll need to follow a series of steps to enable the proxy server to intercept and decrypt SSL traffic, allowing for content inspection and filtering. Start by ensuring that your Squid installation was built with the necessary options, such as `--enable-ssl-crtd` and `--with-openssl` (`squid -v` prints the configure options of the installed binary).
Next, generate a self-signed CA certificate using OpenSSL. The command below creates a new 2048-bit RSA private key and a one-year self-signed certificate, writing both into the same PEM file, which Squid will use to sign the certificates it presents when intercepting SSL traffic. Because `-nodes` leaves the private key unencrypted, restrict the file's permissions to the Squid user. The command is:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/squid/ssl_cert/myCA.pem -out /etc/squid/ssl_cert/myCA.pem
Once the certificate is ready, edit the Squid configuration file (`/etc/squid/squid.conf`) to enable SSL Bumping. Add directives such as `http_port 3128 ssl-bump` and specify the path to your generated certificate. You can use actions like `peek` and `splice` to manage how connections are handled during the SSL handshake. Finally, test your setup by accessing an HTTPS site through Squid to confirm that SSL Bumping is functioning correctly.
Redirecting Traffic with Iptables
To redirect traffic to Squid for transparent proxying, iptables rules are essential. For clients on the local network, use the PREROUTING chain in the nat table:
- Redirect HTTP traffic:
  iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
- Redirect HTTPS traffic:
  iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3129
For traffic originating on the Squid server itself, use the OUTPUT chain to avoid forwarding loops:
- Allow traffic from the root and squid users to bypass the redirect (these rules must precede the REDIRECT rule, otherwise Squid's own upstream connections would be sent back into Squid):
  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j RETURN
  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j RETURN
- Redirect remaining traffic:
  iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
- Apply similar rules for HTTPS traffic on port 443. Together, these iptables rules ensure all relevant traffic is intercepted and processed by Squid.
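The complete rule set implied by this section, including the "similar rules for HTTPS" that the text leaves to the reader, as an added example (not code from the original page): a POSIX shell script that prints the rules for review, applies them only on request, and lists the resulting nat table so the RETURN exemptions can be seen ahead of the REDIRECT. It assumes the two-port layout used above (80 to 3128, 443 to 3129), iptables with the `owner` match available, and that Squid runs as the `squid` user (Debian-based systems use `proxy`, which is why the user is a parameter); the LAN CIDR 192.168.0.0/24 is taken from the page.

```shell
#!/bin/sh
# Added example: generate, apply and verify the nat-table rules for transparent
# Squid interception. Assumed: owner match available, Squid user 'squid'.

# Print one 'iptables -t nat -A ...' command per line without executing anything.
#   $1 = LAN CIDR whose clients are intercepted, $2 = Squid service user
squid_nat_rules() {
  lan=$1; user=${2:-squid}
  # Client traffic entering the box: redirect to the matching intercept port.
  echo "iptables -t nat -A PREROUTING -s $lan -p tcp --dport 80 -j REDIRECT --to-ports 3128"
  echo "iptables -t nat -A PREROUTING -s $lan -p tcp --dport 443 -j REDIRECT --to-ports 3129"
  # Locally generated traffic: exempt root and the Squid user first (RETURN),
  # otherwise Squid's outbound origin connections would loop back into Squid.
  for pair in 80:3128 443:3129; do
    dport=${pair%:*}; to=${pair#*:}
    echo "iptables -t nat -A OUTPUT -p tcp --dport $dport -m owner --uid-owner root -j RETURN"
    echo "iptables -t nat -A OUTPUT -p tcp --dport $dport -m owner --uid-owner $user -j RETURN"
    echo "iptables -t nat -A OUTPUT -p tcp --dport $dport -j REDIRECT --to-ports $to"
  done
}

# Number of rules produced: 2 PREROUTING + 3 OUTPUT rules for each of 2 ports = 8.
squid_nat_rule_count() { squid_nat_rules "$1" "$2" | grep -c .; }

# Execute the generated commands in order (needs root). Appending with -A keeps
# the RETURN exemptions ahead of the REDIRECT in OUTPUT.
apply_squid_nat_rules() {
  squid_nat_rules "$1" "$2" | while IFS= read -r rule; do
    $rule   # intentional word splitting: each line is a plain command
  done
}

# Verification after applying: numbered listing of both chains.
show_squid_nat_rules() {
  iptables -t nat -L PREROUTING -n --line-numbers
  iptables -t nat -L OUTPUT -n --line-numbers
}

# Only modify the firewall when explicitly asked; sourcing this file is harmless.
if [ "${SQUID_NAT_APPLY:-0}" = 1 ]; then
  apply_squid_nat_rules 192.168.0.0/24 squid
  show_squid_nat_rules
fi
```

`squid_nat_rules 192.168.0.0/24 proxy` prints the Debian variant; compare the output with `iptables -t nat -S` after applying, and confirm with a client that `curl -v https://example.com` still shows the origin's certificate (peek and splice leaves it untouched).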
Avoiding TLS Errors with DNS Consistency
To avoid TLS errors when using Squid as a transparent proxy, it’s crucial to maintain DNS consistency between the Squid server and client devices. This ensures that domain name resolutions match, preventing certificate validation issues. Here are key points to consider:
- Configure Squid to use the same DNS server as the client devices, by specifying that server in Squid's configuration file with the `dns_nameservers` directive.
- Ensure that the client devices are configured to use the same DNS server as Squid. This can typically be set through DHCP or manually in network settings.
- Consider using a local DNS resolver on the Squid server to cache DNS responses and improve performance. Tools like dnsmasq or unbound can be used for this purpose.
- If using split-horizon DNS, make sure Squid resolves domain names from the same perspective as the clients to avoid mismatches in IP resolutions.
By maintaining DNS consistency, you can significantly reduce the likelihood of TLS errors and ensure smooth operation of your transparent proxy setup.