
We have a squid proxy on the cloud with IP Address 50.x.y.z listening on tcp port 3128 and running in transparent mode. This proxy server is running Debian 6.0 and is located at a data center.

In our office we have a Cisco router with Public IP 203.x.y.z/29 and private IP 192.168.1.1/24. The Local LAN network is 192.168.1.0/24. I have allowed the public IP 203.x.y.z/29 in the squid.conf file and hence the LAN users can browse the internet using this squid proxy. I would like to know if it is possible to transparently redirect all web traffic to the squid server running at the data center?

Please note that I am fully aware of the fact that this can be done using a route map or WCCP if I had a proxy server in the LOCAL LAN, and also that I can use WPAD for automatic proxy detection, but I want transparent redirection.

Prax

2 Answers


The only thing I can think of is some form of a tunnel. You simply have to route that port 80 traffic, which will have random global destination IP addresses, to your cloud proxy. This is impossible to do without some sort of support in your routing infrastructure.

You'd probably want an IPsec tunnel between your network and the cloud instance for security anyway. If your current router(s) don't support such features, I would suggest experimenting with Vyatta Core, pointing some test workstations at the Vyatta router as their default gateway. The Vyatta would then be configured to redirect all public-bound TCP-port-80 traffic through an IPsec tunnel (or even GRE or IP-in-IP if you don't care about security) that terminates on the cloud instance.

Note that whenever tunnels are involved you will have MTU issues, so you should make sure you are not blocking ICMP "packet too big" messages in any firewall (even local to the workstation), and you can potentially rewrite the TCP maximum segment size in TCP handshake packets seen by the Vyatta.

Honestly, proxy-auto-config is going to be much easier to deal with. You can even enforce proxy configuration for IE and Google Chrome via Group Policy if you have an Active Directory Domain, and use proxy autoconfig for visitors/Macs/Linux/Firefox users.

rmalayter
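The proxy-auto-config route the answer above recommends comes down to a small PAC file. The following is an added example, not code from the thread or from rmalayter: it sends HTTP and HTTPS through the cloud squid on port 3128 (the port from the question) and keeps office-LAN (192.168.1.0/24) and plain intranet hostnames direct. The proxy hostname `PROXY_HOST` is a placeholder, and the `pacIsInNet`/`pacIsPlainHostName` helpers are stand-ins for the browser's built-in PAC functions so the file can be exercised outside a browser.

```javascript
// Added example PAC file (not from the original thread).
// PROXY_HOST is a placeholder; replace it with the cloud squid's real address.
var PROXY_HOST = "proxy.example.invalid";   // placeholder, assumption
var PROXY_PORT = 3128;                      // port given in the question
var OFFICE_LAN = "192.168.1.0";             // office LAN from the question
var OFFICE_MASK = "255.255.255.0";

// Stand-ins for the PAC runtime helpers isInNet()/isPlainHostName(), so this
// file can be loaded and tested in Node. In a browser the real isInNet() also
// resolves hostnames; these only handle literal IPv4 addresses.
function ipToInt(ip) {
  var p = ip.split(".");
  return ((((+p[0] * 256) + +p[1]) * 256 + +p[2]) * 256 + +p[3]) >>> 0;
}
function pacIsInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function pacIsPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The function every PAC file must export. Returns a proxy string, e.g.
// "PROXY host:port; DIRECT" (try squid first, fall back to a direct connection).
function FindProxyForURL(url, host) {
  // Intranet names without a dot stay local.
  if (pacIsPlainHostName(host)) return "DIRECT";
  // Anything on the office LAN stays local.
  if (pacIsInNet(host, OFFICE_LAN, OFFICE_MASK)) return "DIRECT";
  // Only web traffic goes through squid; other schemes (ftp:, etc.) go direct.
  if (url.indexOf("http:") === 0 || url.indexOf("https:") === 0) {
    return "PROXY " + PROXY_HOST + ":" + PROXY_PORT + "; DIRECT";
  }
  return "DIRECT";
}
```

Note the trailing `; DIRECT`: it is a convenience fallback, and it means that if the cloud squid is unreachable (or the tunnel to it is down) browsers silently go direct and bypass whatever filtering the proxy does. If you rely on squid for policy enforcement rather than just caching, return `"PROXY " + PROXY_HOST + ":" + PROXY_PORT` with no fallback so the failure is visible instead of silent.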

The only real way you can do this without additional hardware on-site locally is to use WCCP. You should be able to create the WCCP GRE tunnel over the external public address to the cloud system.

If your ISP runs the datacentre too then they may be able to route your traffic through the squid server you have. Otherwise I'd look at putting a small squid box in locally that performs the transparent interception of traffic and then sends that to the cloud system, or replace the Cisco box with an all-in-one proxy/cache/filter/firewall, be that home-grown FOSS or something commercial.

robf