0

I have installed squid v3.3.8 on CentOS 7 that has two interfaces as follows:

internal

interface: ens32

external

interface: ens33    >   masquerade is enabled here

First of all, I enabled IPv4 forwarding:
sysctl -w net.ipv4.ip_forward=1

I want to be able to put ens32 IP address in my browser with port 3128 and be able to access internet, whether ftp, http or https. To honest, I need to make all traffic types allowed later on, but block some websites because some apps I use need tcp/udp traffic on different ports.

I added firewalld rule:

firewall-cmd --permanent --zone=internal --add-service=squid

I can telnet ens32 IP on port 3128!

As an unlucky beginning I left squid.conf as is, but added "intercept" after http_port 3128 to force traffic from ens32 to ens33. When I try to access internet from my browser, I always get the following:

The following error was encountered while trying to retrieve the URL: http://www.whatever.com

    Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

I also don't know how to correctly create necessary firewalld rules in order to forward requests received on ens32 to ens33. All tutorials I read were using iptables, what I really want to use is firewalld. I am new to the whole linux world, I never studied iptables in the past.

I first need to make http requests work first, then I continue with the rest.

thanks in advance

elekgeek
  • 51
  • 5
  • 14
  • The following article describes HTTPS filtering on CentOS 7 with intercept scenario just like you have. http://docs.diladele.com/tutorials/transparently_filtering_https_centos/index.html – Rafael May 24 '16 at 18:13
  • this one forces me to use diladele. Do I really have to use it? frankly, I don't need it. I was following this one, till I got stuck in the fact that I have to install diladele, also this uses direct iptables in firewalld, which is not what I am looking for. finally, do I reaaly have to install apache.. – elekgeek May 24 '16 at 18:18
  • diladele is a web filter acting as ICAP server; just skip it and you will get the squid; apache is also not required if you do not need Web UI – Rafael May 24 '16 at 21:52
  • I followed the instructions again, when I issue "squid -k reconfigure" I get this: FATAL: No valid signing SSL certificate configured for http_port [::]:3128 Squid Cache (Version 3.3.8): Terminated abnormally. – elekgeek May 25 '16 at 17:55
  • Please generate your signing certificates and replace the path to the one in /opt/qlproxy/etc. See http://docs.diladele.com/administrator_guide_4_5/https_filtering/generate_certificates/manually.html – Rafael May 25 '16 at 21:01
  • I did that successfully. It worked for sometime, I rebooted the server and I started getting abother strange error: "The ssl_crtd helpers are crashing too rapidly, need help!" – elekgeek May 25 '16 at 21:03
  • I digged more into this error: SELinux is preventing /usr/lib64/squid/ssl_crtd from open access on the file /var/spool/squid_ssldb/index.txt, how can make SELinux allow it? I am also getting " $SQUID_CONF (code=exited, status=1/FAILURE)", what is this all about? – elekgeek May 25 '16 at 21:18

1 Answers1

1

Let's hope someone finds this answer useful, as I did not find these things online any where!

I received the "Access Denied" error because when I first stated in my question that I had

http_port 3128 intercept

It meant that this squid port was dedicated to intercepting the traffic rather than forwarding it, hence firewalld was expected to forward the traffic from port 3128 to another port, for example port 3126:

firewall-cmd --permanent --zone=internal --add-forward-port=port=80:proto=tcp:toport=3126:toaddr=LAN_INTERFACE_IP
firewall-cmd --reload

to enable squid processing the traffic and forward it to port 3126, while listening to port 3128. Off course, I had to open port 3126 as follows:

firewall-cmd --permanent --zone=internal --add-port=3126/tcp

and I can do squid this way then:

http_port  3126 intercept
http_port  3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem

Note that port 3128 is not in intercept mode. So, when firewalld forwards http traffic to port 3126. squid does its job listening to port 3128 while ipv4 forwarding forwards unknown traffic (which is what we wanted in the first place) to WAN interface i.e. ens33.

To be able to reach the server from a different subnet, simply add a static route on LAN interface where the gateway of this route is set to the actual gateway of the subnet to which LAN interface IP belongs.

Concerning the certificate thing, I did the following:

mkdir /etc/squid/ssl_cert/
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
openssl x509 -in myca.pem -outform DER -out myca.der
chown -R squid:squid /etc/squid/ssl_cert/

Finally, SELinux is enabled, I solved this way, ironically I found the solution in the error log of SELinux:

grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtd_pol
semodule -i ssl_crtd_pol

This should answer my question and all of my comments above..

elekgeek
  • 51
  • 5
  • 14