A transparent proxy with squid and pf

Introduction

squid is a caching web proxy: it sits between web browsers and servers, fetching documents from servers on behalf of browsers. It can accelerate web access by caching frequently requested pages and serving them from its cache. It can also be used to filter pop-up ads and malware, or to enforce access control (which clients may request which pages, based on different authentication methods).

Traditionally, the proxy is an optional component, and browsers are configured to actively use the proxy. Transparent proxying means forcing all web traffic through the proxy without the cooperation (or knowledge) of the clients. Once all browser connections pass through the proxy, outgoing connections to external hosts can be restricted to the proxy, and direct connections from local clients can be blocked.

The OpenBSD packet filter (pf) can be used to redirect connections based on various criteria, including source and destination addresses and ports. For instance, one can redirect all TCP connections with destination port 80 (HTTP) that arrive through an interface connected to local workstations to a squid proxy running on a different address and port.

Since the destination address is translated for such connections, the squid proxy needs some way to find the originally intended destination address of the web server to fetch the document from. If the client sends an HTTP/1.1 compliant Host: header in its HTTP request, squid uses the specified host; note that this header is supplied by the client and is not derived from the address the connection was actually headed to. Older clients don't provide a Host: header, in which case squid can query the packet filter about the original destination address of the redirected connection. The latter approach requires the proxy to run on the firewall itself; if the Host: header alone is relied upon, the proxy can run on a separate host.
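As an added illustration of the decision squid has to make at this point (example code written for this page, not squid's implementation and not part of the linked howto): once a rule such as `rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128` has rewritten the destination, the proxy's accepted socket reports only the proxy's own address as the destination. The function below prefers an absolute URI (a browser explicitly configured for the proxy), then the client's Host: header, then a lookup in a stand-in for pf's state table. The addresses, the state-table dictionary and the requests are constructed; the real squid query is the DIOCNATLOOK ioctl on /dev/pf, which is why that path only works when the proxy runs on the firewall.

```python
"""Decide the origin server for a transparently redirected HTTP connection.

Added illustration (not from the benzedrine.cx howto or squid itself) of the
decision squid makes once pf has rewritten the destination address: prefer
the client's Host: header, fall back to asking the packet filter for the
pre-translation destination, and give up when neither is available.  The pf
query is stubbed with a dict; real squid uses DIOCNATLOOK on /dev/pf.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

Endpoint = Tuple[str, int]
# (src_ip, src_port, dst_ip, dst_port) as the proxy's accepted socket reports them
ConnKey = Tuple[str, int, str, int]
NatLookup = Callable[[ConnKey], Optional[Endpoint]]


def parse_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request head into method, target, version and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def split_host(value: str, default_port: int) -> Endpoint:
    """Turn 'example.com' or 'example.com:8080' (or '[::1]:80') into (host, port)."""
    parts = urlsplit("//" + value)
    if parts.hostname is None:
        raise ValueError("empty Host: header")
    return parts.hostname, parts.port or default_port


def origin_for(raw: bytes, conn: ConnKey, nat_lookup: Optional[NatLookup]) -> Optional[Endpoint]:
    """Return the (host, port) the proxy should fetch from, or None if undeterminable.

    conn is the accepted TCP connection as the proxy sees it: because pf translated
    the destination, its dst side is the proxy's own address, not the web server's.
    nat_lookup stands in for querying pf; pass None when the proxy runs on a
    separate host and cannot read the firewall's state table.
    """
    method, target, version, headers = parse_head(raw)
    # A browser explicitly configured for the proxy sends an absolute URI; honour it.
    if target.lower().startswith("http://"):
        parts = urlsplit(target)
        return parts.hostname, parts.port or 80
    # HTTP/1.1 clients must send Host:.  It is client-supplied and says nothing
    # about which address the client's TCP connection was actually aimed at.
    host = headers.get("host")
    if host:
        return split_host(host, 80)
    # No Host: header (old client): only the packet filter knows the real destination.
    if nat_lookup is None:
        return None
    return nat_lookup(conn)


# Constructed stand-in for pf's state table: connection as the proxy sees it -> original
# destination.  The rdr rule rewrote 203.0.113.5:80 to the proxy at 127.0.0.1:3128.
FAKE_PF_STATES: Dict[ConnKey, Endpoint] = {
    ("192.168.1.10", 51000, "127.0.0.1", 3128): ("203.0.113.5", 80),
}


def fake_pf_lookup(conn: ConnKey) -> Optional[Endpoint]:
    """Stand-in for the DIOCNATLOOK query; returns None for unknown connections."""
    return FAKE_PF_STATES.get(conn)


# Constructed sample connection and requests.
CONN: ConnKey = ("192.168.1.10", 51000, "127.0.0.1", 3128)
REQ_HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_HTTP10 = b"GET /index.html HTTP/1.0\r\nUser-Agent: old-browser/1.0\r\n\r\n"

if __name__ == "__main__":
    print(origin_for(REQ_HTTP11, CONN, fake_pf_lookup))  # Host: header decides
    print(origin_for(REQ_HTTP10, CONN, fake_pf_lookup))  # pf lookup decides
    print(origin_for(REQ_HTTP10, CONN, None))            # proxy off the firewall: cannot tell
```

The third case is the failure mode the text describes: with an old client and a proxy that is not on the firewall, nothing in the request or the socket tells the proxy where to go, so the request has to be rejected.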

You can find the howto on the www.benzedrine.cx website.

Posted by Administrator on Saturday, October 21, 2006
