Setting up proxy with private to public

Setting up proxy with private to public

Chris Bidwell - NOAA Federal
Hi all,

Very new to squid and am looking to set up several internal subnets to access external network (internet) through squid on a separate interface.

Server has two IPs.  One private internal and one public.  Can someone point me in the right direction to get this set up?  Running RHEL7.

Do I need to create static routes?  Do I need firewalld rules in place? 

Thanks!

Chris

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Setting up proxy with private to public

Antony Stone
On Monday 13 April 2020 at 21:19:04, Chris Bidwell - NOAA Federal wrote:

> Hi all,
>
> Very new to squid and am looking to setup several internal subnets to
> access external network (internet) through squid on a separate interface.

What are you trying to achieve by using Squid?  What is your objective,
compared to giving clients direct access to the Internet?

> Server has two IP's.  One private internal and one public.  Can someone
> point me in the right direction to get this setup?  Running RHEL7.

Firstly, install Squid and look at its configuration file.  It is *very* well
commented / documented, and there is *very* little you need to change in order
to get it working on your network.

For more details, see:

https://wiki.squid-cache.org/SquidFaq/BinaryPackages

https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid
https://wiki.squid-cache.org/SquidFaq
https://wiki.squid-cache.org/ConfigExamples

https://www.packtpub.com/squid-proxy-server-31-beginners-guide/book
http://www.oreilly.com/catalog/squid/

(All the above available from http://www.squid-cache.org )


> Do I need to create static routes?

Provided the machine you want to install Squid on can reach (a) arbitrary web
servers on the Internet, and (b) the client machines on your internal
networks, then no.

If not, then yes, you will need to add suitable routes so that the Squid
server can find both origin servers and clients.

> Do I need firewalld rules in place?

A firewall is always a good idea, however Squid imposes no special requirement
of its own here.

A very good starting point for firewalls is "allow the traffic you know you want,
block the traffic you know you do not want, and log and block the traffic you're
not sure about - then look at the logs and adjust the rules as necessary to
keep the log entries minimal".


Finally, if you run into problems, come back here and tell us:

 - what you want to achieve
 - what you did to try to achieve it
 - how you tested whether it worked
 - what you found which told you it didn't work

Basically, give us enough information to understand what you're trying to do,
what you've done to get there, and what went wrong (such that we could
reproduce the problem for ourselves if need be), and people here will happily
help out.


Regards,


Antony.

--
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I
forgot to feed the dog!"

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Setting up proxy with private to public

Chris Bidwell - NOAA Federal
Sure.  So we have a few internal networks that aren't meant to have direct internet access without access through a proxy so that it can be better regulated and monitored. 

That being said, we've previously used a Microsoft product that is EOL and I thought I could do much of what it's wanting with Linux and squid and nginx for reverse proxy.

We've got several internal subnets that need to be able to talk through squid (I've chosen tcp/8080) to connect to from internally and want to translate that to an external IP address that does have access to the outside world.  Using the ACLs that squid provides and allowing for various ports (80/443, etc) I'd like to use this functionality.

Once again, the squid server has two IP addresses.  One internal, and one external.  The outbound traffic would be accessible through that external ip.

I hope I'm making some sense.  :)

Thanks

--

Chris Bidwell, CISSP
Space Weather Prediction Center
National Oceanic Atmospheric Administration
email: [hidden email]
office: 303-497-3204
mobile: 720-496-3126

Re: Setting up proxy with private to public

Antony Stone
On Monday 13 April 2020 at 23:46:46, Chris Bidwell - NOAA Federal wrote:

> Sure.  So we have a few internal networks that aren't meant to have direct
> internet access without access through a proxy so that it can be better
> regulated and monitored.

Okay, that's a useful starting point.

> We've got several internal subnets that need to be able to talk through
> squid (I've chosen tcp/8080) to connect to from internally and want to
> translate that to an external IP address that does have access to the
> outside world.

That sounds perfectly straightforward, provided your Squid server has routing
to connect back to those internal networks.

> Once again, the squid server has two IP addresses.  One internal, and one
> external.  The outbound traffic would be accessible through that external
> ip.

So, you configure your internal clients to connect to the internal address of
the Squid machine, and tell them that the proxy is listening on port 8080.

Add the subnet definitions (if they are not 10.0.0.0/8, 172.16.0.0/12 or
192.168.0.0/16) to Squid's configuration file.  If you *are* using such RFC1918
addresses, these are automatically supported by Squid and you do not need to
configure for your internal network ranges.

You don't need to do anything special to get Squid to use its external address
for the connections out to the Internet - that's handled by the Linux
networking stack.

> I hope I'm making *some* sense.  :)

I think so.

My suggestion from here on is: install Squid, configure a test client to use
it, and see if it works.

If not, give us enough information to understand what you've done (both the
setup and the testing) so we could reproduce it for ourselves, and we'll try
to help further.


Best wishes,


Antony.

--
Warum können Seeräuber nicht den Umfang eines Kreises berechnen?
Weil sie Piraten...


                                                   Please reply to the list;
                                                         please *don't* CC me.
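An added configuration example, not from the thread and not Squid's shipped squid.conf: a minimal configuration for the setup Antony describes, listening on port 8080 on the internal address only and letting the RFC1918 ranges out to the usual web ports. The internal address 10.0.0.2 and public address 203.0.113.5 are assumed placeholders.

```conf
# Listen for proxy clients only on the internal address (assumed 10.0.0.2),
# so nothing on the public side can reach the proxy port.
http_port 10.0.0.2:8080

# RFC1918 ranges. Squid's default config already ships an equivalent
# 'localnet' ACL; add any non-RFC1918 internal subnets of your own here.
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

# Order matters: denials first, then the allow for internal clients,
# then a final deny so nothing else slips through.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Optional: pin outbound connections to the public address (assumed
# 203.0.113.5). Normally unnecessary, as the thread says: the OS routing
# table chooses the source address for connections to the Internet.
# tcp_outgoing_address 203.0.113.5
```

Reload with `squid -k reconfigure` after editing, and check `cache.log` for ACL parse errors before testing from a client.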
Re: Setting up proxy with private to public

Matus UHLAR - fantomas
On 13.04.20 13:19, Chris Bidwell - NOAA Federal wrote:
>Very new to squid and am looking to setup several internal subnets to
>access external network (internet) through squid on a separate interface.

squid does not use interfaces, squid uses IP addresses.
interfaces are up to underlying OS.

>Server has two IP's.  One private internal and one public.  Can someone
>point me in the right direction to get this setup?  Running RHEL7.

this way all internal clients must connect to SQUID's internal IP and squid
will connect to the net using external IP.

>Do I need to create static routes?

maybe, however this is unrelated to squid

> Do I need firewalld rules in place?

no, unless you want to use HTTP interception.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete
Re: Setting up proxy with private to public

Chris Bidwell - NOAA Federal

Okay, so I think I'm starting to get somewhere but the connection isn't completing.  I can see the connection come through my firewall, but the handshake doesn't appear to be happening. 

My squid access log is saying:  TCP_MISS/503.

Re: Setting up proxy with private to public

Antony Stone
On Tuesday 14 April 2020 at 16:03:19, Chris Bidwell - NOAA Federal wrote:

> Okay, so I think I'm starting to get somewhere but the connection isn't
> completing. I can see the connection come through my firewall, but the
> handshake doesn't appear to be happening.

Tell us more about your network setup.  Is the firewall between the clients and
Squid, between Squid and the Internet, or do you have both?

Can you do a simple Ping test from a client machine to the Squid server (and
get replies)?

Can you do the same from the Squid server to some Internet-based web server
(making sure it's one which replies to pings - some machines are badly
configured and don't do this).

> My squid access log is saying:  TCP_MISS/503.

I'm sure it says a lot more than that, but at least it's an indication that
your client is getting the request through to Squid okay.

Assuming the Ping test from Squid to an Internet web server works, what
happens if you try wget, lynx, curl or even telnet to port 80, from the Squid
server to some external web server?  Does it indicate that the Squid server
has "Internet access"?


Antony.

--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Setting up proxy with private to public

Chris Bidwell - NOAA Federal
Sure thing. 

On Tue, Apr 14, 2020 at 8:32 AM Antony Stone <[hidden email]> wrote:
> On Tuesday 14 April 2020 at 16:03:19, Chris Bidwell - NOAA Federal wrote:
>
> > Okay, so I think I'm starting to get somewhere but the connection isn't
> > completing. I can see the connection come through my firewall, but the
> > handshake doesn't appear to be happening.
>
> Tell us more about your network setup.  Is the firewall between the clients and
> Squid, between Squid and the Internet, or do you have both?

There is a firewall between my internal clients and squid.  There is a firewall rule allowing tcp/8080 from my clients to the squid server.  And from the squid server, it is allowed to the internet.

> Can you do a simple Ping test from a client machine to the Squid server (and
> get replies)?
>
> Can you do the same from the Squid server to some Internet-based web server
> (making sure it's one which replies to pings - some machines are badly
> configured and don't do this).
>
> > My squid access log is saying:  TCP_MISS/503.
>
> I'm sure it says a lot more than that, but at least it's an indication that
> your client is getting the request through to Squid okay.

Here is the full output of my access.log:
1586873819.383      0 192.168.226.241 TAG_NONE/409 4108 CONNECT www.nginx.com:443 - HIER_NONE/- text/html

> Assuming the Ping test from Squid to an Internet web server works, what
> happens if you try wget, lynx, curl or even telnet to port 80, from the Squid
> server to some external web server?  Does it indicate that the Squid server
> has "Internet access"?
>
> Antony.

So after looking further, it looks like when I'm trying to wget from my squid server, which has the two NICs (internal and public), it's trying to send it through the internal connection.  It doesn't seem to want to route through the external NIC.

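As an added example, not code from the thread or from the Squid project: a small Python decoder for Squid's native access.log format, which splits the posted line into its fields and says whether Squid ever opened an upstream connection (the HIER_NONE/- at the end of Chris's line means it did not). The second sample line, its 203.0.113.10 peer address and the example.com URL are constructed for comparison.

```python
"""Added example (not from the thread): decode Squid's native access.log
format and tell whether Squid ever reached an upstream server."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Native format, one transaction per line:
# time.ms elapsed client TAG/status bytes method URL ident HIER/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

@dataclass
class Entry:
    when: datetime
    client: str
    tag: str      # TCP_MISS, TCP_HIT, TAG_NONE (reply generated by Squid itself)
    status: int   # HTTP status Squid sent to the client
    method: str
    url: str
    hier: str     # HIER_NONE = no upstream contacted; HIER_DIRECT = origin server
    peer: str     # upstream address, or '-' when there was none

    @property
    def reached_upstream(self) -> bool:
        return self.hier != "HIER_NONE"

def parse(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a native Squid log line: {line!r}")
    return Entry(
        when=datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        client=m["client"], tag=m["tag"], status=int(m["status"]),
        method=m["method"], url=m["url"], hier=m["hier"], peer=m["peer"],
    )

def diagnose(e: Entry) -> str:
    """Coarse triage: refused by Squid, or failed on the Squid -> Internet leg?"""
    if e.status < 400:
        return "ok"
    if not e.reached_upstream:
        return "answered by squid itself: check http_access rules and the request"
    return "upstream leg failed: check routing and firewall on squid's public side"

# The line posted in the thread, plus a constructed line for comparison.
THREAD_LINE = ("1586873819.383      0 192.168.226.241 TAG_NONE/409 4108 CONNECT "
               "www.nginx.com:443 - HIER_NONE/- text/html")
CONSTRUCTED_LINE = ("1586873900.120   3021 192.168.226.241 TCP_MISS/503 4321 GET "
                    "http://example.com/ - HIER_DIRECT/203.0.113.10 text/html")
```

Run `diagnose(parse(line))` over each access.log line to separate requests Squid rejected on its own from requests where the outbound leg failed, which is the distinction the thread ends up needing.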

Re: Setting up proxy with private to public

Antony Stone
Sorry, replying to the list this time - for some reason my previous reply went
to your private address.


On Wednesday 15 April 2020 at 15:08:36, Chris Bidwell - NOAA Federal wrote:

> So after looking further.  It looks like when I'm trying to wget from my
> squid server, which has the two nics (internal and public), it's trying to
> send it through the internal connection.  It doesn't seem to want to route
> through the external nic.

Okay, so not currently a Squid problem, then.

What does "route -n" tell you, and what do you think your default gateway
address to the Internet should be (ie: what's the address of the router which
you think Squid should be using from its external interface to get to the
Internet)?


Antony.

--
Python is executable pseudocode.
Perl is executable line noise.

                                                   Please reply to the list;
                                                         please don't CC me.