Bsd on mwclabshttps://mwclabs.net/tags/bsd/Recent content in Bsd on mwclabsHugoen<a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a>Fri, 17 Apr 2009 11:05:20 -0300Transparent proxy using Squid and PF on OpenBSDhttps://mwclabs.net/posts/2009/04/transparent-proxy-using-squid-and-pf-on-openbsd/Fri, 17 Apr 2009 11:05:20 -0300https://mwclabs.net/posts/2009/04/transparent-proxy-using-squid-and-pf-on-openbsd/<p>How to install and configure <a href="http://www.squid-cache.org/">Squid</a> on transparent mode and the necessary (<a href="http://www.openbsd.org/faq/pf/">PF</a>) rules.</p> <p><strong>1. Install</strong></p> <p>You can using the pre-compiled packages (pkg_add) or from the source using <a href="http://www.openbsd.org/ports.html">Ports</a>.</p> <p><strong>Via Package Manager (pkg_add)</strong></p> <p>Set the repository mirror:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>export PKG_PATH<span style="color:#f92672">=</span>ftp://ftp.das.ufsc.br/pub/OpenBSD/4.4/packages/i386/ </span></span></code></pre></div><p>Install the package:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pkg_add -i -v squid </span></span></code></pre></div><p>Selected version was: <strong>squid-2.7.STABLE3-ldap</strong>.</p> <p><strong>Via Ports</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd /usr/ports/www/squid </span></span><span style="display:flex;"><span>env FLAVOR<span style="color:#f92672">=</span>transparent make install </span></span></code></pre></div><p><strong>2. Configuration</strong></p> <p><strong>2.1. Squid</strong></p> <p>To make squid start on boot, edit the file <strong>/etc/rc.local</strong> and append the following files after <code># Add your local startup actions here</code>:</p> <pre tabindex="0"><code># Squid /usr/local/sbin/squid </code></pre><p>Now, edit the Squid configuration file <code>/etc/squid/squid.conf</code>, you can use a configuration like the following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-squid" data-lang="squid"><span style="display:flex;"><span><span style="color:#66d9ef">http_port</span> <span style="color:#ae81ff">3128</span> transparent </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">visible_hostname</span> neatproxy.myorg.corp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>error_directory /usr/local/share/squid/errors/Portuguese </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Logs</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">cache_access_log</span> /var/log/squid/access.log </span></span><span style="display:flex;"><span><span style="color:#66d9ef">cache_log</span> /var/log/squid/cache.log </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SVN</span> </span></span><span style="display:flex;"><span>extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ACLs</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> <span style="color:#66d9ef">all</span> <span style="color:#66d9ef">src</span> <span style="color:#ae81ff">0.0.0.0/0.0.0.0</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> localnet <span style="color:#66d9ef">src</span> <span style="color:#ae81ff">192.168.1.0/24</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> SSL_Ports <span style="color:#66d9ef">port</span> <span style="color:#ae81ff">443</span> <span style="color:#ae81ff">563</span> <span style="color:#ae81ff">2096</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> Safe_ports <span style="color:#66d9ef">port</span> <span style="color:#ae81ff">80</span> <span style="color:#ae81ff">21</span> <span style="color:#ae81ff">443</span> <span style="color:#ae81ff">563</span> <span style="color:#ae81ff">70</span> <span style="color:#ae81ff">210</span> <span style="color:#ae81ff">1025-65535</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> Safe_ports <span style="color:#66d9ef">port</span> <span style="color:#ae81ff">280</span> <span style="color:#75715e"># http-mgmt</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> Safe_ports <span style="color:#66d9ef">port</span> <span style="color:#ae81ff">488</span> <span style="color:#75715e"># gss-http</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> Safe_ports <span style="color:#66d9ef">port</span> <span style="color:#ae81ff">591</span> <span style="color:#75715e"># filemaker</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> Safe_ports <span style="color:#66d9ef">port</span> <span style="color:#ae81ff">777</span> <span style="color:#75715e"># multiling http</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> CONNECT <span style="color:#66d9ef">method</span> CONNECT </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Full access users</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> vips arp &#34;/etc/squid/users.vips&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># BlackList</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">acl</span> blacklist <span style="color:#66d9ef">dstdomain</span> &#34;/etc/squid/domains.blacklist&#34; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Allow and deny rules</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http_access</span> <span style="color:#66d9ef">deny</span> !Safe_ports </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http_access</span> <span style="color:#66d9ef">deny</span> CONNECT !SSL_ports </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http_access</span> <span style="color:#66d9ef">allow</span> vips </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http_access</span> <span style="color:#66d9ef">deny</span> blacklist </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http_access</span> <span style="color:#66d9ef">allow</span> localnet </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http_access</span> <span style="color:#66d9ef">deny</span> <span style="color:#66d9ef">all</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">##</span> </span></span></code></pre></div><p><em>Create the <code>/etc/squid/users.vips</code> e <code>/etc/squid/domains.blacklist</code> if used.</em></p> <p>Run Squid with the <code>-z</code> flag in order to init swap directories:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/usr/local/sbin/squid -z </span></span></code></pre></div><p>Start the Squid service:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/usr/local/sbin/squid </span></span></code></pre></div><p>After configuration changes, run the following command to reload rules:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>/usr/local/sbin/squid -k reconfigure </span></span></code></pre></div><p><strong>2.2. PF</strong></p> <p>Edit PF configuration file <code>/etc/pf.conf</code> and use/adapt the following rules:</p> <pre tabindex="0"><code class="language-pf" data-lang="pf">rdr on $int_if inet proto tcp from any to any port www -&gt; 127.0.0.1 port 3128 pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 pass out on $ext_if inet proto tcp from any to any port www </code></pre><p>Permissions for Squid to access <code>/dev/pf</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>chgrp _squid /dev/pf </span></span><span style="display:flex;"><span>chmod g+rw /dev/pf </span></span></code></pre></div><hr> <p><em>Reference:</em></p> <ul> <li><a href="http://www.openbsd-br.org/index.php?q=node/15">http://www.openbsd-br.org/index.php?q=node/15</a></li> </ul>