squidproxy

This repository contains squid proxy patch to make it work with the decryption broker feature. This repo also has a brief documentation about how to make squid proxy work with decryption broker feature in order to send traffic to an ICAP server for inspection.

Squid Proxy patch to run tproxy preserve the 5 tuple of client traffic

By default squid proxy changes the source port number of the client traffic while handling connections in tproxy mode. This patch will make squid to not change the source port number so that uses the same five tuple as incoming connection and it can work with the decryption broker feature of Palo Alto Networks Firewalls. This readme also has pointers to configure squid proxy as ICAP client and talk to to a DLP for content scanning. (in this case clamav via c-icap and squidclamav plugin for c-icap).

More information about how to configure Decryption Broker Feature can be found here at https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-broker

Installation of required packages:

There are two packages required for installing squid with tproxy patch:

Build tools like gcc compiler and make etc.

libcap devel rpm

Here is how to install these on centos and ubuntu:

CentOS:

yum groupinstall "Development Tools"

yum install libcap-devel

Ubuntu:

sudo apt-get update

sudo apt-get install build-essential

sudo apt-get install libcap-dev

Downloading the source code and applying the patch:

The patch should work with squid version 4.1 to 4.9

curl -o squid-4.1.tar.gz http://www.squid-cache.org/Versions/v4/squid-4.1.tar.gz

tar xzvf squid-4.1.tar.gz

cd squid-4.1

patch -p1 < ~/squid.patch

Compilation:

Configure with a prefix for installation folder and check for warnings in config.log to make sure tproxy feature has no warning:

./configure --prefix=/opt/squid/ --enable-linux-tproxy --enable-linux-netfilter

grep WARNING config.log

#Check that there are no warnings for tproxy

make -j12

make install

cd /opt/squid/

#By default squid uses "nobody" linux user for running

chown -R nobody:nobody var

Configuration:

Please follow this guide for more details:

https://wiki.squid-cache.org/Features/Tproxy4

Here is a script which can be run at the bootup time to configure the tproxy settings: (Note: Some of these settings can be added to linux config files to make them permanent)

Routing for outgoing traffic

#this can go to /etc/rc.local

ip -f inet rule del fwmark 1 lookup 100

ip -f inet route del local default dev lo table 100

ip -f inet rule add fwmark 1 lookup 100

ip -f inet route add local default dev lo table 100

#this can go to /etc/sysctl.conf

sysctl -w net.ipv4.ip_forward=1

sysctl -w net.ipv4.conf.default.rp_filter=0

sysctl -w net.ipv4.conf.all.rp_filter=0

IPTABLE rules

iptables -t mangle -N DIVERT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1

iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

iptables -I INPUT -j ACCEPT

Selinux setting

#This can be made persistent with setsebool -P boolean-name

setsebool squid_connect_any=1

setsebool squid_use_tproxy=1

Squid settings in squid.conf:

ACL:

Add all the client subnets in the acl so that squid can accept the connections from those subnets.

cd /opt/squid/etc

vi squid.conf

add client subnets to the acl localnet. Config format is acl src <ip range/subnet>

TPROXY Port:

Add the port 3129 for tproxy:

http_port w.x.y.z:3129 tproxy # Where w.x.y.z is the broker chain first ip and assigned on squid proxy machine

ICAP setting:

Here is a sample configuration which works with c-icap and clamav DLP. Please check following url for more configuration options https://wiki.squid-cache.org/Features/ICAP

For clamav please check following link (its easier to install on Ubuntu)

http://squidclamav.darold.net/documentation.html#documentation

icap_enable on

adaptation_send_client_ip on

icap_client_username_header X-Authenticated-User

icap_service service_req reqmod_precache bypass=1 icap://192.168.101.1:1344/squidclamav

adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=1 icap://192.168.101.1:1344/squidclamav

adaptation_access service_resp allow all

Routing configuration:

There should be 4 interfaces on the squid proxy machine:

  • Management interface

  • Interface to connect to Icap server

  • Broker chain IN interface

  • Broker chain OUT interface

Routes:

The default route of the squid machine should point to the Broker out interface on the machine so that all the client traffic going to internet is sent back to firewall.

There need to be a route for connecting to management interface from local clients for ssh

A route need to be present for the DLP Icap server, so that squid can connect to ICAP server

Starting squidproxy

squid can be configured as service, here is how to run squid manually

To run in foreground:

sudo /usr/local/squid/sbin/squid -N

To run in background:

sudo /usr/local/squid/sbin/squid

Stopping squidproxy:

sudo /usr/local/squid/sbin/squid -k shutdown

once started logs can be seen in /opt/squid/var/log/

Other notes:

IP in the subnet 100.64.0.0/10 may not work with tproxy

It is recommended to disable the Ubnutu/Centos advanced firewall service delete all iptable rules then configure squid iptable rules with an allow all in INPUT table. Once tproxy is working then add IP table rules manually to avoid any conflicts.

If it comes to debugging tproxy then following kernel logs may be enabled and seen via dmesg (Reference: https://www.kernel.org/doc/html/v4.19/admin-guide/dynamic-debug-howto.html) This option requires kernel to be compiled with dynamic debugging enabled.

sudo su

cd /sys/kernel/debug

grep tproxy dynamic-debug/control

for each file listed execute following command:

echo 'filepath/filename:line-number +p' > dynamic-debug/control

for e.g.

echo 'net/netfilter/xt_TPROXY.c:186 +p' > dynamic-debug/control

send some traffic and check debugs with command "sudo dmesg"

/ Feel free to provide me feedback to improve this documentation via opening an issue. /

Developer Sites

Social


Copyright © 2021 Palo Alto Networks, Inc. All rights reserved.