HTTP Transparent Proxy using a Cisco ASA firewall and a Squid proxy server Part Two

Part 2 - Squid Configuration

On your Ubuntu Linux servers, add the WCCP configuration. The ASA firewall sends the redirected traffic in an encapsulated GRE tunnel but sends the return traffic directly to the requesting computer or device without encapsulation. The Squid configuration file is located in /etc/squid3/squid.conf. It is a text file so you can edit it using a text editor such as nano or the rather more medieval vi)

So, on the first server, fire up your favourite Linux text editor and add the WCCP configuration. Note that because we are using an ASA firewall the WCCP router ID will be the IP address of the external interface (a.b.c.215)

wccp2_router a.b.c.215

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0 password=strongpassword

wccp_assignment_method hash

Define the local networks

acl localnet src 192.168.1.0/24

acl localnet src 192.168.2.0/24

Tell Squid to process the traffic

http_access allow localnet

http_access allow localhost

http_access allow all

Set up the ports. Squid can function as both a conventional and a transparent proxy at the same time. Since this will aid future diagnostic requirements, use port 3128 as the conventional proxy port and 8800 for the transparent proxy.

http_port 3128

http_port 8800 intercept

In this scenario, all web traffic has to be forwarded to an upstream proxy server

cache_peer proxy.webfiltering.ja.net parent 8080 no-query default

There is little performance benefit in doing so but, for the sake of completeness, add a small local cache.

cache_dir ufs /var/spool/squid3 2048 16 256

Save squid.conf

Now move on to edit /etc/sysctl.conf and ensure the following lines are present. If not, add them and save the file.

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

Next, from the command line, create a logical interface for the GRE encapsulated WCCP traffic that will come from the ASA firewall and bring the interface up.

sudo ip tunnel add wccp0 mode gre remote x.x.x.215 local x.x.x.152 dev eth0

sudo ifconfig wccp0 192.168.41.80 netmask 255.255.255.255 up

Since we will be redirecting traffic to the transparent proxy port on 8800, add an iptables entry and save it so that you can load it on server start-up

sudo iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to-destination x.x.x152:8800

sudo iptables-save

sudo iptables-save > /etc/iptables/rules.v4

Experience has found that adding the iptables-persistent package is the best way of ensuring that your iptables rules survive a reboot. If you have not done so then run the following command.

sudo apt-get install iptables-persistent

Now you can reboot your server and perform the same configuration steps on the other Squid server.

Once that is done, check the ASA firewall and you should see both Squid servers listed when you run the following command.

sh wccp

In the scenario, there was a block on HTTP traffic from both source networks. This can now be removed as a drop rule would take precedence over redirection. You should now be able to test the solution.