[Tutorial] How to Route / Load balance squid proxy's traffic.
Posted by Amr on February 23, 2023, 01:40:12 pm
Use Cases:
You want to route Proxy traffic through a different gateway other than the system’s default.
You want to route proxy traffic through a VPN tunnel.
You want to load balance the proxy traffic.
Requirements:
A working transparent intercepting proxy. [1]
Virtualization environment or a bare-metal server depending on your use case.
Knowledge about how gateways work (single or group).
Knowledge about certificate authorities and how to issue a certificate for a server. [2]
Allow default gateway switching (System: Settings: General).
Approach summarized:
The idea behind this guide is simple: if your proxy sits on the LAN subnet with its own IP address, you can easily add a firewall rule for that IP to route it through whatever gateway you like.
1. Install and configure a separate proxy box.
2. Configure your working squid instance to use the proxy from step 1 as the parent proxy.
3. Use firewall rules to route the proxy traffic through whatever gateway you like.
Alternative approaches:
Although you could probably get one of the following approaches working, I on the other hand decided not to, because in most cases it was cumbersome and meant I had to maintain it; I wanted something I was familiar with and trustworthy, like OPNsense, to do the heavy lifting.
Also note that this guide is for a transparent proxy; if you configure your clients' browsers to point to the proxy, you can eliminate the second step and your setup will be less complex.
Anyway, here are a couple of approaches I thought about but never got to try:
Use squid's tcp_outgoing_address configuration directive and dump the conf file in /usr/local/etc/squid/pre-auth: this is the only exception among these alternatives that I got 'working' for two of the above-mentioned use cases (using a gateway other than the system's default, like a VPN), and it survives updates. I also tried to set an IP alias (Virtual IP) as the outgoing address; squid itself worked, but when I tried to load balance that IP it failed. Long story short, if you just want to route traffic through a single gateway this method works.
Install a modified FreeBSD system that supports tproxy and configure squid to use tproxy. [3]
Install privproxy alongside squid and let it handle original destination IP spoofing. [4]
Setup:
For this guide I’ll use a domain named example.com.
LAN subnet: 192.168.1.0/24
LAN gateway (OPNsense): 192.168.1.1 (fw.example.com)
Proxy box: 192.168.1.10 (proxy.example.com)
Detailed Steps:
Install and configure a separate proxy box:
Install another instance of OPNsense either virtualized or bare-metal.
Configure the interface as LAN and assign it a static IP [192.168.1.10], but don't enable DHCP on the interface (a second DHCP server on the same LAN would conflict with the one on the firewall).
Make sure you use your main LAN gateway (192.168.1.1) as the new system's gateway (System: Gateways: Single).
Configure the system's name, domain, DNS and time zone (System: Settings: General).
[Optional] Disable the Unbound DNS service and use your main instance's DNS.
Import your CA (System: Trust: Authorities) and make a server certificate for proxy.example.com.
Use your newly created certificate as the system's SSL cert (System: Settings: Administration).
Add a firewall rule on the LAN interface allowing LAN net access to the squid ports (3128 & 3129).
Configure NTP (Services: Network Time: General).
Proxy Config:
Choose LAN as the proxy interface (Services: Web Proxy: Administration: General forward settings).
[Optional] Enable transparent proxy, SSL inspection and caching.
Add the child proxy (192.168.1.1) to the Unrestricted IP addresses list (Services: Web Proxy: Administration: Access Control List).
Enable the proxy.
Hit apply.
Reboot the system.
Configure your working squid instance to use the proxy in step 1 as the Parent proxy:
Go to (Services: Web Proxy: Administration: General Proxy Settings: Parent Proxy).
In Host type [proxy.example.com], port 3128, and don't enable authentication.
Check Enable Parent Proxy and hit apply.
Use firewall rules to route the proxy traffic through whatever you like:
On [fw.example.com] go to (Firewall: Rules: LAN).
Add a firewall rule to route any traffic from [192.168.1.10/32] through whatever gateway you like.
Hit apply.
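Once the three steps are in place, one check worth running on fw.example.com is whether the child proxy really hands every request to the parent: any HIER_DIRECT entry in the child's access log is a request that left through the firewall's own default route and never touched the policy rule for 192.168.1.10. The script below is an added example, not code from the post or from OPNsense; it assumes squid's default native access-log format (ninth field is hierarchy-code/peer) and the guide's addresses, and the sample log lines in it are constructed.

```python
"""Check a squid access.log (native format) to confirm that the child proxy on
fw.example.com hands every request to the parent on the proxy box.

Added example for this guide, not from the original post or OPNsense. Assumes
squid's default native log format (ninth field is <hierarchy-code>/<peer>)
and the guide's parent address 192.168.1.10. Sample lines are constructed."""
from collections import Counter

PARENT_PROXY = "192.168.1.10"
# Constructed sample of /var/log/squid/access.log on the child (not a real capture).
SAMPLE_LOG = """\
1677000001.123    210 192.168.1.50 TCP_MISS/200 5320 GET http://example.org/ - FIRSTUP_PARENT/192.168.1.10 text/html
1677000002.456     35 192.168.1.50 TCP_MEM_HIT/200 1180 GET http://example.org/logo.png - HIER_NONE/- image/png
1677000003.789    512 192.168.1.51 TCP_TUNNEL/200 80412 CONNECT example.net:443 - FIRSTUP_PARENT/192.168.1.10 -
1677000004.012    301 192.168.1.52 TCP_MISS/200 9011 GET http://example.com/api - HIER_DIRECT/203.0.113.7 application/json
1677000005.345    120 192.168.1.50 TCP_MISS/503 0 GET http://example.org/x - FIRSTUP_PARENT/192.168.1.10 text/html
"""


def hierarchy(line):
    """Return (hierarchy_code, peer) for one line, or None if it lacks the ten fields."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, peer = parts[8].partition("/")
    return code, peer


def audit(log_text, parent=PARENT_PROXY):
    """Classify each request: 'parent' (sent to the configured parent, incl.
    TIMEOUT_* variants), 'local' (served from the child's cache, no upstream
    contact) or 'bypass' (HIER_DIRECT or another peer: it left through the
    firewall itself and never hit the policy route for 192.168.1.10)."""
    counts, bypass = Counter(), []
    for line in log_text.splitlines():
        info = hierarchy(line)
        if info is None:
            continue
        code, peer = info
        if code.endswith("_PARENT") and peer == parent:
            counts["parent"] += 1
        elif code == "HIER_NONE":
            counts["local"] += 1
        else:
            parts = line.split()
            counts["bypass"] += 1
            bypass.append((parts[2], parts[6], f"{code}/{peer}"))
    return {"counts": dict(counts), "bypass": bypass}
```

On the firewall, feed it the real log with audit(open("/var/log/squid/access.log").read()); every tuple in the returned bypass list is a client/URL pair that did not go through the routed proxy box.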
Notes:
ACLs work at the child proxy (that's the proxy on your firewall machine).
You could turn off caching on the parent proxy or on the child, depending on your use case, or keep both; suit yourself. [5]
You can also turn off interception on the parent proxy (if you don't want it to cache traffic); it'll be intercepted on the child anyway.
Ideally, make sure both systems are running the same version.
If you get an SSL handshake error when talking to the parent, make sure both systems have the same CA and a proper server certificate configured that matches the DNS name.
Feel free to correct any mistake or add to the guide.
References:
[1] https://docs.opnsense.org/manual/how-tos/proxytransparent.html
[2] https://docs.opnsense.org/manual/certificates.html
[3] https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
[4] https://dominikrys.com/posts/transparently-proxy-spoofed-ip/
[5] http://www.squid-cache.org/Doc/config/cache_peer/
Related forum post: https://forum.opnsense.org/index.php?topic=26484.0
Edits:
Added link to a relevant post, plus some formatting.
Last Edit: August 01, 2023, 08:53:18 am by Amr