HTTP Transparent Proxy using a Cisco ASA firewall and a Squid proxy server Part Two
Part 2 - Squid Configuration
On your Ubuntu Linux servers, add the WCCP configuration. The ASA firewall sends the redirected traffic in an encapsulated GRE tunnel but sends the return traffic directly to the requesting computer or device without encapsulation. The Squid configuration file is located in /etc/squid3/squid.conf. It is a text file so you can edit it using a text editor such as nano or the rather more medieval vi)
So, on the first server, fire up your favourite Linux text editor and add the WCCP configuration. Note that because we are using an ASA firewall the WCCP router ID will be the IP address of the external interface (a.b.c.215)
wccp2_router a.b.c.215
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=strongpassword
wccp_assignment_method hash
Define the local networks
acl localnet src 192.168.1.0/24
acl localnet src 192.168.2.0/24
Tell Squid to process the traffic
http_access allow localnet
http_access allow localhost
http_access allow all
Set up the ports. Squid can function as both a conventional and a transparent proxy at the same time. Since this will aid future diagnostic requirements, use port 3128 as the conventional proxy port and 8800 for the transparent proxy.
http_port 3128
http_port 8800 intercept
In this scenario, all web traffic has to be forwarded to an upstream proxy server
cache_peer proxy.webfiltering.ja.net parent 8080 no-query default
There is little performance benefit in doing so but, for the sake of completeness, add a small local cache.
cache_dir ufs /var/spool/squid3 2048 16 256
Save squid.conf
Now move on to edit /etc/sysctl.conf and ensure the following lines are present. If not, add them and save the file.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Next, from the command line, create a logical interface for the GRE encapsulated WCCP traffic that will come from the ASA firewall and bring the interface up.
sudo ip tunnel add wccp0 mode gre remote x.x.x.215 local x.x.x.152 dev eth0
sudo ifconfig wccp0 192.168.41.80 netmask 255.255.255.255 up
Since we will be redirecting traffic to the transparent proxy port on 8800, add an iptables entry and save it so that you can load it on server start-up
sudo iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to-destination x.x.x152:8800
sudo iptables-save
sudo iptables-save > /etc/iptables/rules.v4
Experience has found that adding the iptables-persistent package is the best way of ensuring that your iptables rules survive a reboot. If you have not done so then run the following command.
sudo apt-get install iptables-persistent
Now you can reboot your server and perform the same configuration steps on the other Squid server.
Once that is done, check the ASA firewall and you should see both Squid servers listed when you run the following command.
sh wccp
In the scenario, there was a block on HTTP traffic from both source networks. This can now be removed as a drop rule would take precedence over redirection. You should now be able to test the solution.