Transparent Proxy HTTPS & HTTP Squid Ubuntu 16.04 With Mikrotik

Transparent Proxy HTTPS Ubuntu ~ Before getting to the main topic, let us first understand what a proxy is. A proxy is a server service that forwards every user request to servers on the internet; a proxy can be used for filtering, connection sharing and caching.

A transparent proxy, on the other hand, is a proxy server configuration in which the client side needs no browser settings in order to use the proxy server. With an ordinary proxy server, the proxy's IP address has to be configured in the client's browser, but with a transparent proxy there is no client-side setup at all.

Now to the main topic. Here I will give a tutorial on configuring a transparent HTTP and HTTPS proxy with Squid on Ubuntu 16.04, with a MikroTik router doing the forwarding. To make it clearer, let us look at the topology below:
When a user accesses a website with a browser, the data flow from the MikroTik is first directed to the proxy server, then returned to the MikroTik, and only then sent on to the web server, i.e. the internet.

Topology details
MikroTik
Eth 1 = 10.120.30.36 (Internet)
Eth 2 = 192.168.2.1 (to the proxy server)
Eth 3 = 192.168.1.1 (to the clients)

Server
IP address = 192.168.2.2
OS = Ubuntu 16.04
Squid version = 3.5.28

How to Set Up a Transparent Squid Proxy on Ubuntu

Here I assume you have already installed Ubuntu Server 16.04 successfully. The first step is to install the packages that will be needed when configuring Squid:
apt-get install -y sysv-rc-conf devscripts build-essential openssl libssl-dev fakeroot libcppunit-dev libsasl2-dev cdbs ccze libfile-readbackwards-perl libcap2 libcap-dev libcap2-dev
Then download Squid version 3.5.28:
cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.28.tar.gz
tar zxvf squid-3.5.28.tar.gz
cd squid-3.5.28
Compile Squid (copy everything, don't skip any line):
./configure \
--prefix=/usr \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--libexecdir=/usr/lib/squid \
--sysconfdir=/etc/squid \
--localstatedir=/var \
--libdir=/usr/lib \
--includedir=/usr/include \
--datadir=/usr/share/squid \
--infodir=/usr/share/info \
--mandir=/usr/share/man \
--disable-dependency-tracking \
--disable-strict-error-checking \
--enable-async-io=32 \
--with-aufs-threads=32 \
--with-pthreads \
--enable-storeio=ufs,aufs,diskd \
--enable-removal-policies=lru,heap \
--with-aio \
--with-dl \
--enable-icmp \
--enable-esi \
--enable-icap-client \
--disable-wccp \
--disable-wccpv2 \
--enable-kill-parent-hack \
--enable-cache-digests \
--disable-select \
--enable-http-violations \
--enable-linux-netfilter \
--enable-follow-x-forwarded-for \
--disable-ident-lookups \
--enable-x-accelerator-vary \
--enable-zph-qos \
--with-default-user=proxy \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid \
--with-swapdir=/var/spool/squid \
--with-large-files \
--with-openssl \
--enable-ltdl-convenience \
--with-filedescriptors=65536 \
--enable-ssl \
--enable-ssl-crtd \
--disable-auth

make && make install && make install-pinger
Then configure the squid.conf file, or simply replace it with the one below; the file is located at /etc/squid/squid.conf:

# WELCOME TO SQUID 3.5.28
# ----------------------------
#
#

# Rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines


# Safe ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 980 # httpd-admin (server-manager)
acl CONNECT method CONNECT


# Allow access from localhost
http_access allow localhost

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# Skip URL rewriter for local addresses
#
acl self_port port 80
acl self_port port 443
url_rewrite_access deny localnet self_port


# No authentication on green and trusted networks
http_access allow localnet


# And finally deny all other access to this proxy
http_access deny all

cache_mem 256 MB

# Enable disk cache
minimum_object_size 0 KB
maximum_object_size 70 MB
cache_dir aufs /var/spool/squid 100 16 256


# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Always enable manual proxy
http_port 3128

# Enable transparent proxy
# http_port 3129 transparent
http_port 3129 tproxy

# Enable SSL transparent proxy
https_port 3127 tproxy ssl-bump generate-host-certificates=off cert=/etc/squid/ssl_cert/myCA.pem sslflags=NO_DEFAULT_CA options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB


acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL


# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3


# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice all


# peek at TLS/SSL connect data
# splice: no active bumping



#
# 90options
#
forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 0

# Http HIT
qos_flows tos local-hit=0x30

# END
Then create a Squid service on Linux (because we downloaded Squid manually instead of using apt-get, the service has to be created manually):
touch /etc/init.d/squid
nano /etc/init.d/squid
chmod +x /etc/init.d/squid
update-rc.d squid defaults
Contents of /etc/init.d/squid:

#! /bin/sh
#
# squid32012                Startup script for the SQUID HTTP proxy-cache.
#
# Version:      @(#)squid3.rc  1.0  07-Jul-2006  luigi@debian.org
#
### BEGIN INIT INFO
# Provides:          Squid 3.Head
# File-Location:     /etc/init.d/squid
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Squid HTTP/HTTPS
### END INIT INFO

NAME=squid
DESC="PROXY HTTP AND HTTPS"
DAEMON=/usr/sbin/squid
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
# RAMFS=/scripts/ramcache

[ ! -f /etc/default/squid ] || . /etc/default/squid

. /lib/lsb/init-functions

PATH=/bin:/usr/bin:/sbin:/usr/sbin

[ -x $DAEMON ] || exit 0

ulimit -n 65535

find_cache_dir () {
        w="     " # space tab
        res=`sed -ne '
                s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
                t end;
                d;
                :end q' < $CONFIG`
        [ -n "$res" ] || res=$2
        echo "$res"
}

find_cache_type () {
        w="     " # space tab
        res=`sed -ne '
                s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
                t end;
                d;
                :end q' < $CONFIG`
        [ -n "$res" ] || res=$2
        echo "$res"
}

start () {
#        $RAMFS clean
#        $RAMFS mount
#        $RAMFS restore

        cache_dir=`find_cache_dir cache_dir /cache`
        cache_type=`find_cache_type cache_dir ufs`

        #
        # Create spool dirs if they don't exist.
        #
        if [ "$cache_type" = "coss" -a -d "$cache_dir" -a ! -f "$cache_dir/stripe" ] || [ "$cache_type" != "coss" -a -d "$cache_dir" -a ! -d "$cache_dir/00" ]
        then
                log_warning_msg "Creating $DESC cache structure"
                $DAEMON -z
        fi

        umask 027
        ulimit -n 65535

        cd $cache_dir
        start-stop-daemon --quiet --start \
                --pidfile $PIDFILE \
                --exec $DAEMON -- $SQUID_ARGS < /dev/null
        return $?
}

stop () {

        PID=`cat $PIDFILE 2>/dev/null`
        start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
        #
        #       Now we have to wait until squid has _really_ stopped.
        #
        sleep 2
        if test -n "$PID" && kill -0 $PID 2>/dev/null
        then
                log_action_begin_msg " Waiting"
                cnt=0
                while kill -0 $PID 2>/dev/null
                do
                        cnt=`expr $cnt + 1`
                        if [ $cnt -gt 24 ]
                        then
                                log_action_end_msg 1
                                return 1
                        fi
                        sleep 5
                        log_action_cont_msg ""
                done
                log_action_end_msg 0
                return 0
        else
                return 0
        fi
}

case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        if start ; then
                log_end_msg $?
        else
                log_end_msg $?
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"


        if stop ; then
                log_end_msg $?
        else
                log_end_msg $?
        fi
#        $RAMFS dump
#        $RAMFS umount
#        $RAMFS clean

        ;;
    reload|force-reload)
        log_action_msg "Reloading $DESC configuration files"
        start-stop-daemon --stop --signal 1 \
                --pidfile $PIDFILE --quiet --exec $DAEMON
        log_action_end_msg 0
        ;;
    restart)
        log_daemon_msg "Restarting $DESC" "$NAME"
        stop
        if start ; then
                log_end_msg $?
        else
                log_end_msg $?
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart}"
        exit 3
        ;;
esac

exit 0
Next, prepare the log, cache and spool directories that will later be used to record the proxy logs:
mkdir -p /var/log/squid
mkdir -p /var/spool/squid
chown proxy:proxy /var/log/squid
chown proxy:proxy /var/spool/squid
chmod 0777 /var/spool/squid
Next, create a self-signed SSL certificate. If you have an official SSL certificate you can store it in the ssl_cert directory, but if you don't, you can create a self-signed one as below:
mkdir /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der

mkdir -p /var/squid/ssl_db
chown -R nobody /var/squid/ssl_db/
/usr/lib/squid/ssl_crtd -c -s /var/squid/ssl_db/certs
chown -R proxy:proxy /var/squid/ssl_db/
Check the Squid configuration:
squid -k parse
Create the Squid cache:
squid -z
Start the Squid service:
service squid start
Set up the transparent redirect; on the server, type the following commands:
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING ! -d IP-SERVER-SQUID/32 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables -t mangle -A PREROUTING ! -d IP-SERVER-SQUID/32 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127

  • Note:
    • replace IP-SERVER-SQUID with the IP address of your Squid server
    • the iptables rules are lost when the server reboots or shuts down, so the commands from iptables -t mangle -F down to the last line should be put into /etc/rc.local
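As an added example (not part of the original post), the same redirect as an idempotent script that can be called from /etc/rc.local on every boot; it also re-applies the sysctl, ip rule and ip route lines, which are lost on reboot just like the iptables rules. The SQUID_IP variable, the function names and the final sanity check are my additions; the rules themselves are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# TPROXY redirect above, safe to run from /etc/rc.local on every boot.
# SQUID_IP defaults to the proxy address from the topology; override via env.
SQUID_IP="${SQUID_IP:-192.168.2.2}"
HTTP_PORT=3129    # http_port ... tproxy in squid.conf
HTTPS_PORT=3127   # https_port ... tproxy ssl-bump in squid.conf

# Accept only a plain dotted-quad address, so nothing else can be spliced
# into an iptables command line.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Pure helper: print the post's mangle rule set for a given Squid IP,
# one rule per line, without executing anything.
tproxy_rules() {
    cat <<EOF
-t mangle -N DIVERT
-t mangle -A PREROUTING -p tcp -m socket -j DIVERT
-t mangle -A DIVERT -j MARK --set-mark 1
-t mangle -A DIVERT -j ACCEPT
-t mangle -A PREROUTING ! -d $1/32 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $HTTP_PORT
-t mangle -A PREROUTING ! -d $1/32 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $HTTPS_PORT
EOF
}

# Apply everything. The ip rule/route are added only when missing, since
# "ip rule add" creates a duplicate entry on every run; the mangle table is
# flushed and rebuilt exactly as in the post. Needs root.
apply_tproxy() {
    valid_ipv4 "$SQUID_IP" || { echo "bad SQUID_IP: $SQUID_IP" >&2; return 1; }
    sysctl -q -w net.ipv4.conf.lo.rp_filter=0 net.ipv4.ip_forward=1
    ip rule show | grep -q 'fwmark 0x1 lookup 100' || ip rule add fwmark 1 lookup 100
    ip route show table 100 | grep -q '^local default dev lo' \
        || ip route add local 0.0.0.0/0 dev lo table 100
    iptables -t mangle -F && iptables -t mangle -X
    tproxy_rules "$SQUID_IP" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting into arguments is intended
        iptables $rule
    done
    # Sanity check: both TPROXY rules must be present afterwards
    [ "$(iptables -t mangle -S PREROUTING | grep -c TPROXY)" -eq 2 ]
}

if [ "${1:-}" = "apply" ]; then apply_tproxy; fi
```

Save it as e.g. /usr/local/sbin/tproxy-setup.sh and call `/usr/local/sbin/tproxy-setup.sh apply` from /etc/rc.local; running it again by hand later does not add duplicate rules.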

Forwarding Configuration on the MikroTik Router

Make sure your MikroTik router already has internet access. Open a terminal on the MikroTik and enter these commands:
/ip firewall mangle
add action=mark-connection chain=prerouting comment="HTTP + HTTPS TO PROXY" dst-port=80,443 new-connection-mark=to_proxy protocol=tcp src-address=192.168.1.0/24
add action=accept chain=prerouting comment="SKIP MARKING FOR TRAFFIC FROM PROXY SERVER" src-mac-address=70:71:bc:6c:38:10
add action=mark-routing chain=prerouting connection-mark=to_proxy new-routing-mark=tproxy_route passthrough=no
/ip route
add distance=1 gateway=192.168.2.2 routing-mark=tproxy_route
  • Note:
    • 192.168.1.0/24 = client network
    • 70:71:bc:6c:38:10 = MAC address of the Squid server; adjust it to your server's MAC address
    • 192.168.2.2 = IP address of the Squid server
Making the MikroTik bypass Squid cache HIT objects:
/ip firewall mangle
add action=mark-packet chain=forward comment="HIT TRAFFIC FROM PROXY" dscp=12 \
    new-packet-mark=HIT passthrough=no
If you have followed everything from the start correctly, you should now have a working transparent HTTPS proxy on Ubuntu 16.04. Oh, and if you use a self-signed certificate as in this tutorial, don't forget to download the myCA.der certificate from /etc/squid/ssl_cert and import it into the browser you use to test the transparent proxy. If the configuration is correct, your browsing should be recorded in the Squid log file. That is all for this tutorial on a transparent HTTPS proxy on Ubuntu with MikroTik, see you.
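As an added example (not from the original post), a small shell function that reads Squid's access.log and checks the claim above: requests are being logged with the real client addresses, HTTPS shows up as spliced CONNECT tunnels, and cache HITs (the requests squid.conf tags with TOS 0x30 and the MikroTik HIT rule matches as dscp=12) are counted. The embedded log lines are constructed; SAMPLE_LOG, LOG and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Squid's native
# access.log to confirm the transparent proxy works. HIT vs MISS shows
# caching (HITs are what squid.conf tags with TOS 0x30 and the MikroTik rule
# matches as dscp=12); TCP_TUNNEL with CONNECT is HTTPS being spliced.
LOG="${LOG:-/var/log/squid/access.log}"

# Constructed sample lines in Squid's default native log format:
# time elapsed client code/status bytes method url ident hierarchy type
SAMPLE_LOG='1525000000.123    120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1525000001.456     15 192.168.1.10 TCP_HIT/200 5120 GET http://example.com/index.html - HIER_NONE/- text/html
1525000002.789   3000 192.168.1.11 TCP_TUNNEL/200 8192 CONNECT example.org:443 - ORIGINAL_DST/93.184.216.34 -
1525000003.000   2500 192.168.1.12 TCP_TUNNEL/200 4096 CONNECT example.net:443 - ORIGINAL_DST/93.184.216.35 -
1525000004.111    900 192.168.1.11 TCP_MISS/404 512 GET http://example.com/missing - HIER_DIRECT/93.184.216.34 text/html'

# Reads log lines from stdin and prints: hits misses tunnels clients hit_pct
# "clients" counts distinct client addresses: with TPROXY Squid must log the
# real client IPs (192.168.1.x), not the router's, so expect more than one.
summarize_access_log() {
    awk '
        $4 ~ /^TCP_(MEM_)?HIT/                 { hit++ }
        $4 ~ /^TCP_MISS/                       { miss++ }
        $4 ~ /^TCP_TUNNEL/ && $6 == "CONNECT"  { tunnel++ }
        NF > 0                                 { clients[$3] = 1 }
        END {
            n = 0; for (c in clients) n++
            total = hit + miss
            pct = total ? int(100 * hit / total) : 0
            printf "%d %d %d %d %d\n", hit, miss, tunnel, n, pct
        }'
}

# Runs the summary over the constructed sample (a quick self-check).
summarize_sample() { printf '%s\n' "$SAMPLE_LOG" | summarize_access_log; }

# Invoke with "live" to read the real access.log instead of the sample.
if [ "${1:-}" = "live" ]; then summarize_access_log < "$LOG"; else summarize_sample; fi
```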
