Transparent Squid Proxy with SRX

This post shows a simple destination NAT rule with which you can redirect your clients' HTTP requests to a transparent Squid proxy.

[Topology diagram squid_proxy_srx: hostF 192.6.1.2 in zone HOSTS, Squid server hostG 192.7.1.2 in zone SERVERS, SRX egress address 192.5.1.2 towards zone INTERNET]

In this topology the SRX redirects our client device's HTTP requests to the Squid proxy server, i.e. hostF needs no proxy configuration of its own for its requests to be proxied.

First we create source NAT rules so that both the Squid proxy itself and our clients can reach the Internet.

root@srx> show configuration security nat source 
rule-set SERVERS-INTERNET {
    from zone SERVERS;
    to zone INTERNET;
    rule squid_internet {
        match {
            source-address 192.7.1.2/32;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set HOSTS-INTERNET {
    from zone HOSTS;
    to zone INTERNET;
    rule hosts-net-access {
        match {
            source-address 192.6.1.2/32;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

We need security policies to allow traffic from the HOSTS zone to the SERVERS zone, and from both zones towards the Internet. On the SRX, destination NAT is applied before the policy lookup, so a redirected HTTP session from hostF is matched by the HOSTS-to-SERVERS policy (destination hostG), not by a HOSTS-to-INTERNET one. Towards the Internet we allow HOSTS to reach DNS only, so HTTP can leave the HOSTS zone only through the proxy. Note that the HOSTS-to-SERVERS policy below matches application any; a custom application for tcp/8080 would limit hostF to the proxy port alone.

root@srx> show configuration security policies 
from-zone SERVERS to-zone INTERNET {
    policy squid_access {   <<<<<<--------THIS IS TO ALLOW SQUID SERVER TO REACH INTERNET RESOURCES
        match {
            source-address hostG;
            destination-address any;
            application [ junos-http junos-dns-udp junos-dns-tcp junos-ping ];
        }
        then {
            permit;
        }
    }
}
from-zone HOSTS to-zone SERVERS {
    policy allow-hosts-servers {     <<<<<<-------Because HOSTS access SERVERS, we also need a policy here
        match {
            source-address hostF;
            destination-address hostG;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone HOSTS to-zone INTERNET {
    policy allow-hosts-to-internet {   <<<<<<<---------HOSTS also need DNS resolution
        match {
            source-address hostF;
            destination-address any;
            application [ junos-dns-udp junos-dns-tcp ];
        }
        then {
            permit;
        }
    }
}

Now the actual redirection: every request from the HOSTS zone to destination port 80 is destination-NATed to the Squid server on port 8080.

root@srx> show configuration security nat destination 
pool squid_pool {
    address 192.7.1.2/32 port 8080;
}
rule-set from_HOSTS_to_PROXY {
    from zone HOSTS;
    rule forward_to_squid {
        match {
            destination-address 0.0.0.0/0;
            destination-port {
                80;
            }
        }
        then {
            destination-nat {
                pool {
                    squid_pool;
                }
            }
        }
    }
}

In my test I am using Squid 2.7 on Debian with the following config so that it listens on 8080 and allows my HOSTS network.

http_port 8080 transparent
acl hosts_net src 192.6.1.0/24
http_access allow hosts_net

Let's access rtoodtoo.net from hostF.

root@hostF:~# telnet rtoodtoo.net 80
Trying 91.203.212.8...
Connected to rtoodtoo.net.
Escape character is '^]'.
GET /index.html HTTP/1.1
Host: rtoodtoo.net

If we look at the flow session table at the same time, session 1250 shows that the request to port 80 is actually forwarded to 192.7.1.2:8080 (the Squid server):

root@srx> show security flow session destination-port 80 
Session ID: 1250, Policy name: allow-hosts-servers/5, Timeout: 2, Valid
  In: 192.6.1.2/51999 --> 91.203.212.8/80;tcp, If: ge-0/0/0.961, Pkts: 13, Bytes: 732
  Out: 192.7.1.2/8080 --> 192.6.1.2/51999;tcp, If: ge-0/0/0.971, Pkts: 17, Bytes: 14239

Session ID: 1257, Policy name: squid_access/4, Timeout: 2, Valid
  In: 192.7.1.2/40638 --> 91.203.212.8/80;tcp, If: ge-0/0/0.971, Pkts: 10, Bytes: 736
  Out: 91.203.212.8/80 --> 192.5.1.2/24134;tcp, If: ge-0/0/0.952, Pkts: 14, Bytes: 13942

As seen in the output, there are two port-80 sessions for one request. Session 1250 is hostF's own session; its reverse wing comes back from 192.7.1.2/8080, which is the destination NAT at work, and it was matched by the HOSTS-to-SERVERS policy. Session 1257 is the Squid proxy's upstream fetch of the same URL, leaving with the egress address 192.5.1.2 because of the interface source NAT.
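As an added check (example code written for this edit, not part of the original post or of Junos), the following Python parses the `show security flow session` output shown above and verifies the two properties the session table should exhibit: the client's port-80 session was destination-NATed to 192.7.1.2:8080 and matched after NAT by the HOSTS-to-SERVERS policy, and Squid's own upstream session left with the egress address 192.5.1.2. The first sample text inside the block is constructed from the post's two sessions; the "bypass" session with the address 198.51.100.10 is invented to show what an unredirected client session would look like.

```python
"""Added example (not from the original post): audit an SRX flow-session dump to
confirm the transparent-proxy redirect actually happened.

SAMPLE_OUTPUT is constructed from the two sessions the post shows (hostF 192.6.1.2,
Squid 192.7.1.2:8080, SRX egress address 192.5.1.2). BYPASS_OUTPUT is an invented
counter-example: a port-80 session the DNAT rule did not catch.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Session ID: 1250, Policy name: allow-hosts-servers/5, Timeout: 2, Valid
  In: 192.6.1.2/51999 --> 91.203.212.8/80;tcp, If: ge-0/0/0.961, Pkts: 13, Bytes: 732
  Out: 192.7.1.2/8080 --> 192.6.1.2/51999;tcp, If: ge-0/0/0.971, Pkts: 17, Bytes: 14239

Session ID: 1257, Policy name: squid_access/4, Timeout: 2, Valid
  In: 192.7.1.2/40638 --> 91.203.212.8/80;tcp, If: ge-0/0/0.971, Pkts: 10, Bytes: 736
  Out: 91.203.212.8/80 --> 192.5.1.2/24134;tcp, If: ge-0/0/0.952, Pkts: 14, Bytes: 13942
"""

# Constructed: hostF talking to a web server on port 80 directly, source-NATed at the
# SRX egress instead of being sent to Squid. Its reverse wing comes from the real server.
BYPASS_OUTPUT = """\
Session ID: 1301, Policy name: allow-hosts-to-internet/6, Timeout: 2, Valid
  In: 192.6.1.2/52000 --> 198.51.100.10/80;tcp, If: ge-0/0/0.961, Pkts: 5, Bytes: 300
  Out: 198.51.100.10/80 --> 192.5.1.2/24200;tcp, If: ge-0/0/0.952, Pkts: 4, Bytes: 280
"""

HEADER_RE = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+),")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass
class Session:
    sid: int
    policy: str
    wing_in: Optional[Wing] = None   # client-to-server direction, pre-NAT addresses
    wing_out: Optional[Wing] = None  # reverse direction, post-NAT addresses


def parse_sessions(text: str) -> List[Session]:
    """Parse `show security flow session` text into Session records."""
    sessions: List[Session] = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            sessions.append(Session(int(head["sid"]), head["policy"]))
            continue
        wing = WING_RE.match(line)
        if wing and sessions:
            w = Wing(wing["src"], int(wing["sport"]), wing["dst"], int(wing["dport"]), wing["proto"])
            if wing["dir"] == "In":
                sessions[-1].wing_in = w
            else:
                sessions[-1].wing_out = w
    return sessions


def audit_redirect(sessions: List[Session], client_ip: str, proxy_ip: str,
                   proxy_port: int, egress_ip: str) -> Dict[str, list]:
    """Classify the TCP/80 sessions in a flow dump.

    redirected: (sid, policy) of client sessions whose reverse wing is sourced from
                proxy_ip/proxy_port, i.e. the DNAT pool was applied. The policy name is
                returned because the SRX evaluates policy after DNAT, so it should be
                the HOSTS-to-SERVERS policy rather than a HOSTS-to-INTERNET one.
    bypassed:   client port-80 sessions that left without the redirect
    problems:   proxy upstream sessions without source NAT, or incomplete entries
    """
    report: Dict[str, list] = {"redirected": [], "bypassed": [], "problems": []}
    for s in sessions:
        i, o = s.wing_in, s.wing_out
        if i is None or o is None:
            report["problems"].append(f"session {s.sid}: missing In/Out wing")
            continue
        if i.proto != "tcp" or i.dport != 80:
            continue
        if i.src == client_ip:
            to_proxy = (o.src, o.sport) == (proxy_ip, proxy_port)
            back_to_client = (o.dst, o.dport) == (i.src, i.sport)
            if to_proxy and back_to_client:
                report["redirected"].append((s.sid, s.policy))
            else:
                report["bypassed"].append(s.sid)
        elif i.src == proxy_ip:
            # Squid's own fetch must leave with the egress address, not its private one.
            if o.dst != egress_ip:
                report["problems"].append(f"session {s.sid}: proxy upstream not source-NATed")
    return report


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_OUTPUT), ("with bypass", SAMPLE_OUTPUT + BYPASS_OUTPUT)):
        print(label, audit_redirect(parse_sessions(text), "192.6.1.2", "192.7.1.2", 8080, "192.5.1.2"))
```

On a live box, feed it the output of `show security flow session destination-port 80 | no-more`; any session ID under bypassed means a port-80 flow from the client left the SRX without passing through Squid, and a problems entry for the proxy's session means Squid's private address is leaking to the Internet side.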

If we check the Squid access log, we can also see the request:

/var/log/squid/access.log

1403020555.532    484 192.6.1.2 TCP_MISS/404 13347 GET https://rtodto.net/index.html - DIRECT/91.203.212.8 text/html

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


3 thoughts on “Transparent Squid Proxy with SRX”

  1. Hi, thanks for your post, but I have a question: why does it not work on my topology? I have the same configuration but Squid rejects my connections with a NONE/400 Invalid URL error. The NAT forwarding of HTTP traffic works, but my Squid doesn't permit redirecting packets to the Internet. Appreciate your help. Regards

  2. That looks like a Squid config issue, Jorge. Not sure why you are getting that. I used Squid 2.7 in my tests. Better to double-check the config.

  3. Hi! Starting in version 3.1, Squid handles the packets differently than before. Now destination NAT is only accepted on the Squid box itself. However, use routing to get the original source and destination traffic at the Squid box.
