Using Squid as the internal http proxy


I moved to a new building. In the old building I used to have a few Linux machines and virtual machines connected to internet directly. Now we are on a temporary network, all our machines and VMs are behind a firewall. To connect a machine to internet, I have to open the browser from that machine and load the login page, enter my username and password. This is fine with desktop PC’s.

The problem is my Linux machines and VMs don’t have graphical interface, and because that login page use Javascript to post-process login form before submitting, I can not use text-base browsers such as lynx or w3m. So I can not connect these machines and VM’s to internet.

To launch brower in a GUI on them I need to install X server and Firefox, but then again I need internet access to run apt to get and install any packages. Chicken and eggs.

I can inspect the Javascript on the login page and write a Python program the do the same processing then submit the form with curl, but that take too much time and the script will be useless when we have permanet network.

Squid to the rescue!

On my internet connected Linux desktop (which has ip: 10.16.18.25), I install Squid by:

sudo apt install squid
squid3 -v  # verify

Then configure Squid by editing /etc/squid/squid.conf:

Add:

acl lan src 10.16.18.0/24

at the end of TAG: acl block.

Add:

http_access allow lan

at the beginning of TAG: http_access. (before any other http_accesss)

Change:

http_port 3128

To:

http_port 3128 intercept

(Not sure these are all really needed) At TAG: request_header_access block, add:

request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
forwarded_for off

Put in a visible_hostname:

visible_hostname proxy01

We now finished editing squid.conf. Do:

cat /proc/sys/net/ipv4/ip_forward

If it’s 0, do:

sudo su  # as root
echo 1 > /proc/sys/net/ipv4/ip_forward

Then configure local iptables:

ifconfig  # shows my IP and network interface (enp3s0) 
iptables -t nat -A PREROUTING -i enp3s0 -p tcp --dport 80 -j DNAT --to 10.16.18.25:3128

Now Squid configuration is finished. My desktop now acts as an HTTP gateway. Restart Squid:

service squid restart  
# or systemctl restart squid.service  # on Ubuntu >=16.04

On my Linux machine that’s need to be connected to internet, look at /etc/network/interface, if it’s static IP, change it to dhcp, then restart network. This is to make sure it’s at least connected to local network. Do a ifconfig, get its automatically assigned IP, i.e. 10.16.18.158.

Now we change it back to use static IP and our desktop Linux machine as a gateway. Do sudo vi /etc/network/interfaces.

Comment out the dhcp line, add:

iface eth0 inet static
address 10.16.18.158
netmask 255.255.255.0
gateway 10.16.18.25

eth0 is the interface device name, it might be different on other machines, but should be the same as the now commented-out dhcp line.

Do a sudo /etc/init.d/networking restart, now the linux machine should be ‘connected’ to internet. I put quotes around ‘connected’ because technically it only connected with HTTP protocal (on port 80) but no others, I can do lynx, apt etc., but I still can’t ping internet or send email. This is fine with me for now as we are getting permanent networking in a few weeks.