How To Configure A Transparent Proxy Using PFSense

Captions
Hello and welcome to another tech tip by the VMNerd. Our tech topic for today is how to configure a Squid proxy server from the pfSense package repository. The goal is to configure Squid for web and SSL traffic for all clients on the LAN. You'll walk through the following: build a network layout diagram; test proxy detection on a client before proxy installation; configure a basic CA for Squid to utilize; download and install the Squid pfSense package; configure Squid's storage location; configure Squid as a transparent proxy; test proxy detection on a client after proxy installation; tighten security by enabling a firewall rule that allows only LAN-to-LAN traffic and disables everything else; block a couple of sites like msn.com and yahoo.com so you guys can see the error message from the blocked traffic. And as a note, I want to mention that we will not be configuring the ClamAV antivirus, as pfSense still considers it as unstable. And with that, let's get started.

All right, let's go ahead and do what we do best. Let's do a network diagram, so that way you guys can see what the configuration looks like before we get into actually building this proxy configuration. OK, so we do have an Internet section, so we will create one called Internet. OK. And from the Internet connection we have a gateway for our mini network here to communicate with, so we'll create a label there called gateway, and it is linked together. OK. And then from here we have two different things. We have proxy, which is actually a pfSense. OK. And we also have our management machine. OK, this machine is labeled manager, which is the Visio diagrams that we are currently working on. OK, so we'll call him the manager. And we also have a client that is behind our proxy server. OK, and he is labeled client one. OK, let me go ahead and do some connections here. So he connects to the gateway, the manager also connects to the gateway, and he has the capability of going directly to the proxy server, and we have a client to leverage the proxy.

OK, so let me go ahead and zoom in so you guys can see what we are working with here. So we have our Internet connection, we have a gateway which connects us to the Internet, we have the management box, which is where we're doing the drawing in Visio and where we'll be configuring the pfSense proxy server, and then of course we have a client that lives behind the proxy server that we'll be doing demonstrations on. OK.

All right, so let's go ahead and log into our proxy server. OK, so our proxy server is actually "proxy", and it does resolve as proxy. OK, so we'll go ahead and accept. Always wonderful. The username is admin and the password is pfsense. Ultra, ultra secure. Anyways, no, I always recommend you should change those when you get the opportunity, but for what we're doing this is perfectly fine. I will be copying and pasting this name. I will be using it more than once, so I plan to keep from having to type that in, kind of. Control. OK.

So let's go ahead and create our basic CA for Squid to utilize. So we will create one, an internal one of course, and we'll call this one proxy - nay. Nothing fancy, name's simple. From California, blossom you, organization is VMNerd, to save myself go type in side one belly in there. Anyways, Rox. Yeah, you know, all these items here are configurable; feel free to do it however you see fit, but these are the settings that I plan to put in, at least for this video. I'm going to click Save, and now we have our basic certificate authority that the proxy, or the Squid component, will leverage. OK.

So the next thing you want to do is, let's go ahead and test before we install the proxy. Let's just go ahead and test our client. So this is our client workstation, as you can see; the background kind of tells us that. And let's go test to make sure that we don't have any proxy. OK, no proxy, no configurations pre-enabled. So we'll do test proxy server. OK, and I found this proxy tester, and I thought it was useful, and it pretty much spelled it out. So right here it says this request appears to not come from a proxy, and the way you do that is you're just going to be looking for how the headers come through, at least what the web server sees as it's going through the site. OK, as it's going through, it checks, and it's actually looking for these types of things, and that just kind of gives it a clue as to whether it's behind a proxy or not. OK.

So let's go back to our management machine, and let's go to Package Manager, and we will go to the Available Packages. Then let's go ahead and just type in, I guess you can type proxy, that'll work, and we are looking for squid. OK, now there are some other options out there, but for the purposes of this video we're just going to stick this in by itself. OK, this is really all we need for our transparent proxy.

OK. Now, so we configured our CA, so the next thing we're going to do is go to Squid Proxy Server, and we will actually start by configuring the local cache. Now, we don't want to enable this yet, because we'll end up getting an error message, and we can save ourselves the grief of dealing with that. So go ahead and click Local Cache, and let's make just some minor tweaks here. This system has about 20 gigs of space, so for the hard disk cache size we'll do about two gigs. Not a big deal. And the other setting I like to set here is the memory cache, and this really just allows objects to stay in memory. So this machine here has about four gigs, so we'll use two, half of that, just so that way it's available for things that are in and out, just to make things a little bit faster. OK, that's all we really have to set here. Then click Save, and pfSense will do its thing when it's ready.

OK, so let's go ahead and go to General and go ahead and tick the check box that says Enable Squid. But now we need to actually go down and do some configuration. So we go here; we'll go ahead and configure 3128. OK, so we're going to go ahead and enable this as a transparent proxy, so that way we don't need to set up a WPAD server or anything like that. That could be another video later on how to do something like that. It's kind of cool.

We want to go ahead and enable SSL filtering, and a couple options in here, but I prefer the Splice All. And basically what this is saying is that you're going to allow the SSL to come through; you're not going to really filter it. What it's going to do is actually intercept the common names that are actually inside the certificate and determine whether that's a legitimate site or not based on the parameters. OK, and this will prevent SSL errors from coming up for people that actually don't have your CA installed, which most people might not. OK, so we'll go ahead and select LAN. We will have to set the CA to the one we created. I actually like to bump this up a little bit. It helps as the proxy goes through and accepts requests; it just allows it to be able to process many different requests at a time. I don't mess with these just yet, but technically you can. You can accept the cert errors, you can check them, you can adapt. Most of this really is for when you're doing your man-in-the-middle SSL, which in this case here, because we're actually splicing, we're not really doing much with that. So, OK.

Now, we will need some logs. Now, rotate the logs however you see fit, but for this demo we'll just do seven days. And we need a visible hostname. This goes back to why I decided to do a copy and paste. And here I'll do support, hope I can get rid of approximately. You can really put whatever you want, but technically it's kind of nice to have something friendly. And the other thing I like to do here is I like to suppress the Squid version, because if people are getting errors, you might not necessarily want them to know what version you're using. So then click Save. We'll give it a moment to do its thing. OK.

All right, so here's what we're going to do. Now that we have this thing configured, at least at a transparent state, we're going to go to the client. Let's just go ahead and get some sites. OK, and then what we'll do is we'll go back and we'll actually test to make sure that we're going through them. So, OK, so let's start. Let's go to google.com. Actually, I'll just go straight there this way. OK, so if you look right here, technically we are going through it, but I want you guys to see this. We have to go here to Developer Tools. They unfortunately changed this on me. Some of this stuff I like to see here. Security, yeah. I personally like to see these security sections that allow you to view the certificate, and this just shows that this is a legitimate google.com SSL cert. OK.

And, you know, let's pick another site. We'll do msn.com. Right now we haven't put any blocks or anything, so technically it should go through, and when we go back to these sites they should get a little quicker. So Chaka Khan sir fun sites. So give it a moment while it does its thing. Let's go to msn.com. Should be a little faster this time. Yeah, a little quicker now. You know, this is a virtual environment, so I'm not expecting too much out of it, not from a performance perspective, that is.

OK, so now let's go ahead and let's go back to our website here. What we're going to do, I'm going to close this out. So, you know, when we did this test earlier it said that we did not go through a proxy, but I want to paste that URL here; I really don't want to type it out. And we will do that, and we should actually get... so it appears to come through a proxy. So technically we are going through the proxy. Here's the proxy name that we defined, and it is good. OK, so here's all the information. This is what I was talking about earlier, about the X-Forwarded-For and these little things down here. It basically gives it away for these sites to determine whether you're going through a proxy or not. OK.

So now that we know that we're behind a proxy, we know things are going well. Now let's go ahead and tighten up security, because right now we have an any-any rule that allows us directly to the Internet. Well, LAN to any, but it's good enough to get my point across. So let's go ahead, let's go back to the manager. We'll go to the firewall, we'll check the rules, and as of now we have a LAN rule. Let's go ahead and turn this off; I really don't need that one anyways, IPv6. OK, we'll apply that. And then here's the rule I was talking about. So by default we have LAN to any, any destination. What we're going to do, just to tighten things up a little bit, is we're actually only going to allow LAN net to LAN net communication. OK, and basically what this is going to do is just going to prevent these clients from reaching the Internet without going through the proxy, especially a transparent proxy that we have configured. OK.

So let's go ahead and go back. And in theory, normally, with the rule, if we didn't have a transparent proxy we wouldn't even be able to get to the Internet. Just how it works. I mean, you know, the rule, technically, no, not going to happen. But because of the fact that we are communicating through a proxy, we can, we can still continue to get to the Internet. And it is actually a better thing from a security perspective for the devices on your network. It keeps them from, I guess, exposing things. It's just safer, you know, overall. You know, you can actually block sites and do stuff like that. Although it's out of scope for this video, there are additional options that you can potentially enable, other packages and whatnot, that can actually allow you to get more granular as far as what you can and can't do with Squid. Thanks.

So let's go back to the manager, and now that we did that, let's go back to our Squid proxy server and let's go ahead and set that. It's in ACLs here. Yep, this is what I want to do. So what we're going to do here is we are going to blacklist two sites, one being msn.com, because that is going to be our HTTP, and here's our HTTP. And the reason why I wanted to show you an HTTP and HTTPS is I want you to see the error messages that happen. OK, so, Save.

OK, let's go back to the client, and obviously Google will come up, which is good. That means we're still connecting to the proxy as you see fit. And let's go ahead and go to msn.com. OK, and if you see here, we got an error message, because of the fact that we told Squid not to allow this particular URL. It will not go through. OK, and let's do the same thing with Yahoo. OK, there we go. Yeah, proceed to Yahoo, unsafe. OK, and basically it's the same thing; it's just saying you're not allowed.

Now, earlier I showed you what the SSL chain kind of looked like for a site that was working, so let's go back and let's take a look at what this Yahoo one is. So right here we got a broken SSL, and really the reason why is because of the fact that we defined a proxy CA in Squid's configuration; it performed a man-in-the-middle type event. Well, I know I mentioned early on about the man-in-the-middle component, but when it comes to ACLs, or your blacklisting of websites, it's going to generate an SSL cert, as the proxy server itself does not have the ability to go in and inspect the packets, as those packets are encrypted. So, since there is an ACL, the only thing it could do is use the local CA that we've defined, and it created an SSL cert on behalf of the website, since you don't have access. And if you notice there in the URL bar, it's actually using the IP address as opposed to the common name or hostname, and that had to do with the fact that the URL that we specified was not really allowed through the proxy server.

And this will conclude our video on how to configure a Squid proxy server from the pfSense package repository. We built a network layout diagram, we tested the proxy detection on the client before the proxy installation, we configured a basic CA for Squid to utilize, we downloaded and installed the Squid pfSense package, we configured Squid's storage location, we configured Squid as a transparent proxy, we tested the proxy detection after proxy configuration, we tightened up the security by enabling a firewall rule that allows only LAN-to-LAN traffic, we blocked a couple of sites, and I was able to show you some of the error messages. Thank you for watching and have a great day. Don't forget to check out our YouTube channel for more tech tips. You can also visit our website at www.att.com/biz
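
The header check that a proxy-test site like the one in the video performs can be reproduced as follows. This is an added example, not part of the video or of any tool shown in it; the header list, hostnames, IP address and Squid version string are constructed assumptions.

```python
import re

# Request headers a forwarding proxy commonly adds (assumed list for this example).
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "proxy-connection")

# One Via element: "[protocol/]version received-by [(comment)]"
VIA_ELEMENT = re.compile(r"(?:[A-Za-z]+/)?\d+\.\d+\s+([^\s,()]+)(?:\s+\(([^)]*)\))?")


def parse_headers(raw_request):
    """Return {lowercased header name: [values]} from a raw HTTP request head."""
    headers = {}
    lines = raw_request.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the request line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def proxy_findings(raw_request):
    """Report proxy indicators as the origin web server would see them."""
    headers = parse_headers(raw_request)
    indicators = [h for h in PROXY_HEADERS if h in headers]
    hosts, version_leaks = [], []
    for value in headers.get("via", []):
        for host, comment in VIA_ELEMENT.findall(value):
            hosts.append(host)
            # A comment such as "squid/3.5.26" discloses the product version.
            if comment and re.search(r"/\d", comment):
                version_leaks.append(comment)
    return {"proxied": bool(indicators), "indicators": indicators,
            "proxy_hosts": hosts, "version_leaks": version_leaks}


# Constructed sample requests (not captured from the video's lab).
DIRECT = "GET / HTTP/1.1\r\nHost: test.example\r\nUser-Agent: demo\r\n\r\n"
VIA_SQUID = ("GET / HTTP/1.1\r\nHost: test.example\r\nUser-Agent: demo\r\n"
             "Via: 1.1 proxy.lan.example (squid/3.5.26)\r\n"
             "X-Forwarded-For: 192.168.1.50\r\n\r\n")
VERSION_HIDDEN = VIA_SQUID.replace("(squid/3.5.26)", "(squid)")

if __name__ == "__main__":
    for label, req in (("direct", DIRECT), ("via squid", VIA_SQUID),
                       ("version suppressed", VERSION_HIDDEN)):
        print(label, proxy_findings(req))
```

A check like this only sees plain HTTP requests: HTTPS connections that the proxy splices stay encrypted end to end, so the proxy cannot add headers to them.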
Info
Channel: VMNerd
Views: 50,277
Keywords: How To, Howto, VMNerd, DIY, Do It Yourself, Tech, Tech Tips, Proxy, Squid, pFSense, pFSense 2.3.4, Test Proxy, Blocked Websites, Certificate Authority, CA, Transparent Proxy
Id: 5FeEwVx6qUs
Length: 18min 48sec (1128 seconds)
Published: Fri Jun 30 2017