SafeSquid as Reverse Proxy

From Secure Web Gateway
Revision as of 12:33, 2 March 2019 by Samidha12 (talk | contribs) (Created page with " = Prerequ = {| style="width: 100px" cellspacing="1" cellpadding="1" border="1" |- |   |} = isites = *Deploy SafeSquid Secure web gateway (SAB) IP: *D...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search




  • Deploy SafeSquid Secure web gateway (SAB) IP:
  • DNS Server installed on IP:
  • Local Website
  • Make sure IP tables-persistent package is installed (to save IP table policies)

STEP 1: Change Bind Configuration on system where SafeSquid is installed


Local website: cloudcms.safesquid.local is hosted with IP :

  • To resolve the Actual Webserver, you have to edit bind configuration.


root@sabproxy: ~#vim /etc/bind/named.conf.local

root@sabproxy: ~#vim /etc/bind/named.conf.local






zone "cloudcms.safesquid.local" {

                type forward;

                forwarders {; };



Add below lines







< >Created a directory to place website Certificate and Key

total 8.0K

-rw-r--r-- 1 root root 1.6K Feb  9 19:01 cloudcms-safesquid-local-Server.crt

-rw-r--r-- 1 root root 1.7K Feb  9 18:59 cloudcms-safesquid-local-Server.key

< >Check if the Private Key is a Passphrase Protected or Not. If the below command prompts for a passphrase then the key is passphrase protected.< >Enter pass phrase for cloudcms-safesquid-local-Server-protected.key:Merge both the file, the Newly created passphrase protected private key and server certificate into one file < >Copy the File to /var/db/safesquid/ssl/certs/safesquid.local/< >After Successfully copying the file you need to change the ownership(permission) of the directory. /var/db/safesquid/ssl/certs/safesquid.local/Make sure you flush all previous redirection rules. Enable IP forwarding on system where SafeSquid is installed and edit file /etc/sysctl.conf< >Run the command to make safesquid listen on PORT 80 and PORT 443 to 8080 and 8443 respectively.< >Go to safesquid.cfg -> Configure -> Application Setup -> Network Settings Enable the Rule for SSL_TRANSPARENTAfter Successful setup of iptables rules and Transparent SSL Save the policies using Save setting Tab from safesquid interface.https://cloudcms.safesquid.local/ from browser where hosts file is edited to resolve cloudcms.safesquid.local to

Open browser access https://cloudcms.safesquid.local/ (Do not set proxy inside browser)


NOTE: safesquid will fetch the cloudcms.safesquid.local certificate from the location : /var/db/safesquid/ssl/certs/safesquid.local/ and return to the browser[client]

keeping in mind that the CA who signed the certificate for cloudcms.safesquid.local is present in the browser else it will give you SSL error. ]


You can see that the Client request goes to the Proxy-Server at PORT 443 which is then redirected to PORT 8443 and then safesquid does a dnslookup for the request which resolves it to the webserver from where the resources are fetched and given to the user as response.

Over here the Certificate provided to Browser[client] on request is the certificate of the Site : cloudcms.safesquid.local and the request for resources made to the website is made by safesquid.