SafeSquid as Reverse Proxy
- 1 Overview
- 2 What is a Reverse Proxy?
- 3 Problem Statement
- 4 Prerequisites
- 5 STEP 1: Change Bind Configuration on system where SafeSquid is installed
- 6 STEP 2: Changes to be made to the Website Certificate Pair [Certificate & Key]
- 7 STEP 3: Redirect the SafeSquid port 80 and 443 traffic to 8080 and 8443 respectively
- 8 STEP 4: Change DNS on the user’s system
- 9 How to Test?
Overview
Proxy servers are used as intermediaries between a client and a website or online service. By routing traffic through a proxy server, users can disguise their geographic location and their IP address. Reverse proxies, in particular, can be configured to provide a greater level of control and abstraction, thereby ensuring the flow of traffic between clients and servers remains smooth.
This makes them a popular tool for individuals who want to stay hidden online, but they are also widely used in enterprise settings, where they can improve security, allow tasks to be carried out anonymously, and control the way employees are able to use the internet.
What is a Reverse Proxy?
A reverse proxy server is a type of proxy server that usually exists behind the firewall of a private network. It directs any client requests to the appropriate server on the backend. Reverse proxies are also used as a means of caching common content and compressing inbound and outbound data, resulting in a faster and smoother flow of traffic between clients and servers. Furthermore, the reverse proxy can handle other tasks, such as SSL encryption, further reducing the load on web servers.
There are many scenarios and use cases in which having a reverse proxy can make all the difference to the speed and security of your corporate network. By providing you with a point at which you can inspect traffic and route it to the appropriate server, or even transform the request, a reverse proxy can be used to achieve a variety of different goals.
Prerequisites
- SafeSquid Secure Web Gateway (SAB) deployed on IP: 192.168.249.130
- DNS server installed on IP: 192.168.249.160
- Local website cloudcms.safesquid.local hosted on IP: 192.168.249.194
- Make sure the iptables-persistent package is installed (to save the iptables policies across reboots)
STEP 1: Change Bind Configuration on system where SafeSquid is installed
Local website: cloudcms.safesquid.local is hosted on IP: 192.168.249.194
- To make SafeSquid resolve the name to the actual web server, edit the BIND configuration.
Add the lines below and save the file.
- Restart the BIND service using the command below.
STEP 2: Changes to be made to the Website Certificate Pair [Certificate & Key]
- Create a directory to hold the website certificate and key.
- Check whether the private key is passphrase protected. If the command below prompts for a passphrase, the key is passphrase protected.
- Convert the passphrase-protected private key to the SafeSquid private key format.
Enter pass phrase for cloudcms-safesquid-local-Server-protected.key:
Enter Encryption Password: (You can enter any password)
Verifying - Enter Encryption Password: (Repeat the above password for verification)
- View the contents of the converted key for verification; it should begin and end with the PKCS#8 markers:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
- Merge both files, the newly created passphrase-protected private key and the server certificate, into one file.
(Note: the name of the merged file must be the same as the website's hostname.)
- Copy the file to /var/db/safesquid/ssl/certs/safesquid.local/
- After copying the file successfully, change the ownership (permissions) of the directory so that SafeSquid can read it.
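The key-handling part of STEP 2 as a runnable script. This is an added example, not SafeSquid's own tooling: it detects a passphrase-protected key without prompting, re-wraps it as an encrypted PKCS#8 key (the "BEGIN ENCRYPTED PRIVATE KEY" form shown above), merges it with the certificate under the site's hostname, and tightens the file mode. The owner name and the destination directory are assumptions passed in by the caller; the self-signed pair generated by `make_test_material` is constructed test input standing in for the real site pair.

```shell
#!/bin/sh
# Added example (not from the SafeSquid documentation). Assumes a POSIX shell
# and the openssl CLI; owner and destination directory are caller supplied.
set -eu

SITE="cloudcms.safesquid.local"

# Returns 0 if the PEM key is passphrase protected. Both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# block contain the word, so no passphrase prompt is needed to find out.
is_passphrase_protected() {
    grep -q 'ENCRYPTED' "$1"
}

# Re-wrap a protected key as encrypted PKCS#8 (-----BEGIN ENCRYPTED PRIVATE KEY-----).
# $1 = input key, $2 = its current passphrase, $3 = output key, $4 = new password.
convert_to_pkcs8() {
    openssl pkcs8 -topk8 -in "$1" -passin "pass:$2" -out "$3" -passout "pass:$4"
}

# Concatenate the converted key and the certificate into one file named after
# the site, readable only by its owner. $1 = key, $2 = certificate, $3 = directory.
merge_pair() {
    cat "$1" "$2" > "$3/$SITE"
    chmod 600 "$3/$SITE"
}

# The merged file must carry both an encrypted key and a certificate.
pair_is_complete() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Ownership change from the last bullet of STEP 2; only root can chown, so the
# step is skipped elsewhere. $1 = directory, $2 = owner (assumed name, e.g. safesquid).
set_owner() {
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$2" "$1"
    fi
}

# Constructed test material: a throwaway self-signed pair whose key is then
# protected with the passphrase "oldpass", standing in for the real site pair.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$SITE" -keyout "$dir/plain.key" -out "$dir/cert.pem" 2>/dev/null
    openssl rsa -in "$dir/plain.key" -aes256 -passout pass:oldpass \
        -out "$dir/protected.key" 2>/dev/null
}

# Stand-alone demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_material "$work"
    is_passphrase_protected "$work/protected.key" && echo "key is passphrase protected"
    convert_to_pkcs8 "$work/protected.key" oldpass "$work/converted.key" newpass
    merge_pair "$work/converted.key" "$work/cert.pem" "$work"
    pair_is_complete "$work/$SITE" && echo "merged pair ready: $work/$SITE"
fi
```

The passphrase you choose in `convert_to_pkcs8` is the one SafeSquid will need when it loads the pair, so record it in the place SafeSquid expects rather than in shell history; passing it via `-passin`/`-passout` as above is fine for a lab but on a shared host prefer the interactive prompt the page shows.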
STEP 3: Redirect the SafeSquid port 80 and 443 traffic to 8080 and 8443 respectively
- Flush the existing iptables rules.
- Enable IP forwarding in /etc/sysctl.conf on the system where SafeSquid is installed.
- Run the command below to reload sysctl so the change takes effect.
- Run the command to redirect requests for port 80 to 8080.
- Now redirect requests for port 443 to 8443 (for the SSL transparent proxy).
- Verify the iptables policies using the command below.
- Finally, save the iptables rules.
Note: the redirection policies will persist even if you reboot the proxy server.
Go to Configure Page
Enable policy from Network settings
Restart SafeSquid Service
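STEP 3 expressed as a reviewable rule set rather than a series of one-off commands. This is an added example, not from the SafeSquid documentation: it emits the two REDIRECT rules in iptables-restore syntax, appends the ip_forward setting idempotently, and (as root) loads, reloads and persists them with the `netfilter-persistent` command that the iptables-persistent package provides. The ports follow the page; the rules-file path is the Debian/Ubuntu default for that package and is an assumption.

```shell
#!/bin/sh
# Added example (not SafeSquid's own script). Assumes iptables with the nat
# table, sysctl, and the iptables-persistent package for netfilter-persistent.
set -eu

PROXY_HTTP_PORT=8080
PROXY_HTTPS_PORT=8443

# Emit the nat table in iptables-restore syntax. REDIRECT rewrites the
# destination port of packets addressed to this host, so clients that resolve
# the site name to the proxy IP land on SafeSquid's listeners while still
# believing they are talking to ports 80 and 443.
nat_redirect_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_HTTP_PORT
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports $PROXY_HTTPS_PORT
COMMIT
EOF
}

# Append the ip_forward line the page asks for, only if it is not already there.
# $1 = sysctl file (defaults to /etc/sysctl.conf).
enable_ip_forward() {
    conf="${1:-/etc/sysctl.conf}"
    grep -q '^net.ipv4.ip_forward *= *1' "$conf" 2>/dev/null ||
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
}

# Count REDIRECT rules in a rule set; use it on the generated text or on a live
# `iptables-save -t nat` dump to confirm both redirects are present.
count_redirects() {
    grep -c -- '-j REDIRECT' "$1"
}

# Root only: replace the nat table with the rules above (iptables-restore
# flushes the tables named in its input), reload sysctl, and persist.
apply_rules() {
    nat_redirect_rules | iptables-restore
    enable_ip_forward /etc/sysctl.conf
    sysctl -p
    netfilter-persistent save
}

# Stand-alone demo: sh thisfile.sh show   (prints the rule set without applying it)
if [ "${1:-}" = "show" ]; then
    nat_redirect_rules
fi
```

Keeping the rule set as text lets you diff it against `iptables-save -t nat` after a reboot, which is the quick check that the "policies persist" note above actually holds on your host.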
STEP 4: Change DNS on the user’s system
The client must resolve cloudcms.safesquid.local to 192.168.249.130 [SafeSquid-IP] rather than to the web server's real address.
- For the IP-to-domain-name mapping, edit the file C:\Windows\System32\drivers\etc\hosts and add the lines below.
Then save the file.
Verify with the ping utility that the name resolves as defined in the hosts file.
How to Test?
In the above command, verify that the change has taken effect: pinging cloudcms.safesquid.local should resolve to 192.168.249.130.
After completing all 4 steps, access https://cloudcms.safesquid.local/ from a browser on the machine whose hosts file was edited.
Remove Proxy settings from browser
Open browser to access https://cloudcms.safesquid.local/
SafeSquid fetches the cloudcms.safesquid.local certificate from /var/db/safesquid/ssl/certs/safesquid.local/ and presents it to the browser.
Keep in mind that the CA that signed the certificate for cloudcms.safesquid.local must be trusted by the browser; otherwise the browser reports an SSL error.
You can see that the client request goes to the proxy server on port 443, where it is redirected to port 8443.
SafeSquid then performs the DNS lookup for the request, which resolves the name to the web server.
It fetches the resources from the web server and returns the response to the user.
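STEP 4 and the test above, carried out from a Linux or macOS client instead of a Windows one. This is an added example, not part of the SafeSquid documentation: the hosts-file line is written once (replacing any stale mapping for the same name, so the client cannot quietly fall back to the web server's real address), the mapping is read back from the file, and the final fetch pins the name to the proxy with curl's `--resolve` while supplying the CA bundle the browser would otherwise need to trust. The hosts-file format is identical to the Windows file the page edits. The CA bundle path is an assumption passed in by the caller, and the sample hosts content in the demo is constructed.

```shell
#!/bin/sh
# Added example (not SafeSquid's own tooling). Assumes a POSIX shell with awk,
# sed, curl and the openssl CLI; the CA bundle path is caller supplied.
set -eu

SITE="cloudcms.safesquid.local"
PROXY_IP="192.168.249.130"

# Add "IP hostname" to a hosts file ($1) exactly once. Any existing line that
# maps the same name is dropped first, so a leftover mapping to 192.168.249.194
# cannot win over the proxy address.
map_site_to_proxy() {
    hosts="$1"
    tmp="$hosts.tmp"
    pat=$(printf '%s' "$SITE" | sed 's/\./\\./g')      # escape dots for the regex
    if [ -f "$hosts" ]; then
        grep -v "[[:space:]]$pat\$" "$hosts" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s %s\n' "$PROXY_IP" "$SITE" >> "$tmp"
    mv "$tmp" "$hosts"
}

# Print the address a hosts file ($1) gives for a name ($2); comment lines are
# skipped and aliases after the first column are honoured, as the resolver does.
hosts_lookup() {
    awk -v name="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# Show which certificate the proxy presents for the site name: SNI carries the
# real hostname, so SafeSquid should answer with the pair installed in STEP 2.
show_served_cert() {
    openssl s_client -connect "$PROXY_IP:443" -servername "$SITE" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Fetch the site through the proxy without touching the system resolver.
# --resolve is the hosts-file entry in command-line form; --cacert ($1) is the
# CA that signed the site certificate. Prints the HTTP status code.
fetch_via_proxy() {
    curl -sS -o /dev/null -w '%{http_code}' \
        --resolve "$SITE:443:$PROXY_IP" --cacert "$1" "https://$SITE/"
}

# Stand-alone demo on a constructed hosts file: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.168.249.194 %s\n' "$SITE" > "$work/hosts"   # constructed sample
    map_site_to_proxy "$work/hosts"
    echo "$SITE now resolves (via $work/hosts) to $(hosts_lookup "$work/hosts" "$SITE")"
fi
```

`show_served_cert` is the quickest way to tell the two failure modes apart: a subject of cloudcms.safesquid.local with an issuer your CA bundle does not contain is the trust problem described above, while a certificate for some other name means the request never reached the 8443 listener with the expected SNI.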