SafeSquid as Reverse Proxy

From Secure Web Gateway

Overview

 

What is a Reverse Proxy?

A reverse proxy is a proxy server that sits in front of one or more web servers, usually inside the firewall of a private network, and accepts client requests on their behalf, forwarding each request to the appropriate backend server. Reverse proxies are also used to cache common content and to compress inbound and outbound data, giving a faster and smoother flow of traffic between clients and servers. They can take on other tasks as well, such as TLS termination (the proxy, rather than each web server, handles the encrypted client connection), further reducing the load on the web servers.

There are many scenarios and use cases in which a reverse proxy makes a real difference to the speed and security of a corporate network. Because it gives you a single point at which you can inspect traffic, route it to the appropriate server, or even transform the request, a reverse proxy can be used to achieve a variety of goals.

Problem Statement

 

Prerequisites

  • SafeSquid Secure Web Gateway (SAB) deployed at IP: 192.168.249.130
  • DNS server installed at IP: 192.168.249.160
  • Local website cloudcms.safesquid.local hosted at IP: 192.168.249.194
  • Make sure the iptables-persistent package is installed (to save the iptables rules across reboots)

STEP 1: Change Bind Configuration on system where SafeSquid is installed

Local website: cloudcms.safesquid.local is hosted with IP: 192.168.249.194

  • SafeSquid must resolve cloudcms.safesquid.local to the actual web server (192.168.249.194), not to its own address, which is what the clients will use after STEP 4; otherwise the proxy would connect to itself. To achieve this, edit the bind configuration so that the zone is forwarded to the internal DNS server.
<tbody>
root@sabproxy: ~#vim /etc/bind/named.conf.local
</tbody>

Add the lines below and save the file:

<tbody>
zone "cloudcms.safesquid.local" {
        type forward;
        forwarders { 192.168.249.160; };
};
</tbody>
  • Check the configuration syntax with named-checkconf, then restart the bind service using the command below
<tbody>
root@sabproxy:~#/etc/init.d/bind9 restart
</tbody>

STEP 2: Prepare the Website Certificate Pair [Certificate & Key] for SafeSquid

  • Create a directory for the website certificate and key, and place both files in it
<tbody>
root@sabproxy:~#mkdir -p /usr/local/src/webcert
</tbody>
<tbody>
root@sabproxy:/usr/local/src/webcert# ls -lh
total 8.0K
-rw-r--r-- 1 root root 1.6K Feb  9 19:01 cloudcms-safesquid-local-Server.crt
-rw-r--r-- 1 root root 1.7K Feb  9 18:59 cloudcms-safesquid-local-Server.key
</tbody>
  • Check whether the private key is passphrase protected. If the command below prompts for a passphrase, the key is protected (the -noout flag stops the key material from being printed to the terminal).
<tbody>
root@safesquid-swg:/usr/local/src/webcert # openssl rsa -in cloudcms-safesquid-local-Server.key -noout
</tbody>
  • Convert the private key into the passphrase-protected PKCS#8 format that SafeSquid expects. The command asks for the key's existing passphrase (only if it has one) and then for a new encryption password for the output file
<tbody>
root@safesquid-swg:/usr/local/src/webcert # openssl pkcs8 -topk8 -in cloudcms-safesquid-local-Server.key -out cloudcms-safesquid-local-Server-passphraseprotected.key
</tbody>

Enter pass phrase for cloudcms-safesquid-local-Server.key:
Enter Encryption Password: (You can enter any password)
Verifying - Enter Encryption Password: (Repeat the above password for verification)
  • View the file to verify the conversion; an encrypted PKCS#8 key starts with the BEGIN ENCRYPTED PRIVATE KEY header
<tbody>
root@safesquid-swg:/usr/local/src/webcert # cat cloudcms-safesquid-local-Server-passphraseprotected.key
</tbody>

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9..............................................
...............................................................
...............................................................
......................................sVqfdAibE8HWx9HqOY5Fm/zGS
ayQ89fvZS/r9Acaoug==
-----END ENCRYPTED PRIVATE KEY-----
  • Merge the newly created passphrase-protected private key and the server certificate, in that order, into one file

(Note: the name of the file must be the same as the website host name, cloudcms.safesquid.local, because SafeSquid looks the certificate up by host name.)

<tbody>
root@safesquid-swg:/usr/local/src/webcert # cat cloudcms-safesquid-local-Server-passphraseprotected.key cloudcms-safesquid-local-Server.crt > cloudcms.safesquid.local
</tbody>
  • Create a directory named after the domain in the SafeSquid certificate store
<tbody>
root@safesquid-swg:/usr/local/src/webcert # mkdir /var/db/safesquid/ssl/certs/safesquid.local
</tbody>
  • Copy the merged file to /var/db/safesquid/ssl/certs/safesquid.local/
<tbody>
root@safesquid-swg:/usr/local/src/webcert # cp cloudcms.safesquid.local /var/db/safesquid/ssl/certs/safesquid.local/
</tbody>
  • After copying the file, change the ownership of the directory so that the SafeSquid process (user ssquid) can read it. The merged file contains the private key, so it must not be readable by other users.
<tbody>
root@safesquid-swg:/usr/local/src/webcert # chown -R ssquid:root /var/db/safesquid/ssl/certs/safesquid.local/
</tbody>
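The certificate preparation of STEP 2 as one script, added here as an example; it is not SafeSquid's own tooling. It assumes openssl(1) is installed, takes the site name, key, certificate and output directory as arguments (the default directory, the file layout and the ssquid user are the ones used above), and adds two checks the manual steps do not have: it refuses a key that does not match the certificate, and it restricts the bundle's permissions because the bundle contains the private key. Reading the passphrases from -passin/-passout instead of prompts is an assumption made so the step can run unattended.

```shell
#!/bin/sh
# Added example, not SafeSquid's own tooling: assemble the certificate bundle of
# STEP 2 with the checks a deployment should have. Assumes openssl(1).
# The store path and the ssquid user are the ones used on this page.
DEFAULT_STORE=/var/db/safesquid/ssl/certs/safesquid.local

# is_encrypted_key KEYFILE -> 0 if the PEM key is passphrase protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or a traditional key with a Proc-Type header)
is_encrypted_key() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_matches_cert KEYFILE CERTFILE PASSPHRASE -> 0 if the key's public half
# equals the certificate's public key (catches a key/cert mix-up before deploy)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -passin "pass:$3" 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# bundle_parts FILE -> "<encrypted keys> <certificates>" found in FILE;
# a correct bundle yields "1 1"
bundle_parts() {
    keys=$(grep -c '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "$keys $certs"
}

# build_bundle SITE KEYFILE CERTFILE OUT_DIR IN_PASS OUT_PASS
#   SITE     host name the browser will request (also the bundle file name)
#   IN_PASS  passphrase of KEYFILE, empty if the key is unprotected
#   OUT_PASS encryption password for the PKCS#8 key written into the bundle
# Writes OUT_DIR/SITE = encrypted PKCS#8 key followed by the certificate.
build_bundle() {
    site=$1 key=$2 crt=$3 out_dir=$4 in_pass=$5 out_pass=$6
    tmp_key=$(mktemp) || return 1
    # Same conversion as the manual openssl pkcs8 step, but non-interactive
    # (-passin/-passout instead of prompts, an assumption of this script).
    if ! openssl pkcs8 -topk8 -in "$key" -passin "pass:$in_pass" \
             -out "$tmp_key" -passout "pass:$out_pass" 2>/dev/null; then
        echo "cannot read or convert $key (wrong passphrase?)" >&2
        rm -f "$tmp_key"; return 1
    fi
    if ! key_matches_cert "$tmp_key" "$crt" "$out_pass"; then
        echo "refusing: $key does not match $crt" >&2
        rm -f "$tmp_key"; return 1
    fi
    mkdir -p "$out_dir" || { rm -f "$tmp_key"; return 1; }
    # Key first, then certificate, in one file named after the site.
    cat "$tmp_key" "$crt" > "$out_dir/$site"
    rm -f "$tmp_key"
    # The bundle carries the private key: owner and group only, no world read.
    chmod 640 "$out_dir/$site"
    if id ssquid >/dev/null 2>&1; then
        chown ssquid:root "$out_dir/$site" || echo "warning: chown failed, run as root" >&2
    fi
    echo "wrote $out_dir/$site ($(bundle_parts "$out_dir/$site"))"
}

# Usage: sh prepare_bundle.sh SITE KEYFILE CERTFILE [OUT_DIR] [IN_PASS] [OUT_PASS]
if [ "$#" -ge 3 ]; then
    build_bundle "$1" "$2" "$3" "${4:-$DEFAULT_STORE}" "${5:-}" "${6:-changeit}"
fi
```

Run it as root on the SafeSquid host, for example `sh prepare_bundle.sh cloudcms.safesquid.local cloudcms-safesquid-local-Server.key cloudcms-safesquid-local-Server.crt`; the mismatch check is the one worth keeping even if the rest is done by hand, since a bundle with the wrong key fails only when the first browser connects.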

 

STEP 3: Redirect traffic arriving on the SafeSquid host for ports 80 and 443 to 8080 and 8443 respectively

  • Flush the existing rules in the nat table (this removes every nat rule on the host, so review the current rules first if the host has other NAT configuration)
<tbody>
iptables -F -t nat
</tbody>
  • Enable IP forwarding in /etc/sysctl.conf on the system where SafeSquid is installed
<tbody>
vim /etc/sysctl.conf
</tbody>
<tbody>
change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
</tbody>
  • Reload the settings so the change takes effect
<tbody>
sysctl -p
</tbody>
  • Run the command below to redirect requests for port 80 to 8080 (SafeSquid's HTTP port).
<tbody>
iptables -A PREROUTING -t nat -p tcp --dport 80  -j REDIRECT --to-ports 8080
</tbody>
  • Now redirect requests for port 443 to 8443, SafeSquid's TLS port (this is the same rule used for SSL transparent proxying)
<tbody>
iptables -A PREROUTING -t nat -p tcp --dport 443  -j REDIRECT --to-ports 8443
</tbody>
  • Verify the nat table rules using the command below
<tbody>
iptables -L -v -t  nat
</tbody>
  • Finally, save the iptables rules
<tbody>
apt-get install iptables-persistent
</tbody>
<tbody>
iptables-save > /etc/iptables/rules.v4
</tbody>

Note: write the file with > rather than >>; appending to an existing rules.v4 duplicates the rules every time the command is run. Once saved, the redirection rules are restored automatically when the proxy server reboots.
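The STEP 3 rules as an idempotent script, added as an example; it is not part of the SafeSquid documentation. It assumes the proxy address from this page and scopes the redirect to that address with -d (an addition to the rules above), so that only traffic addressed to the proxy is redirected and traffic merely routed through the host once ip_forward is enabled is left alone. The IPT variable and the rule_count helper are assumptions of this script that allow the iptables command to be swapped out and the saved file to be checked for duplicates.

```shell
#!/bin/sh
# Added example, not part of the SafeSquid docs: the STEP 3 redirect rules,
# applied without duplicates and scoped to the proxy address.
IPT=${IPT:-iptables}   # iptables binary (or a wrapper/test double)

# redirect_rule PROXY_IP FROM_PORT TO_PORT -> nat PREROUTING rule spec, i.e.
# everything after -A/-C. The -d PROXY_IP match is an addition to the page's
# rule: only packets addressed to the proxy are redirected, so traffic that
# merely transits the host when ip_forward=1 is not captured.
redirect_rule() {
    echo "PREROUTING -t nat -d $1 -p tcp --dport $2 -j REDIRECT --to-ports $3"
}

# ensure_rule RULESPEC: append only if the identical rule is absent. iptables -C
# reports whether a rule exists, so re-running this script (or a boot hook)
# never stacks duplicate copies of the same rule.
ensure_rule() {
    if $IPT -C $1 2>/dev/null; then
        echo "present: $1"
        return 0
    fi
    $IPT -A $1 && echo "added: $1"
}

# apply_redirects PROXY_IP: 80 -> 8080 and 443 -> 8443, the mapping used above
apply_redirects() {
    ensure_rule "$(redirect_rule "$1" 80 8080)" &&
    ensure_rule "$(redirect_rule "$1" 443 8443)"
}

# rule_count SAVEFILE PATTERN -> number of lines in an iptables-save dump that
# match PATTERN. Each redirect must appear exactly once in rules.v4; "2" is
# the signature of a file that was written with >> instead of >.
rule_count() {
    n=$(grep -c -- "$2" "$1" || true)
    echo "$n"
}

# Usage: sh redirect.sh PROXY_IP   (run as root on the SafeSquid host)
if [ "$#" -eq 1 ]; then
    apply_redirects "$1" || exit 1
    "$IPT"-save > /etc/iptables/rules.v4 || exit 1
    for port in 80 443; do
        echo "rules.v4 entries for dport $port: $(rule_count /etc/iptables/rules.v4 "--dport $port ")"
    done
fi
```

Because every rule is checked with -C before it is added, the script can be run again after a change without flushing the nat table first, which is what makes the `iptables -F -t nat` step above unnecessary on a host that already carries other NAT rules.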

Access the SafeSquid interface

Go to Configure Page

<tbody>
<img alt="Transparent Proxy.png" class="fck_mw_border fck_mw_center" src="/images/5/5e/Transparent_Proxy.png" style="vertical-align:middle" title="Transparent Proxy.png" />  
<img alt="Slide3.png" class="fck_mw_border fck_mw_center" src="/images/a/a4/Slide3.png" style="vertical-align:middle" title="Slide3.png" />

Enable policy from Network settings

 
<img alt="Slide4.png" class="fck_mw_border fck_mw_center" src="/images/5/5b/Slide4.png" style="vertical-align:middle" title="Slide4.png" />

Restart SafeSquid Service

<a href="Restart%20the%20SafeSquid%20Service%20from%20Interface">Restart the SafeSquid Service from Interface</a>

</tbody>

STEP 4: Change DNS on the user’s system

The client must resolve cloudcms.safesquid.local to 192.168.249.130 (the SafeSquid IP) rather than to the web server itself. For this test the mapping is made in the client's hosts file; in a production deployment the site's DNS record is pointed at the proxy in the same way.

  • For the name-to-IP mapping, edit the file C:\Windows\System32\drivers\etc\hosts and add the line below.
<tbody>
192.168.249.130 cloudcms.safesquid.local
</tbody>

Save the file and verify with the ping utility that the name resolves as defined in the hosts file.

<tbody>
C:\>ping cloudcms.safesquid.local

Pinging cloudcms.safesquid.local [192.168.249.130] with 32 bytes of data:
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.249.130:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
</tbody>

 

How to Test?

The ping above confirms that cloudcms.safesquid.local resolves to 192.168.249.130 on the client; a reply from any other address means the hosts file entry is not in effect.

After completing all four steps, access <a href="https://cloudcms.safesquid.local/" title="https://cloudcms.safesquid.local/">https://cloudcms.safesquid.local/</a> from a browser on the machine where the hosts file was edited.

Remove any proxy settings from the browser first: the browser must connect to the site directly, so that the connection reaches the SafeSquid host on port 443 and is picked up by the redirect rule from STEP 3.

<tbody>
<img alt="Slide5.png" class="fck_mw_border fck_mw_center" src="/images/a/a0/Slide5.png" style="vertical-align:middle" title="Slide5.png" />  
<img alt="Slide7.png" class="fck_mw_border fck_mw_center" src="/images/9/9c/Slide7.png" style="vertical-align:middle" title="Slide7.png" />  
<img alt="Slide8.png" class="fck_mw_border fck_mw_center" src="/images/e/eb/Slide8.png" style="vertical-align:middle" title="Slide8.png" />  
<img alt="Slide9.png" class="fck_mw_border fck_mw_center" src="/images/1/1d/Slide9.png" style="vertical-align:middle" title="Slide9.png" />  

Open browser to access <a href="https://cloudcms.safesquid.local/" title="https://cloudcms.safesquid.local/">https://cloudcms.safesquid.local/</a>

NOTE:

SafeSquid will fetch the cloudcms.safesquid.local certificate from /var/db/safesquid/ssl/certs/safesquid.local/ and present it to the browser.

The CA that signed the certificate for cloudcms.safesquid.local must be trusted by the browser; otherwise the browser will show a TLS certificate error.

 
</tbody>

The client request goes to the proxy server on port 443, where the iptables rule redirects it to port 8443. SafeSquid then resolves cloudcms.safesquid.local through the forward zone from STEP 1, which returns the real web server (192.168.249.194), fetches the resource from it, and returns the response to the user.
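A verification script for the two things this setup depends on, the split resolution from STEP 1 and STEP 4 and the certificate from STEP 2, added as an example rather than SafeSquid's own tooling. It is meant to run on the SafeSquid host, assumes dig(1) and openssl(1) are installed, and uses the names and addresses from this page. The DIG variable and the function names are assumptions of this script; DIG exists so the resolver can be substituted for testing.

```shell
#!/bin/sh
# Added example, not part of the SafeSquid docs. Run on the SafeSquid host to
# confirm that the proxy side resolves the site to the backend (STEP 1) and
# that the certificate presented on 443 covers the host name (STEP 2).
# Assumes dig(1) and openssl(1); DIG may point at a wrapper or test double.
DIG=${DIG:-dig}

# resolve HOST [SERVER] -> A record(s) for HOST; with SERVER the query is sent
# to that server instead of the resolvers in /etc/resolv.conf
resolve() {
    if [ -n "$2" ]; then
        $DIG +short @"$2" "$1" A
    else
        $DIG +short "$1" A
    fi
}

# check_split HOST PROXY_IP BACKEND_IP DNS_SERVER
# On the proxy, HOST must resolve to BACKEND_IP both through the default
# resolver (the bind forward zone from STEP 1) and when asking DNS_SERVER
# directly. An answer of PROXY_IP means the proxy would connect to itself and
# the request would loop instead of reaching the web server. A single A
# record per name is assumed.
check_split() {
    host=$1 proxy=$2 backend=$3 dns=$4
    via_server=$(resolve "$host" "$dns")
    via_local=$(resolve "$host")
    for answer in "$via_server" "$via_local"; do
        case "$answer" in
            "$backend") ;;
            "$proxy") echo "LOOP: $host resolves to the proxy itself ($proxy)" >&2; return 1 ;;
            *) echo "UNEXPECTED: $host -> '${answer:-no answer}' (want $backend)" >&2; return 1 ;;
        esac
    done
    echo "ok: $host -> $backend via $dns and via the local resolver"
}

# served_cert HOST IP PORT -> PEM certificate that IP:PORT presents for HOST,
# i.e. what a browser sees after the STEP 3 redirect of 443 to 8443
served_cert() {
    openssl s_client -connect "$2:$3" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# cert_covers HOST CERTFILE -> 0 if HOST appears as a DNS SAN entry or as the
# subject CN of the certificate (what the browser checks against the URL)
cert_covers() {
    openssl x509 -in "$2" -noout -text 2>/dev/null |
        grep -q -w -e "DNS:$1" -e "CN *= *$1"
}

# Usage: sh check_reverse_proxy.sh HOST PROXY_IP BACKEND_IP DNS_SERVER
if [ "$#" -eq 4 ]; then
    check_split "$1" "$2" "$3" "$4" || exit 1
    tmp=$(mktemp) || exit 1
    if served_cert "$1" "$2" 443 > "$tmp" && cert_covers "$1" "$tmp"; then
        echo "ok: certificate served by $2:443 covers $1"
    else
        echo "certificate served by $2:443 does not cover $1" >&2
    fi
    rm -f "$tmp"
fi
```

With the values from this page the call is `sh check_reverse_proxy.sh cloudcms.safesquid.local 192.168.249.130 192.168.249.194 192.168.249.160`. The LOOP branch is the case worth watching for: if the hosts-file style mapping from STEP 4 ever ends up in the DNS the proxy itself uses, every request to the site is redirected back into SafeSquid. The certificate check only tells you the name matches; whether the browser trusts the issuing CA is a separate question, as noted above.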