SafeSquid as Reverse Proxy

From Secure Web Gateway

Overview

Proxy servers are used as intermediaries between a client and a website or online service. By routing traffic through a proxy server, users can disguise their geographic location and their IP address. Reverse proxies, in particular, can be configured to provide a greater level of control and abstraction, thereby ensuring the flow of traffic between clients and servers remains smooth.

This makes them a popular tool for individuals who want to stay hidden online, but they are also widely used in enterprise settings, where they can improve security, allow tasks to be carried out anonymously, and control the way employees are able to use the internet.

What is a Reverse Proxy?

A reverse proxy server is a type of proxy server that usually sits behind the firewall of a private network and directs client requests to the appropriate backend server. Reverse proxies are also used to cache common content and to compress inbound and outbound data, giving a faster and smoother flow of traffic between clients and servers. The reverse proxy can also take over tasks such as SSL/TLS termination, further reducing the load on the web servers.

There are many scenarios and use cases in which having a reverse proxy can make all the difference to the speed and security of your corporate network. By providing you with a point at which you can inspect traffic and route it to the appropriate server, or even transform the request, a reverse proxy can be used to achieve a variety of different goals.

Problem Statement

 

Prerequisites

  • SafeSquid Secure Web Gateway (SAB) deployed on IP 192.168.249.130
  • DNS server installed on IP 192.168.249.160
  • Local website cloudcms.safesquid.local hosted on IP 192.168.249.194
  • Make sure the iptables-persistent package is installed (to save the iptables rules across reboots)

STEP 1: Change the BIND configuration on the system where SafeSquid is installed

Local website cloudcms.safesquid.local is hosted on IP 192.168.249.194.

  • To let SafeSquid resolve the actual web server, edit the BIND configuration:
root@sabproxy:~# vim /etc/bind/named.conf.local

Add the lines below and save the file:

zone "cloudcms.safesquid.local" {
        type forward;
        forwarders { 192.168.249.160; };
};

  • Restart the BIND service with the command below:
root@sabproxy:~# /etc/init.d/bind9 restart

STEP 2: Changes to be made to the website certificate pair [certificate & key]

  • Create a directory to hold the website certificate and key:
root@sabproxy:~# mkdir /usr/local/src/webcert/
root@sabproxy:/usr/local/src/webcert# ls -lh
total 8.0K
-rw-r--r-- 1 root root 1.6K Feb  9 19:01 cloudcms-safesquid-local-Server.crt
-rw-r--r-- 1 root root 1.7K Feb  9 18:59 cloudcms-safesquid-local-Server.key

  • Check whether the private key is passphrase protected. If the command below prompts for a passphrase, the key is passphrase protected:
root@safesquid-swg:/usr/local/src/webcert# openssl rsa -in cloudcms-safesquid-local-Server.key
  • Convert the passphrase-protected private key to the SafeSquid private key format (an encrypted PKCS#8 key):
root@safesquid-swg:/usr/local/src/webcert# openssl pkcs8 -topk8 -in cloudcms-safesquid-local-Server-protected.key -out cloudcms-safesquid-local-Server-passphraseprotected.key
Enter pass phrase for cloudcms-safesquid-local-Server-protected.key:
Enter Encryption Password: (you can enter any password)
Verifying - Enter Encryption Password: (repeat the password above for verification)

  • View the contents for verification; the header must read ENCRYPTED PRIVATE KEY:
root@safesquid-swg:/usr/local/src/webcert# cat cloudcms-safesquid-local-Server-passphraseprotected.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9..............................................
...............................................................
...............................................................
......................................sVqfdAibE8HWx9HqOY5Fm/zGS
ayQ89fvZS/r9Acaoug==
-----END ENCRYPTED PRIVATE KEY-----


  • Merge both files, the newly created passphrase-protected private key and the server certificate, into one file (note: the file name must be the same as the website's host name):
root@safesquid-swg:/usr/local/src/webcert# cat cloudcms-safesquid-local-Server-passphraseprotected.key cloudcms-safesquid-local-Server.crt > cloudcms.safesquid.local
root@safesquid-swg:/usr/local/src/webcert# mkdir /var/db/safesquid/ssl/certs/safesquid.local
  • Copy the file to /var/db/safesquid/ssl/certs/safesquid.local/:
root@safesquid-swg:/usr/local/src/webcert# cp cloudcms.safesquid.local /var/db/safesquid/ssl/certs/safesquid.local/
  • After copying the file, change the ownership of the directory to the ssquid user:
root@safesquid-swg:/usr/local/src/webcert# chown -R ssquid:root /var/db/safesquid/ssl/certs/safesquid.local/
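The STEP 2 key handling above, as an added example that is not part of the SafeSquid page: a POSIX shell script that tells whether a key is passphrase protected from its PEM header instead of waiting at a prompt, converts it to an encrypted PKCS#8 key with -passin/-passout so it can be scripted, and checks that the key's public key matches the certificate before the two are merged (a check the page does not perform). It assumes only that the openssl CLI is on PATH; passphrases and file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the SafeSquid wiki page: a scripted version of
# STEP 2 that never waits at a passphrase prompt and verifies that the
# key and certificate really belong together before they are merged.
# Assumes the openssl CLI is on PATH. File names follow the page.
set -e

# Passphrase-protected keys carry one of these PEM markers, so we can tell
# without running 'openssl rsa -in' and waiting for the prompt.
# Returns 0 if the key is encrypted, 1 if it is stored in the clear.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Convert a key (encrypted or not) to an encrypted PKCS#8 key, the format
# the page shows as -----BEGIN ENCRYPTED PRIVATE KEY-----.
# $1 input key, $2 output key, $3 passphrase of the input (may be empty),
# $4 passphrase to protect the output with.
to_pkcs8_encrypted() {
    openssl pkcs8 -topk8 -in "$1" -out "$2" \
        -passin "pass:$3" -passout "pass:$4"
}

# Check that the certificate's public key is the one derived from the
# private key: a mismatched pair makes the proxy's TLS handshake fail.
# $1 key, $2 key passphrase, $3 certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout)
    c=$(openssl x509 -in "$3" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the combined file SafeSquid loads, named after the website.
# Refuses to write anything if the pair does not match.
# $1 key, $2 key passphrase, $3 certificate, $4 output bundle.
make_bundle() {
    key_matches_cert "$1" "$2" "$3" || return 1
    cat "$1" "$3" > "$4"
    chmod 640 "$4"   # the file holds a private key; keep it unreadable to others
}
```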

STEP 3: Redirect the SafeSquid port 80 and 443 traffic to 8080 and 8443 respectively

  • Flush the existing iptables NAT rules:
iptables -F -t nat
  • Enable IP forwarding in /etc/sysctl.conf on the system where SafeSquid is installed:
vim /etc/sysctl.conf
Change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
  • Reload sysctl so the change takes effect:
sysctl -p
  • Redirect requests for port 80 to 8080:
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to 8080
  • Redirect requests for port 443 to 8443 (for the SSL transparent proxy):
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to 8443
  • Verify the iptables rules with the command below:
iptables -L -v -t nat
  • Finally, save the iptables rules so they survive a reboot:
apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

Note: the redirection rules are not flushed when the proxy server reboots. They match every TCP packet arriving on ports 80 and 443, not only packets addressed to the proxy's own IP, so restrict them (for example with a -d 192.168.249.130 match) if the host also forwards other traffic.

Access the SafeSquid interface

Go to the Configure page.

[Screenshots: Transparent Proxy.png, Slide3.png]

Enable the policy from Network settings.

[Screenshot: Slide4.png]

Restart SafeSquid service

Restart the SafeSquid service from the interface.

STEP 4: Change DNS on the user's system

The client must resolve cloudcms.safesquid.local to 192.168.249.130 [SafeSquid IP].

  • For the IP-to-domain-name mapping, edit the file C:\Windows\System32\drivers\etc\hosts and add the line below:
192.168.249.130 cloudcms.safesquid.local

Save the file.

Verify with the ping utility that the name resolves as defined in the hosts file:

C:\>ping cloudcms.safesquid.local

Pinging cloudcms.safesquid.local [192.168.249.130] with 32 bytes of data:
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64
Reply from 192.168.249.130: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.249.130:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

How to Test?

The ping output above confirms that the hosts-file change is in effect: cloudcms.safesquid.local now resolves to 192.168.249.130.

After completing all 4 steps, open https://cloudcms.safesquid.local/ in a browser on the machine where the hosts file was edited.

Remove the proxy settings from the browser.

[Screenshots: Slide5.png, Slide7.png, Slide8.png, Slide9.png]

Open the browser and access https://cloudcms.safesquid.local/.

NOTE:

SafeSquid fetches the cloudcms.safesquid.local certificate from /var/db/safesquid/ssl/certs/safesquid.local/ and presents it to the browser.

The CA that signed the certificate for cloudcms.safesquid.local must be trusted by the browser; otherwise the browser reports an SSL error.

The client request goes to the proxy server on port 443 and is redirected to port 8443.

SafeSquid then does the DNS lookup for the requested host, which resolves to the web server (through the BIND forwarder configured in STEP 1).

It fetches the resources and returns the response to the user.