Configure mbox web proxy

mbox can provide an HTTP proxy service by integrating the most popular proxy engine, squid. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator and web access filtering engine.

mbox installed with squid is typically deployed in two modes: transparent mode or explicit mode.

A transparent proxy, also known as an intercepting proxy, does not require any configuration changes on the client, since traffic is transparently sent to the proxy, redirected by an mbox firewall DNAT rule. When the client sends packets, they are addressed to the destination server. Squid silently intercepts the URL requests, caches the contents and performs URL filtering (if any).

In transparent mode, mbox is deployed “in-line”, sitting in the data path, e.g. as a gateway, running “transparently” to end users. This mode is good when we want to minimize disruption to the user experience.

A few key notes on transparent mode:

    • mbox is deployed as a gateway for user network
    • Users’ PC default gateway must be mbox proxy LAN IP address
    • transparent mode does not intercept https connections

An explicit proxy is one in which the client is explicitly configured to use the proxy, and is therefore aware of the existence of the proxy on the network. When the client sends packets to an explicit proxy, they are addressed to the proxy server's listening address and port. Squid usually listens for explicit traffic on TCP port 3128, but TCP port 8080 is also a common explicit proxy listening port.

In explicit mode deployment, mbox can be “in-line” or “out-of-band”. This mode is typically used when we want to proxy or filter https traffic as well, or sometimes simply to use mbox to redirect traffic (e.g. when the users’ PC default gateway is not mbox).

A few key notes on explicit mode:

    • mbox can be in-line as a gateway or out-of-band
    • Users’ PC browser must be configured to point to mbox IP as proxy with the correct proxy port
    • explicit mode supports https connections

CONFIGURING WEB PROXY

When configuring mbox as a proxy, the following preparations are needed:

    • determine which proxy mode to use first
    • determine the proxy port number to be used. This is not required for a transparent proxy (we use the default TCP/3128); for an explicit proxy, it’s recommended to change the default to TCP/8080.
    • determine which traffic is allowed or denied (e.g. URL filtering, network filtering, etc.)

Main configuration steps:

  1. configure proxy service
  2. configure mbox to intercept user traffic (redirect http requests to proxy)
  3. (optional) configure URL logging

1. CONFIGURE PROXY SERVICES

mbox> enable
mbox# configure
mbox(config-if)# security proxy-server
mbox(config-if)# proxy-port 3128 (transparent)     <-- add the optional "transparent" keyword only in transparent mode
mbox(config-if)# proxy-access <ACL>                <-- proxy rules to permit/deny accesses, see following section for details
mbox(config-if)# start
mbox(config-if)# exit

NOTES: we must explicitly permit accesses through the mbox proxy; by default it blocks all access for security reasons. We use the "proxy-access" command to define which traffic is permitted.

proxy-access <ACL Number> <actions> <filter>

  • <ACL Number> defines the sequence in which rules are applied to each access. It is like firewall rules, processed top-down: once traffic matches an upper rule, it is not processed by lower rules. So it's important to plan the rule sequence when we have many rules.
  • <actions> defines whether to permit or deny access for the matched traffic (specified in <filter>). Below is a list of available actions:
    • permit Permit access from the defined network. There's an implicit "deny" within mbox (anything not explicitly permitted is denied), so at minimum we must permit hosts from local networks to go out. But if we are to deny access to certain domains/URLs, the permit rules should appear below all the deny rules.
    • permit-log Permit access and log accessed URLs. This option tracks all permitted URL accesses in syslog format (facility: local7.info), so that they can be sent to an external syslog server for central logging.
    • deny Deny access from the defined network.
    • deny-log Deny access and log the attempted URLs. This option tracks all denied URL accesses in syslog format (facility: local7.info), so that they can be sent to an external syslog server for central logging.
  • <filter> defines what traffic this rule permits/denies. Below is a list of available options:
    • all All accesses. This permits/denies all traffic (depending on the <action> option).
    • src Filter by source IP-address or subnet.
    • dst Filter by destination IP-address or subnet.
    • port Filter by destination port (TCP ports only)
    • domain Filter by destination domains (for example .xyz.com). This can be used for manual URL filtering.

NOTES:

    • if we’re running mbox as a transparent proxy, add the optional keyword “transparent” when specifying proxy-port
    • if we've changed the proxy-port or proxy-access rules, we must restart the proxy service (stop, then start again).
    • typically we use proxy-port TCP/8080 when running explicit mode and TCP/3128 when running transparent mode (change the firewall rule port number to match the proxy-port number used).
    • after a change of block-url (e.g. using the "block-url add" command), we need to stop and start the proxy service.

2. CONFIGURE MBOX TO INTERCEPT HTTP TRAFFIC (HTTP REDIRECTION)

There are two main steps to configure:

  1. configure firewall-dnat to redirect/forward http (tcp/80) to the proxy port (default tcp/3128)
  2. configure firewall-input to allow incoming proxy requests (tcp/3128)

!
firewall-dnat 10 exempt all dst 49.128.58.64/28 remark "bypass proxy for SGNOC"
firewall-dnat 11 exempt all dst 128.199.114.0/24 remark "bypass proxy for ads server"
firewall-dnat 12 exempt all dst 2.1.2.1 remark "bypass proxy for local-hosted portal"
firewall-dnat 13 redirect all tcp dport 80 rdport 3128 remark "Enable proxy for all others"
!
firewall-input 10 permit all tcp dport 3128 remark "Accept proxy request"
!

NOTE: If we want to enable the proxy for specific networks only, we need to specify the src network in the redirect rule ("firewall-dnat 9 redirect xxx"), and this network usually needs to match the "proxy-access" src network config.
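The ordering rules above (proxy-access is evaluated top-down with an implicit deny at the end; firewall-dnat exempt rules must sit above the redirect rule) are easy to get wrong. The following is an added example, not mbox's or squid's own code: a small Python model of that first-match evaluation, loaded with the page's firewall-dnat rules 10-13 and with the page's "proxy-access 19 permit-log src 11.11.0.0/20" preceded by a constructed deny for the placeholder domain ".blocked.example". The domain-matching convention (a leading dot matches the domain and all its subdomains, as squid's dstdomain does) is an assumption about mbox's "domain" filter.

```python
# Added example (not mbox's or squid's own code): a model of the top-down,
# first-match evaluation the page describes for proxy-access and
# firewall-dnat rules, showing why a permit placed above a deny makes the
# deny unreachable.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProxyRule:
    """One proxy-access line: <ACL Number> <action> <filter> [value]."""
    seq: int
    action: str        # permit | permit-log | deny | deny-log
    kind: str          # all | src | dst | port | domain
    value: str = ""


@dataclass
class DnatRule:
    """One firewall-dnat line; None means that field is not constrained."""
    seq: int
    action: str                   # exempt | redirect
    dst: Optional[str] = None     # destination IP or subnet
    proto: Optional[str] = None   # tcp | udp
    dport: Optional[int] = None
    rdport: Optional[int] = None  # port to redirect to (redirect only)


def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def proxy_rule_matches(rule, src_ip, dst_ip, dst_port, host) -> bool:
    if rule.kind == "all":
        return True
    if rule.kind == "src":
        return in_net(src_ip, rule.value)
    if rule.kind == "dst":
        return in_net(dst_ip, rule.value)
    if rule.kind == "port":
        return dst_port == int(rule.value)
    if rule.kind == "domain":
        # Assumed squid dstdomain convention: ".xyz.com" matches xyz.com and
        # every subdomain; a pattern without a leading dot matches exactly.
        pattern, name = rule.value.lower(), host.lower()
        if pattern.startswith("."):
            return name == pattern[1:] or name.endswith(pattern)
        return name == pattern
    raise ValueError(f"unknown filter {rule.kind!r}")


def evaluate_proxy_access(rules, src_ip, dst_ip, dst_port, host):
    """Return (decision, logged, matching rule number); first match wins.
    When nothing matches, the implicit deny applies and nothing is logged."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if proxy_rule_matches(rule, src_ip, dst_ip, dst_port, host):
            decision = "permit" if rule.action.startswith("permit") else "deny"
            return decision, rule.action.endswith("-log"), rule.seq
    return "deny", False, None


def evaluate_dnat(rules, dst_ip, proto, dport):
    """Return the port a connection is redirected to, or None if it is left
    untouched (an exempt rule matched first, or no rule matched)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.dst is not None and not in_net(dst_ip, rule.dst):
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return None if rule.action == "exempt" else rule.rdport
    return None


# Constructed rule sets. ".blocked.example" is a placeholder domain.
GOOD_ORDER = [
    ProxyRule(10, "deny-log", "domain", ".blocked.example"),
    ProxyRule(19, "permit-log", "src", "11.11.0.0/20"),
]
BAD_ORDER = [  # permit moved above the deny: the deny can never match
    ProxyRule(5, "permit-log", "src", "11.11.0.0/20"),
    ProxyRule(10, "deny-log", "domain", ".blocked.example"),
]
DNAT_RULES = [  # firewall-dnat 10-13 from section 2 of the page
    DnatRule(10, "exempt", dst="49.128.58.64/28"),
    DnatRule(11, "exempt", dst="128.199.114.0/24"),
    DnatRule(12, "exempt", dst="2.1.2.1"),
    DnatRule(13, "redirect", proto="tcp", dport=80, rdport=3128),
]

if __name__ == "__main__":
    lan, web = "11.11.0.50", "203.0.113.10"  # 203.0.113.0/24 is documentation space
    print(evaluate_proxy_access(GOOD_ORDER, lan, web, 80, "www.blocked.example"))  # ('deny', True, 10)
    print(evaluate_proxy_access(BAD_ORDER, lan, web, 80, "www.blocked.example"))   # ('permit', True, 5)
    print(evaluate_proxy_access(GOOD_ORDER, "192.168.2.9", web, 80, "www.example.com"))  # ('deny', False, None)
    print(evaluate_dnat(DNAT_RULES, "49.128.58.70", "tcp", 80))  # None (exempt by rule 10)
    print(evaluate_dnat(DNAT_RULES, web, "tcp", 80))             # 3128 (redirected by rule 13)
```

Running the script shows the two failure modes worth checking in a real rule set: a host outside the permitted src network is silently denied by the implicit deny (no log entry, so nothing shows up in URL logging), and a permit sequenced above a deny makes the deny dead. The same first-match logic is why the exempt firewall-dnat entries must carry lower sequence numbers than the redirect entry.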

To verify that the proxy service is running:

mbox# show security proxy
Proxy is running

3. (OPTIONAL) CONFIGURE URL LOGGING

In many cases, when running proxy service, we will want to log the URL access details (URL logging) to a central logging server, for analysis and compliance purposes.

NOTES:

  • we need to enable logging in the proxy-access rule (e.g. proxy-access 19 permit-log xxxx), so that URL accesses are tracked as syslog (facility: local7.info).
  • because the mbox proxy only intercepts (and therefore only logs) http traffic, if we want to log complete accesses (e.g. https), we have to enable firewall logging for https (tcp/443) traffic (for CMG, use firewall-access <acl> permit-log/deny-log; for HSG, use hotspot-access <acl> permit-log/deny-log)
  • we need to configure log-output rules to export facility local7 (for http URL logs) and message type "mboxfw" (for firewall logs) to the external syslog server. More details on log output are here.
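On the receiving end, the central syslog server sees both streams the log-output rules export: URL logs tagged with facility local7 and firewall logs carrying the "mboxfw" message type. The following is an added example, not mbox's own code: a Python helper for the collector side that decodes the syslog PRI envelope of each received line and separates the two streams. Facility and severity numbering are the standard syslog scheme (RFC 3164/5424), in which PRI = facility * 8 + severity, so local7.info is 23 * 8 + 6 = 190. The sample lines are constructed; this page does not document the body format of mbox messages, so only the envelope is parsed, and the assumption that firewall lines contain the literal tag "mboxfw" is a placeholder.

```python
# Added example (not mbox's own code): decode the syslog <PRI> envelope of
# forwarded lines and separate the proxy URL log (facility local7) from the
# firewall log, mirroring the split made by the page's two log-output rules.
import re

# RFC 3164 facility numbers; 12-15 are left generic, 16-23 are local0-local7.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp",
                  **{i: f"facility{i}" for i in range(12, 16)},
                  **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def priority(facility: str, severity: str) -> int:
    """Numeric PRI for a facility.severity pair, e.g. local7.info -> 190."""
    by_name = {name: num for num, name in FACILITY_NAMES.items()}
    return by_name[facility] * 8 + SEVERITY_NAMES.index(severity)


def decode_pri(line: str):
    """Split a raw syslog line into (facility name, severity name, body).
    Lines without a PRI, or with a PRI above 191, are rejected rather than
    filed under a wrong facility."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES[fac], SEVERITY_NAMES[sev], m.group(2)


def route(lines):
    """Bucket lines the way the two log-output rules split them: URL logs
    are facility local7; firewall logs are recognised here by the assumed
    'mboxfw' tag; anything else is kept aside for inspection."""
    buckets = {"url": [], "firewall": [], "other": [], "malformed": []}
    for line in lines:
        try:
            fac, _sev, body = decode_pri(line)
        except ValueError:
            buckets["malformed"].append(line)
            continue
        if fac == "local7":
            buckets["url"].append(body)
        elif "mboxfw" in body:
            buckets["firewall"].append(body)
        else:
            buckets["other"].append(body)
    return buckets


# Constructed sample input (not real mbox output): two URL-log lines at
# local7.info (<190>), one firewall line at local0.info (<134>), one
# unrelated cron.info line (<78>) and one line with a corrupted PRI.
SAMPLE_LINES = [
    "<190>Jan  1 10:00:01 XYZ squid: 11.11.0.50 GET http://www.example.com/ 200",
    "<190>Jan  1 10:00:02 XYZ squid: 11.11.0.51 GET http://www.example.org/ 403",
    "<134>Jan  1 10:00:03 XYZ mboxfw: ACCEPT 11.11.0.50:51234 -> 203.0.113.10:443",
    "<78>Jan  1 10:00:04 XYZ CRON[123]: session opened",
    "<999>garbage",
]

if __name__ == "__main__":
    for name, entries in route(SAMPLE_LINES).items():
        print(f"{name}: {len(entries)} line(s)")
```

When wiring a real collector, filter on the decoded facility rather than on substrings in the body: the facility is set by the device's log-output rule and survives any change in message wording, whereas a tag like the assumed "mboxfw" is only a convention.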

COMPLETE CONFIG EXAMPLE

!
hostname XYZ
!
interface eth 0
 enable
 ip address 192.168.3.2/30
!
interface eth 1
 enable
 ip address 192.168.2.1/24
!
interface vlan 1 4
 description wifi@XYZ
 enable
 ip address 11.11.0.1/20
!
ip name-server 203.211.152.66 210.193.2.66
!
ip default-gateway 192.168.3.1
!
firewall-dnat 10 exempt all dst 49.128.58.64/28 remark "bypass proxy for SGNOC"
firewall-dnat 11 exempt all dst 128.199.114.0/24 remark "bypass proxy for ads server"
firewall-dnat 12 exempt all dst 1.1.1.1 remark "bypass proxy for local-hosted portal"
firewall-dnat 13 redirect all tcp dport 80 rdport 3128 remark "Enable proxy for all others"
!
firewall-input 11 permit all tcp dport 80 remark "Accept local portal access via http"
firewall-input 12 permit all tcp dport 443 remark "Accept local portal access via https"
!
firewall-access 11 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
security proxy-server
 proxy-access 19 permit-log src 11.11.0.0/20 remark "proxy permit and log http access"
 start
!
security radius-server
 client 127.0.0.1 key testing123 name XYZ
 start
!
security hotspot vlan4
 hotspot-id nas0devel
 location WIFI@XYZ
 hotspot-wan eth0
 hotspot-server 11.11.0.1 ports 3990 4990
 client-network 11.11.0.0 255.255.240.0
 client-dhcp 11.11.0.10 255.255.240.0 lease 3600
 client-dhcp-dns 203.211.152.66 210.193.2.66
 hotspot-access 10 permit-log tcp dport 443     <-- firewall logging for https access
 allowed-url http://pagead2.googlesyndication.com
 redirect-url http://www.singaporecruise.com.sg
 radius-server localhost testing123
 hotspot-online-page SGCRUISE-Tos
 start
!
log-output 18 host 49.128.58.68 msg mboxfw     <-- export out mbox firewall logs (for https access)
log-output 19 host 49.128.58.68 fac local7     <-- export out URL logging (for http access)
!