Enforce using proxy in all browsers

Question

I've configured squid with squid with squidguard and when using proxy in browser it works fine. But I want to enforce using proxy (probably in iptables) in all browsers. Now it can be disabled in the browser settings by user.

My setup is: one standalone pc with ubuntu running the squid and squidguard and on this very same device I want to somehow enforce using the proxy. Squid conf file has set:

http_port 3128 transparent

THX

Any reason you wouldn't just block outbound port 80 and 443 traffic at the firewall from systems other than the squid device? — Shane Madden, Nov 05 '12 at 02:26
I don't want to block traffic I'd like to filter it according to blacklists in squid (squidquard) — Petr Marek, Nov 08 '12 at 09:51

score 1 · Answer 1 · answered Nov 05 '12 at 02:50

What you're looking for is a transparent proxy. Last I checked there were two ways to do this with Squid:

Leverage WCCP, which Squid supports.
Route all Internet traffic through the Squid box and intercept traffic through IPTables. Squid calls this an Intercept cache.

The first option requires support from your routing infrastructure. As that's a Cisco protocol, support outside of Cisco is not strong. This works, I've done it, if you have the infrastructure.

The second option is much more doable. In order for this to work, you need to set up your routing infrastructure to send all Internet traffic through the Squid box. Squid can be compiled with intercept support, and may come that way through the Apt repos.

If I understand it well this solution requires separate squid box (proxy router). But my intention is to get this working like this: client box is also a squid box. With root I set up squid and user on the very same system is controlled by squid. Is that possible? — Petr Marek, Nov 06 '12 at 23:10

score 0 · Answer 2 · answered Nov 05 '12 at 03:06

Following iptables recipe routes transparently all HTTP traffic on eth1 (our internal network device on the router) to Squid (and vv).

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.110.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

If you happen to use ufw (as we do), you can add the line into /etc/ufw/after.rules:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.110.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

You can find more examples and detailed information from this article.

additional question under the first answer... – Petr Marek Nov 06 '12 at 23:46 — Petr Marek, Nov 06 '12 at 23:46

Enforce using proxy in all browsers

2 Answers2