
Squid as a Transparent Proxy on pfSense

Proxy servers can be very useful for speeding up an internet connection through caching, for logging internet usage, and for filtering traffic. The proxy server stores local copies of HTML pages, images, and other files in its cache.

Caching proxy servers can greatly improve the internet performance of corporate networks where many users may be requesting similar pages.

Transparent proxies route the clients' traffic through the proxy server automatically, unlike traditional proxies, which require configuration changes on the client systems.

The following steps show how to install the popular proxy server application Squid as a transparent proxy.

Step 1:

The first thing you'll need to do is install the Squid package in pfSense. Go to Package Manager in the System drop-down menu.

Select Available Packages and search for Squid. Then locate the Squid package, click the + symbol next to it, and confirm the setup to begin the installation. The installation process normally takes a few minutes to complete. Make sure you do not leave the package installer page while it is installing.

Step 2:

Once the installation is complete, go to Squid Proxy Server in the Services menu.

Select Local Cache and configure the following:

  • Cache Replacement Policy: Heap LFUDA
  • Low-Water Mark in %: 90
  • High-Water Mark in %: 95
  • Hard Disk Cache Size: 1024
  • Level 1 Directories: 16
  • Hard Disk Cache Location: /var/squid/cache
  • Minimum Object Size: 0
  • Maximum Object Size: 4
  • Memory Cache Size: 64
  • Maximum Object Size in RAM: 256
  • Memory Replacement Policy: Heap GDSF
  • Click Save

Step 3:

Configure General tab settings as follows:

  • Check/tick Enable Squid Proxy option
  • Tick Keep Settings/Data
  • As we need to enable the proxy for internal users, select LAN from Proxy Interface(s)
  • Keep the other Squid General Settings as they are.

Step 4:

Setup the Transparent Proxy Settings as follows:

  • Enable transparent mode by checking Transparent HTTP Proxy
  • Select LAN on Transparent Proxy Interface(s)

In production, if you have specific sources or destinations that need to bypass the proxy cache, you may use Bypass Proxy for These Source IPs and Bypass Proxy for These Destination IPs.

Step 5:

Logging Settings:

  • Check Enable Access Logging, and keep the warning in mind!
  • Rotate Logs: 1

Step 6:

Headers Handling, Language and Other Customizations:

  • Visible Hostname: pf01.instxy.ac.lk
  • Administrator's Email: you@…
  • X-Forwarded Header Mode: transparent
  • Disable VIA Header: set
  • URI Whitespace Characters Handling: strip
  • Suppress Squid Version: set
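
To confirm that the values saved in the GUI actually reached the proxy's configuration, the following added script (not part of the original page) audits a squid.conf against the settings from Steps 2, 5 and 6. The directive names are standard Squid ones, but their mapping to the pfSense GUI labels is an assumption, and the sample configuration is constructed for the demonstration.

```shell
# Added example (not from the original page): audit squid.conf against Steps 2, 5 and 6.
# Assumption: the pfSense GUI fields map to these standard Squid directives.
expected_settings() {
cat <<'EOF'
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_swap_low 90
cache_swap_high 95
logfile_rotate 1
visible_hostname pf01.instxy.ac.lk
forwarded_for transparent
via off
uri_whitespace strip
httpd_suppress_version_string on
EOF
}
# Constructed sample config: "via" is left on and the version string is not suppressed.
sample_conf() {
cat <<'EOF'
cache_replacement_policy   heap LFUDA
memory_replacement_policy heap GDSF
cache_swap_low 90
cache_swap_high 95
logfile_rotate 1
visible_hostname pf01.instxy.ac.lk
forwarded_for transparent
via on
uri_whitespace strip
EOF
}
# audit_squid_conf FILE: print OK/DIFF/MISSING per directive; exit status 1 on any finding.
# MISSING means the Squid built-in default applies, which this script does not evaluate.
audit_squid_conf() {
    expected_settings | awk -v conf="$1" '
        function norm(s) { gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return s }
        BEGIN { while ((getline line < conf) > 0) {
            line = norm(line); n = index(line, " ")
            if (line !~ /^#/ && n > 0) have[substr(line, 1, n - 1)] = substr(line, n + 1)  # last occurrence wins
        } }
        { key = $1; want = norm(substr($0, length(key) + 1))
          if (!(key in have)) { print "MISSING " key; bad = 1 }
          else if (have[key] != want) { printf "DIFF %s: found \"%s\", want \"%s\"\n", key, have[key], want; bad = 1 }
          else print "OK " key }
        END { exit bad + 0 }
    '
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_squid_conf "${1:-$tmp}" || echo "Review the DIFF/MISSING lines above."
rm -f "$tmp"
```

Pass the path of the generated squid.conf as the first argument to audit a real configuration; without an argument the script audits the constructed sample.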
Last modified on Nov 29, 2018, 1:42:35 PM