Nethserver squid proxy and file server

webproxy
v7

(Vuk Cetkovic) #1

NethServer Version: NethServer release 7.5.1804 (final)
Module: web proxy

Dear friends,

I am Vuk and I am new to NethServer. I have found that NethServer offers many functionalities, so I decided to install it. However, a Linux installation without any problems wouldn't be a Linux installation. :smiley:

I would like to make a web proxy filter and a file server. My first installation worked as a web proxy and web content filter but when I changed the IP address of it, everything messed up so I decided to install it again and start over. The new installations are not working because squid proxy is listening only on TCP-V6 (when I set it to be gateway and dns on the user computer then it blocks everything). Editing the squid.conf doesn’t help.

My installation steps and after-installation steps were absolutely the same as the first time, but the functionality differs. I'm a bit confused…

Setup:

  1. mikrotik as a gateway
  2. nethserver squid is dns and proxy

Anyone knows why is this happening and how it can be solved?

Best Regards


(Markus Neuberger) #2

Hi Vuk,

welcome to Nethserver community.

Do you use transparent proxy? In this case NethServer has to be the gateway for the clients. Do you use NethServer in gateway mode (red and green interface) behind the MikroTik?

NethServer in gateway mode allows clients to connect to the internet by default, so it should just work without the proxy. Maybe there's a network config error?

By entering following commands you can check the network config:

ip a
db networks show

Be careful when editing config files directly: NethServer uses a template system and your changes will be overwritten.

Proxy documentation:

http://docs.nethserver.org/en/v7/web_proxy.html


(Vuk Cetkovic) #3

Hello mrmarkuz,

Thanks for this detailed and prompt reply!

It is in transparent mode and I would like MikroTik to remain the gateway in the network. I will configure it to redirect the port 80 and 443 traffic to NethServer. The gateway for NethServer is also MikroTik, so it means only a green interface. If necessary, I can make a dedicated subnet for NethServer. Is it possible this way? Let me tell you that in my first installation Squid antivirus worked when the proxy was set on the host PC. HTTPS reported a wrong certificate, but that was my secondary concern.

Here is the ip a result:

[root@nethsever ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s4f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:21:5a:99:a9:bc brd ff:ff:ff:ff:ff:ff
    inet 172.16.202.31/24 brd 172.16.202.255 scope global enp3s4f0
       valid_lft forever preferred_lft forever
    inet6 fe80::221:5aff:fe99:a9bc/64 scope link
       valid_lft forever preferred_lft forever
3: enp3s4f1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:21:5a:99:a9:bd brd ff:ff:ff:ff:ff:ff

And here is db networks show:

[root@nethsever ~]# db networks show
enp3s4f0=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=172.16.202.1
    ipaddr=172.16.202.31
    netmask=255.255.255.0
    role=green
enp3s4f1=ethernet
    role=
ppp0=xdsl-disabled
    AuthType=auto
    FwInBandwidth=
    FwOutBandwidth=
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=

I will also read the documentation, but if you have something to suggest, please post it.

Best Regards
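As an added example (not NethServer project code and not posted in the thread), the script below reads the two outputs requested above and answers the questions the thread is circling: which interface has which role, whether a usable red interface exists at all, and on which address families Squid's 3128 (manual) and 3129 (transparent) ports are bound. The samples embedded in it are constructed: the db text is the output posted above (trimmed, with the indentation real e-smith db output carries), and the ss text is shaped like CentOS 7 `ss -lnt`. The LIVE environment variable and the port numbers checked are assumptions for this example. One caveat it encodes: on Linux a socket bound to the IPv6 wildcard `::` also accepts IPv4 clients unless IPV6_V6ONLY (sysctl net.ipv6.bindv6only) is set, so a listener that ss shows only as tcp6 is normally not by itself the reason IPv4 clients cannot connect.

```python
# Added example (not NethServer project code): parse the outputs the thread
# asks for and check interface roles plus the Squid listener sockets.
# Run with LIVE=1 on the box to use real `db networks show` / `ss -lnt`
# output; otherwise the constructed samples below are used.
import os
import subprocess

# Constructed sample: the `db networks show` output posted in the thread
# (trimmed), with the 4-space property indentation real e-smith db output has.
SAMPLE_DB = """\
enp3s4f0=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=172.16.202.1
    ipaddr=172.16.202.31
    netmask=255.255.255.0
    role=green
enp3s4f1=ethernet
    role=
ppp0=xdsl-disabled
    AuthType=auto
    name=PPPoE
    provider=xDSL provider
    role=red
"""

# Constructed sample resembling CentOS 7 `ss -lnt`: Squid's 3128 (manual) and
# 3129 (transparent) ports on the IPv6 wildcard only, sshd on both families.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    :::22                :::*
LISTEN     0      128    :::3128              :::*
LISTEN     0      128    :::3129              :::*
"""


def parse_db_networks(text):
    """e-smith `db ... show` text -> {record: {"type": t, prop: value, ...}}."""
    db, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition("=")
        if line[0].isspace() and current is not None:   # indented: property
            db[current][key] = value
        else:                                            # header: name=type
            current, db[key] = key, {"type": value}
    return db


def interfaces_by_role(db):
    roles = {}
    for name, props in db.items():
        roles.setdefault(props.get("role", ""), []).append(name)
    return roles


def has_usable_red(db):
    """A red interface that is not a disabled placeholder such as the thread's
    ppp0=xdsl-disabled; False means the box runs green-only (no gateway mode)."""
    return any(p.get("role") == "red" and not p["type"].endswith("-disabled")
               for p in db.values())


def parse_ss_listen(text):
    """`ss -lnt` text -> [(family, address, port)].  Old iproute2 prints
    '*:PORT' (IPv4) and ':::PORT' (IPv6); newer prints '0.0.0.0:PORT'/'[::]:PORT'."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if addr == "*":
            addr = "0.0.0.0"
        out.append(("ipv6" if ":" in addr else "ipv4", addr, int(port)))
    return out


def listener_families(listeners, port):
    return {fam for fam, _, p in listeners if p == port}


def accepts_ipv4(listeners, port):
    """On Linux a socket bound to the IPv6 wildcard '::' also accepts IPv4
    clients unless IPV6_V6ONLY (sysctl net.ipv6.bindv6only) is set, so a
    'tcp6-only' Squid in ss output is normally not why IPv4 clients fail."""
    return any(p == port and (fam == "ipv4" or addr == "::")
               for fam, addr, p in listeners)


def report(db_text, ss_text):
    db, listeners = parse_db_networks(db_text), parse_ss_listen(ss_text)
    lines = ["roles: %s" % interfaces_by_role(db),
             "usable red interface: %s" % has_usable_red(db)]
    for port in (3128, 3129):
        fams = sorted(listener_families(listeners, port)) or "not listening"
        lines.append("port %d: %s, accepts IPv4: %s" % (port, fams, accepts_ipv4(listeners, port)))
    return lines


if __name__ == "__main__":
    if os.environ.get("LIVE"):
        run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
        print("\n".join(report(run("db", "networks", "show"), run("ss", "-lnt"))))
    else:
        print("\n".join(report(SAMPLE_DB, SAMPLE_SS)))
```

On the sample above the report says green = enp3s4f0, no usable red interface (ppp0 is only a disabled xDSL placeholder), and both proxy ports bound on IPv6 only but still reachable over IPv4; if a live run shows a port as "not listening", the Squid service itself is the thing to look at, not the address family.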


(Markus Neuberger) #4

Maybe first try if manual proxy works from a client.

It should work with only a green interface too, but to get the full function set out of NethServer, gateway mode is recommended, and clients should use NS as DHCP/DNS server and gateway.


(Vuk Cetkovic) #5

Hello again,

So, manual mode works… OK, so if I want it in transparent mode, then it needs to be the gateway in the network. No problem, I can do it. I need to keep DHCP on MikroTik. DHCP will tell clients where the gateway is.
Can this work that way?

INTERNET–>MikroTik(gateway for NS)–>NS(gateway for clients)
(In this scenario I get only “ERROR The Requested URL could not be retrieved” for every website)

Best Regards


(Markus Neuberger) #6

Yes, this should work.


(Vuk Cetkovic) #7

Hey Markus,

I have edited my previous post…
In this scenario I get only “ERROR The Requested URL could not be retrieved” for every website :frowning:


(Markus Neuberger) #8

"Internet - MikroTik WAN - MikroTik LAN - NethServer red - NethServer proxy green - clients" should work.

Please check if the clients use NethServer as DNS/gateway/proxy and if the internet is working on NethServer, i.e. NS has to use MikroTik as gateway/DNS.

EDIT:

The gateway NethServer uses has to be entered in the red interface.


(Rob Bosch) #9

Be aware that if MikroTik is your gateway and you use NethServer as a proxy, theoretically users can bypass your proxy by connecting directly to the MikroTik router.
You could force users to use the NethServer proxy by only allowing traffic from NethServer to your MikroTik router.

/edit: I just read mrmarkuz's last post, using both MikroTik and NethServer as a router, effectively "double NATing" your network. So my suggestion wouldn't be the case.


(Vuk Cetkovic) #10

@mrmarkuz @robb

Dear friends,

If I understand you correctly, I need two physical interfaces on the NethServer (no problem, I have them). That means I need to insert NethServer between the internet and the clients. Physically it is not going to happen, because I will lose functionality of MikroTik (some users will have limited internet; I have more than one subnet to be filtered). However, I think you helped me a lot!
I will make a new subnet which will be NS RED and a normal green subnet which will be available to all users. I can redirect the 80 and 443 traffic to NS and also mangle the traffic and insert the NS this way. It means that I can even keep MikroTik as the main gateway for users, because NS will be the final gateway for them (done in MikroTik).
I will try it this evening or tomorrow and inform you what I achieved.
Yet, I don't understand why it needs a red interface if the green interface has a place to enter the gateway and it can access the internet… :frowning:

Best Regards.


(Rob Bosch) #11

Slight correction: you don't have to use 2 interfaces for NethServer, only if you want to use NethServer as a gateway. If you want to keep MikroTik as the gateway, that is perfectly possible. NethServer can perfectly serve an account provider and other (network) services.
As soon as you want to use NethServer as a gateway, you need the 2nd interface.
You mentioned that you want to use NethServer as a proxy. You can use a proxy with a single NIC, but it would be easier to be sure the proxy is used when you configure NethServer as a gateway, so all traffic must go through NethServer. If you use NethServer as a proxy with only 1 interface, users could bypass your proxy and connect to the default gateway (in your case MikroTik) directly.


(Vuk Cetkovic) #12

Hmm…

Users will not be able to make any traffic unless they go via the proxy, as I will configure the MikroTik firewall like that.
What am I doing wrong then? This is the current configuration:

MikroTik is the main device in the network, NS is in the same subnet as the users and that is a green interface in NS. NS is the DNS for all users and I want to use it as a transparent proxy…
Is this enough or do I need to make a different setup?

Best Regards.


(Markus Neuberger) #13

It should generally work with only one green interface.

You wrote that the manual proxy is working, so the problem has to be about the forwarding from the MikroTik to the transparent NS proxy (I never tested if this works).


(Vuk Cetkovic) #14

Hello Markus…
Thanks for reply!

Actually only port 3128 works when I choose manual in the web proxy. If I set it as transparent or transparent with SSL and add these parameters on the client machine, then it doesn't work. I get the same message from Squid for every website I try to open and SSL doesn't work. Redirecting and mangling the traffic from MikroTik will give the same result for port 3128… :frowning:

I tried many things… didn't help. Manual settings added in the proxy settings of the Windows client also don't work… Please see the attachment. That's what I get on port 3129…
Any idea?

Best Regards.


(Vuk Cetkovic) #15

Hello friends,

I made it. I just mangled the traffic from users in MikroTik and redirected it with a simple static route, which means that NS is actually the gateway for them. Now every user will access the internet via the proxy. It filters HTTP traffic but not HTTPS… I don't even get a wrong certificate warning. It doesn't even touch HTTPS… :frowning:

Best Regards.
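The policy-routing approach that ended up working above, together with the bypass concern raised earlier in the thread (a single-NIC proxy next to the real gateway can simply be walked around), can be written down as a small RouterOS rule set. The generator below is an added example, not from the thread or from either project; the subnet and proxy address are the ones in the posted `ip a` output, while the MikroTik interface names (ether1/ether2) and the routing mark are assumptions, and the syntax is RouterOS v6 CLI. Two details that are easy to get wrong are encoded as checks: the proxy host must be exempted before the mark-routing rule (otherwise NethServer's own outbound web traffic is routed back to itself), and the accept for NethServer must sit above the drop for the rest of the LAN. It uses a route to NethServer rather than a dst-nat to port 3129 because Squid in intercept mode needs the original destination, which only NethServer's own REDIRECT preserves.

```python
# Added example (not NethServer, Squid or MikroTik code): emit the RouterOS v6
# commands that send LAN HTTP/HTTPS through a NethServer transparent proxy and
# stop clients from reaching the WAN around it. Interface names and the routing
# mark are assumptions; addresses are the thread's.
LAN = "172.16.202.0/24"     # client subnet from the thread's `ip a`
NS_IP = "172.16.202.31"     # NethServer green address (the proxy host)
LAN_IF = "ether2"           # assumed MikroTik LAN interface
WAN_IF = "ether1"           # assumed MikroTik WAN interface
MARK = "via-ns"             # assumed routing mark name


def force_proxy_rules(lan=LAN, ns_ip=NS_IP, lan_if=LAN_IF, wan_if=WAN_IF,
                      mark=MARK, block_all=True):
    """Return the commands in the order they must be entered.

    mangle: exempt the proxy host, then policy-mark client web traffic that
            is not destined for the LAN itself.
    route:  marked packets use NethServer as next hop, so NethServer's own
            iptables REDIRECT hands Squid the real destination (a dst-nat on
            the router to NS:3129 would hide it from intercept mode).
    filter: NethServer may reach the WAN; everything else from the LAN is
            dropped. Move these two above any existing LAN-to-WAN accept
            (e.g. with `/ip firewall filter move`), or the accept wins.
    """
    rules = [
        "/ip firewall mangle add chain=prerouting in-interface=%s src-address=%s "
        "action=accept comment=\"proxy host: never policy-route\"" % (lan_if, ns_ip),
        "/ip firewall mangle add chain=prerouting in-interface=%s src-address=%s "
        "dst-address=!%s protocol=tcp dst-port=80,443 action=mark-routing "
        "new-routing-mark=%s passthrough=no comment=\"web via NethServer\""
        % (lan_if, lan, lan, mark),
        "/ip route add dst-address=0.0.0.0/0 gateway=%s routing-mark=%s "
        "comment=\"policy route to NethServer proxy\"" % (ns_ip, mark),
        "/ip firewall filter add chain=forward src-address=%s out-interface=%s "
        "action=accept comment=\"NethServer may reach WAN\"" % (ns_ip, wan_if),
    ]
    drop = ("/ip firewall filter add chain=forward src-address=%s out-interface=%s "
            "action=drop comment=\"no proxy bypass\"" % (lan, wan_if))
    if not block_all:   # only close the web bypass, let other traffic go direct
        drop = drop.replace("action=drop", "protocol=tcp dst-port=80,443 action=drop")
    rules.append(drop)
    return rules


def validate(rules):
    """Return the ordering problems the rule set would have, empty if none."""
    def first(substr):
        return next((i for i, r in enumerate(rules) if substr in r), None)
    exempt, marking = first("comment=\"proxy host"), first("action=mark-routing")
    ns_ok, drop = first("NethServer may reach WAN"), first("no proxy bypass")
    problems = []
    if exempt is None or marking is None or exempt > marking:
        problems.append("proxy host must be exempted before the mark-routing rule")
    if ns_ok is None or drop is None or ns_ok > drop:
        problems.append("NethServer accept must precede the LAN drop")
    return problems


if __name__ == "__main__":
    rules = force_proxy_rules()
    assert validate(rules) == []
    print("\n".join(rules))
```

With block_all=True clients can reach the WAN for nothing but what NethServer relays for them, which is the "only allow traffic from NethServer" variant from the thread; since the clients already use NethServer for DNS that still works, but any service they reach directly today will stop until it is routed through NethServer as well. block_all=False narrows the drop to TCP 80/443, which closes only the web bypass.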


(Rob Bosch) #16

Isn't that the default behavior with a transparent proxy? If you want HTTPS to be filtered also, you have to switch to an explicit proxy, right?


(Vuk Cetkovic) #17

Hello @robb

To be honest, I have no idea. I have configured it as transparent with SSL. I also configured it once last year on pfSense and it filtered HTTP and HTTPS…
Any directions?

Best Regards.


(Markus Neuberger) #18

SSL traffic is not inspected in transparent mode:

The daemon does not inspect SSL traffic, but visited sites can be processed using the web filter.

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-squid.html#ssl-peek-and-splice
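The quoted sentence is the crux of the thread: in peek-and-splice mode the proxy reads the TLS ClientHello, takes the server name (SNI) from it, decides whether to let the connection through ("splice") or cut it, and never sees the bytes that follow, so the antivirus has nothing to scan. The following is an added example, not Squid or NethServer code, that builds a constructed ClientHello with an SNI extension, parses the name back out the way a peeking filter would, and shows that an application-data record yields nothing. The block list and host names are made up for the demonstration. One caveat worth keeping in mind: the SNI is supplied by the client and is not authenticated, so a name-based filter only sees what the client chooses to announce.

```python
# Added example (not Squid or NethServer code): what an SNI-only HTTPS filter
# can see. ClientHello builder, SNI extractor and a peek/splice decision
# model; all inputs are constructed for the demonstration.
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B


def build_client_hello(hostname, tls13=True):
    """Constructed minimal TLS ClientHello record carrying an SNI extension.
    supported_versions is emitted first so the parser must skip an extension."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type host_name
    sni_body = len(server_name).to_bytes(2, "big") + server_name   # ServerNameList
    exts = b""
    if tls13:
        sv_body = b"\x02\x03\x04"                                  # versions list: TLS 1.3
        exts += EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + len(sv_body).to_bytes(2, "big") + sv_body
    exts += EXT_SERVER_NAME.to_bytes(2, "big") + len(sni_body).to_bytes(2, "big") + sni_body
    body = (b"\x03\x03"                     # client_version TLS 1.2
            + b"\x11" * 32                  # random (fixed, constructed)
            + b"\x00"                       # session_id: empty
            + b"\x00\x04\x13\x01\xc0\x2f"   # two cipher suites
            + b"\x01\x00"                   # compression: null only
            + len(exts).to_bytes(2, "big") + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # client_hello
    return bytes([HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


def build_application_data(payload):
    """Constructed encrypted record: opaque without the session keys."""
    return bytes([APPLICATION_DATA, 3, 3]) + len(payload).to_bytes(2, "big") + payload


def extract_sni(record):
    """Host name from the SNI extension of a ClientHello record, else None."""
    try:
        if record[0] != HANDSHAKE:
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:                                 # walk the extensions
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            q, list_end = 2, 2 + int.from_bytes(edata[0:2], "big")
            while q + 3 <= list_end:
                ntype, nlen = edata[q], int.from_bytes(edata[q + 1:q + 3], "big")
                if ntype == 0:                                # host_name entry
                    return edata[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def peek_decision(record, blocked_domains):
    """Model of an SNI-only filter: 'terminate' a blocked name (any parent
    domain matches), 'splice' everything else untouched and still encrypted.
    Encrypted records are 'opaque': there is nothing in them to filter or scan."""
    if record[:1] == bytes([APPLICATION_DATA]):
        return "opaque"
    host = extract_sni(record)
    if host is None:
        return "splice"          # no name visible, nothing to decide on
    labels = host.lower().split(".")
    if any(".".join(labels[i:]) in blocked_domains for i in range(len(labels))):
        return "terminate"
    return "splice"
```

Running extract_sni over the constructed hello for www.example.com returns that name and nothing else about the request; the same function on an application-data record returns None. That is the whole inspection surface in transparent mode, which is why the web filter can act on visited sites while the antivirus never gets to look at downloads.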


(Vuk Cetkovic) #19

Hmmm… Squid ClamAV was the main reason why I wanted to use the proxy. It won't inspect a lot of traffic actually. I think I will just try out NethServer's file server for now and the email server later. Thanks guys!

Best Regards.