RedWood filtering proxy server

v7

(Eliezer Croitoru) #1

I started packaging redwood for CentOS 7 and was wondering about adding it to nethserver since it has a couple of advantages over squid-cache (while it's a filtering service, compared to squid for caching).
The source code of the server is public at:

For now I am prebuilding the Go binary and then packaging it with a couple of examples.
The package at:
http://ngtech.co.il/repo/centos/7/x86_64/redwood-0.1.2-1.el7.centos.x86_64.rpm
The SRPM at:
http://ngtech.co.il/repo/centos/7/SRPMS/redwood-0.1.2-1.el7.centos.src.rpm

I have seen that ClearOS is using it in their paid solution.


(Rob Bosch) #2

What would this mean for system load? Is it comparable with squid-cache?


(Ralf Jeckel) #3

IIUC redwood uses MITM. Nethserver changed from squidguard to ufdbguard with ns7, because ufdb doesn't need MITM.

Please see this discussion:


(Giacomo Sanchietti) #4

I read the RedWood doc last night and I quite like it.

It has really many features and should cover almost any current NS configuration.
As far as I understand, RedWood can replace squid or it can be used as a squid parent proxy. Am I right?

If someone wants to give it a shot, I will gladly help :wink:


(Alessio Fattorini) #5

@elico could you please provide us more details?


(Eliezer Croitoru) #6

@alefattorini and everybody: sorry for the delayed response, I have some personal good things going.
@robb Yes, it means the ability to balance the load over multiple CPUs much more efficiently.
@flatspin See below, but it (squid) has the same basic bottlenecks.
@giacomo For most systems it can replace squid in many scenarios and can do even better.

Compared to Squid-Cache RedWood is a filtering only proxy and not a caching one.
Squid is based on a design from the early 1980's and therefore is more "low level" than other languages such as ERLANG or GOLANG (which redwood is built in).
RedWood was tested in an environment of about 200Mbps and was found more resource friendly and also very efficient in a couple of other aspects.
However it has a couple of bugs and most of them are due to some GoLang bugs which are expected to be resolved in the far future (Brad Fitz's words…).
It can be a squid parent proxy or a stand-alone proxy.
SquidGuard and UFDB are acting in the same role but in other forms and still require squid to be the MITM, and squid does its job pretty well.
However squid doesn't support websockets at all and is quite complex to patch compared to RedWood.
The version I released is a beta version, also due to the basic fact that there are some bugs in GoLang which are related to this and similar proxies.
RedWood can be used as:

  • Forward proxy (defined in the browser)
  • Intercept proxy (on the gateway)
  • SSL-BUMP (for either intercept or forward proxy)

(Giacomo Sanchietti) #7

Redwood seems very promising.

Searching the documentation, I see there is no “peek and splice” feature in Redwood. This is a major blocking point for me right now (with the huge work we should do to replace squid).
Am I right?

Maybe we need to wait a little time to see how the project grows :wink:


#8

This is the problem… I see RedWood as having the same function as Privoxy.
They are good, but without caching… So the only possibility for someone who wants to filter finely and also have a proxy cache is to chain the two proxies this way:
LAN -> PROXY CACHE -> PROXY FILTER ( Privoxy or Redwood ) -> WAN
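The two deployment shapes discussed above (post #6: Redwood as a stand-alone forward proxy or as a squid parent; post #8: chaining a caching proxy with a filtering proxy) come down to one mechanism: a filtering hop that either answers the client itself or relays the request to the next hop in absolute-URI form. The Go program below is an added illustration written for this page, not Redwood's code or its configuration: a minimal HTTP forward proxy that refuses hosts matching a constructed block list and relays everything else, either directly to the origin (the last hop in post #8's chain, where the cache's `cache_peer` would point at it) or through a parent proxy given with the hypothetical `-parent` flag (the filter in front of the cache). The block list entries, the flag names and the listen address are assumptions. CONNECT tunnels and SSL-bump are deliberately not handled; a real filter needs a separate code path for them.

```go
package main

import (
	"flag"
	"io"
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// blockedSuffixes is a constructed sample block list (hypothetical names);
// a real deployment would load it from the filter's category files.
var blockedSuffixes = []string{"ads.example", "tracker.example"}

// hopByHop lists headers a proxy must not relay (RFC 7230 section 6.1).
var hopByHop = []string{"Connection", "Proxy-Connection", "Keep-Alive", "Proxy-Authenticate",
	"Proxy-Authorization", "Te", "Trailer", "Transfer-Encoding", "Upgrade"}

// Filtered reports whether a request for host (optionally host:port) must be refused.
// Matching is by exact name or by parent domain, so "cdn.ads.example" is blocked too.
func Filtered(host string) bool {
	h := strings.ToLower(host)
	if hostOnly, _, err := net.SplitHostPort(h); err == nil {
		h = hostOnly
	}
	for _, s := range blockedSuffixes {
		if h == s || strings.HasSuffix(h, "."+s) {
			return true
		}
	}
	return false
}

// NewFilterProxy returns an HTTP forward-proxy handler. Filtered hosts get 403 without
// any upstream connection; everything else is relayed through parent (the caching proxy
// in the chain) or, when parent is nil, sent directly to the origin.
func NewFilterProxy(parent *url.URL) http.Handler {
	tr := &http.Transport{}
	if parent != nil {
		tr.Proxy = http.ProxyURL(parent) // requests leave in absolute form, addressed to the parent
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodConnect {
			// TLS tunnels (and SSL-bump) need their own code path; not covered here.
			http.Error(w, "CONNECT not supported by this example", http.StatusNotImplemented)
			return
		}
		if Filtered(r.Host) {
			http.Error(w, "blocked by filter policy", http.StatusForbidden)
			return
		}
		target := *r.URL
		if target.Scheme == "" { // request arrived in origin form, not proxy form
			target.Scheme = "http"
			target.Host = r.Host
		}
		out, err := http.NewRequestWithContext(r.Context(), r.Method, target.String(), r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		out.ContentLength = r.ContentLength
		out.Header = r.Header.Clone()
		for _, h := range hopByHop {
			out.Header.Del(h)
		}
		resp, err := tr.RoundTrip(out)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		for k, vv := range resp.Header {
			for _, v := range vv {
				w.Header().Add(k, v)
			}
		}
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

func main() {
	// Flag names and defaults are assumptions made for this example.
	listen := flag.String("listen", "127.0.0.1:8080", "address to accept browser traffic on")
	parentFlag := flag.String("parent", "", "parent proxy URL, e.g. http://127.0.0.1:3128 (empty = go direct)")
	flag.Parse()
	var parent *url.URL
	if *parentFlag != "" {
		u, err := url.Parse(*parentFlag)
		if err != nil {
			log.Fatal(err)
		}
		parent = u
	}
	log.Fatal(http.ListenAndServe(*listen, NewFilterProxy(parent)))
}
```

Run it with `-parent http://cache:3128` to place the filter in front of the cache, or with no parent and point the cache's parent/peer setting at it to get post #8's order. Either way the filter decision is made before any upstream connection is opened, which is the property that matters for a blocking proxy.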


(Eliezer Croitoru) #9

@Jim Depends on your network; you either need or do not need caching.
RedWood is a filtering proxy… if you want caching for some reason, use a caching solution that meets your needs.


(Eliezer Croitoru) #10

@giacomo Indeed the docs are a bit confusing compared to squid but everything is there.
In my package there is a script that initializes the ssl-bump function with an exception/bypass option.
There are things in squid that do not work as they are supposed to, so it's not about "peek and splice" only but the whole picture.
If you need to bypass the proxy it’s there and you just need to learn what is there for you and choose if it fits your environment or not.
There is nothing about maturity in RedWood, it’s a “perfect” product but since it’s based on GoLang and not C or C++ it has another nature.


(Alessio Fattorini) #11

@elico why don't you try to integrate it on NethServer? Looks like you have a lot of expertise about that


(Eliezer Croitoru) #12

@alefattorini I have some experience with RPM packaging (packaging squid-cache and others) but NethServer is a new thing for me.
If my wife allows me to devote more time to the subject I will gladly do so, but for now my hands are a bit full/busy.
So it will wait for me and if others are willing to help I am here to answer what I can.


(Alessio Fattorini) #13

I would start from installing it on NethServer and making it work :slight_smile:


(Eliezer Croitoru) #14

@alefattorini I would appreciate any test.
Making it work is great, and there is a bundled script that adds ssl-bump so it should be pretty easy.


(Eliezer Croitoru) #15

OK so who is going to help with it?
I started an issue on the project github repository:

If the Squid-Cache module author is known he might be able to help.


(Filippo Carletti) #16

I really appreciate this effort. I wish I had more time, I’d really like to help.
Looking at github stats, I’d say that @giacomo is the one who worked more on squid.


I may be able to help, too, but I can’t lead this project right now.


(Giacomo Sanchietti) #17

I can guide you to the creation of new module, feel free to ask any support here :slight_smile:


(Joel Clendineng) #18

Looks awesome, squid has never worked well for me, too many issues with ssl sites and of course steam doesn't work through squid.


(Eliezer Croitoru) #19

@Jclendineng RedWood is designed for networks which are behind NAT towards the Internet.
It is doable to patch RedWood to work with tproxy but I do not have enough free time to write the code.

Squid-4 (beta) has a nice feature that can allow specific "unknown" connections such as non-HTTP/TLS to not be intercepted.
However if you know that a specific software's traffic needs to be bypassed, RedWood is not the solution (while it will work for websocket connections).
If you can resolve issues before they "happen", i.e. before the connections are intercepted, i.e. at the firewall level, then it's better done there.
There is a nice option to use a set of scripts and tools which can in turn run queries against whois and maybe another DB that will automatically identify and bypass traffic by ASN or another characteristics of the connection.
The nDPI sources might give you a clue to what and how things can be identified.
They have a list of protocols or service providers such as netflix and I think steam is one of them.
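The approach in the post above, exempting known provider traffic from interception at the firewall rather than asking the proxy to pass it through, is a small, mechanical job once the prefixes are known. The Go program below is an added example written for this page, not part of Redwood or of any NethServer module. It does not perform the whois/ASN query itself; `sampleBypassList` is a constructed stand-in for that query's output and uses documentation ranges, not any real provider's addresses. It parses the list (reporting malformed entries instead of silently dropping them, so a typo cannot quietly widen or narrow the bypass), answers "would this destination be exempted?", and renders `iptables`/`ip6tables` nat rules in which the exemptions are `RETURN` rules placed before the `REDIRECT` rules, so an exempted destination never reaches the proxy. The LAN interface name `eth1` and the proxy ports 8080/8443 are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)

// sampleBypassList is a constructed stand-in for the output of an ASN/whois
// query. The prefixes are RFC 5737 / RFC 3849 documentation ranges, not any
// real provider's addresses.
const sampleBypassList = `# prefixes to exempt from interception (constructed sample)
203.0.113.0/24      # "provider A" announced range
198.51.100.128/25   # "provider A" second range
2001:db8:10::/48    # "provider A" IPv6 range
192.0.2.77/32       # a single host
not-a-prefix        # malformed line: must be reported, not silently dropped
`

// Intercept maps a destination port to the local port the transparent proxy listens on.
type Intercept struct{ Dst, Proxy int }

// ParsePrefixes reads one CIDR per line, ignoring blanks and '#' comments, and
// returns the normalized networks plus the entries it could not parse.
func ParsePrefixes(text string) (nets []*net.IPNet, bad []string) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if _, n, err := net.ParseCIDR(line); err == nil {
			nets = append(nets, n) // ParseCIDR masks host bits, so 203.0.113.5/24 becomes 203.0.113.0/24
		} else {
			bad = append(bad, line)
		}
	}
	return nets, bad
}

// ShouldBypass reports whether dst falls inside any exempted prefix, i.e. whether
// the firewall should let it pass untouched instead of handing it to the proxy.
func ShouldBypass(dst string, nets []*net.IPNet) bool {
	ip := net.ParseIP(dst)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// RenderRules emits nat PREROUTING rules for the LAN interface. Exemptions are
// RETURN rules appended first; the REDIRECT rules that send the remaining traffic to
// the intercept proxy come last, so rule order alone guarantees the bypass.
// IPv6 prefixes are rendered for ip6tables.
func RenderRules(nets []*net.IPNet, lanIface string, intercepts []Intercept) []string {
	var rules []string
	for _, n := range nets {
		cmd := "iptables"
		if n.IP.To4() == nil {
			cmd = "ip6tables"
		}
		for _, ic := range intercepts {
			rules = append(rules, fmt.Sprintf("%s -t nat -A PREROUTING -i %s -d %s -p tcp --dport %d -j RETURN",
				cmd, lanIface, n.String(), ic.Dst))
		}
	}
	for _, cmd := range []string{"iptables", "ip6tables"} {
		for _, ic := range intercepts {
			rules = append(rules, fmt.Sprintf("%s -t nat -A PREROUTING -i %s -p tcp --dport %d -j REDIRECT --to-ports %d",
				cmd, lanIface, ic.Dst, ic.Proxy))
		}
	}
	return rules
}

func main() {
	nets, bad := ParsePrefixes(sampleBypassList)
	for _, b := range bad {
		fmt.Fprintf(os.Stderr, "skipping unparsable entry: %q\n", b)
	}
	// Interface and proxy ports are assumptions; use whatever the intercept proxy listens on.
	for _, r := range RenderRules(nets, "eth1", []Intercept{{80, 8080}, {443, 8443}}) {
		fmt.Println(r)
	}
}
```

Because the list is regenerated from an external source, treat it as untrusted input: the parser refuses anything that is not a CIDR, and a reviewer can diff the rendered rule set before loading it. The same `ShouldBypass` check can be reused inside a proxy to decide whether to splice a connection, but as the post says, doing it in the firewall keeps the traffic away from the proxy entirely.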


(Eliezer Croitoru) #20

@giacomo I will try to be in touch with you but still I am missing free time these days(good things).