SRX Services Gateway
EvanH (Visitor, Posts: 5, Registered: 10-06-2011)

SRX - redirect web traffic to squid proxy


I'm trying to set up a filter so all port 80 traffic is redirected to a squid proxy. I've read a bunch of messages on this forum and found a couple of tutorials (including the Juniper Bluecoat KB article) but it doesn't seem to be working. I have the forwarding routing-instance and everything. On the proxy, I've configured iptables to log all the packets that hit it and it seems like nothing is making it to the proxy. I can connect to port 80 on the proxy from the trust side, and from the SRX itself; it just appears to be the redirect that's not working.

Below is the config (minus a bunch of VPN stuff; I changed the internet IP to 20.20.20.20). The proxy is at 192.168.12.10 and is reachable from the LAN (10.1.0.0/16).


interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 20.20.20.20/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        description "Connected to HTTP Proxy";
        unit 0 {
            family inet {
                address 192.168.12.2/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.130.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input http-proxy;
                }
                address 10.1.0.2/16;
            }
        }
    }
}

routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        route 0.0.0.0/0 next-hop 20.20.20.20;
        route 10.0.0.0/16 next-hop st0.0;
        route 172.18.20.0/22 next-hop st0.1;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 http1.inet.0 ];
        }
    }
}

policy-options {
    policy-statement proxy-interface {
        term allow {
            from {
                instance master;
                interface ge-0/0/4.0;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }
}

firewall {
    filter http-proxy {
        term passthrough {
            from {
                destination-address {
                    10.0.0.0/8;
                }
            }
            then accept;
        }
        term proxy {
            from {
                source-address {
                    192.168.12.0/24;
                }
            }
            then accept;
        }
        term http-redir {
            from {
                destination-port http;
            }
            then {
                count redirected-packet;
                routing-instance http1;
            }
        }
        term 2 {
            then {
                count allowed-packet;
                accept;
            }
        }
    }
}
routing-instances {
    http1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.12.10;
            }
            instance-import proxy-interface;
        }
    }
}


When I try this, if I try to connect to www.google.com on port 80 it times out:


$ telnet www.google.com 80
Trying 74.125.226.241...
telnet: connect to address 74.125.226.241: Operation timed out
Trying 74.125.226.243...
telnet: connect to address 74.125.226.243: Operation timed out
Trying 74.125.226.242...
telnet: connect to address 74.125.226.242: Operation timed out
Trying 74.125.226.244...
^C


Packet capture on the proxy shows nothing is hitting it. Any help would be really appreciated.

EvanH (Visitor, Posts: 5, Registered: 10-06-2011)

Re: SRX - redirect web traffic to squid proxy

I should mention this is JUNOS Software Release [10.4R3.4] on an SRX220.

nebu (Contributor, Posts: 16, Registered: 03-28-2010)

Re: SRX - redirect web traffic to squid proxy

I guess what you mentioned is that FBF (over the vlan interface) is not working.

You could check the related firewall counters and see whether there is an increment in the concerned counter (consistent with the test packets).

Another way of elimination is to use a physical interface instead of the vlan interface (for FBF) and see whether there is any difference.

Thanks

EvanH (Visitor, Posts: 5, Registered: 10-06-2011)

Re: SRX - redirect web traffic to squid proxy

The counters are indeed incrementing, but the redirect doesn't appear to work.

EvanH (Visitor, Posts: 5, Registered: 10-06-2011)

Re: SRX - redirect web traffic to squid proxy

In the absence of any other suggestions I tried removing the vlan and using a physical interface for the inside traffic. Same result: nothing appears to be hitting the proxy server at all. Counters are incrementing.

nebu (Contributor, Posts: 16, Registered: 03-28-2010)

Re: SRX - redirect web traffic to squid proxy

Hi,

Once FBF is done and the packets reach the routing-instance, have you checked whether the proper routes for server reachability are present in the concerned routing-instance?

Thanks

Nebu Thomas.

EvanH (Visitor, Posts: 5, Registered: 10-06-2011)

Re: SRX - redirect web traffic to squid proxy

Here's what was in the routing-instance:


routing-instances {
    http1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.12.10;
            }
            instance-import proxy-interface;
        }
    }
}

192.168.12.10 was the IP of the proxy server.

nebu (Contributor, Posts: 16, Registered: 03-28-2010)

Re: SRX - redirect web traffic to squid proxy

Hi,

You can check "show route" and "show route forwarding-table" and look for the entry for the concerned IP address in the right table.

By the way, which software version are you running?

I would suggest you open a JTAC case with all these outputs.

Thanks.

rasmus (Recognized Expert, Posts: 379, Registered: 02-28-2010)

Re: SRX - redirect web traffic to squid proxy


[It is difficult to troubleshoot until you post the iptables rules.]

However, for simplicity, I recommend another method of doing this.

Currently, you are configuring a transparent squid proxy by using iptables.

iptables is to be used when no SRX is in between, but since you have one, you should instead configure a non-transparent squid proxy. The iptables stuff will be handled by the SRX, i.e.

1. get all internet requests from 10.0.0.0/16 (port 80)

2. do destination NAT
new destination-address: 192.168.12.10
new port number: 3128 (squid default port)
new routing-instance: http

Then it should be working.

Moreover, you can go without a routing instance, if there is no compulsion.

If you ask, I can post the recommended config for you.

Regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional
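The destination NAT approach rasmus outlines, written out as an added example Junos configuration; it is not from the original thread or from Juniper. It assumes the inside zone is named trust and that ge-0/0/4.0 has been placed in a zone named proxy (the posted config does not show zone membership), that Squid listens on 192.168.12.10:3128 as stated, and it skips the routing instance, which the post says is optional; the pool, rule-set and policy names are placeholders.

```junos
security {
    nat {
        destination {
            pool squid-3128 {
                address 192.168.12.10/32 port 3128;
            }
            rule-set http-to-proxy {
                from zone trust;
                /* keep internal web servers untouched, like term passthrough in the filter */
                rule keep-internal {
                    match {
                        destination-address 10.0.0.0/8;
                        destination-port 80;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule redirect-http {
                    match {
                        source-address 10.1.0.0/16;
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool squid-3128;
                    }
                }
            }
        }
    }
    policies {
        /* policy lookup runs after destination NAT and sees 192.168.12.10:3128, */
        /* so junos-http (port 80) would not match here; application any does */
        from-zone trust to-zone proxy {
            policy allow-squid {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Rules in a rule-set are evaluated in order, so the exclusion for 10.0.0.0/8 must stay ahead of the redirect; "show security nat destination rule all" and "show security flow session destination-port 3128" show whether the translation and the permitted session are actually being created.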

mastaxmy (New User, Posts: 1, Registered: 03-05-2010)

Re: SRX - redirect web traffic to squid proxy

Hello Rasmus, this is exactly what I'm looking into configuring. We want to use Dansguardian as a web filter. I would like to use the SRX to redirect port 80 traffic to a proxy server running Dansguardian. Could you provide a sample configuration that would make this possible?

Thanks,

Michael
