SRX Services Gateway

SRX - redirect web traffic to squid proxy

10-06-2011 11:01 AM

I'm trying to set up a filter so all port 80 traffic is redirected to a squid proxy. I've read a bunch of messages on this forum and found a couple of tutorials (including the Juniper Bluecoat KB article) but it doesn't seem to be working. I have the forwarding routing-instance and everything. On the proxy, I've configured iptables to log all the packets that hit it and it seems like nothing is making it to the proxy. I can connect to port 80 on the proxy from the trust side, and from the SRX itself; it just appears to be the redirect that's not working.

Below is the config (minus a bunch of VPN stuff, and I changed the internet IP to 20.20.20.20). The proxy is at 192.168.12.10 and is reachable from the LAN (10.1.0.0/16).

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 20.20.20.20/27;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        description "Connected to HTTP Proxy";
        unit 0 {
            family inet {
                address 192.168.12.2/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.130.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input http-proxy;
                }
                address 10.1.0.2/16;
            }
        }
    }
}

routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        route 0.0.0.0/0 next-hop 20.20.20.20;
        route 10.0.0.0/16 next-hop st0.0;
        route 172.18.20.0/22 next-hop st0.1;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 http1.inet.0 ];
        }
    }
}

policy-options {
    policy-statement proxy-interface {
        term allow {
            from {
                instance master;
                interface ge-0/0/4.0;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }
}

firewall {
    filter http-proxy {
        term passthrough {
            from {
                destination-address {
                    10.0.0.0/8;
                }
            }
            then accept;
        }
        term proxy {
            from {
                source-address {
                    192.168.12.0/24;
                }
            }
            then accept;
        }
        term http-redir {
            from {
                destination-port http;
            }
            then {
                count redirected-packet;
                routing-instance http1;
            }
        }
        term 2 {
            then {
                count allowed-packet;
                accept;
            }
        }
    }
}
routing-instances {
    http1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.12.10;
            }
            instance-import proxy-interface;
        }
    }
}

When I try this, connecting to www.google.com on port 80 times out:

$ telnet www.google.com 80
Trying 74.125.226.241...
telnet: connect to address 74.125.226.241: Operation timed out
Trying 74.125.226.243...
telnet: connect to address 74.125.226.243: Operation timed out
Trying 74.125.226.242...
telnet: connect to address 74.125.226.242: Operation timed out
Trying 74.125.226.244...
^C

Packet capture on the proxy shows nothing is hitting it. Any help would be really appreciated.
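The posted config shows the filter and the forwarding instance but not the security zones or policies (they were trimmed along with the VPN material). On an SRX the filter's routing-instance action only changes which table the route lookup uses; the flow engine still performs a policy lookup, and the redirected packets still carry the original web server's address (74.125.226.241 in the telnet test), not the proxy's. A trust-to-proxy-zone policy that permits only 192.168.12.10 would let the direct test connection through and silently drop every redirected packet while the filter counter keeps incrementing, which is one configuration that produces exactly these symptoms. The following is an added example, not part of the original post: the zone and policy the redirect needs. It assumes the LAN sits in a zone named trust and that ge-0/0/4.0 can be placed in a zone named proxy (both names are assumptions; if ge-0/0/4.0 already belongs to a zone, use that zone's name instead).

```junos
/* Added example, not from the original post. Assumptions: the LAN
   interface vlan.0 is in zone "trust"; ge-0/0/4.0 goes into a zone named
   "proxy" (use the existing zone name if the interface already has one). */
security {
    zones {
        security-zone proxy {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/4.0;
            }
        }
    }
    policies {
        /* The http-proxy filter only switches the route lookup to
           http1.inet.0. The flow engine then looks up a policy from trust to
           the zone of the chosen egress interface, and the destination is
           still the real web server (74.125.226.241 in the telnet test), so
           the policy must permit tcp/80 to any destination, not only to
           192.168.12.10. The proxy's replies ride the same session, so no
           proxy-to-trust policy is needed for them. */
        from-zone trust to-zone proxy {
            policy redirected-http {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
}
```

Check each stage separately: `show firewall filter http-proxy` for the redirected-packet counter; `show route table http1.inet.0`, which must hold 0.0.0.0/0 via 192.168.12.10 plus the 192.168.12.0/24 direct route that the rib-group imports (without the direct route the default has no resolvable next hop); and `show security flow session destination-port 80` while a test connection is open, where a session whose outgoing interface is ge-0/0/4.0 means the redirect and the policy both worked, and no session at all points at the policy. Because the destination IP is left untouched, the proxy host has to intercept on its own: an iptables REDIRECT of tcp/80 to 3128 and `http_port 3128 intercept` in squid.conf (`transparent` on Squid 2.x); in plain forward-proxy mode Squid rejects the relative-URI requests that intercepted clients send.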

12 REPLIES

Re: SRX - redirect web traffic to squid proxy

10-06-2011 11:04 AM

I should mention this is JUNOS Software Release [10.4R3.4] on an SRX220.


Re: SRX - redirect web traffic to squid proxy

10-08-2011 02:19 AM

I guess what you mentioned is that FBF (over the vlan interface) is not working.

You could check the related firewall counters and see whether the concerned counter increments (consistent with the test packets).

Another way of eliminating things is to use a physical interface instead of the vlan interface (for FBF) and see whether there is any difference.

Thanks


Re: SRX - redirect web traffic to squid proxy

10-10-2011 01:08 PM

The counters are indeed incrementing, but the redirect doesn't appear to work.


Re: SRX - redirect web traffic to squid proxy

10-12-2011 08:05 AM

In the absence of any other suggestions, I tried removing the vlan and using a physical interface for the inside traffic. Same result: nothing appears to be hitting the proxy server at all. Counters are incrementing.


Re: SRX - redirect web traffic to squid proxy

10-14-2011 11:15 AM

Hi,

Once FBF is done and the packets reach the routing-instance, have you checked whether the proper routes are there in the concerned routing-instance for server reachability?

Thanks,

Nebu Thomas


Re: SRX - redirect web traffic to squid proxy

10-14-2011 11:25 AM

Here's what was in the routing-instance:

routing-instances {
    http1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.12.10;
            }
            instance-import proxy-interface;
        }
    }
}

192.168.12.10 was the IP of the proxy server.


Re: SRX - redirect web traffic to squid proxy

10-16-2011 01:40 AM

Hi,

You can check "show route" and "show route forwarding-table" and look for the entry for the concerned IP address in the right table.

By the way, which software version are you running?

I would suggest you open a JTAC case with all these outputs.

Thanks


Re: SRX - redirect web traffic to squid proxy

10-16-2011 12:50 PM

[It is difficult to troubleshoot until you post the iptables rules.]

However, for simplicity, I recommend another method of doing this.

Currently, you are configuring a transparent squid proxy by using iptables.

iptables is to be used when no SRX is in between, but now that you have one, you should instead configure a non-transparent squid proxy. The iptables part will be handled by the SRX, i.e.:

1. get all internet requests from 10.0.0.0/16 (port 80)

2. do destination NAT
new destination-address: 192.168.12.10
new port number: 3128 (squid default port)
new routing-instance: http

Then it should be working.

Moreover, you can go without a routing instance, if there is no compulsion.

If you ask, I can post the recommended config for you.

Regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

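The two steps above written out as an SRX configuration, added here as an example; it is not the recommended config the poster offered, which was never posted. Assumed: the LAN 10.1.0.0/16 is in zone trust, ge-0/0/4.0 (192.168.12.2/24) goes into a zone named proxy, and Squid listens on 192.168.12.10:3128; the zone, pool, rule, address and application names are also assumptions. No routing instance is used: once the destination has been rewritten to 192.168.12.10, the ordinary inet.0 lookup already sends the packet out ge-0/0/4.0.

```junos
/* Added example implementing destination NAT to the proxy instead of
   filter-based forwarding. Not from the thread. Assumptions: LAN
   10.1.0.0/16 is in zone "trust"; ge-0/0/4.0 is placed in zone "proxy";
   Squid listens on 192.168.12.10:3128. */
applications {
    application squid-3128 {
        protocol tcp;
        destination-port 3128;
    }
}
security {
    nat {
        destination {
            pool squid-proxy {
                address 192.168.12.10/32 port 3128;
            }
            rule-set redirect-http {
                from zone trust;
                /* Rules are evaluated in order: leave intranet and
                   proxy-segment traffic untouched, then rewrite every other
                   tcp/80 connection to the proxy. */
                rule keep-internal {
                    match {
                        source-address 10.1.0.0/16;
                        destination-address 10.0.0.0/8;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule keep-proxy-net {
                    match {
                        source-address 10.1.0.0/16;
                        destination-address 192.168.12.0/24;
                    }
                    then {
                        destination-nat off;
                    }
                }
                rule http-to-squid {
                    match {
                        source-address 10.1.0.0/16;
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool squid-proxy;
                    }
                }
            }
        }
    }
    zones {
        security-zone proxy {
            address-book {
                address squid-host 192.168.12.10/32;
            }
            interfaces {
                ge-0/0/4.0;
            }
        }
    }
    policies {
        /* Destination NAT runs before the policy lookup, so the policy
           matches the translated address and port (192.168.12.10:3128) and
           the to-zone is the zone of ge-0/0/4.0, not the Internet zone. */
        from-zone trust to-zone proxy {
            policy lan-to-squid {
                match {
                    source-address any;
                    destination-address squid-host;
                    application squid-3128;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Two things to verify. On the SRX, `show security nat destination rule all` lists per-rule hit counters, and `show security flow session destination-port 3128` should show the translated sessions leaving via ge-0/0/4.0. On the proxy, Squid must be told these are intercepted requests with `http_port 3128 intercept` (older Squid 2.x: `transparent`); without it Squid sees a request line such as `GET /search?q=x HTTP/1.1` instead of the absolute `GET http://host/... HTTP/1.1` form that a client configured with a proxy sends, and rejects it, which is the symptom described later in this thread. Caveat for newer releases: Squid 3.2 and later recover the original destination of an intercepted connection from the NAT table of the host Squid runs on, as a defence against Host header forgery; when the translation happened upstream on the SRX that lookup yields only Squid's own address. With a recent Squid the robust layout is therefore the one in Andy's post below: leave the destination intact (filter-based forwarding as in the first post) and do the REDIRECT to 3128 locally on the proxy host.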

Re: SRX - redirect web traffic to squid proxy

11-21-2011 04:16 PM

Hello Rasmus, this is exactly what I'm looking into configuring. We want to use Dansguardian as a web filter. I would like to use the SRX to redirect port 80 traffic to a proxy server running Dansguardian. Could you provide a sample configuration that would make this possible?

Thanks,

Michael


Re: SRX - redirect web traffic to squid proxy

05-15-2012 05:55 AM

Hey guys,

I had some issues getting Squid to work with both SRX and EX based forwarding rules. All worked perfectly with a Blue Coat ProxySG.

For Squid, I needed to add some stuff to iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

For anyone interested, there's a full blog entry on our company website for doing it all with EX or SRX:

Transparent Redirect with JunOS

I used the WXC type redirect to make it work with the Blue Coat ProxySG.

Cheers

Andy


Re: SRX - redirect web traffic to squid proxy

09-25-2014 01:28 AM

I tried the DNAT method and the traffic went to the squid proxy successfully, but the HTTP request reaches squid missing the "GET http://" part and only the rest remains, which is not acceptable for squid. I don't know what to do.


Re: SRX - redirect web traffic to squid proxy

11-18-2014 08:44 PM

M.Kazzaz, having the same problem as you, did you find a solution?