You are not logged in.

Pages: 1

#1 2020-04-23 19:49:12

light9876
Member
Registered: 2020-01-05
Posts: 137

[SOLVED] Local transparent proxy to filter https adult content squid

I want to filter all of my internet (http & https) connections using a whitelist.

I heard about squid, so I started trying to run it. I found two main tutorials:
https://wiki.squid-cache.org/ConfigExam … mpExplicit
https://docs.diladele.com/tutorials/tra … ps-traffic (video: https://www.youtube.com/watch?v=Bogdplu_lsE)

First I install the squid4 AUR package, I build it with enabling 

--with-openssl \
--enable-ssl-crtd \

I edit the config file (/etc/squid/squid.conf) and I add:

# add a custom blocking rule:
acl block_websites dstdomain .org .io
http_access deny block_websites

http_port 3128 intercept
https_port 3129 intercept ssl-bump \
	cert=/etc/squid/ssl_cert/myCA.pem \
	generate-host-certificates=on \
	dynamic_cert_mem_cache_size=4MB
http_port 3127 ssl-bump \
	cert=/etc/squid/ssl_cert/myCA.pem \
	generate-host-certificates=on \
	dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

To generate the SSL certificates (for https filtering), I'm doing:

cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
# now add myCA.der to firefox certificates
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB

Then I use iptables to divert everything:

sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3128
sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3129
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:3129

Corresponding iptables-save:

*filter
:INPUT DROP [8:936]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [8:936]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :3128
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination :3129
COMMIT

Note that all ipv6 traffic is dropped.

Finally I enable squid:

sudo systemctl enable squid

But this does not work (Firefox says 'we can't connect to server at...'). I tried putting PREROUTING rules in OUTPUT to no avail. What am I doing wrong?

Last edited by light9876 (2023-08-10 08:54:26)

Offline

#2 2023-08-10 08:53:57

light9876
Member
Registered: 2020-01-05
Posts: 137

Re: [SOLVED] Local transparent proxy to filter https adult content squid

Solution: Use e2guardian.

Offline

#3 2023-08-10 14:00:31

mama
Member
Registered: 2023-08-10
Posts: 4

Re: [SOLVED] Local transparent proxy to filter https adult content squid

I recommend taking a look at MITMProxy  it is easier to configure and supports https

sudo pacman -S mitmproxy

Documentation:
https://docs.mitmproxy.org/stable/

HTTPS:
https://docs.mitmproxy.org/stable/conce … tificates/

Transparrency:
https://docs.mitmproxy.org/stable/howto-transparent/

Filtering:
https://docs.mitmproxy.org/stable/concepts-filters/

Last edited by mama (2023-08-10 14:05:49)

Offline

Pages: 1

Board footer

Powered by FluxBB