forward http request to proxy squid

Hi,

I am trying to forward my Wi-Fi mobile users' HTTP requests to the Squid proxy.

I have configured the Squid proxy in transparent mode (port 80).

On the firewall I have 3 zones: LAN (port 1), DMZ (port 3) and INTERNET (port 2).

The Wi-Fi mobile users are in zone "LAN" and my Squid proxy is in zone "DMZ".

When the Wi-Fi mobile users want to access the Internet, the request must be forwarded to the Squid proxy, which must send the captive portal to the client for authentication.

How can I do this? I have read most of the posts but I cannot achieve what I want.

Is the solution to create a PBF? A NAT?

Thanks for your help.

Best Regards

Nicolas

6 replies

L5 Sessionator

Good Morning,

Is it that the Wi-Fi users will authenticate against the Squid proxy for the first time only, and once they are authenticated, will they talk HTTP/HTTPS with the other websites and bypass talking to the Squid proxy? Or is the Squid proxy server acting as a proxy server for any HTTP/HTTPS requests that the mobile users attempt to open connections for?

If it's the latter, then all you need is a policy from LAN to DMZ for the HTTP traffic to reach the proxy, and then a rule from the DMZ to the INTERNET for the proxy to open the connection on behalf of the mobile user. If the proxy server has a private IP address and is on the same subnet as the firewall's DMZ interface, then we do not need to NAT traffic from LAN to DMZ. But we definitely require a source NAT (dynamic IP and port translation) from DMZ to INTERNET for the outbound HTTP requests from the proxy server to the outside servers.

BR,

Karthik RP

L3 Networker

Like the last respondent, I would need to know what the intent is here to provide a truly educated response. I would say this though: if you just need a captive portal, why not use the one built into the Palo Alto? If you are trying to use something like Cisco ISE for the captive portal, then the real solution involves WCCP on an intermediate switch, which will intercept the HTTP request, forward it to the proxy server, then after authentication the switch will redirect the user to the firewall for outbound Internet. Please let us know what technologies you are trying to leverage, and what the end goal is, and we can make better recommendations. Good luck.

-chadd.

Hi kprakash and cchristiansen,

First of all, thanks for your answers.

The Squid proxy server is used as a proxy server for any HTTP/HTTPS request that the mobile users attempt to open connections for.

The captive portal product is OLFEO (a French solution) and the network contains switches of the brand Avaya (5530 and 2526T).

I created the following rules:

PBF:
  source zone: LAN
  source address: WIFI
  destination zone: any
  service: http
  action: forward
  forwarding egress: 1/3
  forwarding next hop: IP of the Squid proxy

NAT:
  source zone: DMZ
  destination zone: Internet
  destination interface: any
  source address: any
  destination address: any
  service: http
  source translation: dynamic IP and port
  destination translation: none

and I created a security rule from DMZ to INTERNET.

I try to access the web. I see the request on the OLFEO appliance (tcpdump) but not in Squid. The user does not receive the authentication page.

Thanks for your help.

Best Regards

Nicolas

Good Morning Nicolas,

Is Olfeo located on the DMZ too, or is it located on another zone? From what I understand the Wi-Fi users rely on the proxy to access the web. That being the case, do the guest users' browsers have the proxy setting to forward the web traffic "GET" requests to the proxy server?

We do not need a PBF rule, and we can just have a security policy from LAN to DMZ (and have interface source NAT, if the Squid proxy is not directly on the firewall's DMZ interface subnet), so that the GET requests are routed from the Wi-Fi users to the Squid proxy on the DMZ.

As mentioned earlier, we also require the security policy from DMZ to Internet and a NAT from DMZ to internet.

Please let me know if that worked.

BR,

Karthik

Hi,

Sorry for my long silence, but I had to leave the project for a little while.

Having some time at the moment, I got back to this captive portal project.

It now works in HTTP.

On the Squid proxy, I executed the following command:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 80

Now I would like to do the same for HTTPS.

Regards,

Nicolas

For HTTPS control, you will need SSL decryption on the Squid proxy; you can find information on bumping direct SSL connections here: Features/HTTPS - Squid Web Proxy Wiki. Then you will need to modify the PBF rule on the PA to redirect port 443 traffic to the Squid proxy, similar to what you have for HTTP (port 80).

Are you using the Squid proxy just for the captive portal authentication? The PA also supports captive portal authentication, and you can implement authentication on the PA.
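As an added example (not code from the thread, from Palo Alto Networks or from the Squid project), the script below generates the two pieces that the HTTP REDIRECT rule above and the SSL-bump advice in this reply leave implicit: the iptables nat rules for both port 80 and port 443, and the matching squid.conf intercept/ssl-bump fragment. It assumes, as a guess not stated in the thread, that the LAN-facing interface is eth0, that Squid listens on 3128 (HTTP intercept) and 3129 (HTTPS intercept) rather than on port 80 itself, and that the bumping CA is at /etc/squid/ssl_cert/myCA.pem. It only prints the rules and the config unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values (override via env):
IFACE="${IFACE:-eth0}"                                  # interface facing the Wi-Fi/LAN users
HTTP_PORT="${HTTP_PORT:-3128}"                          # Squid intercept listener for port-80 traffic
HTTPS_PORT="${HTTPS_PORT:-3129}"                        # Squid intercept listener for port-443 traffic
CA_PEM="${CA_PEM:-/etc/squid/ssl_cert/myCA.pem}"        # CA used to mint per-site leaf certificates

# Emit the nat-table rules. REDIRECT rewrites the destination to the box's own
# address on the given port; Squid recovers the original destination from the
# conntrack entry (SO_ORIGINAL_DST), which is why the listener must be 'intercept'.
# PREROUTING only sees traffic arriving on $IFACE, so Squid's own outbound
# connections (OUTPUT chain) are not re-intercepted and no loop is created.
gen_iptables_rules() {
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$IFACE" "$HTTP_PORT"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' "$IFACE" "$HTTPS_PORT"
  # Let the redirected flows reach the local listeners even with a default-deny INPUT chain.
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$IFACE" "$HTTP_PORT"
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$IFACE" "$HTTPS_PORT"
}

# Emit the squid.conf fragment. 'intercept' is the current name of the old
# 'transparent' keyword. With ssl-bump, Squid peeks at the ClientHello (SNI) in
# step 1 and then bumps, generating a leaf certificate signed by $CA_PEM; that CA
# must be installed as trusted on every client or browsers will show errors.
gen_squid_conf() {
  cat <<EOF
http_port ${HTTP_PORT} intercept
https_port ${HTTPS_PORT} intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=${CA_PEM}
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Sanity check: every port the nat rules redirect to must be a port Squid
# listens on in intercept mode, otherwise every intercepted connection is refused.
check_ports_match() {
  rules=$(gen_iptables_rules)
  conf=$(gen_squid_conf)
  for p in "$HTTP_PORT" "$HTTPS_PORT"; do
    echo "$rules" | grep -q -- "--to-ports $p\$" || return 1
    echo "$conf" | grep -q "^https\{0,1\}_port $p intercept" || return 1
  done
  return 0
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
  check_ports_match || { echo "port mismatch, not applying" >&2; exit 1; }
  gen_iptables_rules | sh -e
  gen_squid_conf > /etc/squid/conf.d/intercept.conf
else
  echo "# iptables rules:"; gen_iptables_rules
  echo "# squid.conf fragment:"; gen_squid_conf
  check_ports_match && echo "# redirect ports and Squid listeners are consistent"
fi
```

Two caveats a practitioner should keep in mind: the `ssl_bump` directives only work if Squid was built with OpenSSL support (`squid -v` should list `--with-openssl`), and the firewall-side PBF rule for port 443 still has to send the packets to the Squid box in the first place; the iptables rules only handle what arrives on its interface.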
