Help Configuring Unifi Security Gateway with Squid Proxy Server


Bee C
Jan 1, 2018, 10:22:20 PM
to Diladele Web Safety
Looking for assistance in setting up a Squid Proxy server.

Current setup includes:
5 Unifi AC Pro Access Points
Unifi Cloud-Key
Unifi Security Gateway (192.168.1.1)
Unifi PoE Switch
Raspberry Pi 3 running Raspbian 9, Diladele / Squid Proxy (192.168.1.2)

I assume I need to manually make some entries in the USG via CLI to redirect all HTTP/HTTPS traffic to the proxy server. Any guidance or advice would be greatly appreciated!

Thanks!!


rafael....@diladele.com
Jan 2, 2018, 3:16:18 AM
to Diladele Web Safety
Hello Bee,

As far as I know, in order to transparently redirect HTTP/HTTPS traffic from clients to Squid this needs to happen on the device that does the NAT.
So Squid needs to run on your Unifi Security Gateway???

Another point is that the RPi will not be able to handle the load. Imagine each client has a browser running on the RPi - this is somewhat comparable with the workload required ;(

Raf

Bee C
Jan 2, 2018, 9:34:23 PM
to Diladele Web Safety
Raf,

I setup Diladele to filter HTTP / HTTPS traffic for my home. Diladele site says it filters HTTP and HTTPS. How then should the proxy be accessed from the clients? I assume this means that it will be setup as a non-transparent proxy.

What are the best practices for this setup, and do you have any experience with the EdgeOS configuration required? I have an EdgeRouter Lite that has the full EdgeOS to swap out the USG if necessary.

Thanks for your help!

Trevor

Rafael Akchurin
Jan 3, 2018, 1:59:08 AM
to web-s...@googlegroups.com
Hello Trevor,

If you have a proxy deployed in your LAN and your browsers are to use it explicitly, then you need to configure the proxy in each browser's settings. Details of the hardware you use for router/access points do not matter.

If you are trying to "redirect" traffic using access points as you described in your previous mail - it usually means you decided to go the "intercept" way and are not configuring each device's browser with the proxy. Then the details of the hardware vendor do not matter much - only the way that is used to redirect traffic matters.

Usually it is NAT redirecting to a proxy running on the gateway (on!!). It usually means it is not possible to put Squid/Web Safety on the router (for sure on Unifi/Edge).

Another option is WCCP, which is the only way tested by us that works to redirect traffic to Squid/Web Safety on another/non-gateway machine.

The docs site explains each setup in "web filter tutorials" and compares two ways of deployment on https://docs.diladele.com/administrator_guide_6_0/https_filtering/how.html

Best regards,
Rafael Akchurin
--
You received this message because you are subscribed to the Google Groups "Diladele Web Safety" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web-safety+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Trevor Clopton
Jan 3, 2018, 12:27:11 PM
to web-s...@googlegroups.com

Rafael,

Thanks again for your assistance. I was able to configure the browser and load the appropriate certificates to use the proxy. I can do this on the devices in the house for the time being.

I would however like an option to redirect and intercept so that if my kids get a new device or friends come into the house on the wifi, everything is filtered. I also want to implement what I learn at home at our church, where it would be impossible to configure all of the clients.

I will look into NAT redirecting to the RPi. Not sure if I can implement WCCP. Need to look into support on Unifi.

Thanks!!

Trevor


Rafael Akchurin
Jan 3, 2018, 12:33:37 PM
to web-s...@googlegroups.com
Hello Trevor,

WCCP is unfortunately a proprietary technology of Cisco. But you can get an old Cisco ASA on eBay very cheap. After having the hardware, setting up WCCP is not too complex - see https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html

Of course you can always build your own Ubuntu router, but that requires a spare PC and command line skills. See https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html


Please note that if you need to filter HTTPS you will still need to install certificates on your devices :(

Without that our solution is pretty limited.


Best regards,
Rafael Akchurin

Chris Teesdale
Jan 11, 2018, 4:46:48 AM
to Diladele Web Safety
Hi,

There's a thread here on the Unifi forums on how to redirect traffic through a Squid proxy on your LAN:


This is something I'll be looking at doing in our deployments as, like you say, an explicit proxy in a browser can be a pain. The only thing to be aware of is you'll lose browsing accounting in the Unifi controller, as all surfing will originate from your Squid proxy (Raspberry Pi), so you'll be relying 100% on Diladele's logs to view browsing behaviour.

Trevor Clopton
Jan 11, 2018, 9:26:07 AM
to web-s...@googlegroups.com

Chris,

That would be great! Can this work as transparent and not require the clients to have certificates?

Thanks

rafael....@diladele.com
Jan 11, 2018, 10:37:18 AM
to Diladele Web Safety
Hello Chris, Bee,

Do I understand correctly that the Unifi device does "policy routing" to the Squid box as explained in https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute ?

Best regards,
Rafael

rafael....@diladele.com
Jan 21, 2018, 7:08:23 AM
to Diladele Web Safety
Hello Chris, Bee,

I have written a policy based routing tutorial on how to re-route the HTTP and HTTPS traffic to a *separate Squid box* from a default gateway running Ubuntu 16 (iptables).
I presume the same idea can be used for a Unifi/Mikrotik gateway.

Please take a look and share your experience.
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Best regards,
Rafael
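As an added example (this is not code from the thread, from the Diladele tutorial linked above, or from the Squid wiki page), here is the policy-based routing split into its two halves: the commands the *default gateway* needs to steer LAN web traffic to the Squid box, and the commands the *Squid box* needs to pull that traffic into Squid's intercept ports. The addresses come from the thread (gateway 192.168.1.1, Squid box 192.168.1.2); the LAN subnet 192.168.1.0/24, interface name eth1, fwmark 3, routing table 2 and Squid ports 3128/3129 are assumptions of this example and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: policy-based routing of LAN HTTP/HTTPS from a Linux default
# gateway (192.168.1.1) to a separate Squid box (192.168.1.2), as discussed in
# the thread. Assumed by this example (not stated in the thread): LAN subnet
# 192.168.1.0/24 on interface eth1, fwmark 3, routing table 2, and Squid
# listening with "http_port 3128 intercept" and "https_port 3129 intercept ssl-bump ...".
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_IP="${PROXY_IP:-192.168.1.2}"
FWMARK="${FWMARK:-3}"
TABLE="${TABLE:-2}"
HTTP_PORT="${HTTP_PORT:-3128}"
HTTPS_PORT="${HTTPS_PORT:-3129}"

# Commands for the gateway. Order matters: the proxy's own upstream fetches
# (source = PROXY_IP) must be ACCEPTed before the MARK rules, otherwise they are
# marked too and routed straight back to the proxy in a loop. send_redirects is
# turned off because the gateway forwards these packets back out the interface
# they arrived on and would otherwise emit ICMP redirects for every flow.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
iptables -t mangle -A PREROUTING -i $LAN_IF -s $PROXY_IP -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j MARK --set-mark $FWMARK
iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j MARK --set-mark $FWMARK
ip rule add fwmark $FWMARK table $TABLE
ip route add default via $PROXY_IP dev $LAN_IF table $TABLE
EOF
}

# Commands for the Squid box. Rerouted packets arrive still addressed to the
# real web server; REDIRECT steers them into Squid's intercept ports and Squid
# recovers the original destination from conntrack. The box's own outbound
# connections never traverse PREROUTING, so they cannot be redirected here.
proxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PORT
EOF
}

# $1 = gateway|proxy selects the host; $2 = "apply" executes the commands
# (as root) instead of printing them, so the rule set can be reviewed first.
run_or_print() {
    case "$1" in
        gateway) rules=$(gateway_rules) ;;
        proxy)   rules=$(proxy_rules) ;;
        *) printf 'usage: %s gateway|proxy [apply]\n' "$0" >&2; return 2 ;;
    esac
    if [ "${2:-}" = apply ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

if [ $# -gt 0 ]; then
    run_or_print "$@"
fi
```

Run `sh pbr-squid.sh gateway` on the gateway and `sh pbr-squid.sh proxy` on the Squid box to review the commands, then add `apply` to execute them. Two caveats follow directly from the thread: with intercept/REDIRECT, Squid opens its own upstream connections, so the gateway (and a Unifi controller) sees every web flow as coming from 192.168.1.2, exactly as Chris describes; keeping the client addresses visible upstream would need Squid's TPROXY mode, which is a different and more involved setup. And, as Rafael notes, intercepting HTTPS still requires the filtering CA certificate on every client. The same marking/routing split is what has to be reproduced on Unifi, EdgeOS or Mikrotik; this script only covers a Linux/iptables gateway and IPv4.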

rafael....@diladele.com
Jan 27, 2018, 9:05:21 AM
to Diladele Web Safety
It also works on Mikrotik - a pretty straightforward mapping of the Ubuntu rules through Mikrotik WinBox.
Cannot check on the EdgeRouter because I do not have it :(