Closed vsidou closed 7 years ago
Can you just setup a VPN?
That was another idea, though I have hundreds of those embedded boxes and they have quite limited CPU. Using a VPN means I'll be using some resources which may slow down the boxes.
You can deny traffic without going through the proxy and enforce the proxy with chilli. Then use the conup.sh script (which runs after successful login) to allow the user's IP to use the proxy.
Good idea. I didn't think of the conup.sh script. But what do you mean by "enforce proxy with chilli" before the conup.sh script?
There is a config parameter for that... Something like "hs_post_auth_proxy". Look in /etc/chilli/functions and search "proxy"
Oh, you mean point Coova Chilli to my remote proxy using the config and then authorize in Squid using the user IP with conup.sh.
This raises 2 questions:
Note that another user on another box may have this local IP provided by Coova Chilli. Is that an issue ?
It should be the public IP of your Squid server if you're not on the same LAN.
Can't tell you if clients from different sites with the same IP is a problem for Squid or not, I never faced such a situation. But I think that the IP which will be seen by Squid is not the local one but the public address of your sites, so this should be working.
Put this in up.sh (or better, in ipup.sh if you created it).
It creates a new table called PROXY.
Then it sends all traffic to port 3128 in this table.
Finally it redirects all traffic from port 80 to port 3128 to force the proxy use.

```sh
# create the PROXY chain and send everything arriving on the proxy port through it
iptables -N PROXY
iptables -I INPUT 1 -p tcp --dport $HS_POSTAUTH_PROXYPORT -j PROXY
# transparently redirect plain HTTP from the hotspot LAN to the proxy
iptables -I PREROUTING 1 -t nat -i $HS_LANIF -p tcp --dport 80 -j DNAT --to $HS_POSTAUTH_PROXY:$HS_POSTAUTH_PROXYPORT
```

Add this in conup.sh to allow authenticated users to use port 3128.

```sh
# allow the freshly authenticated client (FRAMED_IP_ADDRESS) to reach the proxy port
iptables -A PROXY -i $DEV -s $FRAMED_IP_ADDRESS -p tcp --dport $HS_POSTAUTH_PROXYPORT -j ACCEPT
```

Add this in condown.sh to remove the rule when the user disconnects.

```sh
# must match the conup.sh rule exactly (same port variable) or the delete will not find it
iptables -D PROXY -i $DEV -s $FRAMED_IP_ADDRESS -p tcp --dport $HS_POSTAUTH_PROXYPORT -j ACCEPT
```

Don't forget to set the needed variables in your config file:

```sh
HS_POSTAUTH_PROXY=xxx.xxx.xxx.xxx   # your Squid external IP
HS_POSTAUTH_PROXYPORT=3128
```
It works for me (but my Squid server is installed on the same server as chilli).
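The hotspot-side rules above, gathered into one POSIX shell file as an added example. This is not code from the thread or from the coova-chilli project; it keeps the thread's variable names (HS_LANIF, HS_POSTAUTH_PROXY, HS_POSTAUTH_PROXYPORT from the chilli config, DEV and FRAMED_IP_ADDRESS as chilli hands them to conup.sh/condown.sh) and adds two things the snippets above lack: a final DROP in the PROXY chain, so that a client who has not authenticated cannot reach the proxy port just by knowing it, and the same port variable on the add and delete side so condown.sh actually removes the rule. The file name proxy_rules.sh, the CHILLI_HOOK selector and the DRY_RUN flag are assumptions of this example.

```shell
#!/bin/sh
# proxy_rules.sh (hypothetical name): hotspot-side iptables plumbing for the
# post-auth proxy. Added example, not coova-chilli project code.
# DRY_RUN=1 prints the iptables commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Refuse anything that is not a dotted-quad address before it reaches iptables.
validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ipup.sh part. Delete-then-insert keeps this idempotent if ipup runs twice.
# The chain ends in DROP, so the per-user ACCEPTs added by conup are the only
# way to the proxy port; the thread's version has no terminal rule.
proxy_chain_setup() {
    lanif="$1"; proxy="$2"; port="$3"
    run -N PROXY 2>/dev/null || true
    run -F PROXY
    run -D INPUT -p tcp --dport "$port" -j PROXY 2>/dev/null || true
    run -I INPUT 1 -p tcp --dport "$port" -j PROXY
    run -A PROXY -j DROP
    run -t nat -D PREROUTING -i "$lanif" -p tcp --dport 80 \
        -j DNAT --to-destination "$proxy:$port" 2>/dev/null || true
    run -t nat -I PREROUTING 1 -i "$lanif" -p tcp --dport 80 \
        -j DNAT --to-destination "$proxy:$port"
}

# conup.sh part: insert at position 1 so the ACCEPT sits above the DROP
# (an appended ACCEPT would never be reached).
conup_allow() {
    dev="$1"; ip="$2"; port="$3"
    validate_ipv4 "$ip" || return 1
    run -I PROXY 1 -i "$dev" -s "$ip" -p tcp --dport "$port" -j ACCEPT
}

# condown.sh part: delete exactly the rule conup_allow added.
condown_revoke() {
    dev="$1"; ip="$2"; port="$3"
    validate_ipv4 "$ip" || return 1
    run -D PROXY -i "$dev" -s "$ip" -p tcp --dport "$port" -j ACCEPT
}

# Usage from the chilli hook scripts (nothing runs when CHILLI_HOOK is unset):
#   ipup.sh:    CHILLI_HOOK=ipup    . /etc/chilli/proxy_rules.sh
#   conup.sh:   CHILLI_HOOK=conup   . /etc/chilli/proxy_rules.sh
#   condown.sh: CHILLI_HOOK=condown . /etc/chilli/proxy_rules.sh
case "${CHILLI_HOOK:-}" in
    ipup)    proxy_chain_setup "$HS_LANIF" "$HS_POSTAUTH_PROXY" "$HS_POSTAUTH_PROXYPORT" ;;
    conup)   conup_allow "$DEV" "$FRAMED_IP_ADDRESS" "$HS_POSTAUTH_PROXYPORT" ;;
    condown) condown_revoke "$DEV" "$FRAMED_IP_ADDRESS" "$HS_POSTAUTH_PROXYPORT" ;;
esac
```

This only protects the proxy port as seen from the hotspot LAN on each box. When Squid lives on a separate server on the Internet, these rules say nothing about who else can reach it; that side still has to be restricted on the Squid host itself (source-address rules in http_access, or a tunnel between the boxes and the server).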
Cool for the script. Indeed it seems to do the job.
The only thing left now is to secure the remote Squid, as it is "open bar" as it is.
Thanks
Hi,
I would like to use an upstream Squid proxy (for example on a dedicated server on the net). I would like to have multiple Coova Chilli instances (from different locations, on embedded boxes) use the postauthproxy option to point to that server.
I can't seem to find a way to add a "security layer" between my remote Squid proxy and Coova Chilli. Apart from allowing the IP addresses (which are dynamic) of the Coova Chilli boxes calling Squid and banning other IPs in Squid, is there a built-in function or trick to secure the connection between Coova Chilli and a remote Squid?
Thanks