New Member
Posts: 13
Registered: a month ago

Routing all HTTP traffic through a local proxy?

I've been trying to piece together how to route HTTP (and HTTPS) traffic through a proxy I'm running locally (i.e. behind the router). Typically this could be configured in a web browser but in this case I'd like all HTTP traffic to go through the proxy before it's routed to its final destination.

 

It seems like DNAT might help with this but because this is a local server I'm unsure how to route things properly.

 

Any help is appreciated.

SuperUser
Posts: 7,354
Registered: ‎01-05-2012
Kudos: 1938
Solutions: 961

Re: Routing all HTTP traffic through a local proxy?

Take a look here; it's for DNS, but if you change it to tcp and dport 80 ....

Cheers,

jonatha

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

[ Edited ]

Thank you!

 

Unfortunately I've tried a number of configurations based on the threads you linked but so far I've only succeeded in locking myself out of the router and making it such that all HTTP/HTTPS traffic is blocked.

 

To make things a little more concrete, I've got an EdgeRouter X where eth0 is the WAN and eth1 is connected to my NAS where Privoxy is running. I'm able to proxy an arbitrary device on my network through this Privoxy by setting the HTTP and HTTPS proxy configuration in say my browser to point to 192.168.1.59:8118.

 

However when I set up the dNAT (e.g. following along with the previously linked threads) I'm no longer able to access the router or any webpages. I've attached a screenshot of my most recent attempt which failed utterly--I was able to connect to the router again after manually setting the proxy settings to point to 192.168.1.59:8118 and then removing the dNAT rule.

 

 

Screen Shot 2018-10-21 at 10.39.03 AM.png
Veteran Member
Posts: 7,023
Registered: ‎03-24-2016
Kudos: 1819
Solutions: 802

Re: Routing all HTTP traffic through a local proxy?

Easiest is to change ER https port, so GUI access isn't affected by your messing with NAT rules. (Alternatively, add a dNAT exclude rule before proxy redirect, excluding NAT, so packet goes unaltered to ER webserver.)

 

I doubt this proxy forcing redirect will work for https. And nowadays, most browsers will use https by default. Try forcing http, by specifying it in the URL.

And run tcpdump on WAN interface of ER, to see what goes on.

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

I’ll try excluding the router explicitly as you said, thanks. I’m not sure why that didn’t occur to me before. 

 

Privoxy explicitly asks you to proxy HTTPS traffic through it—is there some other reason why that wouldn’t work?

Veteran Member
Posts: 7,023
Registered: ‎03-24-2016
Kudos: 1819
Solutions: 802

Re: Routing all HTTP traffic through a local proxy?

Proxy and https don't team up well:

The idea behind https is end-to-end encryption

The idea behind proxy is being some kind of man in the middle.

 

Prepare for certificate errors in browser (or import proxy certificate in browser)

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

Having used Privoxy directly, I can tell you that I don’t have issues with certificate errors when the browser is configured to pass through both HTTP and HTTPS traffic. However I have yet to pass through all traffic on the LAN and I guess I’m wondering if that’s the specific case where you anticipate problems?

(More on Privoxy here: https://www.privoxy.org/user-manual/quickstart.html)
New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

I've now set up a dNAT to exclude the router and then established a similar set of rules as I had before. However it doesn't seem like the rules are picking up any traffic. I've attached some screenshots for context.

 

 

Screen Shot 2018-10-21 at 4.30.42 PM.png
Screen Shot 2018-10-21 at 4.30.58 PM.png
Screen Shot 2018-10-21 at 4.31.17 PM.png
Veteran Member
Posts: 7,023
Registered: ‎03-24-2016
Kudos: 1819
Solutions: 802

Re: Routing all HTTP traffic through a local proxy?

Configuring proxy in browsers differs from transparent proxy, like you're setting up now.

 

Do some troubleshooting.

From a client I'd run "telnet www.google.com 80" while looking into conntrack and tcpdump on switch0 interface.

 

Post your config "show configuration | cat" as it might reveal more than a few screenshots.

New Member
Posts: 30
Registered: ‎11-09-2015
Kudos: 2

Re: Routing all HTTP traffic through a local proxy?

Agree with 16Again.  You cannot use a simple transparent HTTPS proxy without getting certificate errors. That's unless you are deploying something that has a man-in-the-middle TLS decryption capability, which gets even more complicated.

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

Right that makes sense--I guess I had assumed Privoxy was capable of terminating SSL a la MITMProxy.

 

Below is my config. I have to head to work, but I'll do some experimentation when I'm back with telnet and tcpdump (it's a bit disruptive for the rest of the house so I've tried to be intentional about what I'm testing).

 

Thanks for all the help!

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/openvpn/<snip>.ovpn
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping glasshouse {
                    ip-address 192.168.1.59
                    mac-address 00:11:32:8e:7c:e4
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5001 {
            description "masquerade for VPN"
            log disable
            outbound-interface vtun0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
    upnp2 {
        listen-on switch0
        nat-pmp enable
        secure-mode enable
        wan vtun0
    }
}
system {
    host-name ubnt
    login {
        user max {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 192.168.1.59
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
Veteran Member
Posts: 7,023
Registered: ‎03-24-2016
Kudos: 1819
Solutions: 802

Re: Routing all HTTP traffic through a local proxy?

For sure that config won't work, as it lacks all required NAT rules.

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

What specific NAT rules do you suggest?

Veteran Member
Posts: 7,023
Registered: ‎03-24-2016
Kudos: 1819
Solutions: 802

Re: Routing all HTTP traffic through a local proxy?

Previous screenshots did show those NAT rules

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

[ Edited ]

Sorry about that--I had removed the NAT rules completely Sunday night and hastily pasted that configuration this morning.

 

I've re-added the rules and this should be the updated configuration:

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        config-file /config/openvpn/<snip>.ovpn
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping glasshouse {
                    ip-address 192.168.1.59
                    mac-address 00:11:32:8e:7c:e4
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description "LAN Router"
            exclude
            inbound-interface switch0
            inside-address {
                address 192.168.1.1
                port 80
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "Force LAN Privoxy"
            destination {
                address !192.168.1.59
                port 80
            }
            inbound-interface switch0
            inside-address {
                address 192.168.1.59
                port 8118
            }
            log disable
            protocol tcp
            source {
                address !192.168.1.59
            }
            type destination
        }
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5001 {
            description "masquerade for VPN"
            log disable
            outbound-interface vtun0
            type masquerade
        }
        rule 5002 {
            description "Privoxy Masquerade"
            destination {
                address 192.168.1.59
                port 80
            }
            log disable
            outbound-interface switch0
            protocol tcp
            source {
                address !192.168.1.59
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
    upnp2 {
        listen-on switch0
        nat-pmp enable
        secure-mode enable
        wan vtun0
    }
}
system {
    host-name ubnt
    login {
        user max {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 192.168.1.59
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
Veteran Member
Posts: 7,023
Registered: ‎03-24-2016
Kudos: 1819
Solutions: 802

Re: Routing all HTTP traffic through a local proxy?

NAT still lacks 443 rules. Privoxy masquerade should look like this. Wrong port breaks the rule, the source part is cosmetic.

 

        rule 5002 {
            description "Privoxy Masquerade"
            destination {
                address 192.168.1.59
                port 8118
            }
            log disable
            outbound-interface switch0
            protocol tcp
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
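To see why the port in the masquerade rule matters, here is an added example (not from the thread or from EdgeOS) that models the order in which the router evaluates these rules: destination rules rewrite the packet first, routing then picks the egress interface, and masquerade rules are matched against the rewritten packet. Rule ids, addresses and ports are taken from the posted config; `WAN_IP`, the `Packet` type and the match/route logic are a simplified model, not EdgeOS internals.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; "WAN_IP" is a constructed stand-in for eth0's DHCP address.
PRIVOXY, ROUTER = "192.168.1.59", "192.168.1.1"
IF_ADDR = {"switch0": ROUTER, "eth0": "WAN_IP"}   # address masquerade writes, per egress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str = "switch0"
    out_if: str = ""        # decided by routing, which runs after destination NAT

def _match(rule, pkt):
    # Match values are exact, a frozenset of allowed values, or "!value" for negation.
    for field, want in rule.get("match", {}).items():
        have = getattr(pkt, field)
        if isinstance(want, frozenset):
            if have not in want:
                return False
        elif isinstance(want, str) and want.startswith("!"):
            if str(have) == want[1:]:
                return False
        elif have != want:
            return False
    return True

def apply_nat(pkt, rules):
    """Return (rewritten packet, per-rule hit counts) for a connection's first packet."""
    hits = {r["id"]: 0 for r in rules}
    for phase in ("destination", "masquerade"):
        for r in sorted(rules, key=lambda r: r["id"]):
            if r["type"] != phase or not _match(r, pkt):
                continue
            hits[r["id"]] += 1
            if not r.get("exclude"):            # an exclude rule leaves the packet alone
                if phase == "destination":
                    pkt = replace(pkt, dst=r["to"][0], dport=r["to"][1])
                else:
                    pkt = replace(pkt, src=IF_ADDR[pkt.out_if])
            break
        if phase == "destination":              # routing sees the rewritten destination
            pkt = replace(pkt, out_if="local" if pkt.dst == ROUTER else
                          "switch0" if pkt.dst.startswith("192.168.1.") else "eth0")
    return pkt, hits

def thread_rules(masq_port):
    # The rules posted above, reduced to their match fields; masq_port 80 vs 8118 is the fix.
    return [
        {"id": 1, "type": "destination", "exclude": True,        # router GUI stays reachable
         "match": {"in_if": "switch0", "dst": ROUTER, "dport": 443}},
        {"id": 2, "type": "destination", "to": (PRIVOXY, 8118),  # "Force LAN Privoxy"
         "match": {"in_if": "switch0", "src": "!" + PRIVOXY, "dst": "!" + PRIVOXY,
                   "dport": frozenset({80, 443})}},
        {"id": 5000, "type": "masquerade", "match": {"out_if": "eth0"}},
        # POSTROUTING sees the rewritten dport 8118, so a rule written for port 80 never hits.
        {"id": 5002, "type": "masquerade",
         "match": {"out_if": "switch0", "dst": PRIVOXY, "dport": masq_port}},
    ]
```

With `masq_port=80` the client's source is left untouched, so Privoxy answers the client directly from 192.168.1.59:8118 while the client expects the original server and resets the connection; with 8118 the router rewrites the source and sees both directions of the hairpinned flow.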
New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

Here are my updated NAT rules:

 

    nat {
        rule 1 {
            description "LAN Router"
            exclude
            inbound-interface switch0
            inside-address {
                address 192.168.1.1
                port 443
            }
            log disable
            protocol tcp
            type destination
        }
        rule 2 {
            description "Force LAN Privoxy"
            destination {
                address !192.168.1.59
                port 80,443
            }
            inbound-interface switch0
            inside-address {
                address 192.168.1.59
                port 8118
            }
            log disable
            protocol tcp
            source {
                address !192.168.1.59
            }
            type destination
        }
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5001 {
            description "masquerade for VPN"
            log disable
            outbound-interface vtun0
            type masquerade
        }
        rule 5002 {
            description "Privoxy Masquerade"
            destination {
                address 192.168.1.59
                port 8118
            }
            log disable
            outbound-interface switch0
            protocol tcp
            source {
                address 192.168.1.0/24
            }
            type masquerade
        }
    }

Nothing seems to be going into these rules, the counts show as 0.

New Member
Posts: 4
Registered: ‎05-07-2018

Re: Routing all HTTP traffic through a local proxy?

In the past, when I have done this (routing web traffic through a transparent/intercepting proxy w/o any client config) on other vendors' products, I've used "policy based routing" (not DNAT).

 

It seems there's already an example posted on this site using PBR:

https://community.ubnt.com/t5/EdgeRouter/Transparent-Proxy-Off-host-with-Policy-Based-Routing/td-p/6...

New Member
Posts: 13
Registered: a month ago

Re: Routing all HTTP traffic through a local proxy?

It's not clear to me how you can route to a proxy that's running on a different port with that PBR approach. For instance, Privoxy is running on 192.168.1.42:8118. Is it possible to direct all HTTP traffic to it with PBR?

New Member
Posts: 4
Registered: ‎05-07-2018

Re: Routing all HTTP traffic through a local proxy?

In that case, I've tended to use PBR to direct appropriate traffic to the proxy, and iptables (on the proxy server) to redirect port 80 to the appropriate port (8118 in this case), although DNAT on the router could be equally effective at redirecting port 80 to 8118.
