mbox can support HTTP proxy service by integrating the most popular proxy engine squid. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator and web access filtering engine. 

mbox installed with squid is typically deployed in two modes: transparent mode or explicit mode.

A transparent proxy, also known as an intercepting proxy, does not require any configuration changes on the client, since traffic is transparently sent to the proxy, redirected by mbox firewall DNAT rule. When the client sends packets, they are addressed to the destination server. Squid silently intercepts the URL requests, caches the contents and performs URL filtering (if any).

In transparent mode, mbox is deployed “in-line”, sitting in the data path, eg. as a gateway, running “transparently” to end users. This mode is good when we want to minimize disruptions to user experience.

A few key note on transparent mode:

• • mbox is deployed as a gateway for user network

  • Users’ PC default gateway must be mbox proxy LAN IP address

  • transparent mode does not intercept https connections

An explicit proxy is one in which the client is explicitly configured to use the proxy, and as such are aware of the existence of the proxy on the network. When the client sends packets to an explicit proxy, they are addressed to the proxy server listening address and port. Squid usually listens for explicit traffic on TCP port 3128 but TCP port 8080 is a common explicit proxy listening port. 

In explicitly mode deployment, mbox can be “in-line or “out-of-band”. This mode is typically used when we want to proxy or filter https traffic as well, or sometimes simply use mbox to redirect traffic (eg. users’ PC default gateway is not mbox).

A few key note on explicit mode:

• • mbox can be in-line as a gateway or out-of-band

  • Users’ PC browser must be configured to point to mbox IP as proxy with the correct proxy port

  • explicit mode supports https connections

CONFIGURING WEB PROXY

When configuring mbox as proxy, following preparations are needed:

• • determine which proxy mode to use first

  • determine proxy port number to be used. This is not required for transparent proxy (we use default TCP/3128); but for explicit proxy, it’s recommended to change the default to use TCP/8080.

  • determine which traffic is allowed or denied (eg. URL filtering, network filtering etc etc)

Main configuration steps:

1. configure proxy service

2. configure mbox to intercept user traffic (redirect http requests to proxy)

3. (optional) configure URL logging

1. CONFIGURE PROXY SERVICES

NOTES: we must explicitly permit accesses across mbox proxy, otherwise by default it blocks all access by default for security reasons. We use "proxy-access" command to define which traffic is permitted.

proxy-access <ACL Number> <actions> <filter>

• <ACL Number> defines sequence of actions for each access. It is like firewall rules, processed from top-down, once a traffic is matched with an upper rule, it will not be processed by lower rules. So it's important to plan the rules sequence when we have many rules.

• <actions> defines whether to permit or deny accesses for the matched traffic (specified in <options>). below is a list of actions available:

  • permit      Permit access from defined network. There's an implicit "deny" within mbox (anything not explicitly permitted are denied), so at minimum, we must permit hosts from local networks to go out. But if we are to deny access to certain domains/URLs, the permit rules should appear at the bottom of all other deny rules.

  • permit-log  Permit access and log accessed URLs. This option tracks all permitted URL access in syslog format (facility: local7.info), so that we can send to external syslog server for central logging.

  • deny        Deny access from defined network.

  • deny-log    Deny access and log accessed URLs. This option tracks all permitted URL access in syslog format (facility: local7.info), so that we can send to external syslog server for central logging.

• <filter> defines what traffic to permit/deny for this rules. below is a list of available options:

  • all     All accesses. This permit/deny all traffic (depending on the <action> option)

  • src     Filter by source IP-address or subnet.

  • dst     Filter by destination IP-address or subnet.

  • port    Filter by destination port (TCP ports only)

  • domain  Filter by destination domains (for example .xyz.com). This can be used for manual URL filtering.

NOTES:

• • if we’re running mbox as a transparent proxy, we will add optional command “transparent” when specify proxy-port

  • if we've changed proxy-port or proxy-access rules, we must restart proxy service (stop then start again).

  • typically we use proxy-port TCP/8080 when running explicit mode; use TCP/3128 when running transparent mode. (change the firewall rule port number to match the proxy-port no. used).

• after change of block-url (eg. using "block-url add" command), we need to stop and start proxy service.

2. CONFIGURE MBOX TO INTERCEPT HTTP TRAFFIC (HTTP REDIRECTION)

There are two main steps to configure:

1. configure firewall-dnat redirect/forward http (tcp/80) to proxy port (default tcp/3128)

2. configure firewall-input to allow incoming proxy requests (tcp/3128)

NOTE: If we're looking to enable proxy for a specific networks only, we need to specify src network in the redirect rule "firewall-dnat 9 redirect xxx", and this network usually needs to match with "proxy-access" src network config.

3. (OPTIONAL) CONFIGURE URL LOGGING

In many cases, when running proxy service, we will want to log the URL access details (URL logging) to a central logging server, for analysis and compliance purposes.

NOTES:

• we need to enable logging in the proxy-access rule (eg. proxy-access 19 permit-log xxxx), so that URL accesses are tracked as syslog (facility: local7.info).

• because mbox proxy only intercepts (therefore logs) http traffic, if we want to log complete accesses (eg. https), we have to enable firewall logging for https (tcp/443) traffic (for CMG, use firewall-access <acl> permit-log/deny-log for CMG; for HSG, use hotspot-access <acl> permit-log/deny-log)

• we need to configure log-out rules to export out facility local7 (for http URL logs) and message type "mboxfw" (for firewall logs) to external syslog server. More details on logging output is here.

COMPLETE CONFIG EXAMPLE