Transparent proxying (a.k.a. forcing everyone to use proxy)
Transparent proxying intercepts all web requests on port 80 that would otherwise pass through the NetManager to the Internet and passes them on to the local proxy. There are a couple of limitations:
- It is incompatible with proxy authentication
- The NetManager must be connected in-line so that it sees web traffic going out to the Internet. In practice, this usually means using NAT and having the NetManager connected directly to the router.
[Diagram: Direct attach, transparent proxying will NOT work] [Diagram: In-line, transparent proxying WILL work]
Enabling transparent proxying
You need to determine three things:
- Which network interface you want to intercept the traffic on (e.g. wm0)
- Which port number should be intercepted (generally 80 for http)
- A free port for the web proxy to use (e.g. 3200)
Then create a line like the following in the NetManager configuration file:
Then run build_server from the command line.
Transparent proxying for HTTPS
To intercept and filter HTTPS (port 443), you will need to have the HTTPS inspection module for your NetManager. This will allow you to add a configuration such as:
You will also need to have enabled the NetManager to be a certificate authority. N.B. you must have an Internet connection that does not block direct HTTPS connections. By enabling transparent proxying for HTTPS, any upstream proxies you configure will be ignored for HTTPS traffic. This is because NetManager needs to be able to speak directly to the origin server on your client's behalf to determine what site you are attempting to access.
There are 3 operations that you can perform on an intercepted HTTPS connection. You configure these using normal proxy filters, except that you cannot use filters that require access to the raw HTTP, such as URL path or User-Agent:
- Forward on - connects the client to the origin server, but logs that the site has been accessed
- Block - terminates the connection which will give a browser error (not a friendly NetManager block page)
- Intercept - NetManager will decrypt the connection and log the encapsulated HTTP traffic. This allows you to block and log search engine queries, for example. To do this, you will need to install the NetManager CA cert as trusted on your clients.
nat_transparent is a space-separated list of interfaces and ports to intercept. Within each entry, the sections are colon separated. Minimal format is:
Flags may be added as extra sections on the end. Currently supported flags are:
- src - comma-separated list of client IP addresses to intercept (with optional netmask)
- fwd - IP address to forward to (default is localhost)
Caveats
If doing HTTPS interception, you may find some sites (or parts of sites) fail to display correctly. You may see SSL-related errors in the browser, and the proxy logs show errors along the lines of the following:
SECURITY ALERT: Host header forgery detected on ... (local IP does not match any domain IP)
This happens when the client computer uses different DNS servers from your NetManager. It is particularly prevalent if you use the public Google DNS servers (8.8.8.8 and 8.8.4.4); in that case it may happen even when both NetManager and the clients use them. The problem occurs because the client looks up an IP address for the website and tries to connect (which NetManager intercepts); when NetManager then looks up the same website, it gets a different IP address, so the address the client connected to does not match any address NetManager knows for that host.
For full details, see https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
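The check behind that alert, as an added illustration that is not NetManager's or Squid's own code: the proxy takes the destination the client actually connected to, resolves the name from the Host header or SNI itself, and raises the alert if the two disagree. Both resolver views and all addresses below are constructed (documentation ranges), and the second assertion-style call shows the mismatch going away once client and proxy share a resolver.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed DNS views. A CDN-hosted name legitimately resolves to different
# addresses depending on which resolver asks; that is the case described above.
CLIENT_DNS: Dict[str, List[str]] = {
    "www.cdn-site.example": ["203.0.113.10", "203.0.113.11"],
    "intranet.example": ["192.0.2.5"],
}
PROXY_DNS: Dict[str, List[str]] = {
    "www.cdn-site.example": ["198.51.100.20", "198.51.100.21"],
    "intranet.example": ["192.0.2.5"],
}

ALERT = ("SECURITY ALERT: Host header forgery detected on {ip} "
         "(local IP does not match any domain IP)")


def client_connect(name: str, resolver: Dict[str, List[str]]) -> str:
    """The client connects to the first address its own resolver returns."""
    return resolver[name][0]


def verify_intercepted(dst_ip: str, host: str,
                       resolver: Dict[str, List[str]]) -> Optional[str]:
    """Proxy-side check on one intercepted connection.

    dst_ip: original destination taken from the NAT state (where the client
            really connected); host: name from the Host header or SNI.
    Returns None when dst_ip is among the addresses the proxy's resolver
    returns for host, otherwise the alert line that would hit the proxy log.
    """
    dst = ipaddress.ip_address(dst_ip)
    proxy_view = {ipaddress.ip_address(a) for a in resolver.get(host, [])}
    return None if dst in proxy_view else ALERT.format(ip=dst_ip)


def simulate(host: str, client_resolver: Dict[str, List[str]]) -> Optional[str]:
    """Client resolves with client_resolver; the proxy verifies with PROXY_DNS."""
    dst_ip = client_connect(host, client_resolver)
    return verify_intercepted(dst_ip, host, PROXY_DNS)


if __name__ == "__main__":
    print(simulate("intranet.example", CLIENT_DNS))      # None: views agree
    print(simulate("www.cdn-site.example", CLIENT_DNS))  # alert: views differ
    print(simulate("www.cdn-site.example", PROXY_DNS))   # None: same resolver
```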