How to Configure a Transparent HTTP Proxy on FreeBSD Operating System
Introduction
A transparent HTTP proxy intercepts web traffic without requiring client-side configuration, making it an efficient solution for caching, content filtering, and traffic monitoring. FreeBSD, with its robust networking capabilities, is an excellent choice for deploying such a proxy.
In this guide, we will walk through the process of configuring a transparent HTTP proxy on FreeBSD using Squid, a widely used caching proxy, and PF (Packet Filter), FreeBSD’s built-in firewall, to redirect traffic seamlessly.
Prerequisites
Before proceeding, ensure you have:
- A FreeBSD system (version 12 or later recommended) with root access.
- Basic knowledge of FreeBSD administration, including package management and firewall configuration.
- A working network interface connected to the internet.
Step 1: Install Squid Proxy
Squid is a powerful caching proxy that supports transparent proxying. Install it using FreeBSD’s package manager:
pkg update
pkg install squid
Enable and start the Squid service:
sysrc squid_enable=YES
service squid start
Verify that Squid is running:
sockstat -4 | grep squid
You should see Squid listening on port 3128 by default.
Step 2: Configure Squid for Transparent Proxy Mode
Edit Squid’s main configuration file:
ee /usr/local/etc/squid/squid.conf
Make the following changes:
1. Define the Local Network
Add your local subnet (e.g., 192.168.1.0/24) to the ACL (Access Control List):
acl localnet src 192.168.1.0/24
2. Allow HTTP Traffic
Ensure Squid permits HTTP traffic from your network:
http_access allow localnet
3. Enable Intercept Mode
Configure Squid to handle intercepted traffic. The mode is called intercept in current Squid releases; older releases spelled it transparent, which newer versions still accept as a deprecated alias:
http_port 3128 intercept
Keep this port for redirected traffic only: a port in intercept mode is not meant to receive requests from clients that have the proxy configured explicitly, so give explicit clients a separate http_port line if you need one.
Save the file and restart Squid:
service squid restart
Step 3: Configure PF (Packet Filter) for Traffic Redirection
FreeBSD’s PF firewall will redirect HTTP traffic (port 80) to Squid (port 3128).
1. Enable PF
Add the setting to /etc/rc.conf so PF is enabled at boot:
sysrc pf_enable=YES
2. Create PF Rules
Edit the PF configuration file:
ee /etc/pf.conf
Add the following rules (adjust em0 to match your network interface):
# Redirect HTTP traffic to Squid
rdr pass on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
# Allow redirected traffic
pass in quick proto tcp from any to 127.0.0.1 port 3128
3. Load and Test PF Rules
Start PF if it is not already running (service pf start; pfctl -f only loads a ruleset, it does not enable the filter), then load the rules and check for errors:
pfctl -f /etc/pf.conf
pfctl -sn | grep rdr
You should see the redirection rule in place. Note that rdr rules belong to the NAT rule set shown by pfctl -sn; pfctl -sr lists only filter rules and will not show them.
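The redirect port, the intercept port and the allowed source network are spread over two files, and a mismatch between them is the usual reason an intercept setup silently does nothing or denies everything. The following checker is an added example, not part of this guide or of the Squid or PF projects; it cross-checks constructed squid.conf and pf.conf fragments that mirror the settings above (the "from any" redirect rule from the guide beside a version restricted to the local network), assuming the native pf rdr syntax and Squid's http_port and acl src directives.

```python
"""Cross-check squid.conf against pf.conf for an intercept (transparent) setup.

Added example, not part of the original guide or of Squid/PF. The embedded
configurations are constructed samples; the checks encode these expectations:
  * the port PF redirects to must be an http_port in intercept mode,
  * that port must not double as a plain (explicitly configured) proxy port,
  * the rdr source should be a network Squid actually allows via a src ACL.
"""
import ipaddress
import re

# Constructed squid.conf fragment, as in the guide ("intercept" is the current
# spelling of the mode; "transparent" is its deprecated alias).
SQUID_CONF = """\
acl localnet src 192.168.1.0/24
http_access allow localnet
http_port 3128 intercept
"""

# Constructed pf.conf fragment with the guide's redirect rule ("from any").
PF_CONF_WEAK = """\
# Redirect HTTP traffic to Squid
rdr pass on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick proto tcp from any to 127.0.0.1 port 3128
"""

# The same rule with the source limited to the local network.
PF_CONF_FIXED = PF_CONF_WEAK.replace("from any to any port 80",
                                     "from 192.168.1.0/24 to any port 80")

RDR_RE = re.compile(
    r"^rdr\s+(?:pass\s+)?on\s+(?P<iface>\S+)\s+.*?\bfrom\s+(?P<src>\S+)"
    r"\s+to\s+\S+\s+port\s+(?P<dport>\d+)\s+->\s+(?P<rhost>\S+)\s+port\s+(?P<rport>\d+)"
)

INTERCEPT_MODES = {"intercept", "transparent", "tproxy"}


def parse_squid(text):
    """Return (src ACL networks by name, intercept ports, plain ports)."""
    acls, intercept_ports, plain_ports = {}, set(), set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif parts[0] == "http_port" and len(parts) >= 2:
            port = int(parts[1].rsplit(":", 1)[-1])  # accepts "3128" or "addr:3128"
            (intercept_ports if set(parts[2:]) & INTERCEPT_MODES else plain_ports).add(port)
    return acls, intercept_ports, plain_ports


def parse_pf_rdr(text):
    """Return the rdr rules of a pf.conf fragment as dicts of their fields."""
    rules = []
    for raw in text.splitlines():
        m = RDR_RE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append(m.groupdict())
    return rules


def check(squid_text, pf_text):
    """Return a list of findings; an empty list means the two files agree."""
    acls, intercept_ports, plain_ports = parse_squid(squid_text)
    allowed = [net for nets in acls.values() for net in nets]
    findings = []
    if not intercept_ports:
        findings.append("squid.conf has no http_port in intercept mode")
    for rule in parse_pf_rdr(pf_text):
        rport = int(rule["rport"])
        if rport not in intercept_ports:
            findings.append(f"rdr on {rule['iface']} targets port {rport}, "
                            f"which is not an intercept http_port in squid.conf")
        if rport in plain_ports:
            findings.append(f"port {rport} is used for both intercepted and explicit "
                            f"proxy traffic; give them separate http_port lines")
        if rule["src"] == "any":
            findings.append("rdr matches 'from any'; limit the source to the local "
                            "network so only intended clients are redirected")
        else:
            src = ipaddress.ip_network(rule["src"], strict=False)
            if not any(src.subnet_of(a) for a in allowed if a.version == src.version):
                findings.append(f"rdr source {rule['src']} is not covered by any src ACL "
                                f"in squid.conf, so Squid will deny those requests")
    return findings


if __name__ == "__main__":
    for label, pf in (("guide rule", PF_CONF_WEAK), ("restricted rule", PF_CONF_FIXED)):
        print(f"{label}: {check(SQUID_CONF, pf) or ['OK']}")
```

Run it against your own files by reading them into check(); the "from any" finding is advisory (the guide's rule works), the port findings describe configurations that will not work or that mix the two proxy modes.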
Step 4: Enable IP Forwarding
For the proxy to work correctly, FreeBSD must forward network traffic:
sysrc gateway_enable=YES
Apply the setting immediately:
sysctl net.inet.ip.forwarding=1
Step 5: Testing the Transparent Proxy
1. Verify Squid Logs
Check if Squid is processing requests:
tail -f /var/log/squid/access.log
2. Test from a Client
On a client machine in the same network, browse any HTTP website. The traffic should pass through Squid without requiring proxy settings.
3. Debugging Issues
If traffic isn't redirected:
- Ensure PF is enabled and the redirect rule is loaded (pfctl -sn).
- Check Squid's logs for errors (startup and configuration problems go to /var/log/squid/cache.log).
- Verify that the network interface in pf.conf is correct.
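Watching access.log scroll by confirms that requests arrive, but the questions worth answering on a first test are whether only local clients show up, how many requests Squid denied, and whether the cache is serving hits. The summariser below is an added example, not part of this guide or of Squid; it parses Squid's default native access.log format (timestamp, elapsed milliseconds, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) over a few constructed lines, with LOCALNET mirroring the acl localnet defined above.

```python
"""Summarise Squid's native access.log to verify an intercept setup.

Added example, not part of the original guide or of Squid. LOCALNET mirrors
the guide's "acl localnet"; SAMPLE_LOG is constructed for the demonstration.
"""
import ipaddress
from collections import Counter

LOCALNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed log lines: two LAN clients, one cache hit, one 404, and one
# request from an address outside localnet that Squid denied (a sign that the
# redirect rule or the proxy's reachability is wider than intended).
SAMPLE_LOG = """\
1700000000.101    312 192.168.1.10 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000000.402     12 192.168.1.10 TCP_MEM_HIT/200 5123 GET http://example.com/ - HIER_NONE/- text/html
1700000001.050    220 192.168.1.22 TCP_MISS/200 1400 GET http://example.org/index.html - HIER_DIRECT/93.184.216.35 text/html
1700000002.300      4 203.0.113.7 TCP_DENIED/403 3712 GET http://example.net/ - HIER_NONE/- text/html
1700000003.000    150 192.168.1.10 TCP_MISS/404 412 GET http://example.com/missing - HIER_DIRECT/93.184.216.34 text/html
"""


def parse_line(line):
    """Parse one native-format line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    action, _, status = parts[3].partition("/")  # e.g. TCP_MISS/200
    return {
        "time": float(parts[0]),
        "elapsed_ms": int(parts[1]),
        "client": ipaddress.ip_address(parts[2]),
        "action": action,
        "status": int(status),
        "bytes": int(parts[4]),
        "method": parts[5],
        "url": parts[6],
        "hierarchy": parts[8],
    }


def summarize(log_text, localnet=LOCALNET):
    """Aggregate the checks a first test of the proxy should answer."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = sum(1 for e in entries if "HIT" in e["action"])  # TCP_HIT, TCP_MEM_HIT, ...
    return {
        "requests": len(entries),
        "hits": hits,
        "hit_ratio": hits / len(entries) if entries else 0.0,
        "denied": sum(1 for e in entries if e["action"] == "TCP_DENIED"),
        "errors": sum(1 for e in entries if e["status"] >= 400),
        # In an intercept setup, clients outside localnet should not appear at all.
        "foreign_clients": sorted({str(e["client"]) for e in entries
                                   if e["client"] not in localnet}),
        "top_clients": Counter(str(e["client"]) for e in entries).most_common(3),
    }


if __name__ == "__main__":
    import sys
    # Pass a real log path (e.g. /var/log/squid/access.log) to summarise it.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

A non-empty foreign_clients list after the PF rules are in place means the redirect matches more than the local network, or the proxy port is reachable from outside; a zero hit ratio over a longer run means the cache_dir from Step 6 is not in use yet.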
Step 6: Additional Optimizations
1. Enable Caching
To improve performance, configure Squid's cache settings in squid.conf:
cache_dir ufs /var/squid/cache 1000 16 256
maximum_object_size 256 MB
Then create the cache directory:
squid -z
2. HTTPS Considerations
The proxy configured here only sees plain HTTP on port 80; HTTPS connections are encrypted end to end, so simple redirection cannot cache or filter them. For HTTPS, consider:
- Using SSL bumping (complex: the proxy terminates TLS and re-signs the connection with its own CA certificate, which every client must be configured to trust).
- Deploying a MITM (Man-in-the-Middle) proxy like Squid built with SSL support.
3. Bandwidth Management
Use dummynet (FreeBSD's traffic shaper) to limit bandwidth:
kldload dummynet
Add rules to /etc/pf.conf:
altq on em0 hfsc bandwidth 100Mb queue { http_traffic }
queue http_traffic bandwidth 50Mb hfsc ( default )
Note that these two rules use PF's ALTQ queueing, which must be compiled into the kernel (the GENERIC kernel does not include ALTQ); the dummynet module loaded above is ipfw's shaper and does not service altq rules. On FreeBSD 14 and later, PF can instead hand traffic to dummynet with dnpipe and dnqueue rule options, which work without a custom kernel.
Conclusion
Configuring a transparent HTTP proxy on FreeBSD involves setting up Squid for caching and PF for traffic redirection. This setup enhances network performance, enables content filtering, and simplifies client configurations.
For enterprise environments, consider:
- Logging and monitoring (e.g., sarg for Squid reports).
- Security hardening (restricting proxy access via ACLs).
- Load balancing for high-traffic networks.
By following this guide, you’ve built a robust transparent proxy solution on FreeBSD, ready for production use.
Further Reading
This guide provides a solid foundation, but always test configurations in a controlled environment before full deployment.