To set up and configure the HTTP Proxy, follow the steps provided in this article. After setting up the HTTP Proxy, you can configure log settings for the service. Because the integrated proxy service of the Barracuda CloudGen Firewall is based on Squid, you can also add generic squid.conf entries for configurations such as client IP forwarding, closing redundant client sessions, and customized HTTP and HTTPS ports. From the command line, you can verify the HTTP Proxy server configuration.
Step 1. Enable the HTTP Proxy Service
To enable the HTTP Proxy:
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > Service Properties.
- Click Lock.
- From the Enable Service list, select Yes.
- Click Send Changes and Activate.
Step 2. Configure the Connection Settings
Specify the settings for connecting your system to the Internet.
- Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
- From the Configuration menu in the left navigation pane, select HTTP Proxy.
- Click Lock.
- From the Connection Type list, select how your system is connected to the Internet. You can select one of these options:
- Direct Access – Your Barracuda CloudGen Firewall is directly connected to the Internet.
- HTTP/S Proxy – Your Barracuda CloudGen Firewall is connected through an HTTP or HTTPS Proxy.
- Specify the rest of the settings in the System HTTP Proxy Settings section.
- Click Send Changes and Activate.
Step 3. Specify the Operation and Network Settings
Select the operation mode for the HTTP Proxy and specify its network settings.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- Click Lock.
- In the left menu, click Basic Settings and configure the following settings:
Contact Mail – The admin proxy email address. This address is the contact that will be displayed within upcoming error messages.
Visible Hostname – The hostname that will be displayed within error messages. The visible hostname must be formatted as: "host.domain.tld". Special characters are not allowed. If you are running a forwarding/caching DNS server, the hostname MUST NOT be identical to the system hostname.
Proxy Mode – The mode that specifies how the proxy service handles requests. You can select one of the following modes:
Mode | Description |
---|---|
ForwardProxy | If requests received from a client must be directed to another server, select this mode. The HTTP Proxy then acts as a client and generates further requests to the server. |
TransparentProxy | All requests sent by clients are directed to the proxy server. With this mode, proxy authentication is only possible with the Barracuda DC Agent. |
ReverseProxy | The reverse proxy directs incoming requests from other servers to clients without providing the origin details. With this mode, you must also configure additional settings for the reverse proxy. For more details, see How to Set Up a Reverse Proxy. |
- In the left menu, click IP Configuration.
- In the Network Settings section, specify the IP addresses and ports that you want to use. You can also configure SNMP monitoring. For more details on these settings, see HTTP Proxy Settings.
- Click Send Changes and Activate.
Step 4. Configure Log Settings
To specify the log settings for the HTTP Proxy:
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- In the left navigation pane, expand Configuration Mode and click Switch to Advanced View.
- Click Lock.
- In the Log Settings section, specify the log settings for the service. For more details on these settings, see HTTP Proxy Settings.
- Click Send Changes and Activate.
Step 5. (Optional) Configure Miscellaneous (Misc.) Settings
If required, you can configure these miscellaneous settings for the HTTP Proxy:
- Use of extended passive FTP
- Number of CPU cores
- Use of the X-Forwarded-For header for requests
- Cache settings
- Size limit for files that will be processed
To configure these settings:
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- In the left navigation pane, expand Configuration Mode and click Switch to Advanced View.
- In the Misc. Settings section, configure the miscellaneous settings. For more details on these settings, see HTTP Proxy Settings.
- Click Send Changes and Activate.
Step 6. (Optional) Enable TLS Inspection
To apply web filter policies or to use virus scanning for HTTPS traffic, enable TLS Inspection. To use TLS Inspection, the Feature Level of the Forwarding Firewall must be set to 7.2 or higher. For more information, see TLS Inspection in the Firewall.
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- In the left menu, select SSL Settings.
- Click Lock.
- Select Enable SSL Inspection.
- Import your root CA Certificate in PKCS12 format:
- Click on Ex/Import for the Root CA Certificate.
- Select Import from PKCS12 File and select your root CA certificate file on your computer.
- (optional) In the SSL Inspection section, enter the Excluded Domains.
- (optional) In the SSL Inspection section, add the domains that should always be trusted to the Allow List.
- Click Send Changes and Activate.
Add Squid Configurations
To configure client IP forwarding, close redundant client sessions, and customize HTTP and HTTPS ports, add squid.conf entries in the advanced settings for the HTTP Proxy.
To add squid.conf entries:
First, enable expert settings for the Barracuda CloudGen Firewall:
- Click the Options tab on the top left of Barracuda Firewall Admin and select Settings.
- Expand Admin and CC Settings and select the Show Expert Settings check box.
- To activate the settings, restart Barracuda Firewall Admin.
The squid.conf settings are now visible in Barracuda Firewall Admin. Continue with the following steps:
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- In the left navigation pane, expand Configuration Mode and click Switch to Advanced View.
- Click Lock.
- From the Configuration menu in the left navigation pane, click Advanced.
- In the Generic squid.conf Entries field, add the required squid.conf entries.
- Click Send Changes and Activate.
More information on how to configure the required squid.conf entries is provided in these sections:
Client IP Forwarding
To grant access to web servers that do not accept anonymous HTTP requests from proxies, you can add a squid.conf entry. The Barracuda CloudGen Firewall HTTP Proxy uses the forwarded_for option to add the X-Forwarded-For entry to the HTTP header for such requests. If the option is set to unknown, the web server may block the request. To grant access to this web server, you must enable client IP address forwarding or delete the entire X-Forwarded-For entry from the HTTP header.
To configure client IP forwarding, enter one of the following options:
Forwarding Option | Description |
---|---|
forwarded_for on | Adds the actual client IP address to the HTTP header. |
forwarded_for off | Adds To maintain anonymity, Barracuda Networks recommends that you use the |
forwarded_for delete | Deletes the entire X-Forwarded-For entry from the HTTP header. |
forwarded_for transparent | Does not alter the X-Forwarded-For entry in the HTTP header in any way. |
forwarded_for truncate | Removes all existing X-Forwarded-For entries and adds itself as the sole entry. |
Close Client Sessions
After a certain number of established sessions, the firewall engine blocks new sessions until the HTTP Proxy and the Virus Scanner service are restarted. As a result, the number of antivirus file descriptors increases when using the HTTP Proxy, and firewall authentication via HTTPS may not work. To close redundant client sessions, enter the following two parameters:
pconn_timeout 10 seconds
half_closed_clients off
Customized HTTP and HTTPS Ports
If required, you can add customized ports with squid.conf entries. Some environments require customized ports for the HTTP Proxy, for example, http://www.intranet.com:81 or https://www.intranet.com:81. If the ports are not automatically accepted by the proxy, you can allow these ports via an ACL.
By default, the Squid proxy only accepts HTTP and HTTPS requests on the following ports:
Accepted Port | Service |
---|---|
443 / 563 | HTTPS |
80 | HTTP |
21 | FTP |
70 | Gopher |
210 | WAIS |
280 | HTTP-MGMT |
488 | GSS-HTTP |
591 | FileMaker |
777 | Multiling HTTP |
Add Ports to the ACL
To add ports to the ACL, enable expert settings for the Barracuda CloudGen Firewall and then add the squid.conf entries for the ports.
- Enable expert settings for the Barracuda CloudGen Firewall.
- Click the Options tab on the top left of Barracuda Firewall Admin and select Settings.
- Expand Admin and CC Settings and select the Show Expert Settings check box.
- To activate the settings, restart Barracuda Firewall Admin.
- Log back into the Barracuda CloudGen Firewall and open the HTTP Proxy Settings - Advanced page in advanced configuration mode.
- Add the squid.conf entries for the required ports. Depending on the protocol, use the following syntax:
Protocol | Syntax |
---|---|
HTTP | acl Safe_ports port <portnumber> |
HTTPS | acl SSL_ports port <portnumber> |
For example, to add port 81:
Protocol | Example |
---|---|
HTTP | acl Safe_ports port 81 # http customized |
HTTPS | acl SSL_ports port 81 # https customized |
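Before activating generic squid.conf entries, it helps to review what they open up. The following is an added example, not Barracuda's or Squid's own code: it parses a block of entries and lists every port added beyond the default table above, plus a forwarded_for setting that adds the client IP to outgoing requests (see Client IP Forwarding). The function names and the sample entries are constructed for illustration, and it assumes that the last forwarded_for entry is the effective one.

```python
# Added example: review generic squid.conf entries before activating them.
# Default port sets are taken from the "Accepted Port" table on this page.
SAFE_DEFAULT = {443, 563, 80, 21, 70, 210, 280, 488, 591, 777}
SSL_DEFAULT = {443, 563}

def parse_entries(conf_text):
    """Return (port_acls, forwarded_for) parsed from squid.conf text."""
    acls = {"Safe_ports": [], "SSL_ports": []}
    forwarded_for = None
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) == 2 and fields[0] == "forwarded_for":
            forwarded_for = fields[1]  # assumption: the last entry wins
        elif len(fields) >= 4 and fields[0] == "acl" and fields[2] == "port":
            if fields[1] not in acls:
                continue  # some other port ACL, not reviewed here
            for token in fields[3:]:
                lo, _, hi = token.partition("-")  # "81" or "8000-8999"
                acls[fields[1]].append((int(lo), int(hi or lo)))
    return acls, forwarded_for

def review(conf_text):
    """List the entries that widen what the proxy allows or discloses."""
    acls, forwarded_for = parse_entries(conf_text)
    findings = []
    if forwarded_for == "on":
        findings.append("forwarded_for on: client IP is added to outgoing requests")
    for name, defaults in (("Safe_ports", SAFE_DEFAULT), ("SSL_ports", SSL_DEFAULT)):
        for lo, hi in acls[name]:
            if lo == hi and lo in defaults:
                continue  # already accepted by default
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{name}: extra port {span}")
    return findings

# Constructed sample of Generic squid.conf Entries (not from a real system).
SAMPLE = """\
forwarded_for on
pconn_timeout 10 seconds
half_closed_clients off
acl Safe_ports port 81   # http customized
acl SSL_ports port 81    # https customized
acl SSL_ports port 8000-8999
"""

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```

Each finding is a change to sign off on rather than an error; a port range in SSL_ports deserves the closest look because it widens the set of ports accepted for HTTPS requests.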
Verify the HTTP Proxy Configuration
From the command line, you can verify your HTTP Proxy server configuration.
- At the command line, log in as root.
- Enter the following:
squid -N -f /var/phion/preserve/proxy/<servername_servicename>/root/squid.conf
If there are any errors in your configuration, the number of the row that contains the error is printed.
HTTP Proxy Settings
These sections provide more detailed descriptions of the networking, log, and miscellaneous settings that you can configure for the HTTP Proxy: