It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Set Up and Configure the HTTP Proxy

  • Last updated on

To set up and configure the HTTP Proxy, follow the steps provided in this article. After setting up the HTTP Proxy, you can configure log settings for the service. Because the integrated proxy service of the Barracuda CloudGen Firewall is based on Squid, you can also add generic squid.conf entries for configurations such as client IP forwarding, closing redundant client sessions, and customized HTTP and HTTPS ports. From the command line, you can verify the HTTP Proxy server configuration.

Step 1. Enable the HTTP Proxy Service

To enable the HTTP Proxy:

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > Service Properties.
  2. Click Lock.

  3. From the Enable Service list, select Yes.

    The remaining settings on the page were configured when the HTTP Proxy service was created. For more details on these general service IP address settings, see How to Assign Services.

  4. Click Send Changes and Activate.

Step 2. Configure the Connection Settings

Specify the settings for connecting your system to the Internet.

  1. Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
  2. From the Configuration menu in the left navigation pane, select HTTP Proxy
  3. Click Lock.
  4. From the Connection Type list, select how your system is connected to the Internet. You can select one of these options:
    • Direct Access – Your Barracuda CloudGen Firewall is directly connected to the Internet.
    • HTTP/S Proxy Your Barracuda CloudGen Firewall is connected through an HTTP or HTTPS Proxy.
  5. Specify the rest of the settings in the System HTTP Proxy Settings section.
  6. Click Send Changes and Activate.

Step 3. Specify the Operation and Network Settings

Select the operation mode for the HTTP Proxy and specify its network settings.

  1. Go to CONFIGURATION  > Configuration Tree > Box > Assigned Services >  HTTP-Proxy > HTTP Proxy Settings.
  2. Click Lock.
  3. In the left menu click Basic Settings and configure the following settings:
    • Contact Mail – The admin proxy email address. This address is the contact that will be displayed within upcoming error messages.

    • Visible Hostname – The hostname that will be displayed within error messages. The visible hostname must be formatted as: "host.domain.tld". Special characters are not allowed. If you are running a forwarding/caching DNS server, the hostname MUST NOT be identical to the system hostname.

    • Proxy Mode – The mode that specifies how the proxy service handles requests. You can select one of the following modes:

      ModeDescription
      ForwardProxyIf requests received from a client must be directed to another server, select this mode. The HTTP Proxy then acts as a client and generates further requests to the server.
      TransparentProxy

      All requests sent by clients are directed to the proxy server. With this mode, proxy authentication is only possible with the Barracuda DC Agent.

      With a transparent proxy, you must also create a forwarding firewall rule (App Redirect) or unblock the preconfigured TRANSPARENT-PROXY firewall rule to allow Internet access for your trusted LANs. For more details on configuring firewall rules, see Access Rules.

      ReverseProxy

      The reverse proxy directs incoming requests from other servers to clients without providing the origin details. With this mode, you must also configure additional settings for the reverse proxy. For more details, see How to Set Up a Reverse Proxy.

      With the Transparent Proxy and Reverse Proxy modes, the proxy modes and access control lists for the proxyauthentication type are deleted.

  4. In the left menu, click IP Configuration.
  5. In the Network Settings section, specify the IP addresses and ports that you want to use. You can also configure SNMP monitoring. For more details on these settings, see HTTP Proxy Settings.
  6. Click Send Changes and Activate.

Step 4. Configure Log Settings

To specify the log settings for the HTTP Proxy:

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
  2. In the left navigation pane, expand Configuration Mode and click Switch to Advanced View.
  3. Click Lock.
  4. In the Log Settings section, specify the log settings for the service. For more details on these settings, see HTTP Proxy Settings.
  5. Click Send Changes and Activate.

Step 5. (Optional) Configure Miscellaneous (Misc.) Settings

If required, you can configure these miscellaneous settings for the HTTP Proxy:

  • Use of extended passive FTP
  • Number of CPU cores
  • Use of the X-Forwarded-For header for requests
  • Cache settings
  • Size limit for files that will be processed

To configure these settings:

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services >  HTTP-Proxy > HTTP Proxy Settings.
  2. In the left navigation pane, expand Configuration Mode and click Switch to Advanced View.
  3. In the Misc. Settings section, configure the miscellaneous settings. For more details on these settings, see HTTP Proxy Settings.
  4. Click Send Changes and Activate.

Step 6. (Optional) Enable TLS Inspection

To apply web filter policies or to use virus scanning for HTTPS traffic enable TLS Inspection. To use TLS Inspection the Feature Level of the Forwarding Firewall must be set to 7.2 or higher. For more information, see TLS Inspection in the Firewall.

You must deploy the root certificate to the client browsers to avoid TLS errors.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
  2. In the left menu, select SSL Settings.
  3. Click Lock.
  4. Select Enable SSL Inspection.
  5. Import your root CA Certificate in PKCS12 format:
    1. Click on Ex/Import for the Root CA Certificate.
    2. Select Import from PKCS12 File and select your root CA certificate file on your computer.
  6. (optional) In the SSL Inspection section, enter the Excluded Domains.
  7. (optional) In the SSL Inspection section, enter domains that should always be trusted to the Allow List.
  8. Click Send Changes and Activate.

Add Squid Configurations

To configure client IP forwarding, close redundant client sessions, and customize HTTP and HTTPS ports, add squid.conf entries in the advanced settings for the HTTP Proxy.

For more information about Squid proxy configuration, see the official Squid documentation at www.squid-cache.org. Note that changing advanced configuration parameters should only be done by an expert administrator. If you have any questions, contact Barracuda Networks Technical Support for assistance.

To add squid.conf entries:

First, enable expert settings for the Barracuda CloudGen Firewall:

  1. Click the Options tab on the top left of Barracuda Firewall Admin and select Settings.
  2. Expand Admin and CC Settings and select the Show Expert Settings check box.
  3. To activate the settings, restart Barracuda Firewall Admin.

The squid.conf settings are visible in Barracuda Firewall Admin now. Continue with the following steps:

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services >  HTTP-Proxy > HTTP Proxy Settings.
  2. In the left navigation pane, expand Configuration Mode and click Switch to Advanced View.
  3. Click Lock.
  4. From the Configuration menu in the left navigation pane, click Advanced.
  5. In the Generic squid.conf Entries field, add the required squid.conf entries.
  6. Click Send Changes and Activate.

More information on how to configure the required squid.conf entries are provided in these sections:

Client IP Forwarding

To grant access to web servers that do not accept anonymous HTTP requests from proxies, you can add a squid.conf entry Barracuda CloudGen Firewall HTTP Proxy uses the forwarded_for option to add the X-Forwarded-For option in the HTTP header for such requests. If the option is set to unknown, the web server may block the request. To grant access to this web server, you must enable client IP address forwarding or delete the entire X-Forwarded-For entry from the HTTP header.

To configure client IP forwarding, enter one of the following options:

Forwarding OptionDescription
forwarded_for on Adds the actual client IP address to the HTTP header.
forwarded_for off

Adds unknown as a value in the HTTP header.

To maintain anonymity, Barracuda Networks recommends that you use the delete option.

forwarded_for delete Deletes the entire X-Forwarded-For entry from the HTTP header.
forwarded_for transparent Does not alter the X-Forwarded-For entry in the HTTP header in any way.
forwarded_for truncate Removes all existing X-Forwarded-For entries and adds itself as the sole entry.
Close Client Sessions

After a certain number of established sessions, the firewall engine blocks new sessions until the HTTP Proxy and the Virus Scanner service are restarted. As a result, the number of antivirus file descriptors increases when using the HTTP Proxy, and firewall authentication via HTTPS may not work. To close redundant client sessions, enter the following two parameters:

  • pconn_timeout 10 seconds
  • half_closed_clients off
Customized HTTP and HTTPS Ports

If required, you can add customized ports with squid.conf entries. Some environments require customized ports for HTTP Proxy. For example, http://www.intranet.com:81 or >https://www.intranet.com:81. If the ports are not automatically accepted by the proxy, you can allow these ports via an ACL.

By default, the Squid proxy only accepts HTTP and HTTPS requests on the following ports:

Accepted PortService
443 / 563HTTPS
80HTTP
21FTP
70Gopher
210WAIS
280HTTP-MGMT
488GSS-HTTP
591FileMaker
777Multiling HTTP
Add Ports to the ACL

To add ports to the ACL, enable expert settings for the Barracuda CloudGen Firewall and then add the squid.conf entries for the ports.

  1. Enable expert settings for the Barracuda CloudGen Firewall.
    1. Click the Options tab on the top left of Barracuda Firewall Admin and select Settings.
    2. Expand Admin and CC Settings and select the Show Expert Settings check box.
    3. To activate the settings, restart Barracuda Firewall Admin.
  2. Log back into the Barracuda CloudGen Firewall and open the HTTP Proxy Settings - Advanced page in advanced configuration mode.
  3. Add the squid.conf entries for the required ports. Depending on the protocol, use the following syntax:

    ProtocolSyntax
    HTTPacl Safe_ports port <portnumber>
    HTTPSacl SSL_ports port <portnumber>

    For example, to add port 81:

    ProtocolExample
    HTTPacl Safe_ports port 81 # http customized
    HTTPSacl SSL_ports port 81 # https customized

Verify the HTTP Proxy Configuration

From the command line, you can verify your HTTP Proxy server configuration.

  1. At the command line, log in as root.
  2. Enter the following: 
    squid -N -f /var/phion/preserve/proxy/<servername_servicename>/root/squid.conf

If there are any errors in your configuration, the number of the row that contains the error is printed.

HTTP Proxy Settings

These sections provide more detailed descriptions of the networking, log, and miscellaneous settings that you can configure for the HTTP Proxy:


Networking Settings
SettingsDescription

TCP Listening Port

The port on which the proxy service listens for incoming HTTP connections. By default, port 3128 is used. Be aware that if you change the default TCP listening port, you must also change the port number in the service object for the default HTTP proxy local firewall rule (OP-SRV-PX). Otherwise, all HTTP traffic is blocked. For more details on configuring service objects, see How to Create Service Objects.

TCP Outgoing Address

The IP address that is used by the proxy server when executing HTTP requests. You can select First-IP, Second-IP, or Dynamic. If you select Dynamic, an IP address is automatically selected from the available server address pool. To enter an explicit IP address, select Other.

UDP Incoming Address

The IP address that is used by the proxy server when responding to ICP queries. You can select First-IP, Second-IP, or None. Default: First-IP.

UDP Outgoing Address

The IP address that is used by the proxy server when executing ICP and DNS queries. You can select First-IP, Second-IP, or Dynamic.

ICP Port 

The port through which the proxy service handles ICP connections with its neighbor caches. By default, port 3130 is used. To disable this port, enter 0.

Neighbor Settings

In this table, specify how the proxy server treats neighboring proxies. For information on how to configure this section, see How to Configure Neighbor Proxies.

DNS Server IP addresses

In this table, add the DNS server IP addresses that are exclusively used by the HTTP Proxy service. If one of the defined DNS servers is unreachable, the HTTP Proxy will not use the globally defined servers of the Barracuda CloudGen Firewall unit itself.

You can only edit this table in Advanced Configuration Mode. In the left navigation pane, expand Configuration Mode and click Switch to Advanced View. Note that this setting overwrites system-wide DNS server settings.

SNMP Monitoring

To configure the SNMP monitoring settings, click Set. For more details, see SNMP Monitoring.

Log Settings

This table provides more detailed descriptions of the log settings that you can configure in Configure Log Settings.

SettingDescription
Write Cache-LogThe cache log file records debug and failure messages generated by Squid during operating time. This log file includes such information as service start and termination, and execution of ACLs.
Debug Level
The debug level defines the verbosity of the cache log file. You can select:
  • normal – Minimal logging. Errors will not be listed exhaustively; statistical information will not be generated.
  • verbose – Generates statistical information and logs most errors.
  • debug – Exhaustive logging of errors and statistical information.

    With the debug setting, more disk space is used by the service log.

Log via SyslogDetermines how to handle log files that are generated by the HTTP Proxy service. You can select:
  • Auto – Queries the Syslog-Proxy configuration before log data processing. If a streaming profile for HTTP Proxy log files is defined, it will be used to stream log files to a syslog server and generate a local log file as well.
  • Yes – Forwards logging data to the local Syslog proxy, where more data processing can be defined. For more details, see How to Configure Syslog Streaming.
  • No – Generates log files on the Barracuda CloudGen Firewall. If you are impacted by performance issues with remote logging to busy servers, select No.

IPFIX StreamingTo stream HTTP Proxy logs to an external IPFIX collector, select Yes. You must also configure the IPFIX streaming settings. For more details, see How to Configure Audit & Reporting With IPFIX.

Misc. Settings

This table provides more detailed descriptions for the log settings that you can configure in (Optional) Step 4. Configure Misc. Settings.

SettingDescription
Disable Extended Passive FTP

Control whether Squid uses EPSV extension for efficient NAT handling and IPv6 protocol support in FTP.

You cannot enable FTP on more than one proxy.

Number of WorkersDefines the number of CPU cores used by the HTTP Proxy engine. Auto allocates all available cores to the HTTP Proxy engine.
Follow X-Forwarded-For HeaderTo use the X-Forwarded-For header of HTTP requests for logging and ACLs, select yes.
Cache SettingsTo configure the cache settings, click Set.
  • Cache Type – Specifies the behavior of the HTTP Proxy cache. You can choose between the following options:
    • None – Disables the local cache (Proxy mode only).
    • Minimal – The system uses minimal disk space for caching.
    • Aggressive – The system uses up to half of the available hard disk for caching.
    • User-Defined – This option lets you define the cache settings manually and enables the following parameters:

  • Size in MB – The maximum size of the cache directory in MB. It is recommended that you set this limit to at least 100 MB. The cache is located in /var/phion/squid cache_SERVERNAME_SERVICE NAME.
  • Level1 Directories / Level2 Directories – These settings define the structural organization of the proxy service's cache directory. The default values (16 / 256) are the recommended minimum values for the Level1 and Level2 directories, respectively. Be aware that entering high values generates a vast number of subdirectories.
  • Max Object Size(kB) – Objects exceeding this limit will not be cached.
  • Mem Cache Size (MB) – The memory size of the lookup cache.
Limit SettingsTo specify the maximum size for files processed by the HTTP Proxy, click Set. In the Overall Maximum File Size field, enter the file size limit. Files that exceed this limit are dropped by the HTTP Proxy service. An equal limitation may also be set by using Proxy Access Control Lists.