Post #1, Nov 29 2007, 06:15 AM
Newbie [ Level 1 ] Group: Members Posts: 7 Joined: 29-November 07 Member No.: 26,526
this is a quick and dirty how-to to set up a working transparent proxy for small office use. this one is a custom install note. it is NOT compatible with the default RPM packages provided by your linux vendors. use it at your own risk. also note that all the values provided here should be modified according to your specifications. DO NOT use the values as is!

overview

you have an internet gateway in your office:

a. eth0 - external interface (ISP-provided IP)
b. eth1 - internal interface (192.168.0.1)

you want to add advantages such as web access speed-up, web access monitoring and filtering capabilities to this gateway. i use squid 2.6 in this case and the setup here wouldn't work for versions prior to 2.6. here are the steps.

1. download source from squid-cache.org; create necessary directories; as root:

```
mkdir -p /usr/local/var/squid /usr/local/var/squid/cache /usr/local/var/squid/logs
chown -R nobody:nobody /usr/local/var/squid
chmod 750 /usr/local/var/squid /usr/local/var/squid/cache /usr/local/var/squid/logs
exit
```

2. ./configure with the following options (this was based on Fedora Core, with modifications)

```
./configure --prefix=/usr/local \
  --sysconfdir=/etc/squid \
  --enable-epoll \
  --enable-snmp \
  --enable-removal-policies="heap,lru" \
  --enable-storeio="aufs,coss,diskd,null,ufs" \
  --enable-ssl \
  --with-openssl=/usr/kerberos \
  --enable-delay-pools \
  --enable-linux-netfilter \
  --with-pthreads \
  --enable-ntlm-auth-helpers="SMB,fakeauth" \
  --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group" \
  --enable-auth="basic,digest,ntlm" \
  --enable-digest-auth-helpers="password" \
  --with-winbind-auth-challenge \
  --enable-useragent-log \
  --enable-referer-log \
  --disable-dependency-tracking \
  --enable-cachemgr-hostname=localhost \
  --enable-underscores \
  --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" \
  --enable-cache-digests \
  --enable-ident-lookups \
  --enable-follow-x-forwarded-for \
  --enable-wccpv2 \
  --enable-fd-config \
  --with-maxfd=16384
```

3. make

4. sudo make install

5. put the following in /etc/squid.conf (minimum configuration only, see squid.conf.default for more details):

```
http_port 127.0.0.1:3128
http_port 192.168.0.1:3128 transparent
cache_dir ufs /usr/local/var/squid/cache 100 16 256
pid_filename /usr/local/var/squid/logs/squid.pid
visible_hostname gw.office.intern
cache_mgr bl00d@gw.office.intern
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /usr/local/var/squid/logs/access.log squid
cache_log /usr/local/var/squid/logs/cache.log
cache_store_log /usr/local/var/squid/logs/store.log
useragent_log /usr/local/var/squid/logs/useragent.log
referer_log /usr/local/var/squid/logs/referer.log
acl localhost src 127.0.0.1/255.255.255.255
acl intern src 192.168.0.0/24
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
# http_access rules are matched first-hit: keep the port restrictions
# ahead of the allows, otherwise allowed sources are never port-checked
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow intern
http_access allow localhost
http_access deny all
acl QUERY urlpath_regex cgi-bin \? asp jsp php
cache deny QUERY
follow_x_forwarded_for deny all
http_reply_access allow all
```

6. put the following in /etc/sysconfig/squid:

```
# default squid options
# -D disables initial dns checks. If you most likely will not have an
# internet connection when you start squid, uncomment this
SQUID_OPTS="-D"

# Time to wait for Squid to shut down when asked. Should not be necessary
# most of the time.
SQUID_SHUTDOWN_TIMEOUT=100
```

7. put the following in /etc/logrotate.d/squid:

```
/usr/local/var/squid/logs/access.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}

/usr/local/var/squid/logs/cache.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}

/usr/local/var/squid/logs/useragent.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}

/usr/local/var/squid/logs/referer.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}

/usr/local/var/squid/logs/store.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
    # This script asks squid to rotate its logs on its own.
    # Restarting squid is a long process and it is not worth
    # doing it just to rotate logs
    postrotate
        /usr/local/sbin/squid -k rotate
    endscript
}
```

8. put the following in /etc/rc.d/init.d/squid:

```
#!/bin/bash
# squid         This shell script takes care of starting and stopping
#               Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#       a way to store requested Internet objects (i.e., data available \
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
#       requesting site than to the source. Web browsers can then use the \
#       local Squid cache as a proxy HTTP server, reducing access time as \
#       well as bandwidth consumption.
# pidfile: /usr/local/var/squid/logs/squid.pid
# config: /etc/squid/squid.conf

PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# check if the squid conf file is present
[ -f /etc/squid/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

# determine the name of the squid binary
[ -f /usr/local/sbin/squid ] && SQUID=/usr/local/sbin/squid && SQUID1=squid
[ -z "$SQUID" ] && exit 0

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
    grep cache_dir | awk '{ print $3 }'`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/usr/local/var/squid/cache

RETVAL=0

start() {
    # create the cache directory structure on first start
    for adir in $CACHE_SWAP; do
        if [ ! -d $adir/00 ]; then
            echo -n "init_cache_dir $adir... "
            $SQUID -z -F -D >> /usr/local/var/squid/logs/squid.out 2>&1
        fi
    done
    echo -n $"Starting $prog: "
    $SQUID $SQUID_OPTS >> /usr/local/var/squid/logs/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        # wait for the pid file to appear, up to SQUID_PIDFILE_TIMEOUT seconds
        timeout=0
        while :; do
            [ ! -f /usr/local/var/squid/logs/squid.pid ] || break
            if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
                RETVAL=1
                break
            fi
            sleep 1 && echo -n "."
            timeout=$((timeout+1))
        done
    fi
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID1
    [ $RETVAL -eq 0 ] && echo_success
    [ $RETVAL -ne 0 ] && echo_failure
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    $SQUID -k check >> /usr/local/var/squid/logs/squid.out 2>&1
    RETVAL=$?
    if [ $RETVAL -eq 0 ]; then
        $SQUID -k shutdown &
        rm -f /var/lock/subsys/$SQUID1
        # wait for the pid file to go away, up to SQUID_SHUTDOWN_TIMEOUT seconds
        timeout=0
        while :; do
            [ -f /usr/local/var/squid/logs/squid.pid ] || break
            if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        done
        echo_success
        echo
    else
        echo_failure
        echo
    fi
    return $RETVAL
}

reload() {
    $SQUID $SQUID_OPTS -k reconfigure
}

restart() {
    stop
    start
}

condrestart() {
    [ -e /var/lock/subsys/squid ] && restart || :
}

rhstatus() {
    status $SQUID && $SQUID -k check
}

probe() {
    return 0
}

case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
reload)
    reload
    ;;
restart)
    restart
    ;;
condrestart)
    condrestart
    ;;
status)
    rhstatus
    ;;
probe)
    exit 0
    ;;
*)
    echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
    exit 1
esac

exit $?
```

then issue the command:

```
chmod 750 /etc/rc.d/init.d/squid
```

9. add the following rule in your existing iptables (nat section):

```
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
```

if you have allowed only a selection of ports to be accepted in the INPUT section of iptables, make sure you also add the port 3128 in the allow list

10. now you can create startup and shutdown run level links to the squid run script:

```
as root:
chkconfig --add squid
chkconfig --level 345 squid on
```

and run the service:

```
as root:
service squid start
```

it should initialize the cache directory and run in the background. that's all (see, it is simple, isn't it? ;) ). because the server is already the gateway of your internal network, all the web access from the internal network will be redirected to the squid port for processing.
Reason for edit: User needs to learn how to quote. Fixed all errors.
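The part of this setup that deserves a second look before it goes live is the `http_access` section: Squid evaluates those rules first-match, so an `allow` for the internal network placed ahead of `deny !Safe_ports` means internal clients are never port-checked at all, and a `transparent` listener bound to the external address would intercept traffic arriving from the ISP side. The following shell script is an added example, not code from the post or from the Squid project: it normalizes a squid.conf fragment and reports those two mistakes plus two related ones (last rule not `deny all`, `follow_x_forwarded_for allow`). The three configuration fragments and the external address 203.0.113.1 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the post or of Squid: audit a minimal squid.conf
# for the http_access ordering and listener placement mistakes that matter on
# a gateway box. Assumes the conf text is passed as a string and the external
# (ISP-facing) address is known.

# Constructed fragment in the order a first draft often ends up with: the
# network allow precedes the Safe_ports deny, so the deny is unreachable.
WEAK_CONF=$(cat <<'EOF'
http_port 127.0.0.1:3128
http_port 192.168.0.1:3128 transparent
acl intern src 192.168.0.0/24
acl Safe_ports port 80 21 443 563 70 210 1025-65535
http_access allow intern
http_access allow localhost
http_access deny !Safe_ports
http_access deny all
follow_x_forwarded_for deny all
EOF
)

# Same fragment with the deny moved ahead of the allows.
FIXED_CONF=$(cat <<'EOF'
http_port 127.0.0.1:3128
http_port 192.168.0.1:3128 transparent
acl intern src 192.168.0.0/24
acl Safe_ports port 80 21 443 563 70 210 1025-65535
http_access deny !Safe_ports
http_access allow intern
http_access allow localhost
http_access deny all
follow_x_forwarded_for deny all
EOF
)

# Constructed fragment that binds the transparent listener to the external
# address (203.0.113.1 is a documentation address, not a real host) and
# trusts X-Forwarded-For from anyone.
EXT_BIND_CONF=$(cat <<'EOF'
http_port 203.0.113.1:3128 transparent
acl Safe_ports port 80 21 443
http_access deny !Safe_ports
http_access allow all
follow_x_forwarded_for allow all
EOF
)

# normalize CONF_TEXT: drop comments, squeeze whitespace, drop blank lines.
normalize() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' | grep -v '^$' || true
}

# audit_squid_conf CONF_TEXT EXTERNAL_IP
# Prints one finding per line; prints nothing when every check passes.
audit_squid_conf() {
    rules=$(normalize "$1")
    ext_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots for grep

    # 1. Rule order: the first allow must come after 'deny !Safe_ports'.
    first_allow=$(printf '%s\n' "$rules" | grep -n '^http_access allow ' | head -n 1 | cut -d: -f1)
    safe_deny=$(printf '%s\n' "$rules" | grep -n '^http_access deny !Safe_ports' | head -n 1 | cut -d: -f1)
    if [ -z "$safe_deny" ]; then
        echo "missing 'http_access deny !Safe_ports'"
    elif [ -n "$first_allow" ] && [ "$first_allow" -lt "$safe_deny" ]; then
        echo "'http_access allow' precedes 'deny !Safe_ports': port restriction is unreachable for allowed sources"
    fi

    # 2. The final http_access rule should be the catch-all deny.
    last_access=$(printf '%s\n' "$rules" | grep '^http_access ' | tail -n 1)
    [ "$last_access" = "http_access deny all" ] || echo "last http_access rule is not 'deny all'"

    # 3. A transparent listener belongs on the internal interface only.
    if printf '%s\n' "$rules" | grep -q "^http_port $ext_re:[0-9]* transparent"; then
        echo "transparent http_port bound to external address $2"
    fi

    # 4. Client-supplied X-Forwarded-For must not be trusted on a gateway.
    if printf '%s\n' "$rules" | grep -q '^follow_x_forwarded_for allow '; then
        echo "follow_x_forwarded_for allows client-supplied addresses"
    fi
}

# Usage against a live file: audit_squid_conf "$(cat /etc/squid/squid.conf)" 203.0.113.1
```

Run against `WEAK_CONF` the script reports the ordering problem only; against `FIXED_CONF` it reports nothing; against `EXT_BIND_CONF` it reports the missing final deny, the external bind and the X-Forwarded-For setting. The checks are textual and deliberately narrow, so they complement rather than replace `squid -k parse`, which validates syntax but not policy.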
Post #2, Nov 29 2007, 02:42 PM
Way Out Of Control - You need a life :) Group: [MODERATOR] Posts: 2,032 Joined: 16-August 05 Member No.: 7,896
Do I really have to type

    service squid start </Quote>

or are <Quote> and </Quote> mistyping for [QUOTE] service squid start [/QUOTE]?

Regards
Yordan
Post #3, Nov 30 2007, 04:59 PM
Premium Member Group: [HOSTED] Posts: 393 Joined: 9-March 07 From: Tucson, AZ Member No.: 20,794
Post #4, Nov 30 2007, 10:39 PM
Colonel Panic Group: [MODERATOR] Posts: 2,780 Joined: 25-March 05 From: Toronto, Ontario, Canada Member No.: 3,233
there, fixed ... it was a pain in the butt to go through it all.

xboxrulz
Post #5, Dec 2 2007, 08:44 PM
Way Out Of Control - You need a life :) Group: [MODERATOR] Posts: 2,032 Joined: 16-August 05 Member No.: 7,896
> there, fixed ... it was a pain in the butt to go through it all.
> xboxrulz

I guess that Feung could also have done this by himself, using the browser "search" (probably F3) and replacing each <quote> by [quote].

By the way, xb, can you really help me in French, or is it just a joke inside a signature?
Post #6, Dec 3 2007, 05:56 PM
Premium Member Group: [HOSTED] Posts: 393 Joined: 9-March 07 From: Tucson, AZ Member No.: 20,794
I'm sure he can...at least the French in his signature is grammatically and syntactically correct. If not, I probably can...I speak a fair amount of French ^^
Post #7, Dec 5 2007, 05:29 AM
Advanced Member Group: Members Posts: 128 Joined: 12-February 05 From: St. Louis, MO Member No.: 2,612
> I'm sure he can...at least the French in his signature is grammatically and syntactically correct. If not, I probably can...I speak a fair amount of French ^^

not to mention he's from Toronto... which is to say he's barely south of the French-speaking cities.... I know few Canadians who know only one language... as for me, I like French a lot... but I don't like using <<charmap>> or <<ALT>> to write the accents... and I don't know the slang (like the computer words
Post #8, Dec 5 2007, 03:15 PM
Way Out Of Control - You need a life :) Group: [MODERATOR] Posts: 2,032 Joined: 16-August 05 Member No.: 7,896
Thanks, folks.

And, yes, I confirm that xb's French is perfect. I was joking, of course. I don't really need help in the French language: Astahost's forum language is English, I accepted it, I think I can understand the topics and I hope that I make myself understood. Thanks again for that nice topic, Feuing. Personally, I use Privoxy on Win98 (shame on me!), but I seriously think about switching to Linux, so this topic will be very precious to me.

Regards
Yordan