overview
you have an internet gateway in your office:
a. eth0 - external interface (ISP-provided IP)
b. eth1 - internal interface (192.168.0.1)
you want to add features such as web access speed-up (caching), web access monitoring and filtering to this gateway. I use Squid 2.6 here; the setup relies on 2.6-style directives (for example the `transparent` option on `http_port`) and will not work unchanged on versions prior to 2.6.
here are the steps.
1. download source from squid-cache.org; create necessary directories;
as root:
# Runtime state for Squid: the top-level directory plus the cache and log
# directories.  Squid drops privileges to its cache_effective_user (nobody by
# default) after start-up, so that account must own everything under here.
# Mode 750 keeps other local users out: the logs contain every user's
# browsing history.
for dir in /usr/local/var/squid /usr/local/var/squid/cache /usr/local/var/squid/logs; do
    mkdir -p "$dir"
done
chown -R nobody:nobody /usr/local/var/squid
chmod 750 /usr/local/var/squid /usr/local/var/squid/cache /usr/local/var/squid/logs
# leave the root shell again
exit
2. ./configure with the following options (this was based on Fedora Core, with modifications)
CODE
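# Build options (based on the Fedora Core squid package, with modifications).
# This is ONE command: every line except the last ends in a backslash.  The
# original listing pasted the option list twice; the second copy started
# after the last (un-continued) line and would have run as stray commands.
#
# Notes a reviewer would want:
#  - "fakeauth" is Squid's NTLM *test* helper and accepts any credentials.
#    It is merely compiled here; never point a production auth_param at it.
#  - --with-openssl points at the Kerberos-bundled OpenSSL tree on Fedora;
#    change it to wherever your OpenSSL headers and libraries really live.
#  - --enable-follow-x-forwarded-for only compiles the feature; squid.conf in
#    step 5 keeps it switched off with "follow_x_forwarded_for deny all".
#  - --enable-cachemgr-hostname=localhost restricts the cachemgr CGI to the
#    local host by default.
./configure --prefix=/usr/local \
  --sysconfdir=/etc/squid \
  --enable-epoll \
  --enable-snmp \
  --enable-removal-policies="heap,lru" \
  --enable-storeio="aufs,coss,diskd,null,ufs" \
  --enable-ssl \
  --with-openssl=/usr/kerberos \
  --enable-delay-pools \
  --enable-linux-netfilter \
  --with-pthreads \
  --enable-ntlm-auth-helpers="SMB,fakeauth" \
  --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group" \
  --enable-auth="basic,digest,ntlm" \
  --enable-digest-auth-helpers="password" \
  --with-winbind-auth-challenge \
  --enable-useragent-log \
  --enable-referer-log \
  --disable-dependency-tracking \
  --enable-cachemgr-hostname=localhost \
  --enable-underscores \
  --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" \
  --enable-cache-digests \
  --enable-ident-lookups \
  --enable-follow-x-forwarded-for \
  --enable-wccpv2 \
  --enable-fd-config \
  --with-maxfd=16384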
3. make
4. sudo make install
5. put the following in /etc/squid/squid.conf — that is the path selected by `--sysconfdir=/etc/squid` above and the one the init script in step 8 checks for, not /etc/squid.conf (minimum configuration only, see squid.conf.default for more details):
CODE
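# Minimal Squid 2.6 configuration; see squid.conf.default for every directive.
# (The original listing contained each directive twice; duplicates removed.)

# Listen only on loopback and on the internal interface, never on eth0, so
# the proxy is not reachable from the ISP side.  The transparent port is the
# target of the iptables REDIRECT in step 9.
http_port 127.0.0.1:3128
http_port 192.168.0.1:3128 transparent

cache_dir ufs /usr/local/var/squid/cache 100 16 256
pid_filename /usr/local/var/squid/logs/squid.pid
visible_hostname gw.office.intern
cache_mgr bl00d@gw.office.intern

# Logging.  The log directory is mode 750 nobody:nobody (step 1) because
# access/useragent/referer logs are a complete record of users' browsing.
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /usr/local/var/squid/logs/access.log squid
cache_log /usr/local/var/squid/logs/cache.log
cache_store_log /usr/local/var/squid/logs/store.log
useragent_log /usr/local/var/squid/logs/useragent.log
referer_log /usr/local/var/squid/logs/referer.log

# Access-control lists.
acl localhost src 127.0.0.1/255.255.255.255
acl intern src 192.168.0.0/24
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

# http_access rules are evaluated top-down and the first match wins.  The
# restrictive rules therefore have to come BEFORE "allow intern"; in the
# original order "allow intern" matched first, so the Safe_ports rule never
# applied to internal clients and they could CONNECT through the proxy to
# any TCP port (SMTP, SSH, ...).  The cache manager interface is limited to
# localhost, and requests aimed at the gateway's own loopback services are
# refused, as squid.conf.default recommends.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow intern
http_access allow localhost
http_access deny all

# Do not cache dynamic content.
acl QUERY urlpath_regex cgi-bin \? asp jsp php
cache deny QUERY

# Never trust client-supplied X-Forwarded-For headers for ACL or log
# decisions (the feature is compiled in, see the configure options).
follow_x_forwarded_for deny all
http_reply_access allow all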
6. put the following in /etc/sysconfig/squid (the init script in step 8 sources this file if it exists):
CODE
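# default squid options, sourced by /etc/rc.d/init.d/squid
# -D disables Squid's initial DNS test.  Keep it if the gateway may be
# started before its Internet link is up, otherwise Squid refuses to start
# when the test lookups fail.  (The original file listed these settings
# twice and described -D as commented out when it was not.)
SQUID_OPTS="-D"

# Seconds to wait for Squid to shut down when asked.  The default in the
# init script is the same, so this rarely needs changing.
SQUID_SHUTDOWN_TIMEOUT=100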
7. put the following in /etc/logrotate.d/squid:
CODE
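# Rotate every Squid log weekly and keep five compressed generations.
# One stanza for all five files; "sharedscripts" makes postrotate run once
# instead of once per file.  The original listed five identical stanzas and
# only the store.log one told Squid to reopen its logs.
#
# copytruncate lets Squid keep its open file descriptors; "-k rotate" makes
# it reopen them.  Squid also rotates logs by itself on -k rotate
# (logfile_rotate, default 10 in 2.6), so set "logfile_rotate 0" in
# squid.conf to avoid two rotation schemes fighting over the same files.
#
# These logs are users' browsing history; they inherit the 750 nobody:nobody
# log directory from step 1, and the rotated copies are created by root.
/usr/local/var/squid/logs/access.log
/usr/local/var/squid/logs/cache.log
/usr/local/var/squid/logs/useragent.log
/usr/local/var/squid/logs/referer.log
/usr/local/var/squid/logs/store.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
    sharedscripts
    # Ask squid to reopen its logs; restarting squid just to rotate
    # logs is slow and drops client connections.
    postrotate
        /usr/local/sbin/squid -k rotate
    endscript
}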
8. put the following in /etc/rc.d/init.d/squid:
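#!/bin/bash
# squid         This shell script takes care of starting and stopping
#               Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#       a way to store requested Internet objects (i.e., data available \
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
#       requesting site than to the source. Web browsers can then use the \
#       local Squid cache as a proxy HTTP server, reducing access time as \
#       well as bandwidth consumption.
# pidfile: /usr/local/var/squid/logs/squid.pid
# config: /etc/squid/squid.conf

# Fixed PATH: this script runs as root, so never inherit a caller-controlled
# search path.
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library (echo_success, echo_failure, status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted: with NETWORKING unset the original
# unquoted test was a syntax error rather than a comparison.
[ "${NETWORKING}" = "no" ] && exit 0

# Nothing to do without a configuration file.
[ -f /etc/squid/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

# Don't raise an error if the sysconfig file is incomplete; set defaults instead.
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

# Paths that squid.conf (step 5) points at.
SQUID_PIDFILE=/usr/local/var/squid/logs/squid.pid
SQUID_OUT=/usr/local/var/squid/logs/squid.out

# Determine the name of the squid binary; exit quietly if it is not installed.
SQUID=
SQUID1=
if [ -f /usr/local/sbin/squid ]; then
    SQUID=/usr/local/sbin/squid
    SQUID1=squid
fi
[ -z "$SQUID" ] && exit 0
prog="$SQUID"
# Single lock-file name for start, stop and condrestart (the original
# condrestart used a literal "squid" while the others used $SQUID1).
LOCKFILE=/var/lock/subsys/$SQUID1

# Cache directories: the path field of every uncommented cache_dir line.
# Several cache_dir lines yield several whitespace-separated paths.
CACHE_SWAP=$(sed -e 's/#.*//g' /etc/squid/squid.conf |
    awk '$1 == "cache_dir" { print $3 }')
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/usr/local/var/squid/cache

RETVAL=0

# Initialise every cache directory that has not been populated yet, then
# start squid and wait for its pid file.  Squid is started as root and drops
# to cache_effective_user itself, which is why the step-1 directories belong
# to nobody.  Sets RETVAL and returns it.
start() {
    local adir timeout
    # Word-splitting of CACHE_SWAP is intentional: one path per word.
    for adir in $CACHE_SWAP; do
        if [ ! -d "$adir/00" ]; then
            echo -n "init_cache_dir $adir... "
            "$SQUID" -z -F -D >> "$SQUID_OUT" 2>&1
        fi
    done
    echo -n $"Starting $prog: "
    # SQUID_OPTS deliberately unquoted: it may hold several options.
    "$SQUID" $SQUID_OPTS >> "$SQUID_OUT" 2>&1
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        # Give squid up to SQUID_PIDFILE_TIMEOUT seconds to write its pid file.
        timeout=0
        while [ ! -f "$SQUID_PIDFILE" ]; do
            if [ "$timeout" -ge "$SQUID_PIDFILE_TIMEOUT" ]; then
                RETVAL=1
                break
            fi
            sleep 1 && echo -n "."
            timeout=$((timeout + 1))
        done
    fi
    if [ "$RETVAL" -eq 0 ]; then
        touch "$LOCKFILE"
        echo_success
    else
        echo_failure
    fi
    echo
    return "$RETVAL"
}

# Ask a running squid to shut down and wait (up to SQUID_SHUTDOWN_TIMEOUT
# seconds) for its pid file to disappear.  Returns 1 on timeout, otherwise
# the status of "squid -k check".
stop() {
    local timeout
    echo -n $"Stopping $prog: "
    "$SQUID" -k check >> "$SQUID_OUT" 2>&1
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        "$SQUID" -k shutdown &
        rm -f "$LOCKFILE"
        timeout=0
        while [ -f "$SQUID_PIDFILE" ]; do
            if [ "$timeout" -ge "$SQUID_SHUTDOWN_TIMEOUT" ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout + 2))
        done
        echo_success
    else
        echo_failure
    fi
    echo
    return "$RETVAL"
}

# Re-read squid.conf without a restart.
reload() {
    "$SQUID" $SQUID_OPTS -k reconfigure
}

restart() {
    stop
    start
}

# Restart only if the service was started through this script.
condrestart() {
    [ -e "$LOCKFILE" ] && restart || :
}

rhstatus() {
    status "$SQUID" && "$SQUID" -k check
}

probe() {
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    condrestart)
        condrestart
        ;;
    status)
        rhstatus
        ;;
    probe)
        exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac

exit $?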
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/usr/local/var/squid/logs/cache.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/usr/local/var/squid/logs/useragent.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/usr/local/var/squid/logs/referer.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/usr/local/var/squid/logs/store.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
# This script asks squid to rotate its logs on its own.
# Restarting squid is a long process and it is not worth
# doing it just to rotate logs
postrotate
/usr/local/sbin/squid -k rotate
endscript
}
[/quote]
8. put the following in /etc/rc.d/init.d/squid:
[code]
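#!/bin/bash
# squid         This shell script takes care of starting and stopping
#               Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#       a way to store requested Internet objects (i.e., data available \
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
#       requesting site than to the source. Web browsers can then use the \
#       local Squid cache as a proxy HTTP server, reducing access time as \
#       well as bandwidth consumption.
# pidfile: /usr/local/var/squid/logs/squid.pid
# config: /etc/squid/squid.conf

# Fixed PATH: this script runs as root, so never inherit a caller-controlled
# search path.
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library (echo_success, echo_failure, status).
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.  Quoted: with NETWORKING unset the original
# unquoted test was a syntax error rather than a comparison.
[ "${NETWORKING}" = "no" ] && exit 0

# Nothing to do without a configuration file.
[ -f /etc/squid/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then
    . /etc/sysconfig/squid
fi

# Don't raise an error if the sysconfig file is incomplete; set defaults instead.
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

# Paths that squid.conf (step 5) points at.
SQUID_PIDFILE=/usr/local/var/squid/logs/squid.pid
SQUID_OUT=/usr/local/var/squid/logs/squid.out

# Determine the name of the squid binary; exit quietly if it is not installed.
SQUID=
SQUID1=
if [ -f /usr/local/sbin/squid ]; then
    SQUID=/usr/local/sbin/squid
    SQUID1=squid
fi
[ -z "$SQUID" ] && exit 0
prog="$SQUID"
# Single lock-file name for start, stop and condrestart (the original
# condrestart used a literal "squid" while the others used $SQUID1).
LOCKFILE=/var/lock/subsys/$SQUID1

# Cache directories: the path field of every uncommented cache_dir line.
# Several cache_dir lines yield several whitespace-separated paths.
CACHE_SWAP=$(sed -e 's/#.*//g' /etc/squid/squid.conf |
    awk '$1 == "cache_dir" { print $3 }')
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/usr/local/var/squid/cache

RETVAL=0

# Initialise every cache directory that has not been populated yet, then
# start squid and wait for its pid file.  Squid is started as root and drops
# to cache_effective_user itself, which is why the step-1 directories belong
# to nobody.  Sets RETVAL and returns it.
start() {
    local adir timeout
    # Word-splitting of CACHE_SWAP is intentional: one path per word.
    for adir in $CACHE_SWAP; do
        if [ ! -d "$adir/00" ]; then
            echo -n "init_cache_dir $adir... "
            "$SQUID" -z -F -D >> "$SQUID_OUT" 2>&1
        fi
    done
    echo -n $"Starting $prog: "
    # SQUID_OPTS deliberately unquoted: it may hold several options.
    "$SQUID" $SQUID_OPTS >> "$SQUID_OUT" 2>&1
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        # Give squid up to SQUID_PIDFILE_TIMEOUT seconds to write its pid file.
        timeout=0
        while [ ! -f "$SQUID_PIDFILE" ]; do
            if [ "$timeout" -ge "$SQUID_PIDFILE_TIMEOUT" ]; then
                RETVAL=1
                break
            fi
            sleep 1 && echo -n "."
            timeout=$((timeout + 1))
        done
    fi
    if [ "$RETVAL" -eq 0 ]; then
        touch "$LOCKFILE"
        echo_success
    else
        echo_failure
    fi
    echo
    return "$RETVAL"
}

# Ask a running squid to shut down and wait (up to SQUID_SHUTDOWN_TIMEOUT
# seconds) for its pid file to disappear.  Returns 1 on timeout, otherwise
# the status of "squid -k check".
stop() {
    local timeout
    echo -n $"Stopping $prog: "
    "$SQUID" -k check >> "$SQUID_OUT" 2>&1
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        "$SQUID" -k shutdown &
        rm -f "$LOCKFILE"
        timeout=0
        while [ -f "$SQUID_PIDFILE" ]; do
            if [ "$timeout" -ge "$SQUID_SHUTDOWN_TIMEOUT" ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout + 2))
        done
        echo_success
    else
        echo_failure
    fi
    echo
    return "$RETVAL"
}

# Re-read squid.conf without a restart.
reload() {
    "$SQUID" $SQUID_OPTS -k reconfigure
}

restart() {
    stop
    start
}

# Restart only if the service was started through this script.
condrestart() {
    [ -e "$LOCKFILE" ] && restart || :
}

rhstatus() {
    status "$SQUID" && "$SQUID" -k check
}

probe() {
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    condrestart)
        condrestart
        ;;
    status)
        rhstatus
        ;;
    probe)
        exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
esac

exit $?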
then issue the command:
# The init script runs as root; keep it writable by root only and not
# readable by unprivileged users.
chmod u=rwx,g=rx,o= /etc/rc.d/init.d/squid
9. add the following rules in your existing iptables (nat section):
CODE
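# nat table, iptables-save syntax (the rule needs the leading "-" on -A).
# Only traffic arriving on the internal interface eth1 is intercepted, and
# only plain HTTP on port 80; 3128 is the "transparent" http_port of step 5.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128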
if you have allowed only a selection of ports to be accepted in the INPUT chain of iptables, make sure you also add port 3128 to the allow list — but only for the internal interface (for example `-A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT`), so the proxy is never reachable from the ISP side. Binding squid to 192.168.0.1 and 127.0.0.1 in step 5 is the second line of defence against that.
10. now you can create startup and shutdown run level links to the squid run script:
CODE
as root:
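# Register the init script and enable it in run levels 3, 4 and 5.
# (The original listing repeated both commands; once is enough.)
chkconfig --add squid
chkconfig --level 345 squid on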
and run the service:
CODE
as root:
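# Start the proxy; the first start also creates the cache directory layout.
service squid start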
it should initialize the cache directory and then keep running in the background.
that's all (see, it is simple isn't it? Wink). because the server is already the gateway of your internal network, all plain-HTTP (port 80) traffic from the internal network is redirected to the squid port for processing. Note that the rule in step 9 intercepts port 80 only: HTTPS (443) and HTTP on other ports leave the gateway untouched and are neither cached, logged nor filtered by squid unless the browsers are explicitly configured to use 192.168.0.1:3128 as their proxy.


