Jump to content
xisto Community
Feung

Howto - Transparent Proxy Using Squid

Recommended Posts

this is a quick and dirty how-to to set up a working transparent proxy for small office use. this one is a custom install note. it is NOT compatible with the default RPM packages provided by your linux vendors. use it at your own risk. also note that all the values provided here should be modified according to your specifications. DO NOT use the values as is!

overview

you have an internet gateway in your office:

a. eth0 - external interface (ISP-provided IP)
b. eth1 - internal interface (192.168.0.1)

you want to place advantages such as web access speed-up, web access monitoring and filtering capabilities to this gateway. i use squid 2.6 in this case and the setup here wouldn't work for versions prior to 2.6.

here are the steps.


1. download source from squid-cache.org; create necessary directories;

as root:

mkdir -p /usr/local/var/squid /usr/local/var/squid/cache /usr/local/var/squid/logs
chown -R nobody:nobody /usr/local/var/squid
chmod 750 /usr/local/var/squid /usr/local/var/squid/cache /usr/local/var/squid/logs
exit

2. ./configure with the following options (this was based on Fedora Core, with modifications)

./configure --prefix=/usr/local \   --sysconfdir=/etc/squid \   --enable-epoll \   --enable-snmp \   --enable-removal-policies="heap,lru" \   --enable-storeio="aufs,coss,diskd,null,ufs" \   --enable-ssl \   --with-openssl=/usr/kerberos \   --enable-delay-pools \   --enable-linux-netfilter \   --with-pthreads \   --enable-ntlm-auth-helpers="SMB,fakeauth" \   --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group" \   --enable-auth="basic,digest,ntlm" \   --enable-digest-auth-helpers="password" \   --with-winbind-auth-challenge \   --enable-useragent-log \   --enable-referer-log \   --disable-dependency-tracking \   --enable-cachemgr-hostname=localhost \   --enable-underscores \   --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" \   --enable-cache-digests \   --enable-ident-lookups \   --enable-follow-x-forwarded-for \   --enable-wccpv2 \   --enable-fd-config \   --with-maxfd=16384
3. make

4. sudo make install

5. put the following in /etc/squid.conf (minimum configuration only, see squid.conf.default for more details):

http_port 127.0.0.1:3128http_port 192.168.0.1:3128 transparentcache_dir ufs /usr/local/var/squid/cache 100 16 256pid_filename /usr/local/var/squid/logs/squid.pidvisible_hostname gw.office.interncache_mgr bl00d@gw.office.internlogformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Shaccess_log /usr/local/var/squid/logs/access.log squidcache_log /usr/local/var/squid/logs/cache.logcache_store_log /usr/local/var/squid/logs/store.loguseragent_log /usr/local/var/squid/logs/useragent.logreferer_log /usr/local/var/squid/logs/referer.logacl localhost src 127.0.0.1/255.255.255.255acl intern src 192.168.0.0/24acl all src 0.0.0.0/0.0.0.0acl manager proto cache_objectacl to_localhost dst 127.0.0.0/8acl SSL_ports port 443 563acl Safe_ports port 80 21 443 563 70 210 1025-65535acl CONNECT method CONNECThttp_access allow internhttp_access allow localhosthttp_access deny !Safe_portshttp_access deny allacl QUERY urlpath_regex cgi-bin \? asp jsp phpcache deny QUERYfollow_x_forwarded_for deny allhttp_reply_access allow all

6. put the follong in /etc/sysconfig/squid:

# default squid options# -D disables initial dns checks. If you most likely will not to have an#	internet connection when you start squid, uncomment thisSQUID_OPTS="-D"# Time to wait for Squid to shut down when asked. Should not be necessary# most of the time.SQUID_SHUTDOWN_TIMEOUT=100

7. put the following in /etc/logrotate.d/squid:

/usr/local/var/squid/logs/access.log {	weekly	rotate 5	copytruncate	compress	notifempty	missingok}/usr/local/var/squid/logs/cache.log {	weekly	rotate 5	copytruncate	compress	notifempty	missingok}/usr/local/var/squid/logs/useragent.log {	weekly	rotate 5	copytruncate	compress	notifempty	missingok}/usr/local/var/squid/logs/referer.log {	weekly	rotate 5	copytruncate	compress	notifempty	missingok}/usr/local/var/squid/logs/store.log {	weekly	rotate 5	copytruncate	compress	notifempty	missingok# This script asks squid to rotate its logs on its own.# Restarting squid is a long process and it is not worth# doing it just to rotate logs	postrotate	  /usr/local/sbin/squid -k rotate	endscript}[/quote]8. put the following in /etc/rc.d/init.d/squid:[code]#!/bin/bash# squid This shell script takes care of starting and stopping# Squid Internet Object Cache## chkconfig: - 90 25# description: Squid - Internet Object Cache. Internet object caching is \# a way to store requested Internet objects (i.e., data available \# via the HTTP, FTP, and gopher protocols) on a system closer to the \# requesting site than to the source. Web browsers can then use the \# local Squid cache as a proxy HTTP server, reducing access time as \# well as bandwidth consumption.# pidfile: /usr/local/var/squid/logs/squid.pid# config: /etc/squid/squid.confPATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/bin:/usr/sbinexport PATH# Source function library.. /etc/rc.d/init.d/functions# Source networking configuration.. /etc/sysconfig/network# Check that networking is up.[ ${NETWORKING} = "no" ] && exit 0# check if the squid conf file is present[ -f /etc/squid/squid.conf ] || exit 0if [ -f /etc/sysconfig/squid ]; then. /etc/sysconfig/squidfi# don't raise an error if the config file is incomplete# set defaults instead:SQUID_OPTS=${SQUID_OPTS:-"-D"}SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}# determine the name of the squid binary[ -f /usr/local/sbin/squid ] && SQUID=/usr/local/sbin/squid && SQUID1=squid[ -z "$SQUID" ] && exit 0prog="$SQUID"# determine which one is the cache_swap directoryCACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \grep cache_dir | awk '{ print $3 }'`[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/usr/local/var/squid/cacheRETVAL=0start() {for adir in $CACHE_SWAP; doif [ ! -d $adir/00 ]; thenecho -n "init_cache_dir $adir... "$SQUID -z -F -D >> /usr/local/var/squid/logs/squid.out 2>&1fidoneecho -n $"Starting $prog: "$SQUID $SQUID_OPTS >> /usr/local/var/squid/logs/squid.out 2>&1RETVAL=$?if [ $RETVAL -eq 0 ]; thentimeout=0;while :; do[ ! -f /usr/local/var/squid/logs/squid.pid ] || breakif [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; thenRETVAL=1breakfisleep 1 && echo -n "."timeout=$((timeout+1))donefi[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID1[ $RETVAL -eq 0 ] && echo_success[ $RETVAL -ne 0 ] && echo_failureechoreturn $RETVAL}stop() {echo -n $"Stopping $prog: "$SQUID -k check >> /usr/local/var/squid/logs/squid.out 2>&1RETVAL=$?if [ $RETVAL -eq 0 ]; then$SQUID -k shutdown &rm -f /var/lock/subsys/$SQUID1timeout=0while :; do[ -f /usr/local/var/squid/logs/squid.pid ] || breakif [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; thenechoreturn 1fisleep 2 && echo -n "."timeout=$((timeout+2))doneecho_successechoelseecho_failureechofireturn $RETVAL}reload() {$SQUID $SQUID_OPTS -k reconfigure}restart() {stopstart}condrestart() {[ -e /var/lock/subsys/squid ] && restart || :}rhstatus() {status $SQUID && $SQUID -k check}probe() {return 0}case "$1" instart)start;;stop)stop;;reload)reload;;restart)restart;;condrestart)condrestart;;status)rhstatus;;probe)exit 0;;*)echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"exit 1esacexit $?

then issue the command:
chmod 750 /etc/rc.d/init.d/squid

9. add the following rules in your existing iptables (nat section):
A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128

if you have allowed only a selection of ports to be accepted in the INPUT section of iptables, make sure you also add te port 3128 in the allow list

10. now you can create startup and shutdown run level links to the squid run script:
as root:chkconfig --add squidchkconfig --level 345 squid on

and run the service:
as root:service squid start

it should initialize the cache directory and runs in background.

that's all (see, it is simple isn't it? Wink). because the server is already the gateway of your internal network, all the web access from the internal network will be redirected to the squid port for processing.

Share this post


Link to post
Share on other sites

Do I really have to type service squid start
</Quote>
or are <Quote> and </Quote> mistyping for ?
Regards

Yordan :rolleyes:


Yeah, you don't need the quote...he used the html quote tags instead of BBcode ones. Perhaps a mod can edit this so it's more readable and informative?

Share this post


Link to post
Share on other sites
there, fixed ... it was a pain in the butt to go through it all.

 

xboxrulz

I guess that Feung could also have done this by himself, using the browser "search" (probably F3) and replacing each <quote> by

By the way, xb, can you really help me in French, or is it just a joke inside a signature ?

Share this post


Link to post
Share on other sites

I'm sure he can...at least the French in his signature is grammatically and syntactically correct. If not, I probably can...I speak a fair amount of French ^^


not to mention he's from Toronto... which is to say he's barely south of the French speaking cities.... I know few canadiens who know only one language...

moi, j'aime beaucoup le francais... mais je n'aime pas utiliser <<charmap>> ou <<ALT>> pour ecrire les accents... et je ne sais pas l'argot (comme les mots des ordinateurs :rolleyes:

Share this post


Link to post
Share on other sites

Thanks, folks.And, yes, I confirm that xb's French is perfect.I was joking, of course. I don't really need help in french language : Xisto's forum language is English, I accepted it, I think I can understand the topics and I hope that I make myself understood.Thanks again for that nice topic, Feuing. Personnally, i use Privoxy on Win98 (shame on me!), but I serously think about switching to Linux, so this topic will be very precious to me.RegardsYordan

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.