November 22, 2024, 04:26:37 AM

News : LinuxSolved.com Linux Help Community Forum..


Author Topic: Configuring Squid Proxy server & Transparent Proxy  (Read 328024 times)

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Configuring Squid Proxy server & Transparent Proxy
« on: January 08, 2004, 05:45:12 PM »
Hello..
After lots loads of questions about squid I decide to write this tutorial..
Here We are going to do our job in two major steps.
(a) Configuring Squid Proxy
(b) Making squid work in Transparent way

So (a) is for those who want squid working and if you want squid in transparent way then go for (a) and (b) both.

But before making squid transparent make sure you have seen
NAT / Interent Sharing in Linux How to


Part (a)
Configuring Squid for Simple Proxy
I encourage people to install squid from source code. If you want to use squid in transparent way then install squid with following options
This is to configure Squid with support for transparent proxy
Code: [Select]
# enabling the transparent proxy feature during compliation.
./configure --enable-linux-netfilter
 # then make
make
 # then make install
make install
After installing squid successfully we have to configure squid to work for us.

So open /usr/local/squid/etc/squid.conf and uncomment the options which you requires or use the following  squid.conf and modify it according to your use..
Code: [Select]


  # Set the maximums size of the object which will be cached.

maximum_object_size 8192 KB 

  # Set maximum physical RAM to be used for storing objects.
  # NOTE: typically squid uses much more RAM then specified so when we said 16 MB then actually it is using around 25 MB RAM.

cache_mem 16 MB


  # use to set where to store cache. here it is /cache of size 2048 MB.
  # Here 22 and 256 are used to define directory structure so you don't have to touch it.

cache_dir ufs /cache 2048 22 256


  # Here we are disabling cache_store_log as it will only increase disk usage.
  # You can enable it anytime by specifying path instead of "none" directive"

cache_store_log none


  # Here we are specifying that when we say "all " then it means whole internet.
  # Also specifying some required acls.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255


   # Here specifying acls for which ports are allowed, which network is allowed to use our proxy .
    # Here "your_netwrok" is the name use for your network.
    # Change 192.168.0.0/255.255.255.0 to address of your LAN

acl your_network src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT


    # Here giving permission for localhost ie this machine to access proxy.

http_access allow manager localhost
http_access deny manager


    # Denying access to ports which are not safe

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


     # Allowing access to LAN and denying others.

http_access allow your_network
http_access deny all
icp_access allow all
miss_access allow all


      # Give the email of your adminstrator which can be contacted if anything goes wrong by the users.

cache_mgr you@yourdomain.com


      # Set here the hostname of your proxy box. You can set anything if don't have any FQDN .

visible_hostname you.yourdomain.com
unique_hostname you.yourdomain.com


      # Directive for squid proxy to work also in Transparent mode.
      # If not using transparent proxy then you still keep them.

httpd_accel_host vertual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


      # Set the port which will be used by clients to access squid proxy

http_port 3128

Now you have your squid.conf ready to go. But before running squid run following to initialized the cache directory
Code: [Select]
/usr/local/squid/sbin/squid -z If it don't give any error then we should move to next step.

Now run squid by (Internet should be already connected)
Code: [Select]
/usr/local/squid/sbin/squid
Now see  /usr/local/squid/var/logs/cache.log if you see some thing like this..
Code: [Select]

2004/01/08 22:48:30| Ready to serve requests. 


2004/01/08 22:48:30|   Completed Validation Procedure
2004/01/08 22:48:30|   Validated 7002 Entries
2004/01/08 22:48:30|   store_swap_size = 63960k
2004/01/08 22:48:31| storeLateRelease: released 0 objects 
If you see some thing like above then you have squid configured correctly and it is working.
Now you have squid ready to use.

Note:
To Use squid configure your clients brower to use proxy by setting the ip of proxy server as your computer's ip running squid and specifying the port as 3128 or other which have changed in squid.conf . Make sure you add same port for SSL proxy as for HTTP proxy .
Now try to surf the net from client and check /usr/local/squid/var/logs/access.log to see whether the site you have opened is recored in access.log to make sure your  computer is using squid.
It is now all done. I have tried to make it simple and practical but there are various other aspect of squid which are not covered here. But I hope as you get your squid working then you will understand them all yourself.


Part (b)
Setting Up squid to run in Transparent Mode
After making sure that your proxy is working fine. You can use transparent proxy if you want to use it.
To run proxy in Transparent mode add the following lines to your NAT script as I specified here NAT / internet shaaring how to
Code: [Select]
#Transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And now set your client's browser to not to use the proxy and open a site from client then check the access.log to see that the site opened by use is redirected to squid or not.
If you are able to open websites and also that is getting logged in access.log then your transparent proxy is up and working.

If this don't work but you are able to open sites using simple proxy then you are probably not having NAT. See NAT / internet sharing how to
« Last Edit: April 22, 2007, 08:18:47 PM by Ricky »

Offline lugoteehalt

  • Linux Noob !
  • *
  • Posts: 22
    • BestiaryOfThePit
Configuring Squid Proxy server & Transparent Proxy
« Reply #1 on: January 08, 2004, 07:09:32 PM »
Sorry such a basic question but see a lot of stuff about 'transparent proxies':

What is a transparent proxy? Have looked in dictionaries but do not really understand.

Thanks for any help.

 :D

Offline ashwin_ice

  • Linux Noob !
  • *
  • Posts: 10
Configuring Squid Proxy server & Transparent Proxy
« Reply #2 on: January 09, 2004, 12:15:37 PM »
Thanks a Billion, Ricky... that was really considerate of you and I think that this would help a lot of people. And to those who need to understand what a transparent proxy is... BUT REMEMBER TO USE THE SETTINGS GIVEN IN RICKY'S TUTORIAL AS THE ONE GIVEN THERE IS MORE COMPLEX....

TRANSPARENT PROXY(For those Who Dont Know What a TransParent Proxy is):

A transparent cache is so named because it works by intercepting the network traffic transparently to the browser. In this mode, the cache short-circuits the retrieval process if the desired file is in the cache. Transparent caches are especially useful to ISPs because they require no browser setup modification. Transparent caches are also the simplest way to use a cache internally on a network, because they do not require explicit coordination with other caches. The purpose of this white paper is to discuss the various methods of implementating transparent caching using Squid on Linux with a policy based router, an externalL4 switch, and an L4 switch inside the Linux Squid box. First, some basic concepts will be discussed, followed by the advantages of transparent caching, and finally redirecting packets to Squid using IP-Chains.

 
 
What is transparent caching?  The full explanation about the term "Transparent Caching and Transparent Proxying" depends on the context, but we can assume the context here is HTTP proxy/caches with transparent hijacking of port 80, which is the default HTTP traffic in the internet.

The difference is that the cache includes a cache, while the proxy only proxies without caching. The term transparent is overloaded, having different meanings depending on the situation. To some it means a setup that hijacks port 80 traffic where the client tried to go to other servers, to some it means a semantically transparent proxy that does not change the meaning or content of requests/replies. There is no such thing as a truly transparent proxy, only semitransparent and certainly not such a thing as a truly transparent cache. Squid can be configured to act transparently. In this mode, clients are not required to configure their browsers to access the cache, but Squid will transparently pick up the appropriate packets and cache requests. This solves the biggest problem with caching: i.e. getting users to use the cache server.

 
More Info : http://squid.visolve.com/white_papers/trans_caching.htm

But remember follow Ricky's suggestions or ure gonna screw up like I did   :lol:

Offline lugoteehalt

  • Linux Noob !
  • *
  • Posts: 22
    • BestiaryOfThePit
Configuring Squid Proxy server & Transparent Proxy
« Reply #3 on: January 10, 2004, 01:22:24 PM »
Right, so a proxy is a second computer that also holds a web page, say. Proxy 'The management of another's affairs.'

And transparent means the browser 'sees through it' - if it does not have the desired page it just lets the browser's request out to the net.

Sorry if being dense :D

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Configuring Squid Proxy server & Transparent Proxy
« Reply #4 on: January 10, 2004, 04:32:22 PM »
Hmm.. well Transparent proxy is Proxy+NAT

Offline lugoteehalt

  • Linux Noob !
  • *
  • Posts: 22
    • BestiaryOfThePit
Configuring Squid Proxy server & Transparent Proxy
« Reply #5 on: January 12, 2004, 03:23:16 PM »
NAT

Short for Network Address Translation, NAT as specified in RFC 1631 is an Internet standard that enables a local-area network (LAN) to use one or more IP addresses for internal traffic and a second for external. A network NAT is commonly used by home users to allow multiple computers to easily connect to a broadband connection. NAT is also used to hide internet network addresses by using the single NAT address.
Today there are two different variants of NAT used. NAPT which is short for Network Address Port Translation, NAPT and PAT which is short for Port Address Translation.

Also see: Network definitions, Proxy


 
Proxy server

A Proxy is a computer server or software program which is part of the gateway server or another computer that separates a local network from outside networks.
A proxy server will generally cache all pages accessed through the network. When a page is accessed that is not in the proxy servers cache the proxy server will access the page using its own IP address cache the page and forward it to the user accessing that page.

Users who wish to setup a proxy at home or home office to be used to share a internet connection VIA modem or other internet connection may wish to consider any of the following products:

- Sygate Home Network
- WinProxy
- SpoonProxy
- ShareTheNet

Also see: ICS, Network definitions http://www.mrhope.com/jargon/n/nat.htm

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Configuring Squid Proxy server & Transparent Proxy
« Reply #6 on: January 13, 2004, 06:34:07 AM »
I think we here we have now a good explanation. It is now a good tutorial..  :)

Offline vasu

  • Linux Noob !
  • *
  • Posts: 19
linux squid and iptable error
« Reply #7 on: February 11, 2004, 06:21:05 AM »
hi

  everyone i configured  redhat linux9.0 squid it is workiing fine after i add iptables squid is show running but cilent system net acces is not comming.

Offline vasu

  • Linux Noob !
  • *
  • Posts: 19
linux bandwidth controlle software
« Reply #8 on: February 11, 2004, 06:34:51 AM »
hi
 
          i have  in redhat linux 9.0.i configured two lan cards eth0 directly conneted internet eth1 is private ip,s with i configured linux with  nat so i want now some private ips given some restrication how to it. this is my right now is using script.


and i want manging bandwidth controlle software in linux u have any free software is there please given website link

i#/bin/sh
service ipchains stop
/sbin/rmmod  ipchains
/sbin/insmod ip_tables
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

/sbin/iptables --table nat --append POSTROUTING -s 192.168.1.2  -j MASQUERADE

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Configuring Squid Proxy server & Transparent Proxy
« Reply #9 on: February 11, 2004, 07:35:02 AM »
What do want to do ? Simple internet sharing or Proxy or Transparent proxy ?
I can tell you how to block specific ip address but you have to tell me that wht do you want to use .. Iptable or squid ??
You can also have bandwidth management using squid on the per user basis by using delay pools..

Offline vasu

  • Linux Noob !
  • *
  • Posts: 19
how to block ftp service in redhat linux nat
« Reply #10 on: February 12, 2004, 01:06:27 PM »
hi

   i work now  rh9.0 iin nat ip masqureade so i want now how to block ftp in nat private ip

this is my nat script please tell mee how block ftp service this pariticular ip 192.168.1.2


i#/bin/sh
service ipchains stop
/sbin/rmmod ipchains
/sbin/insmod ip_tables
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

/sbin/iptables --table nat --append POSTROUTING -s 192.168.1.2 -j MASQUERADE

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Configuring Squid Proxy server & Transparent Proxy
« Reply #11 on: February 13, 2004, 03:13:41 PM »
Vasu your question has been answered here.. in new thread wher you have asked it..
http://www.linuxsolved.com/forums/viewtopic.php?t=180

Offline kmashraf

  • Linux Noob !
  • *
  • Posts: 18
Requesting advice
« Reply #12 on: April 10, 2004, 01:48:56 PM »
I have a gateway machine with the following config
IDT WinChip 200 MHz
32 MB RAM
2 GB HDD
2 NIC's (one eth0 connected to a cable modem and the other eth1 connected to the local lan)
I run Vector Linux 3.2 on it. Like the small footprint and intend to use it for purposes such as NAT, FIREWALLING, PROXYING.
This box is already doing NAT for my local network as well as firewalling.
It also is running Psionic PortSentry. Nifty little piece of software.
I do not want to change any of that.
I want to install a minimalist proxy on it. Just want to block all of 'em steamy sites from specific ip's cause I don't want the kids to loose it. I like to believe that I am liberal and  would rather educate the kids. But others are not so cool.The want this sh.... cut off.
I am a little confused about caching. I want to know if I have to setup squid as a caching proxy to achieve these ends ? I am not really concerned about the performance of web access. I only wanna block off specific sites to specific ip's.
Thanks
All help greatly appreciated
Love the Brave GNU World ! 8)

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
Configuring Squid Proxy server & Transparent Proxy
« Reply #13 on: April 10, 2004, 05:21:32 PM »
For kmashraf..
Well to do all that you can just install smoothwall.
BTw.. to block a site u can make acl, search linuxsolved.com forums using search feature.
INstalling squid caching server will increase the performance.
I would rather suggest to incrase RAM if you are going to install squid.

Offline kmashraf

  • Linux Noob !
  • *
  • Posts: 18
Re Requesting Advice
« Reply #14 on: April 11, 2004, 02:55:15 AM »
Using Smoothwall would mean losing my existing setup. Not a happy thought, since I spent time setting it up.
So you say that 32 MB RAM is not enough for Squid ? The RAM I have are SIMM's, getting more or replacing with higher capacity RAM will be a difficult exercise.
The machine in question has been in service 24/7/365 for the past 3 years. Running mostly RedHat and Mandrake. Vector Linux I setup only recently for I felt that RH and Mandrake are too much for a machine of that config.
Thank you.
Khan Md Ashraf