Difference between revisions of "Install Squid Proxy Server"

From BubbaWiki
Latest revision as of 08:40, 12 August 2012

Bubba 3 Server can be configured to act as a web proxy. This tutorial is based on the official Debian Guide.

If you've set up a Linux machine as a gateway, standing between you and the internet, then you have a lot of options for tweaking it. One of the most common things to set up is transparent proxying via squid.

If you've followed the previous guide on setting up a Linux gateway you will have one machine with two network interfaces, one for internal use (eth0) and one which is publicly connected to the internet (eth1).

This gateway machine has a collection of firewall rules which:

  • Allow machines "behind" it to make outgoing connections.
  • Prevent incoming connections from the internet.

If we wish to set up a transparent proxy server to cache web pages (which would speed up browsing for the machines behind the gateway), we need to do two things:

  • Install a caching proxy server
  • Add some rules to our gateway to seamlessly allow our machines to use it.

The first is simple. As root run:

apt-get install squid

This will install the Squid caching proxy server. This is configured by the file /etc/squid/squid.conf and we will need to make several changes to it.

First of all we need to tell it that we only wish it to listen on the internal interface. Remember that this gateway machine has two networking interfaces, one for the internal LAN and one for the internet.

Pick the one which is internal and add it to the configuration file as follows:

# Squid normally listens to port 3128
http_port 127.0.0.1:8080 transparent
http_port 192.168.10.1:8080 transparent

(In my case the internal address is 192.168.10.1. Allowing the server to listen on the "loopback" address 127.0.0.1 is a good idea too, and will be required later.)

Next we need to tell Squid which networks are allowed to connect to our proxy server; without this it will refuse all incoming requests.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

acl our_networks src 192.168.10.0/24
http_access allow localnet
http_access allow our_networks
http_access allow localhost


If you're using a different network internally then you will need to adjust the addresses appropriately.
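To see what the http_access lines above actually permit, here is a small evaluator of Squid's src ACLs and first-match http_access semantics. It is an added example, not part of this page or of Squid itself; the localnet ranges and the closing http_access deny all are what Debian's stock squid.conf is assumed to ship, so confirm them in your own file. It also shows that uncommenting allow localnet admits any RFC1918 source, which makes the our_networks rule redundant.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed squid.conf fragment: the page's lines on top of the src ACLs
# that Debian's stock squid.conf defines (assumption: check your own file,
# which should also end with "http_access deny all").
SQUID_CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl all src all
acl our_networks src 192.168.10.0/24
http_access allow localnet
http_access allow our_networks
http_access allow localhost
http_access deny all
"""


def parse_conf(text: str) -> Tuple[Dict[str, List], List[Tuple[str, str]]]:
    """Collect 'acl NAME src NET...' entries and the ordered http_access rules."""
    acls: Dict[str, List] = {}
    rules: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # strip comments
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            for net in parts[3:]:
                # "all" is Squid's catch-all; anything else is an IP or CIDR
                acls.setdefault(parts[1], []).append(
                    None if net == "all" else ipaddress.ip_network(net, strict=False))
        elif len(parts) == 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2]))   # (allow|deny, acl name)
    return acls, rules


def http_access(client: str, text: str = SQUID_CONF) -> str:
    """Squid checks http_access lines in order and the first match wins;
    if nothing matches, it applies the opposite of the last line's action."""
    acls, rules = parse_conf(text)
    ip = ipaddress.ip_address(client)
    for action, name in rules:
        if any(net is None or ip in net for net in acls.get(name, [])):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Run http_access("10.0.0.5") with and without the allow localnet line to see the difference; the proxy only binds the internal address and loopback, so the exposure is limited to hosts that can reach those.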

That's all the squid setup complete, so now we restart it:

/etc/init.d/squid restart

Now we have a caching proxy server which is listening on 192.168.10.1:8080. If you were to enter that into your browser you should see it working - but what we are going to do next is make it transparent.

Nobody behind the gateway should need to do anything; instead it should just magically work (tm ;)

The way we do that is to add a rule to the firewall which will redirect outgoing requests to the web (port 80) to instead go via the proxy server we've set up on the gateway machine on port 8080.

Add the following firewall rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Alternatively, use the method described on the Squid wiki, which is better: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

This says that anything arriving on the internal interface (eth0 in the rule above, or br0 if your internal interface is a bridge) with a destination port of 80 (web) should be redirected to the new squid installation we've made on port 8080.

Reload your firewall and you should have it in place.

To test it you simply need to watch the squid logfile as you browse the web from another machine.

On the Bubba machine you can run:

tail -f /var/log/squid/access.log

Now you should see the requests coming through when you refresh the browser.

Now it is time to install Dansguardian and SquidGuard, which add the web filtering functionality.

apt-get install dansguardian
apt-get install squidguard

The article will be updated on how to configure these later.


If you prefer ISO-8601 style formatting of the timestamp in your access log, the following example gives 2012-08-12 08:35:55.119 for August 12th at 10:35:55.119 CEST (CET summer time); the %tg field logs GMT, hence the two-hour difference. Include the following entry in your squid.conf file.

logformat combinedISOGMT %>a %ui %un %{%Y-%m-%d %H:%M:%S}tg.%03tu %rm "%ru" HTTP/%rv %Hs %>st %<st %mt "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
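As an added example (not from the original page or from Squid), here is a parser for lines written in the combinedISOGMT format above, fed a constructed sample of what tail -f /var/log/squid/access.log would show after the transparent redirect is in place. The timestamp field contains a space and the quoted fields may too, so a plain split() will not do; the CEST offset is hard-coded to match the page's example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Field order follows the combinedISOGMT logformat: client, ident, user,
# GMT timestamp with milliseconds, method, URL, HTTP version, status,
# request bytes, reply bytes, MIME type, Referer, User-Agent, squid status:hierarchy.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) '
    r'(?P<method>\S+) "(?P<url>[^"]*)" HTTP/(?P<version>\S+) '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+) (?P<resp_bytes>\d+) (?P<mime>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<squid_status>[^:\s]+):(?P<hier>\S+)$')

CEST = timezone(timedelta(hours=2), "CEST")  # %tg writes GMT; local time in the page's example

# Constructed sample lines, not real log output.
SAMPLE_LOG = """\
192.168.10.20 - - 2012-08-12 08:35:55.119 GET "http://www.example.com/" HTTP/1.1 200 412 5832 text/html "-" "Mozilla/5.0 (X11; Linux x86_64)" TCP_MISS:DIRECT
192.168.10.21 - - 2012-08-12 08:35:57.004 GET "http://www.example.com/" HTTP/1.1 200 410 5832 text/html "-" "Mozilla/5.0 (X11; Linux x86_64)" TCP_HIT:NONE
192.168.10.20 - - 2012-08-12 08:36:01.550 GET "http://www.example.com/logo.png" HTTP/1.1 304 380 247 - "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)" TCP_IMS_HIT:NONE
"""


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one combinedISOGMT line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    utc = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    rec["time_utc"], rec["time_local"] = utc, utc.astimezone(CEST)
    for key in ("status", "req_bytes", "resp_bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines: List[str]) -> Dict:
    """Request count, cache hits (any *_HIT status), bytes served and the
    client addresses seen; the client list is a quick check that only
    internal hosts are reaching the proxy."""
    recs = [r for r in map(parse_line, lines) if r]
    hits = sum(1 for r in recs if r["squid_status"].endswith("_HIT"))
    return {
        "requests": len(recs),
        "hits": hits,
        "hit_ratio": round(hits / len(recs), 2) if recs else 0.0,
        "bytes_to_clients": sum(r["resp_bytes"] for r in recs),
        "clients": sorted({r["client"] for r in recs}),
    }
```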

References:

http://www.debian-administration.org/articles/71