Difference between revisions of "Install Squid Proxy Server"
(ISO-8601 date and time formatting) |
|||
(3 intermediate revisions by one other user not shown) | |||
Line 28: | Line 28: | ||
<pre># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</pre><pre># Example rule allowing access from your local networks. | <pre># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</pre><pre># Example rule allowing access from your local networks. | ||
# Adapt localnet in the ACL section to list your (internal) IP networks | # Adapt localnet in the ACL section to list your (internal) IP networks from where browsing should be allowed | ||
acl our_networks src 192.168.10.0/24 | acl our_networks src 192.168.10.0/24 | ||
http_access allow localnet | |||
http_access allow our_networks | http_access allow our_networks | ||
http_access allow localhost | |||
</pre> | |||
If you're using a different network internally then you will need to adjust the addresses appropriately. | If you're using a different network internally then you will need to adjust the addresses appropriately. | ||
Line 97: | Line 50: | ||
The way we do that is to add a rule to the firewal, which will redirect outgoing requests to the web (port 80) to instead go via the proxy server we've setup on the gateway machine on port 8080. | The way we do that is to add a rule to the firewal, which will redirect outgoing requests to the web (port 80) to instead go via the proxy server we've setup on the gateway machine on port 8080. | ||
Add the following firewall rule:<br> | Add the following firewall rule:<br> | ||
<pre>iptables -t nat -A PREROUTING -i | <pre>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 | ||
</pre> | |||
Alternatively use this method which is better: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect</pre> | |||
This says that anything coming from the internal interface (br0) which has a destination port of 80 (web) should be redirected to the new squid installation we've made on port 8080. | This says that anything coming from the internal interface (br0) which has a destination port of 80 (web) should be redirected to the new squid installation we've made on port 8080. | ||
Line 117: | Line 71: | ||
The article will be updated on how to configure these later.<br> | The article will be updated on how to configure these later.<br> | ||
If you prefer having ISO-8601 style formatting of the timestamp in your access log then thw following example will give 2012-08-12 08:35:55.119 for August 12th at 10:35:55.119 CEST (CET summer time) include the following entry in your squid.conf file. | |||
<pre>logformat combinedISOGMT %>a %ui %un '''%{%Y-%m-%d %H:%M:%S}tg.%03tu''' %rm "%ru" HTTP/%rv %Hs %>st %<st %mt "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh | |||
</pre> | |||
References:<br> | References:<br> | ||
http://www.debian-administration.org/articles/71<br> | http://www.debian-administration.org/articles/71<br> |
Latest revision as of 08:40, 12 August 2012
Bubba 3 Server can be configured to act as a web proxy.This tutorial is based on the official Debian Guide.
If you've setup a Linux machine as a gateway, standing between you and the internet then you have a lot of options for tweaking it. One of the most common things to setup is transparent proxying via squid.
If you've followed the previous guide on setting up a Linux gateway you will have one machine with two network interfaces, one for internal use (eth0) and one which is publically connected to the internet (eth1).
This gateway machine has a collection of firewall rules which:
- Allow machines "behind" it to make outgoing connections.
* Prevent incoming connections from the internet.
If we wish to setup a transparent proxy server to cache web pages - which would speed up browsing for those machines behind the gateway we need to do two things:
- Install a caching proxy server
* Add some rules to our gateway to seemlessly allow our machines to use it.
The first is simple. As root run:
apt-get install squid
This will install the Squid caching proxy server. This is configured by the file /etc/squid/squid.conf and we will need to make several changes to it.
First of all we need to tell it that we only wish it to listen on the internal interface. Remember that this gateway machine has two networking interfaces, one for the internal LAN and one for the internet.
Pick the one which is internal and add it to the configuration file as follows:
# Squid normally listens to port 3128 http_port 127.0.0.1:8080 transparent http_port 192.168.10.1:8080 transparent
(In my case the internal address is 192.168.10.1, allowing the server to listen on the "loopback" address of 127.0.0.1 is a good idea too, and will be required later).
to tell Squid which networks are allowed to connect to our proxy server, without this it will refuse all incoming requests.
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
- Adapt localnet in the ACL section to list your (internal) IP networks from where browsing should be allowed
acl our_networks src 192.168.10.0/24 http_access allow localnet http_access allow our_networks http_access allow localhost
If you're using a different network internally then you will need to adjust the addresses appropriately.
That's all the squid setup complete, so now we restart it:
/etc/init.d/squid restart
Now we have a caching proxy server - which you is listening on 192.168.10.1:8080. If you were to enter that into your browser you should see it working - but what we are going to do next is make it transparent.
Nobody behind the gateway should need to do anything, instead it should just magically work (tm ;)
The way we do that is to add a rule to the firewal, which will redirect outgoing requests to the web (port 80) to instead go via the proxy server we've setup on the gateway machine on port 8080.
Add the following firewall rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 Alternatively use this method which is better: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
This says that anything coming from the internal interface (br0) which has a destination port of 80 (web) should be redirected to the new squid installation we've made on port 8080.
Reload your firewall and you should have it in place.
To test it you simply need to watch the squid logfile as you browse the web from another machine.
On the Bubba machine you can run:
tail -f /var/log/squid/access.log
Now you should see the requests coming through when you refresh the browser.
Now it is time to install Dansguardian and SquidGuard, which add the web filtering functionality
apt-get install dansguardian apt-get install squidguard
The article will be updated on how to configure these later.
If you prefer having ISO-8601 style formatting of the timestamp in your access log then thw following example will give 2012-08-12 08:35:55.119 for August 12th at 10:35:55.119 CEST (CET summer time) include the following entry in your squid.conf file.
logformat combinedISOGMT %>a %ui %un '''%{%Y-%m-%d %H:%M:%S}tg.%03tu''' %rm "%ru" HTTP/%rv %Hs %>st %<st %mt "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
References: