Install Squid Proxy Server

From BubbaWiki
Revision as of 08:40, 12 August 2012 by Lars Höög (talk | contribs) (ISO-8601 date and time formatting)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Bubba 3 Server can be configured to act as a web proxy.This tutorial is based on the official Debian Guide.

If you've setup a Linux machine as a gateway, standing between you and the internet then you have a lot of options for tweaking it. One of the most common things to setup is transparent proxying via squid.

If you've followed the previous guide on setting up a Linux gateway you will have one machine with two network interfaces, one for internal use (eth0) and one which is publically connected to the internet (eth1).

This gateway machine has a collection of firewall rules which:

  • Allow machines "behind" it to make outgoing connections.
    * Prevent incoming connections from the internet.

If we wish to setup a transparent proxy server to cache web pages - which would speed up browsing for those machines behind the gateway we need to do two things:

  • Install a caching proxy server
    * Add some rules to our gateway to seemlessly allow our machines to use it.

The first is simple. As root run:

apt-get install squid

This will install the Squid caching proxy server. This is configured by the file /etc/squid/squid.conf and we will need to make several changes to it.

First of all we need to tell it that we only wish it to listen on the internal interface. Remember that this gateway machine has two networking interfaces, one for the internal LAN and one for the internet.

Pick the one which is internal and add it to the configuration file as follows:

# Squid normally listens to port 3128
http_port 127.0.0.1:8080 transparent
http_port 192.168.10.1:8080 transparent

(In my case the internal address is 192.168.10.1, allowing the server to listen on the "loopback" address of 127.0.0.1 is a good idea too, and will be required later).

to tell Squid which networks are allowed to connect to our proxy server, without this it will refuse all incoming requests.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
  1. Adapt localnet in the ACL section to list your (internal) IP networks from where browsing should be allowed


acl our_networks src 192.168.10.0/24 http_access allow localnet http_access allow our_networks http_access allow localhost


If you're using a different network internally then you will need to adjust the addresses appropriately.

That's all the squid setup complete, so now we restart it:

/etc/init.d/squid restart

Now we have a caching proxy server - which you is listening on 192.168.10.1:8080. If you were to enter that into your browser you should see it working - but what we are going to do next is make it transparent.

Nobody behind the gateway should need to do anything, instead it should just magically work (tm ;)

The way we do that is to add a rule to the firewal, which will redirect outgoing requests to the web (port 80) to instead go via the proxy server we've setup on the gateway machine on port 8080.

Add the following firewall rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Alternatively use this method which is better: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

This says that anything coming from the internal interface (br0) which has a destination port of 80 (web) should be redirected to the new squid installation we've made on port 8080.

Reload your firewall and you should have it in place.

To test it you simply need to watch the squid logfile as you browse the web from another machine.

On the Bubba machine you can run:

tail -f /var/log/squid/access.log

Now you should see the requests coming through when you refresh the browser.

Now it is time to install Dansguardian and SquidGuard, which add the web filtering functionality

apt-get install dansguardian
apt-get install squidguard

The article will be updated on how to configure these later.


If you prefer having ISO-8601 style formatting of the timestamp in your access log then thw following example will give 2012-08-12 08:35:55.119 for August 12th at 10:35:55.119 CEST (CET summer time) include the following entry in your squid.conf file.

logformat combinedISOGMT %>a %ui %un '''%{%Y-%m-%d %H:%M:%S}tg.%03tu''' %rm "%ru" HTTP/%rv %Hs %>st %<st %mt "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh 

References:

http://www.debian-administration.org/articles/71