LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Articles > Technical
User Name
Password

Notices


By sabir_mustafa at 2011-01-21 11:56
DEPLOYING TRANSPARENT WEB PROXY SERVER USING SQUID 2.7STABLE9

It is expected that reader have at least 01 year of experience in Linux and have good command on terminal.

The purpose of this document is to provide a practical guide to the Linux professionals who desire to deploy a sufficiently secure and transparent squid in their infrastructure.
The squid RPM that is shipped with Linux is an easy start but for a system administrator this RPM might be insufficient since it will be lacking certain advance features like bandwidth control, transparent etc.

In this document we will download the squid 2.7STABLE9 from the www.squid-cache.org and compile it with the desired options.

Step 1:

• Download the squid 2.7STABLE9 from www.squid-cache.org.
• Copy the downloaded .tar.gz file in /tmp directory and perform following steps
a. Open terminal
b. Cd /tmp
c. Mv downloadedfilename.tar.gz squid27.tar.gz
d. tar –zxvf squid27.tar.gz squid27
e. Cd squid27

When you are in the squid directory, it is then possible to use “./configure” command to compile the squid in default mode. Since our goal is to compile squid with advance options therefore I had compiled the squid using the following options according to my needs:

I strongly suggest that you must use the command “./configure --help” and read the description of each switch before proceeding.
Code:
./configure --enable-storeio=”diskd,aufs,ufs” --enable-removal-policies=”lru,heap” --enable-delay-pools --enable-snmp --enable-arp-acl --enable-cache-digests --enable-linux-netfilter --disable-ident-lookups --enable-auth=”basic” –enable-basic-auth-helpers=”NCSA” --with-maxfd=8192 --enable-default-err-language=”English” --enable-err-language=”English” && echo “Configuration successful”
After the squid is compiled successfully you should see Configuration successful message on the screen.
Code:
Type make && echo “Make Successful”
Code:
Type make install && echo “Installation complete”
If all the messages appear correctly then the squid is completely installed. By default, squid places its files under /usr/local/squid path. Moreover the command “service start/stop squid” is not available in this mode. I shall write another small document on this topic but right now we have to know how to start and stop squid.

Before starting squid, we need to configure user permissions and cache directories. By the time squid is installed from source there is no “squid” user or group exists on the machine and you have to create them if you want to, however, the default user and group “nobody” can also be used to serve the same purpose.

To enable cache effective user type

vi /usr/local/squid/etc/squid.conf and search for the word “nobody”, the default user for the parameter “cache_effective_user” is “nobody” you can replace it with “squid” if you want.
After setting user, now search for “cache_dir ufs”. The default path and settings to this directory is “/usr/local/squid/var/cache 3000 64 512” on my machine. You can change the path and the settings as well but remember that these directories should be read and writable to the user “nobody or squid”.
Now since you have verified the physical path, it is time to set permission for the user. In my environment, I am using “nobody” therefore I shall perform command for this user.

Type “cd /usr/local/squid/var” and type “ll” to view the existing directories. There should be two directories “logs” and “cache”. If any of these is missing then you should create it manually by using the command:

Code:
mkdir dirname
Set the permissions on both folders for user “nobody”.
Code:
chmod –R nobody.nobody cache
chown 775 –R cache
chmod –R nobody.nobody logs
chown 775 –R logs
To create the cache directories run the command

Code:
/usr/local/squid/sbin/squid -z
The squid shall create the necessary directories in the “cache” folder
After applying the above mentioned command, the basic configuration of squid is complete; we can now proceed for detailed configuration.

Start squid: /usr/local/squid/sbin/squid –D

To verify that squid process is running, type ps aux | grep squid. This command should display the squid parent as well as child process on the screen.

Stop squid: /usr/local/squid/sbin/squid –k shutdown

To verify the squid process has finished, type ps aux | grep squid. This time the command should not display the squid process.

Note:
Add following 03 lines to “rc.local” file. The first line shall start squid automatically and the other two lines will help accessing ftp sites without any problem.

Code:
echo “/usr/local/squid/sbin/squid –k D” >> /etc/rc.local
echo “modprobe ip_conntrack_ftp” >> /etc/rc.local
echo “modprobe ip_nat_ftp” >> /etc/rc.local
Applying basic squid configuration

a. Define basic rules of http access
b. Authorize additional safe ports
c. Control bandwidth with delay pool

Type “vi /usr/local/squid/etc/squid.conf” and apply following settings.

a. Define basic rules of http access
Port Settings:
Code:
http_port 10.1.1.1:3128 transparent
General Settings:
Code:
visible_hostname main_it_center
cache_mgr webmaster
ACLs Settings:
Code:
	acl blocklist url_regex –i “/usr/local/squid/etc/blocklist.txt”
	http_access deny blocklist

	acl singlip src 10.1.1.4
	acl http_access allow singleip

	acl someips src 10.1.1.5 10.1.1.7 10.1.1.15
	http_access allow someips
	acl manyips src “/usr/local/squid/etc/many.txt”
	acl http_access allow manyips


	http_access allow localhost
b. Authorize additional safe ports

Search the word “Safe_ports” and add following ports before the line “acl CONNECT method CONNECT”

Code:
acl Safe_ports port 995         # pop3 of gmail
acl Safe_ports port 587         # smtp of gmail
acl Safe_ports port 465         # smtp of gmail
acl Safe_ports port 993         # smtp of gmail
acl Safe_ports port 25          # smtp
acl Safe_ports port 110         # pop3
acl Safe_ports port 143         # pop3

c. Control bandwidth with delay pool

I am writing a very simple rule that will reduce the network bandwidth of the target ips. The rest of ips shall receive full bandwidth

Code:
acl ipgroup src "/etc/squid/delayedips"
delay_pools 1
delay_class 1 1
delay_parameters 1 12000/24000
delay_access 1 allow ipgroup
delay_access 1 deny all

Configure iptables

Configuring iptables is important for transparent proxy setting. The further advantage is that messengers will be able to directly access internet without the need of proxy settings.


Code:
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

service iptables save
service iptables restart
Configure IP Forwarding

vi /etc/sysctl.conf
Change the value of “net.ipv4.ip_forward” to 1:

net.ipv4.ip_forward = 1

Save the file and type “sysctl –p” to refresh and apply new settings

Note:
In order to apply changes while squid is running, use the command

/usr/local/squid/sbin/squid –k reconfigure


The transparent squid is configured with outlook support and now you do not need to provide the proxy address in the client browsers.

Quote:
Author: Sabir Mustafa [RHCE, MCSA, OELACA (Oracle)]
Review by: Baber Zahoor
Number of machines: 01 [HP 8000 series desktop PC with 1024 GB of RAM]
Operating System: RedHat Enterprise Linux 5.4 [32-bit]
Web Proxy server: SQUID 2.7STABLE9 [Compiled from source]
# of NICs: 02
NICs configuration: eth0 [Connected to public interface (192.168.1.8)]
eth1 [Connected to private interface (10.1.1.1)]

by engineerktk on Mon, 2012-07-30 04:55
Dear Sir,

I want to implement it in Ubuntu 11.04. Can you please point out the modifications/changes that are meant to be made while installation on ubuntu.

Thanks,
Regards,
Ashfaq

by wendllandfredri878 on Sun, 2024-01-07 05:13
Configuring a transparent web proxy using Squid 2.7STABLE9 involves several steps to enable transparent proxying. Firstly, ensure Squid 2.7STABLE9 is installed on the desired system. Then, configure the Squid.conf file, typically located in /etc/squid/ directory, with specific settings. Set the http_port to intercept requests transparently by specifying the proxy port and the transparent keyword: http_port 3128 transparent. Adjust ACLs (Access Control Lists) as needed, allowing or denying certain traffic. Also, ensure the firewall or network settings redirect HTTP traffic to Squid proxy port (3128 by default). Remember to restart the Squid service after making changes to Squid.conf for the configurations to take effect. This setup enables Squid to intercept and proxy HTTP requests transparently without requiring client-side configurations, enhancing network security and control.

by TB0ne on Sun, 2024-01-07 11:20
Quote:
Originally Posted by wendllandfredri878 View Post
Configuring a transparent web proxy using Squid 2.7STABLE9 involves several steps to enable transparent proxying. Firstly, ensure Squid 2.7STABLE9 is installed on the desired system. Then, configure the Squid.conf file, typically located in /etc/squid/ directory, with specific settings. Set the http_port to intercept requests transparently by specifying the proxy port and the transparent keyword: http_port 3128 transparent. Adjust ACLs (Access Control Lists) as needed, allowing or denying certain traffic. Also, ensure the firewall or network settings redirect HTTP traffic to Squid proxy port (3128 by default). Remember to restart the Squid service after making changes to Squid.conf for the configurations to take effect. This setup enables Squid to intercept and proxy HTTP requests transparently without requiring client-side configurations, enhancing network security and control.
Really?? What else did Chat GPT tell you? Did you notice that this thread had been closed for *TWELVE YEARS*, or that the latest version of Squid is 6?? No one is going to be using 2.7.

Reported.


  



All times are GMT -5. The time now is 04:36 AM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration