EggXpert


Proxy Server Tutorial

Last post 11-16-2008, 6:55 AM by seodeveloping. 8 replies.
  •  05-21-2007, 8:36 PM 58460

    Proxy Server Tutorial

    Squid Proxy Server Tutorial

    Purpose - Web Caching and Security.
    Software Used in this Tutorial - CentOS 4.3, Squid Proxy Server
    Other Requirements - PC with 2 network cards, hub/switch, broadband internet connection

    Summary - Proxy servers are often used by network administrators to free up bandwidth, create a faster web browsing experience for LAN clients, monitor the internet activity of LAN clients, and lock down a LAN's internet access. The proxy server we're going to configure today will allow you to do most of this. I'll write a follow-up article which covers log viewing, DHCP, and the squidGuard add-on later this summer.

    Step 1, Getting the Software -
    My first experience with Linux was way back with Redhat 7.3. I've always been comfortable with Redhat, and the RPM package management system.

    In this tutorial we're going to use a popular RHEL (Red Hat Enterprise Linux) clone called CentOS: http://www.centos.org. CentOS is free, easy to use (IMO), and very stable. To get it, go to centos.org and download the ISO files that match your platform. I'm currently running CentOS 4.3 for i386 platforms. Once you've downloaded all of the ISOs (4 CDs or 1 DVD), write the ISOs to the appropriate blank media (CDs or DVD). Now you're ready to install the OS.

    Step 2, Installing the Software -
    Since many of you are probably new to linux, I'll provide a brief walk through for installing the OS and getting the system configured correctly:

    First put in CD 1/4 or your CentOS dvd. Make sure your system is configured to boot from your CDROM drive first. When the CentOS menu appears, simply click Enter to load the installer. CentOS uses the same user friendly installer as Redhat and Fedora. All of the menus should be self explanatory. When you get to the option for partitioning the hard drive, I always allow disk druid to automatically partition my drive, and remove all existing partitions. Beware, this will erase all of your existing hard drive data, just like fdisk and format c: would in windows.

    Later you'll be asked what kind of installation you'd like to perform. Select the option at the bottom named "Custom". While this is a "Server", we do not need all of the server packages that get installed with CentOS's server options. So select "Custom" and click next. Whether you install additional packages is entirely up to you. The default packages selected with the Custom option can stay; now scroll down the list and check the box next to:

    Web Server - Includes Squid
    Network Servers - Includes DHCP which we will use in a later tutorial
    Administration Tools - Provides some nice gui tools
    System Tools - Provides other useful system tools for linux servers
    Click next and the installation should begin.

    Step 3, Configuring the Server -
    *Note: It's never a good idea to log in to a server as root; for the sake of this tutorial just go ahead and do it.
    Once you have CentOS installed, the actual server configuration is quite easy. First let's disable a few services that CentOS enables by default. Go to the Applications menu (same as start menu in windows), choose System Settings, then Server Settings, then click on Services.
    Uncheck and Stop the following services:
    ISDN
    PCMCIA
    Sendmail
    Smartd (if you're using SATA drives)
    SSH
    Then click the Save button at the top of the services window.

    Now let's configure your two network cards. Go to Applications >> System Settings >> Network. You should have two network devices listed, eth0 and eth1. eth0 should be your external interface (the one connected to your router/gateway/firewall), eth1 will be your internal interface (the one connected to your hub/switch/lan clients). Refer to the proxy diagram at the top of this tutorial to get an idea of the layout.

    eth0 (external to router/gateway)
    IP Address: 192.168.0.254
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.1

    eth1 (internal to lan)
    IP Address: 192.168.1.1
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.254

    View a sample of this setup here: removed

    Once your network cards have been configured, choose File >> Save from the Network Configuration menu. Now we have to restart the network service. Let's do it from the command prompt: Go to Applications >> System Tools >> Terminal. Type
    "/etc/init.d/network restart" (no quotes), then hit enter.
    Everything should have restarted "Ok". Now it's time to configure your server to allow internet connection sharing from eth0 to eth1.

    From the terminal type the following commands (without quotes):
    "echo 1 > /proc/sys/net/ipv4/ip_forward" click enter
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" click enter

    Now let's take a minute to test the internet connection sharing. Log on to one of your lan PC's and configure your network settings accordingly. Remember we're not covering DHCP in this tutorial so you'll have to setup a static IP. In Windows XP go to your TCP/IP settings

    and use the following static ip:
    192.168.1.100
    255.255.255.0
    192.168.1.1
    I use the public 4.2.2.1 as my DNS server; it seems to always work extremely well.

    To test the internet connection sharing try to ping your linksys router (or dlink, netgear, etc. etc.).
    From the command line type "ping 192.168.0.1". If you get a response then your internet connection sharing is enabled correctly and your linux server is configured as a router. The path goes something like this:
    192.168.1.100 (pc) >> 192.168.1.1 (eth1) >> 192.168.0.254 (eth0) >> 192.168.0.1 (router)

    Step 4, Configuring Squid -
    It's finally time to configure squid. Open up /etc/squid/squid.conf with the default Text Editor. Squid provides a squid.conf.default file, so you'll have a backup of the default squid conf file in case you screw something up. The squid.conf file has a ton of commented docs, to keep with the order of things I just find the commented text, then add my rule below.

    Start by doing a Find search for the phrase "httpd_accel_port".
    Below the default comment, add the following:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    Next do a Find for the phrase "http_port 3128"
    Below the default comment, add the following:
    http_port 192.168.1.1:3128

    **This is very important** By specifying the IP address of eth1 (your internal interface), it ensures that remote users over the internet do not use your proxy server. An open proxy can be exploited quite easily if you tell squid to listen on eth0, your external interface.

    Finally we get to add our own custom rules, this is where you can lock your network down as much as you'd like. Do a Find for the phrase "INSERT YOUR OWN". That should bring you to the spot where you can insert your own rules.

    Squid works by using ACLs, or access control lists, to identify different values. What you call your ACLs is entirely up to you, but it makes sense to use names that describe what the ACL is for. First I'm going to set up an ACL for basic network users by IP address. Remember we don't have DHCP configured on our server, so it'll be easy to identify the different LAN users.

    acl home_user src 192.168.1.100
    acl home_user src 192.168.1.101
    acl home_admin src 192.168.1.102

    I just declared two access control lists. One was named home_user, and contained two lan ip's (which relate to two pc's on my lan). The second was named home_admin which happens to refer to MY pc's ip address. You'll see why I put myself in a separate control list in a minute.

    Let's set up a few more ACLs:

    acl blocked_files url_regex -i \.exe$ \.com$ \.bat$ \.pif$
    acl allowed_files url_regex -i SOMECOOLFILE.exe
    acl blocked_domains url_regex -i some-porn-site.com

    Finally let's declare the rules for each of our acl's:

    http_access deny blocked_files !home_admin !allowed_files
    http_access allow home_admin
    http_access allow home_user
    http_access allow localhost
    http_access deny all

    Take a look at the first line of our ACL rules. That line in plain English would read: "Deny access to all files with a file extension that's present in the 'blocked_files' ACL, EXCEPT for the file named 'SOMECOOLFILE.exe', and except for members of the home_admin ACL." I put myself in a separate ACL so I could still have access to all of the files on the web. I trust myself enough that I don't need to filter exe's. Now my girlfriend, on the other hand, needs to have .exe access restricted.

    The next three rules should be self explanatory. The last rule is very important. It denies access to everything that hasn't been allowed. Think of Squid as a tagging system. Squid looks at each web request and compares it to its list of ACLs. If the web request is coming from 192.168.1.100, it will be identified as a home_user. It then sees that members of the home_user ACL are granted http_access. So that web request is tagged to be allowed to access the web, so the "deny all" rule is ignored.

    Now imagine there's a web request coming from 192.168.1.103. Well that ip doesn't fall under any defined acl, and therefore has no "allow" rule associated with it. That request will work its way through all of the rules and finally end up on "http_access deny all", which means, the web request will be denied and the user will receive an error message.

    Once you've finished declaring all of your acl's save the squid.conf file and close your text editor.

    Step 5, Transparent Proxy -
    You may be asking yourself, "why does squid listen on port 3128 when most web requests are sent over port 80?". Well, that's a good question. Some of you may be familiar with the Connection Settings options in Firefox and IE. This tool lets LAN users specify the address and port of their network's proxy server.

    But if your proxy server is meant to filter certain internet traffic, then why would lan clients WANT to use the network's proxy? Well chances are they wouldn't, so you can setup something called a "transparent" proxy.

    A transparent proxy is a proxy server that exists without LAN clients ever even knowing, at least not until one of their web requests gets blocked. To make your proxy all cool and transparent, go to Applications >> System Tools >> Terminal.
    In the command prompt type: (no quotes)

    "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128"

    Then click enter. That rule tells your firewall to redirect all traffic that comes in on eth1 (your internal interface) destined for port 80 to port 3128. Hey, isn't 3128 the port that squid is listening on? You got it! Now all traffic outbound on port 80 automatically gets sent through squid. View the example here: removed

    Step 6, Starting Squid -
    From the terminal window, Applications >> System Tools >> Terminal, type
    "/etc/init.d/squid start" then click enter.
    Squid should start with an Ok, and now you're all set to use your cool new proxy server.

     -----------------------------------------------------------

    Original Author : pcthuglife

    Original Link : http://www.hothardware.com/forum/messageview.cfm?catid=17&threadid=33822&enterthread=y


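As an added example, not part of the original post and not Squid's own code: a small Python model of how Squid walks the http_access lines above (the "tagging" the tutorial describes), run against a few constructed requests. It embeds a constructed squid.conf fragment made of the post's ACLs plus Squid's stock localhost ACL, and a hardened blocked_files regex that is my own suggestion. The http_port binding and the iptables redirect are outside the model; only the src and url_regex ACL types are handled.

```python
"""Model of Squid's http_access evaluation (added example; not Squid's code).

Squid's documented rules, which this reproduces: every ACL named on one
http_access line must match (AND); a leading '!' negates an ACL; the first
matching line decides; and a request matching no line gets the opposite of
the last line's action. Only the 'src' and 'url_regex' ACL types used in
the post are modelled.
"""
import ipaddress
import re

# Constructed squid.conf fragment: the ACLs and rules from the post, plus
# Squid's stock 'localhost' ACL. It is not a file taken from the page.
SQUID_CONF = r"""
acl home_user src 192.168.1.100
acl home_user src 192.168.1.101
acl home_admin src 192.168.1.102
acl localhost src 127.0.0.1
acl blocked_files url_regex -i \.exe$ \.com$ \.bat$ \.pif$
acl allowed_files url_regex -i SOMECOOLFILE.exe
acl blocked_domains url_regex -i some-porn-site.com
http_access deny blocked_files !home_admin !allowed_files
http_access allow home_admin
http_access allow home_user
http_access allow localhost
http_access deny all
"""

# Assumed hardening, not from the post: url_regex is tested against the whole
# URL, so '\.exe$' misses 'setup.exe?dl=1'. Anchor on '?' or end of URL instead.
HARDENED_CONF = SQUID_CONF.replace(
    r"url_regex -i \.exe$ \.com$ \.bat$ \.pif$",
    r"url_regex -i \.(exe|com|bat|pif)(\?|$)",
)


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [(negated, name)])])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            flags = 0
            if values and values[0] == "-i":   # case-insensitive regex
                flags, values = re.IGNORECASE, values[1:]
            if kind == "src":
                items = [ipaddress.ip_network(v, strict=False) for v in values]
            elif kind == "url_regex":
                items = [re.compile(v, flags) for v in values]
            else:
                raise ValueError("unsupported acl type: " + kind)
            # Repeating a name on several 'acl' lines extends the same ACL.
            acls[name] = (kind, acls.get(name, (kind, []))[1] + items)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, src, url):
    """True if the request (client IP, full URL) is in the named ACL."""
    if name == "all":                      # Squid's built-in catch-all ACL
        return True
    kind, items = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(src) in net for net in items)
    return any(rx.search(url) for rx in items)


def evaluate(conf_text, src, url):
    """Return 'allow' or 'deny' for a request, the way Squid walks http_access."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, n, src, url) != neg for neg, n in terms):
            return action                  # first matching line wins
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


def unused_acls(conf_text):
    """ACL names declared but never referenced by any http_access line."""
    acls, rules = parse_conf(conf_text)
    referenced = {n for _, terms in rules for _, n in terms}
    return sorted(set(acls) - referenced)


if __name__ == "__main__":
    requests = [  # constructed sample requests
        ("192.168.1.100", "http://example.com/setup.exe"),
        ("192.168.1.102", "http://example.com/setup.exe"),
        ("192.168.1.100", "http://example.com/SOMECOOLFILE.exe"),
        ("192.168.1.103", "http://example.com/index.html"),
        ("192.168.1.100", "http://example.com/setup.exe?dl=1"),
    ]
    for src, url in requests:
        print(f"{src:15} {url:45} post: {evaluate(SQUID_CONF, src, url):5} "
              f"hardened: {evaluate(HARDENED_CONF, src, url)}")
    print("declared but never used:", unused_acls(SQUID_CONF))
```

Two things the model surfaces that the post's prose does not: a URL such as setup.exe?dl=1 sails past `\.exe$` because url_regex is matched against the full URL, query string included, and the blocked_domains ACL is declared but never named on an http_access line, so it blocks nothing until a `http_access deny blocked_domains` line is added.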
  •  05-22-2007, 11:20 AM 58886 in reply to 58460

    Re: Proxy Server Tutorial

    Nice writeup! I may take one of my spare computers and try this out, just to say i made my own proxy server.

  •  05-28-2007, 7:09 PM 64381 in reply to 58460

    Re: Proxy Server Tutorial

    Cool!

    Good Job eggxpert!

  •  06-15-2007, 12:48 AM 80035 in reply to 58460

    Re: Proxy Server Tutorial

    Nice article. It is really useful and helpful.
  •  06-15-2007, 7:02 PM 80814 in reply to 80035

    Re: Proxy Server Tutorial

    Wow~ detailed instructions!

    nice quot iegg, I will vote 4 eggs for you~


  •  03-05-2008, 1:41 PM 280413 in reply to 58460

    Re: Proxy Server Tutorial

    Cool but CentOS 5.1 is current. Any changes for that version?
  •  03-05-2008, 1:54 PM 280428 in reply to 280413

    Re: Proxy Server Tutorial

    Sounds great, looks like a new challenge for me to complete next weekend after exams =(
  •  08-13-2008, 12:46 AM 373293 in reply to 58460

    Re: Proxy Server Tutorial

    As I am a real beginner in Linux, I am very happy to read this article.

    This has cleared up many of my thoughts, which I didn't find on any other site.

    Thanks, buddy.

     

    Regards

    Ripon 


  •  11-16-2008, 6:55 AM 423547 in reply to 373293

    Re: Proxy Server Tutorial

    Very detailed. We have set up 30+ servers with this configuration, and the steps outlined here are fantastic!


©2009 Newegg, Inc. All rights reserved.