:52595EA2
DEPLOYING TRANSPARENT WEB PROXY SERVER USING SQUID 2.7STABLE9
It is expected that reader have at least 01 year of experience in Linux and have good command on terminal.
The purpose of this document is to provide a practical guide to the Linux professionals who desire to deploy a sufficiently secure and transparent squid in their infrastructure.
The squid RPM that is shipped with Linux is an easy start but for a system administrator this RPM might be insufficient since it will be lacking certain advance features like bandwidth control, transparent etc.
In this document we will download the squid 2.7STABLE9 from the www.squid-cache.org and compile it with the desired options.
Step 1:
• Download the squid 2.7STABLE9 from www.squid-cache.org.
• Copy the downloaded .tar.gz file in /tmp directory and perform following steps
a. Open terminal
b. Cd /tmp
c. Mv downloadedfilename.tar.gz squid27.tar.gz
d. tar –zxvf squid27.tar.gz squid27
e. Cd squid27
When you are in the squid directory, it is then possible to use “./configure” command to compile the squid in default mode. Since our goal is to compile squid with advance options therefore I had compiled the squid using the following options according to my needs:
I strongly suggest that you must use the command “./configure --help” and read the description of each switch before proceeding.
Code:
./configure --enable-storeio=”diskd,aufs,ufs” --enable-removal-policies=”lru,heap” --enable-delay-pools --enable-snmp --enable-arp-acl --enable-cache-digests --enable-linux-netfilter --disable-ident-lookups --enable-auth=”basic” –enable-basic-auth-helpers=”NCSA” --with-maxfd=8192 --enable-default-err-language=”English” --enable-err-language=”English” && echo “Configuration successful”
After the squid is compiled successfully you should see Configuration successful message on the screen.
Code:
Type make && echo “Make Successful”
Code:
Type make install && echo “Installation complete”
If all the messages appear correctly then the squid is completely installed. By default, squid places its files under /usr/local/squid path. Moreover the command “service start/stop squid” is not available in this mode. I shall write another small document on this topic but right now we have to know how to start and stop squid.
Before starting squid, we need to configure user permissions and cache directories. By the time squid is installed from source there is no “squid” user or group exists on the machine and you have to create them if you want to, however, the default user and group “nobody” can also be used to serve the same purpose.
To enable cache effective user type
vi /usr/local/squid/etc/squid.conf and search for the word “nobody”, the default user for the parameter “cache_effective_user” is “nobody” you can replace it with “squid” if you want.
After setting user, now search for “cache_dir ufs”. The default path and settings to this directory is “/usr/local/squid/var/cache 3000 64 512” on my machine. You can change the path and the settings as well but remember that these directories should be read and writable to the user “nobody or squid”.
Now since you have verified the physical path, it is time to set permission for the user. In my environment, I am using “nobody” therefore I shall perform command for this user.
Type “cd /usr/local/squid/var” and type “ll” to view the existing directories. There should be two directories “logs” and “cache”. If any of these is missing then you should create it manually by using the command:
Code:
mkdir dirname
Set the permissions on both folders for user “nobody”.
Code:
chmod –R nobody.nobody cache
chown 775 –R cache
chmod –R nobody.nobody logs
chown 775 –R logs
To create the cache directories run the command
Code:
/usr/local/squid/sbin/squid -z
The squid shall create the necessary directories in the “cache” folder
After applying the above mentioned command, the basic configuration of squid is complete; we can now proceed for detailed configuration.
Start squid: /usr/local/squid/sbin/squid –D
To verify that squid process is running, type ps aux | grep squid. This command should display the squid parent as well as child process on the screen.
Stop squid: /usr/local/squid/sbin/squid –k shutdown
To verify the squid process has finished, type ps aux | grep squid. This time the command should not display the squid process.
Note:
Add following 03 lines to “rc.local” file. The first line shall start squid automatically and the other two lines will help accessing ftp sites without any problem.
Code:
echo “/usr/local/squid/sbin/squid –k D” >> /etc/rc.local
echo “modprobe ip_conntrack_ftp” >> /etc/rc.local
echo “modprobe ip_nat_ftp” >> /etc/rc.local
Applying basic squid configuration
a. Define basic rules of http access
b. Authorize additional safe ports
c. Control bandwidth with delay pool
Type “vi /usr/local/squid/etc/squid.conf” and apply following settings.
a. Define basic rules of http access
Port Settings:
Code:
http_port 10.1.1.1:3128 transparent
General Settings:
Code:
visible_hostname main_it_center
cache_mgr webmaster
ACLs Settings:
Code:
acl blocklist url_regex –i “/usr/local/squid/etc/blocklist.txt”
http_access deny blocklist
acl singlip src 10.1.1.4
acl http_access allow singleip
acl someips src 10.1.1.5 10.1.1.7 10.1.1.15
http_access allow someips
acl manyips src “/usr/local/squid/etc/many.txt”
acl http_access allow manyips
http_access allow localhost
b. Authorize additional safe ports
Search the word “Safe_ports” and add following ports before the line “acl CONNECT method CONNECT”
Code:
acl Safe_ports port 995 # pop3 of gmail
acl Safe_ports port 587 # smtp of gmail
acl Safe_ports port 465 # smtp of gmail
acl Safe_ports port 993 # smtp of gmail
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop3
acl Safe_ports port 143 # pop3
c. Control bandwidth with delay pool
I am writing a very simple rule that will reduce the network bandwidth of the target ips. The rest of ips shall receive full bandwidth
Code:
acl ipgroup src "/etc/squid/delayedips"
delay_pools 1
delay_class 1 1
delay_parameters 1 12000/24000
delay_access 1 allow ipgroup
delay_access 1 deny all
Configure iptables
Configuring iptables is important for transparent proxy setting. The further advantage is that messengers will be able to directly access internet without the need of proxy settings.
Code:
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
Configure IP Forwarding
vi /etc/sysctl.conf
Change the value of “net.ipv4.ip_forward” to 1:
net.ipv4.ip_forward = 1
Save the file and type “sysctl –p” to refresh and apply new settings
Note:
In order to apply changes while squid is running, use the command
/usr/local/squid/sbin/squid –k reconfigure
The transparent squid is configured with outlook support and now you do not need to provide the proxy address in the client browsers.
Quote:
Author: Sabir Mustafa [RHCE, MCSA, OELACA (Oracle)]
Review by: Baber Zahoor
Number of machines: 01 [HP 8000 series desktop PC with 1024 GB of RAM]
Operating System: RedHat Enterprise Linux 5.4 [32-bit]
Web Proxy server: SQUID 2.7STABLE9 [Compiled from source]
# of NICs: 02
NICs configuration: eth0 [Connected to public interface (192.168.1.8)]
eth1 [Connected to private interface (10.1.1.1)]
Home »
» Configuring Transparent Web Proxy using Squid 2.7STABLE9
