Webmin
A proxy server can prevent employees from visiting certain sites, help reduce the load on
your network by caching pages for clients, and make use of SSL to secure connections
between clients and servers. Many smaller companies assume they don't have the time or the
money to put into setting up a proxy server. Thanks to Webmin, that is not the case.
With the Webmin administration portal, you can easily set up a Squid proxy server and manage that proxy with the user-friendly web-based administration tool. I will walk you through the steps of setting up a Squid proxy server through the Webmin tool. I will demonstrate this on an Ubuntu 12.10 platform and do everything through the web-based GUI (no command line necessary). Because Squid is designed to run on UNIX-like systems (there was a Windows port for a brief period, but it was abandoned), you need to have Webmin running on a UNIX-based system. Once you have Webmin up and running, you are very close to having Squid installed.
Installing Squid
In order to be able to enable the Squid module, Squid needs to be installed; fortunately,
Webmin is smart enough to handle this task for you. After you log in to Webmin as an
administrator, you can have Webmin install Squid and then enable the module for you. Here's
how:
Figure A
Setting up Squid
The first thing you will see is the error "Your Squid cache directory /var/spool/squid3 has not been initialized. This must be done before Squid can be run." To initialize it, click the Initialize Cache button (either with an existing user, or by creating a new user/group "proxy"). At this point you will see the "Stopping Squid" warning. Once the cache has been initialized, you will be prompted with the Return To Squid Index link. If you continue seeing this error, here's what you need to do:
Your plan for using the proxy will dictate how you configure it. Regardless of how you use it,
you will want to define the ports used by the proxy first. By default, Squid uses 3128. You
can stick with the default, or if you need to go with a non-standard port, here's how to change
it:
1. From the Webmin Squid page, click Ports And Networking.
2. In the Ports And Networking page (Figure C), configure the port.
3. Once you have the port set, click Save.
You can set Squid to listen on more than one port by going back into Ports And Networking and adding a new port.
Figure C
By default, Squid will listen to requests coming from all addresses. You can restrict this on a per-address or per-hostname basis by entering the IP address or hostname under the Hostname/IP Address column in the table.
Let's say you want to block Facebook using Squid. You must first create a new Access
Control List (ACL), which you can do by following these steps:
1. From the module index, click Access Control.
2. Below the listing, select Webserver Hostname from the drop-down and click Create New
ACL.
3. In the Create ACL window (Figure D), enter a name for the ACL (like Facebook) and then enter the domain (facebook.com). (You could even create a single ACL for a group of related domains.)
4. In the Failure Redirect, enter the page you would like this to be redirected to.
5. Click Save.
Figure D
Figure E
Back at the module index, click Apply Changes to restart Squid with the newly created
restrictions.
You should now have a proxy set up to block all access to Facebook (I'm not advocating this
practice, just using it as an example). You can apply this same idea to nearly anything you'd
like to block. And remember, Squid can be used for a lot more than blocking domains.
Linux Transparent Squid Proxy Server Guide
expires from Squid's cache, Squid can then immediately serve it, accelerating the download and saving bandwidth.
Internet Service Providers (ISPs) have used Squid proxy servers since the early 1990s to provide faster download speeds and reduce latency, especially for delivering rich media and streaming video. Website operators frequently deploy a Squid proxy server as a content accelerator, caching frequently viewed content and easing the load on web servers. Content delivery networks and media companies employ Squid proxy servers and deploy them throughout their networks to improve the experience of viewers requesting programming, particularly for load balancing and handling traffic spikes for popular content.
Here I will discuss how to set it up on the popular Linux flavour Ubuntu.
After installing Ubuntu, configure the network interface cards; you must have at least 2 LAN cards, one for the local LAN and a second with the internet connection, e.g. DSL.
After configuring networking, make sure you are able to browse the internet. After that, install and configure Squid.
The default login type for Linux is the GUI (in Ubuntu Desktop or Fedora). First log in as root.
a) Install the SQUID service by issuing the following command:
apt-get install squid squid-common
b) Now configure it by editing the default Squid configuration file:
gedit /etc/squid/squid.conf
If you only have CLI access, use nano instead, e.g.:
nano /etc/squid/squid.conf
o change the Squid port from http_port 3128 to http_port 8080
o find the http_access section, uncomment the following 2 lines and add your own network (for example 192.168.0.0/24):
acl our_networks src 192.168.0.0/24
http_access allow our_networks
o change the hostname in the visible_hostname section; after the "#Default:" comment (which says the default is none), just add:
visible_hostname proxy.aacable.com
Now save the file, exit, and restart Squid to apply the changes we made to the Squid configuration:
service squid restart
Now, in the client browser, set the proxy address to the Squid LAN IP and port 8080, and test browsing. If you don't want to set the proxy manually at the client end, set up Squid in transparent mode.
Configure Squid as Transparent Proxy (Squid version >= 2.6)
Edit the Squid configuration file:
gedit /etc/squid/squid.conf
o change the http_port line (set to 8080 earlier) to:
http_port 8080 transparent
Save and exit, then restart the Squid proxy server with:
service squid restart
OR
squid -k reconfigure
Iptables configuration
Next, add the following rules to forward all HTTP requests (coming to port 80) to the Squid server port 8080:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:8080
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
Where 192.168.0.1 is the IP of the proxy's LAN interface, and eth1 is the WAN interface.
* Save the new iptables rules (iptables-save prints the active rules; redirect its output to a file if you want to keep them):
iptables-save
OR use the following script:
https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/
++++++++++++++++++++++++++++++++++++
Also, the following is a great guide which will help you install a SQUID proxy server in transparent mode.
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
WARNING: Could not determine this machines public hostname. Please configure one or set
'visible_hostname'.
It means the hostname isn't correctly defined and you need to change the visible_hostname in the config file. It identifies the cache server, which matters for troubleshooting and when viewing the logs. So change it before anything else, like this:
visible_hostname HowtoForge
As you can see, http_port 3128 means Squid listens for requests from HTTP clients on this port.
ACLs are used to restrict usage and limit the web access of hosts; each ACL line defines a particular type of activity, such as an access time or a source network. After that we need to link the ACL to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.
When you install Squid for the first time, you need to add some ACLs to allow your network to use the internet, because Squid denies web access by default.
The syntax of an ACL is like this:
acl aclname acltype value
aclname = rule name (it can be any name you like, such as mynetwork)
acltype = type of ACL, such as src or dst (src: source IP | dst: destination IP)
value = an IP address, a network, a URL, ...
Note: Specify the rules before the line http_access deny all. After that change, save your file and restart the squid service.
(If you use the vi editor, to save and quit: 1- press the ESC key, 2- type ':x' without quotation marks and hit Enter.)
# service squid restart
Remember you may see an error after restarting the squid service for using "/24" in your config; if so, don't panic, you can easily change /24 to /255.255.255.0 and restart the squid service again. After restarting, your entire network, which uses the IP addresses 192.168.1.1 to 192.168.1.254, has access to the internet.
You may ask yourself about allowing internet access to everyone except particular IP addresses; actually it's a good start and brings some fun :) . OK, to do this open the config file and add the following:
acl bad_employee src 192.168.1.18
http_access deny bad_employee
acl mynetwork src 192.168.1.0/24
http_access allow mynetwork
In the above example the entire network will be allowed to use the internet except the blocked person (bad_employee). Remember that Squid interprets the rules from top to bottom, so you need to be careful.
You can create a time-based restriction rule for your company and combine it with the mynetwork ACL you created, like this:
acl mynetwork src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
You can do more than block one URL: if you want to block more than a single domain, create a file to hold the URLs and give this file read permissions, like this:
# touch /etc/squid/block_list.txt
# chmod 444 /etc/squid/block_list.txt
# vi /etc/squid/block_list.txt
Enter some URLs to block, like this:
www.sxx.com
www.yahoo.com
www.hotmail.com
Then save and quit; it's time to create the rules. Open the config file and put these parameters in it:
acl block_list url_regex "/etc/squid/block_list.txt"
http_access deny block_list
You can block URLs that contain unwanted words like this:
acl blockword url_regex sxx
http_access deny blockword
If you want to block more file extensions from being downloaded, you can list them all in a file as described before (exactly like the URL blocking section).
You can configure Squid to prompt users for a username and password with ncsa_auth, which reads an NCSA-compliant encrypted password file:
# htpasswd -c /etc/squid/squid_passwd your_username
enter pass : your_password
# chmod o+r /etc/squid/squid_passwd
Open the config file, put these lines in it and adjust them to your own configuration:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_user proxy_auth REQUIRED
http_access allow ncsa_user
If you don't want to modify the browser to use a proxy, there is a method called "Transparent Proxy"; to use it, configure Squid like this:
Prior to Squid Version 2.6:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Thanks for taking the time to read this guide, I hope it's helpful.
This guide was part 1; in part 2 we will learn about "Content Caching", "Load Balancing", "Bandwidth Management", "Squid Logs", "Nmap", "Monitoring [Visited URLs by Users]" and more ...
Here are the simple steps you need to perform on the Squid server. I am using CentOS 6.4.
Lab Environment:
CentOS 6.4 (as Squid transparent proxy server), Hostname = pxy.broexperts.com
eth0 : (Connected to Internet)
IP = 192.168.1.211/24, Gateway = 192.168.1.1 and DNS = 8.8.8.8
eth1 : (Connected to LAN)
IP = 10.0.0.1/8, and DNS = 172.0.0.1
XP Pro SP3 (client PC for testing), Hostname = xp1.broexperts.com
IP = 10.0.0.11/8, Gateway = 10.0.0.1 (the Squid server's IP) and DNS = 10.0.0.3
TIP: To set up a DNS server for this tutorial you can follow the BIND Caching-only Configuration on CentOS 6.4 guide.
Step-1 Installing squid packages.
yum install squid -y
Step-4 Start the squid service and enable it with chkconfig so that it comes up at boot time.
service squid start
chkconfig squid on
Step-5 iptables rules for the transparent squid proxy.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
Now we can test browsing on Client Machine.
Squid Installation
To set up a transparent proxy with Squid, we start by adding the necessary iptables rules. These rules should help you get started, but please make sure that they do not conflict with any existing configuration.
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
The first rule will cause all outbound packets leaving via eth1 (WAN interface) to have the source IP address of eth1 (i.e., enable NAT). The second rule will redirect all incoming HTTP packets (destined to TCP 80) from eth0 (LAN interface) to Squid's listening port (TCP 3128), instead of forwarding them out of the WAN interface right away.
We start Squid installation by using yum.
# yum install squid
Now we will modify Squid configuration to turn it into a transparent proxy. We define our
LAN subnet (e.g., 10.10.10.0/24) as a valid client network. Any traffic not originating from
the LAN subnet will be denied access.
# vim /etc/squid/squid.conf
visible_hostname proxy.example.tst
Now that Squid is up and running, we can test its functionality by monitoring Squid log. Visit
any URL from a computer connected to the LAN, and you should see something like the
following in the log.
# tailf /var/log/squid/access.log
1402987348.816   1048 10.10.10.10 TCP_MISS/302 752 GET http://www.google.com/ - DIRECT/173.194.39.178 text/html
1402987349.416    445 10.10.10.10 TCP_MISS/302 762 GET http://www.google.com.bd/? - DIRECT/173.194.78.94 text/html
According to the log file, the machine with IP 10.10.10.10 tried to access google.com and
Squid processed the request.
The most basic form of Squid proxy server is now ready. In the rest of the tutorial, we will be
tuning some parameters of Squid to control outbound traffic. Note that this is for
demonstration only. Actual policies should be customized to meet your requirements.
Preliminary
Before starting the configuration, we clarify a few points.
Squid Configuration Parsing
While reading a configuration file, Squid parses the file in a top-down fashion. Rules are
parsed top-down until a match is found. Whenever a match is found, that rule is executed,
and any other rule below it is ignored. So, the best practice for adding filtering rules is to
specify rules in the following sequence.
explicit allow
explicit deny
allow entire LAN
deny all
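The top-down, first-match rule stated here and in the bad_employee / mynetwork example earlier is easy to get wrong, so here is an added Python evaluator (not code from any of the guides above) that replays a squid.conf fragment for a given client, URL and time. The configuration string is constructed from the ACL names the guides use; it supports inline src, url_regex and time values only, not file-backed ACLs.

```python
import ipaddress
import re
from datetime import datetime

# Constructed squid.conf fragment (an assumption, not copied from any guide above) combining
# the bad_employee / mynetwork / business_hours / url_regex ACLs the guides describe.
SAMPLE_CONF = """
acl bad_employee src 192.168.1.18
acl mynetwork src 192.168.1.0/24
acl business_hours time MTWHF 9:00-17:00
acl blockword url_regex sxx
http_access deny bad_employee                # explicit deny first
http_access deny blockword
http_access allow mynetwork business_hours   # allow LAN: both ACLs must match
http_access deny all
"""
def parse_conf(text):
    """Collect 'acl' definitions and 'http_access' lines in file order, comments stripped."""
    acls, rules = {}, []
    for line in text.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "acl":
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(name, acls, src, url, now):
    """True if an inline value of the ACL matches the request (file-backed values unsupported)."""
    if name == "all":  # Squid's built-in 'acl all src all'
        return True
    for kind, values in acls[name]:
        if kind == "src" and any(ipaddress.ip_address(src) in ipaddress.ip_network(v, False) for v in values):
            return True
        if kind == "url_regex" and any(re.search(v, url) for v in values):
            return True
        if kind == "time":  # days use Squid's letters M T W H F A S (A = Saturday, S = Sunday)
            days, (h1, m1, h2, m2) = "".join(values[:-1]), re.split("[:-]", values[-1])
            if "MTWHFAS"[now.weekday()] in days and int(h1) * 60 + int(m1) <= now.hour * 60 + now.minute <= int(h2) * 60 + int(m2):
                return True
    return False

def http_access(conf, src, url, when):
    """Return 'allow' or 'deny': the first http_access line whose ACLs all match wins."""
    now = datetime.strptime(when, "%Y-%m-%d %H:%M")
    acls, rules = parse_conf(conf)
    for action, names in rules:
        if all(acl_matches(n, acls, src, url, now) for n in names):
            return action  # everything below this line is ignored
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"  # Squid: opposite of last line
```

Swapping the deny bad_employee line below the allow line lets 192.168.1.18 through, which is the ordering mistake the sequence above is meant to prevent.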
This command will allow Squid to run with updated parameters without restarting itself.
# vim /etc/squid/denied-ip-file
10.10.10.24
10.10.10.25
# vim /etc/squid/squid.conf
## first we create an ACL to isolate the denied IPs ##
acl denied-ip-list src "/etc/squid/denied-ip-file"

## then we apply the ACL ##
http_access deny denied-ip-list
## explicit deny ##
## allow LAN ##
## deny all ##
Now we need to restart the Squid service. Squid will no longer honor requests from these IP addresses. If we check the squid log, we will find 'TCP_DENIED' for requests originating from these hosts.
# vim /etc/squid/squid.conf
## ACL definition ##
Please note that we have used the ACL type 'url_regex', which will match the words 'badsite'
and 'denysite' in requested URLs. That is, any request whose URL contains 'badsite' or
'denysite' (e.g., badsite.org, newdenysite.com, otherbadsite.net) will be blocked.
# vim /etc/squid/custom-block-website-file
custom-block-site
# vim /etc/squid/squid.conf
custom-denied-list custom-block-site
# squid -k reconfigure
The blocked hosts should not be able to access the mentioned site now. The log file
/var/log/squid/access.log should contain 'TCP_DENIED' for corresponding requests.
reply_body_max_size 50 MB custom-denied-list
# squid -k reconfigure
100 MB storage is allocated for Squid cache. You may increase the allocated space if you
want.
16 directories, each containing 256 subdirectories will be used to store cache files. This
parameter should not be modified.
We can verify whether Squid cache is enabled from the log file /var/log/squid/access.log. For
successful cache hits, we should see entries with 'TCP_HIT'.
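The tutorial checks its work by looking for 'TCP_DENIED' and 'TCP_HIT' in access.log, so here is an added Python parser (not code from the guides) for the native access.log format shown earlier that reports per-client result codes, the denied requests and the cache hit ratio. The log lines are constructed; the two google.com entries mirror the sample above and the rest are made up for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Squid's native access.log format (not real traffic): timestamp,
# elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type.
SAMPLE_LOG = """\
1402987348.816   1048 10.10.10.10 TCP_MISS/302 752 GET http://www.google.com/ - DIRECT/173.194.39.178 text/html
1402987349.416    445 10.10.10.10 TCP_MISS/302 762 GET http://www.google.com.bd/? - DIRECT/173.194.78.94 text/html
1402987350.102      2 10.10.10.10 TCP_HIT/200 5120 GET http://www.google.com/logo.png - NONE/- image/png
1402987351.007      0 10.10.10.24 TCP_DENIED/403 3873 GET http://www.google.com/ - HIER_NONE/- text/html
1402987352.333      0 10.10.10.10 TCP_DENIED/403 3901 GET http://badsite.org/ - HIER_NONE/- text/html
"""

NATIVE_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse_native(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than guessed."""
    for line in log_text.splitlines():
        m = NATIVE_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["elapsed"], rec["bytes"] = int(rec["elapsed"]), int(rec["bytes"])
            yield rec

def summarize(log_text):
    """Per-client result-code counts, the TCP_DENIED requests a new deny rule should
    produce, and the share of TCP_HIT-style responses that shows the cache is working."""
    per_client, denied, hits, total = defaultdict(Counter), [], 0, 0
    for rec in parse_native(log_text):
        per_client[rec["client"]][rec["result"]] += 1
        total += 1
        if rec["result"] == "TCP_DENIED":
            denied.append((rec["client"], rec["url"]))
        elif rec["result"].endswith("_HIT"):  # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hits += 1
    return {"per_client": {c: dict(n) for c, n in per_client.items()},
            "denied": denied, "hit_ratio": hits / total if total else 0.0}
```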
To sum up, Squid is a powerful, industry standard web proxy server that is used widely by
system admins worldwide. Squid provides easy access control that can be used to administer
traffic originating from the LAN. It can be deployed in small companies as well as large
enterprise networks. This tutorial covered only a subset of all Squid features. Refer to the
official documentation for a complete feature list.
Hope this helps.