Deploying Transparent Proxy Server using SQUID (Minimum Configuration)

This section only describes the minimum configuration needed for a Transparent Proxy Server. Tweaking and tuning will be discussed in later sections.
A proxy service is a service that handles requests on behalf of another service. For example, if we want to filter and manage web requests (usually TCP port 80), we assign 'another' service to oversee the task. That 'other' service is the proxy server.
One may ask why a proxy is needed at all when web traffic can already be controlled and filtered with a firewall. The answer is:
  • Caching: The proxy server caches frequently accessed web elements in the RAM and on the hard drive of the computer. If a requested web element is found in the cache, it is supplied to the user from the cache. Since the cached element is fetched from the LAN rather than the Internet, the time taken is significantly reduced. This gives us two benefits:
    • Speeds up the Internet browsing experience
    • Saves bandwidth as the same element is not fetched over and over again from the Internet.
  • Additional Layer of Security: Although a firewall can also be skilfully configured to manage web traffic, using a proxy service to filter and control it places an additional layer of security in the system. Filtering requests is also really easy with Squid, since it can resolve names and IPs easily.
Configuration:
I'm using CentOS. The configuration file is /etc/squid/squid.conf. Always make sure that the configuration file has been backed up before editing.
  1. yum install squid
  2. vim /etc/squid/squid.conf

      ## setting the port on which squid will listen for http traffic.
      ## transparent is used because we are making it a transparent proxy
      http_port 3128 transparent


      ## defining the LAN
      acl my_network src 192.168.10.0/24



      ## allowing my network to use proxy
      http_access allow my_network
      ## denying proxy service to everyone else
      http_access deny all
      ## save & exit
  3. Add the rule to the firewall. We are assuming that the eth1 network interface card is on the LAN.
    iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
  4. service squid restart; chkconfig squid on
Verifying:
  1. By monitoring the proxy log
    tailf /var/log/squid/access.log
  2. By monitoring the status of the firewall whether web traffic is being redirected:
    watch iptables -t nat -nvL

    9735 472K DNAT tcp -- eth1 * 192.168.10.0/24 0.0.0.0/0 tcp dpt:80 to:192.168.10.1:3128
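Watching access.log scroll by shows traffic is reaching Squid, but not whether the cache is doing its job or who is being turned away by the http_access rules. The script below is an added example, not part of the original post: it summarises a handful of constructed lines in Squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy, MIME type) into hit/miss/denied counts and byte totals, and lists the clients that were denied.

```shell
#!/bin/sh
# Summarise a Squid native-format access.log to check that the cache is
# serving hits and to see which clients http_access turned away.
# Constructed sample lines (not from a real system); field order is:
#   timestamp elapsed_ms client result/status bytes method url ident hierarchy mime
SAMPLE_LOG='1355241880.123    245 192.168.10.15 TCP_MISS/200 4521 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1355241881.456      3 192.168.10.15 TCP_HIT/200 4521 GET http://example.com/index.html - NONE/- text/html
1355241882.789     12 192.168.10.22 TCP_MEM_HIT/200 4521 GET http://example.com/index.html - NONE/- text/html
1355241883.012    120 192.168.20.5 TCP_DENIED/403 3590 GET http://example.com/ - NONE/- text/html'

# Read log lines on stdin and print one line per result class: "CLASS requests bytes".
# HIT covers every *_HIT variant (TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...).
squid_cache_summary() {
    awk '
    {
        split($4, rs, "/")                   # TCP_MEM_HIT/200 -> rs[1]=TCP_MEM_HIT
        cls = "OTHER"
        if (rs[1] ~ /_HIT/)             cls = "HIT"
        else if (rs[1] ~ /^TCP_MISS/)   cls = "MISS"
        else if (rs[1] ~ /^TCP_DENIED/) cls = "DENIED"
        n[cls]++; b[cls] += $5
    }
    END {
        split("HIT MISS DENIED OTHER", order, " ")   # fixed order for stable output
        for (i = 1; i <= 4; i++)
            if (order[i] in n) printf "%s %d %d\n", order[i], n[order[i]], b[order[i]]
    }'
}

# Clients rejected by http_access (e.g. hosts outside the my_network acl that
# reached port 3128 directly, since the REDIRECT rule only covers the LAN subnet).
squid_denied_clients() {
    awk '$4 ~ /^TCP_DENIED/ { print $3 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | squid_cache_summary
printf '%s\n' "$SAMPLE_LOG" | squid_denied_clients
```

On a live box, replace the sample with `squid_cache_summary < /var/log/squid/access.log`; a MISS count that never turns into HITs for repeated URLs is the first sign that caching is not working.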
The minimum Squid configuration is now complete. A portion of the web elements is stored in RAM, while the majority is stored on the hard drive. How to filter and manipulate web traffic using Squid will be discussed in later sections.

Hope it helps. Linux Rocks!!!

Comments

  1. Squidblacklist.org is the world's leading publisher of native acl
    blacklists tailored specifically for Squid proxy, and alternative formats for all major third-party plugins as well as many other filtering platforms, including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

    There is room for better blacklists, we intend to fill that gap.


    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org
