Deploying Transparent Proxy Server using SQUID (Minimum Configuration)
A proxy service is a service that manages requests on behalf of another service. For example, if we want to filter and manage web requests (usually TCP port 80), we assign 'another' service to oversee the task. That 'other' service is the proxy server.
One may think: why would I use a proxy when I can control and filter web traffic using a firewall? Well, the answer is:
- Caching: The proxy server caches frequently accessed web elements in the RAM and hard drive of the computer. If a requested web element is found in the cache, it is supplied to the user from the cache. Since the cached element is fetched from the LAN, the time is significantly reduced. This gives us two outputs:
  - Speeds up the Internet browsing experience
  - Saves bandwidth, as the same element is not fetched over and over again from the Internet.
- Additional layer of security: Although a firewall can also be used skilfully to manage web traffic, using a proxy service to filter and control it places an additional layer of security in a system. Plus, filtering requests is really easy using Squid, as it can resolve names and IPs easily.
Configuration:
I'm using CentOS. The configuration file is /etc/squid/squid.conf. Always make sure that the configuration file has been backed up before editing.
- yum install squid
- vim /etc/squid/squid.conf
    ## setting the port on which squid will listen for http traffic.
    ## transparent is used because we will make it a transparent proxy
    http_port 3128 transparent
    ## defining the LAN
    acl my_network src 192.168.10.0/24
    ## allowing my network to use the proxy
    http_access allow my_network
    ## denying proxy service to everyone else
    http_access deny all
    ## save & exit
- Add the rule to the firewall. We are assuming that the eth1 Network Interface Card is on the LAN.
    iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
- service squid restart; chkconfig squid on
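Before restarting Squid it is worth checking the edited file the way a reviewer would, because Squid evaluates http_access rules top to bottom and stops at the first match: if "http_access deny all" ends up above the allow line, the whole LAN is locked out, and if the http_port line lacks the transparent keyword (intercept on newer Squid releases) the redirected traffic is not handled as intercepted. The script below is an added example, not part of the original post or of Squid itself; it takes the path of a squid.conf as its first argument (an assumption) and checks those two points plus that every acl named on an allow line is actually defined. It does not touch the firewall rule, which is a separate thing to verify; note also that the rule above only redirects port 80, so HTTPS traffic never reaches the proxy.

```shell
#!/bin/sh
# Added example (not from the original post): lint a minimal transparent-proxy
# squid.conf before restarting Squid. Checks the three things the post relies on:
#   1. an http_port line that actually uses transparent (or the newer intercept) mode
#   2. every acl named on an "http_access allow" line is defined with "acl NAME src"
#   3. the allow line appears BEFORE "http_access deny all" (first match wins)
# Assumption: the config file path is passed as $1.

# Write the post's minimal configuration to the file named in $1.
write_min_conf() {
    cat > "$1" <<'EOF'
http_port 3128 transparent
acl my_network src 192.168.10.0/24
http_access allow my_network
http_access deny all
EOF
}

# Return 0 if the config passes all three checks, 1 (with a reason on stderr) otherwise.
lint_squid_conf() {
    conf="$1"
    # 1. http_port with the transparent/intercept keyword (port may be ip:port)
    grep -Eq '^[[:space:]]*http_port[[:space:]]+[^[:space:]]+[[:space:]]+(transparent|intercept)' "$conf" || {
        echo "lint: no http_port line with transparent/intercept" >&2; return 1; }
    # 2. every acl referenced by an allow rule must be defined as a src acl
    for name in $(awk '$1=="http_access" && $2=="allow" && $3!="all" { sub(/^!/, "", $3); print $3 }' "$conf"); do
        grep -Eq "^[[:space:]]*acl[[:space:]]+$name[[:space:]]+src[[:space:]]" "$conf" || {
            echo "lint: acl '$name' is used but never defined" >&2; return 1; }
    done
    # 3. the first allow rule must come before the deny-all rule
    allow_ln=$(awk '$1=="http_access" && $2=="allow" { print NR; exit }' "$conf")
    deny_ln=$(awk '$1=="http_access" && $2=="deny" && $3=="all" { print NR; exit }' "$conf")
    [ -n "$allow_ln" ] && [ -n "$deny_ln" ] && [ "$allow_ln" -lt "$deny_ln" ] || {
        echo "lint: need an 'http_access allow' line before 'http_access deny all'" >&2; return 1; }
    return 0
}

# Usage: sh lint.sh /etc/squid/squid.conf && service squid restart
[ "$#" -eq 0 ] || lint_squid_conf "$1"
```

Run it against the real file and only restart Squid when it exits 0; the messages on stderr name which of the three checks failed.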
You can check that it is working:
- By monitoring the proxy log:
    tailf /var/log/squid/access.log
- By monitoring the status of the firewall, to see whether web traffic is being redirected:
    watch iptables -t nat -nvL
    9735 472K DNAT tcp -- eth1 * 192.168.10.0/24 0.0.0.0/0 tcp dpt:80 to:192.168.10.1:3128
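Watching access.log scroll past with tailf is fine for a quick look; over a longer window it is handier to summarize it. The script below is an added example, not part of the original post, and works on a few constructed log lines in Squid's native access.log format (timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, ident, hierarchy/peer, content type). It counts cache hits (Squid's result codes containing _HIT) against misses and adds up the bytes served from cache, which is the bandwidth saving described at the top of the post, and it lists the client addresses whose requests were rejected by the http_access rules (TCP_DENIED), which on a transparent proxy is the quickest way to spot requests arriving from outside my_network. The log path is passed as the first argument (an assumption).

```shell
#!/bin/sh
# Added example, not part of the original post: summarize a Squid access.log
# (native format) instead of watching it scroll past with tailf.
# Field layout per line: 1=timestamp 2=elapsed-ms 3=client 4=result/status
#                        5=bytes 6=method 7=URL 8=ident 9=hierarchy/peer 10=type

# Write a few constructed log lines (sample data, not a real capture) to $1.
# 203.0.113.10 is a documentation address standing in for the origin server.
write_sample_log() {
    cat > "$1" <<'EOF'
1392857280.123    145 192.168.10.22 TCP_MISS/200 5432 GET http://example.com/logo.png - DIRECT/203.0.113.10 image/png
1392857281.004      2 192.168.10.23 TCP_HIT/200 5432 GET http://example.com/logo.png - NONE/- image/png
1392857282.777     88 192.168.10.22 TCP_MISS/200 14020 GET http://example.com/index.html - DIRECT/203.0.113.10 text/html
1392857283.010      1 192.168.10.24 TCP_MEM_HIT/200 14020 GET http://example.com/index.html - NONE/- text/html
1392857284.500    300 10.0.0.5 TCP_DENIED/403 3600 GET http://example.com/ - NONE/- text/html
EOF
}

# Hit/miss/denied counts and bytes served from cache for the log at $1.
# Any result code containing _HIT (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...) counts as a hit.
cache_stats() {
    awk '
        $4 ~ /_HIT\//  { hits++;   hit_bytes += $5 }
        $4 ~ /_MISS\// { misses++ }
        $4 ~ /DENIED/  { denied++ }
        END { printf "hits=%d misses=%d denied=%d bytes_from_cache=%d\n",
                     hits, misses, denied, hit_bytes }
    ' "$1"
}

# Unique client addresses whose requests were rejected by the http_access rules.
denied_clients() {
    awk '$4 ~ /DENIED/ { print $3 }' "$1" | sort -u
}

# Usage: sh squidlog.sh /var/log/squid/access.log
[ "$#" -eq 0 ] || { cache_stats "$1"; denied_clients "$1"; }
```

On the sample data this reports two hits, two misses, one denied request and 19452 bytes served from cache, and names 10.0.0.5 as the only denied client; a steady stream of denied entries from addresses outside 192.168.10.0/24 would mean something other than the redirect rule is reaching port 3128.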
The minimum Squid configuration is now complete. A portion of the web elements are stored in RAM, and the majority of web elements are stored on the hard drive. We will discuss how to filter and manipulate web traffic using Squid in later sections.
Hope it helps. Linux Rocks!!!
Squidblacklist.org is the world's leading publisher of native acl blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as many other filtering platforms, including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.
There is room for better blacklists, we intend to fill that gap.
It would be our pleasure to serve you.
Signed,
Benjamin E. Nichols
http://www.squidblacklist.org