Squid
Squid web proxy cache is an HTTP and FTP caching proxy server. It stores
the web pages and files fetched through it so that it can serve its
clients the same data from the cache, without going out to the
Internet again, whenever that data is already cached. By default
Squid runs as a caching proxy server on TCP port 3128 and can control
who may use the proxy based on the client host or on user authentication.
It can also filter access to the Internet based on destination port,
destination URL, etc.
With Squid web proxy cache you can control and monitor who is accessing where on the Internet.
Squid proxy Server
In order to configure a server as a Squid proxy server,
the 'squid' rpm must be installed and the service enabled.
# yum install squid
# chkconfig squid on
Squid runs as the 'squid' system daemon, storing cached data in the /var/spool/squid directory. It is configured through the files in the /etc/squid directory and writes its logs (access.log, cache.log) to /var/log/squid.
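The access.log in /var/log/squid is where "who is accessing where" actually gets answered. The following is an added example, not code from this page or from Squid itself: it parses lines in Squid's default native log format (timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, user, hierarchy/peer, content type) and reports the requests Squid denied per client and the CONNECT requests aimed at ports other than 443. The log lines are constructed for the example and the function names are this example's own.

```python
"""Summarise a Squid native-format access.log: denied requests per client and
CONNECT tunnels to unexpected ports. Added example, not code from the page or
from Squid; the log lines below are constructed, the field layout is Squid's
default native format."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample log (ten whitespace-separated fields per line).
SAMPLE_LOG = """\
1300000000.123    120 192.168.1.101 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1300000001.456      0 192.168.1.101 TCP_DENIED/403 3612 CONNECT mail.example.net:25 - NONE/- text/html
1300000002.789     45 192.168.1.102 TCP_HIT/200 1042 GET http://www.example.com/logo.png - NONE/- image/png
1300000003.001      0 10.0.0.5 TCP_DENIED/403 3500 GET http://www.example.com/ - NONE/- text/html
1300000004.321    980 192.168.1.101 TCP_MISS/200 0 CONNECT www.example.com:443 john DIRECT/203.0.113.10 -
1300000005.000      0 192.168.1.103 TCP_DENIED/403 3612 GET http://www.example.com/adult/x.html - NONE/- text/html
"""


@dataclass
class Entry:
    timestamp: float
    client: str
    result: str   # Squid result code, e.g. TCP_MISS, TCP_HIT, TCP_DENIED
    status: int   # HTTP status returned to the client
    method: str
    url: str      # for CONNECT this is "host:port", not a full URL
    user: str     # "-" or the authenticated username when proxy_auth is used


def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], f[7])


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_by_client(entries: Iterable[Entry]) -> Dict[str, int]:
    """Requests Squid refused (TCP_DENIED), counted per client address. A
    client outside localnet or one probing odd ports shows up here."""
    return dict(Counter(e.client for e in entries if e.result == "TCP_DENIED"))


def connect_targets(entries: Iterable[Entry],
                    allowed_ports=(443,)) -> List[Tuple[str, str, int]]:
    """CONNECT requests to ports outside the SSL_ports the ACL is meant to
    allow; with 'http_access deny CONNECT !SSL_ports' these must all be denied."""
    out = []
    for e in entries:
        if e.method != "CONNECT":
            continue
        host, _, port = e.url.rpartition(":")   # Squid logs CONNECT as host:port
        if int(port) not in allowed_ports:
            out.append((e.client, host, int(port)))
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("denied per client:", denied_by_client(entries))
    print("CONNECT to non-SSL ports:", connect_targets(entries))
```

Point the script at a real file with `parse_log(open("/var/log/squid/access.log").read())`; when the `logformat` directive has been changed from the native default, the field positions in `parse_line` need adjusting to match.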
/etc/squid/squid.conf
This is the main configuration file; it determines how
the proxy cache server runs. In this example the nodes on the
192.168.1.0/24 LAN and localhost are allowed to connect through the proxy
to the Internet, but only to the destination ports listed in the 'Safe_ports'
ACL, and CONNECT tunnels are allowed only to port 443.
# cat /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
# Rule allowing access from your local networks.
acl localnet src 192.168.1.0/24
# These acl directives list the destination ports clients may be proxied to (Safe_ports)
# and the ports a CONNECT tunnel may be opened to (SSL_ports).
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost.
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports.
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports.
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user.
http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed.
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy.
http_access deny all
# Squid normally listens to port 3128.
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir.
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
# refresh_pattern [-i] regex min percent max: how long (in minutes) a cached object whose
# URL matches the regex is considered "fresh" and is served without revalidating it with
# the origin server.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Note: a fully documented squid.conf sample file is available at /usr/share/doc/squid-3.1.4/squid.conf.documented.
Once the configuration file is ready, the squid daemon must be started and configured to start at boot.
# /etc/init.d/squid start
# chkconfig squid on
Squid Security
Firewall
Because Squid listens on TCP port 3128 by default, that
port must be opened on the firewall (rule in /etc/sysconfig/iptables syntax).
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
Squid can also be configured in transparent (interception) mode, where the client does not know that it is reaching the Internet through a proxy. In this case the Squid server must be running on the LAN default gateway, and the traffic passing through it with destination port 80 must be redirected to the Squid port, so clients use the proxy cache without being configured to connect to it. For this to work the listening port must also be declared for interception in squid.conf (the 'intercept' flag on the http_port directive in Squid 3.1, called 'transparent' in earlier releases); a plain forward http_port answers intercepted requests with an invalid-URL error.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Do not add the same rule for port 443: redirecting TLS connections to a plain HTTP port does not work, because Squid receives encrypted bytes instead of an HTTP request. Intercepting HTTPS needs a separate https_port with SSL bump, which means Squid terminates the users' TLS sessions with a CA certificate that every client has been made to trust; that is a deliberate man-in-the-middle of all HTTPS traffic and should be a conscious decision, not a side effect of caching.
SElinux
With SELinux enforcing, the default policy lets Squid bind to its own port and connect out to the standard web-related ports (http, https, ftp and so on), which covers most of the Safe_ports list. If clients must reach other destination ports, such as the unregistered 1025-65535 range, the squid_connect_any boolean has to be enabled. Be aware that it lets the squid process connect to any TCP port, so enable it only if you need it, and check the current value with 'getsebool squid_connect_any' first.
# setsebool -P squid_connect_any 1
Host Based Security
Two methods can be used in /etc/squid/squid.conf to allow or
deny client access to the Squid proxy web cache server: matching on
the client IP address or on its MAC address. For example, to allow
access only from the 192.168.1.101 address:
# cat /etc/squid/squid.conf
...
acl node01 src 192.168.1.101/32
...
http_access allow node01
...
http_access deny all
Instead of the IP address the client MAC address can be used with an 'arp' ACL. This only works when the client is on the same Ethernet segment as the proxy, because Squid reads the address from the kernel ARP table and a router in between would present its own MAC; and since a MAC address is trivially changed on the client, this is not a stronger control than the IP-based rule.
# cat /etc/squid/squid.conf
...
acl node01mac arp 00:0C:29:78:97:8C
...
http_access allow node01mac
...
http_access deny all
User Based Security
If access to the Squid web proxy cache should be limited to
certain users, so that only they can reach the Internet, the 'ncsa'
basic authentication helper can be used: the browser prompts for a
username and password and sends them to the proxy, and Squid hands
them to ncsa_auth, which checks them against an htpasswd-style file.
# cat /etc/squid/squid.conf
...
acl localnet src 192.168.1.0/24
...
# NCSA proxy authentication configuration (auth_param must precede the proxy_auth acl).
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
# Users ACL definition: any successfully authenticated user.
acl ncsa_users proxy_auth REQUIRED
# Allow access only to authenticated users coming from localnet.
http_access allow ncsa_users localnet
# Deny the rest.
http_access deny all
Finally, the password file used by ncsa_auth must be created with the 'htpasswd' command, as for HTTP user authentication in Apache. Use '-c' only the first time: it creates the file and overwrites an existing one, so further users are added by running htpasswd without it. The file is made readable by the squid group only, since it holds the password hashes. Note that with Basic authentication the browser sends the username and password base64-encoded, not encrypted, in every request to the proxy, so anyone able to sniff the LAN can read them; this scheme is only acceptable on a trusted network.
# htpasswd -c /etc/squid/passwd john
# chown root:squid /etc/squid/passwd
# chmod 640 /etc/squid/passwd
# /etc/init.d/squid restart
URL Filter
Squid can also filter the sites its clients try to reach. For
example, to deny access to every URL containing the word 'adult',
use a 'url_regex' ACL in the /etc/squid/squid.conf file. The http_access
rules are evaluated in order and the first match wins, so the deny line
must be placed before 'http_access allow localnet'; placed after it, LAN
clients are already allowed by the time it is reached and the filter
does nothing. A url_regex is matched against the whole URL (host, path
and query string), so a bare substring such as 'adult' also hits
unrelated URLs; add '-i' for a case-insensitive match, and prefer the
'dstdomain' ACL type when the goal is to block whole sites.
# cat /etc/squid/squid.conf
...
acl filterurl url_regex adult
...
http_access deny filterurl
...
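To see how the http_access rules of the squid.conf above are applied, and why the placement of the 'deny filterurl' line matters, here is an added example that is not code from this page or from Squid. It models Squid's first-match evaluation for the ACL types used on this page (src, dst, port, method, proto, url_regex) and runs constructed requests through the page's rule list, once with the URL filter placed after 'allow localnet' and once before it. The Request type, the function names and the sample addresses are this example's own, and hostnames are not resolved (so 'dst' only matches IP literals, which is enough for to_localhost).

```python
"""Simulate Squid's http_access evaluation: rules are checked in order and the
first rule whose ACL terms all match decides. Added example (not code from the
page or from Squid): ACL names and rule order copy the squid.conf above; the
Request type and the sample requests are constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Request:
    src: str             # client IP address
    method: str          # GET, CONNECT, ...
    host: str            # destination host as written in the request
    port: int            # destination port
    url: str             # full URL, what url_regex is matched against
    proto: str = "http"  # "cache_object" for cachemgr requests

ACL = Callable[[Request], bool]
Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])

def src_acl(*nets: str) -> ACL:
    networks = [ipaddress.ip_network(n) for n in nets]
    return lambda r: any(ipaddress.ip_address(r.src) in n for n in networks)

def dst_acl(*nets: str) -> ACL:
    networks = [ipaddress.ip_network(n) for n in nets]
    def match(r: Request) -> bool:
        try:
            ip = ipaddress.ip_address(r.host)
        except ValueError:  # hostname: real Squid resolves it first, this model does not
            return False
        return any(ip in n for n in networks)
    return match

def port_acl(*specs: str) -> ACL:  # each spec is "80" or a range "1025-65535"
    ranges = [(int(s.partition("-")[0]), int(s.partition("-")[2] or s)) for s in specs]
    return lambda r: any(lo <= r.port <= hi for lo, hi in ranges)

def url_regex_acl(pattern: str, flags: int = 0) -> ACL:
    rx = re.compile(pattern, flags)
    return lambda r: rx.search(r.url) is not None

# ACL definitions from the squid.conf above ('all' is predefined in Squid) plus 'filterurl'.
ACLS: Dict[str, ACL] = {
    "all": lambda r: True,
    "manager": lambda r: r.proto == "cache_object",
    "localhost": src_acl("127.0.0.1/32", "::1/128"),
    "to_localhost": dst_acl("127.0.0.0/8", "0.0.0.0/32", "::1/128"),
    "localnet": src_acl("192.168.1.0/24"),
    "SSL_ports": port_acl("443"),
    "Safe_ports": port_acl("80", "21", "443", "70", "210", "1025-65535",
                           "280", "488", "591", "777"),
    "CONNECT": lambda r: r.method.upper() == "CONNECT",
    "filterurl": url_regex_acl("adult"),
}

# The http_access lines from the squid.conf above, in their original order.
PAGE_RULES: List[Rule] = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["to_localhost"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def term_matches(term: str, req: Request) -> bool:
    negated = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negated

def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """(action, matching line); with no match Squid applies the opposite of
    the last rule's action, which is why the list must end in 'deny all'."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    default = "deny" if rules and rules[-1][0] == "allow" else "allow"
    return default, "implicit default (opposite of the last rule)"

def with_url_filter(rules: List[Rule], before_localnet: bool) -> List[Rule]:
    """Insert 'http_access deny filterurl' just before or just after 'allow localnet'."""
    idx = rules.index(("allow", ["localnet"])) + (0 if before_localnet else 1)
    return rules[:idx] + [("deny", ["filterurl"])] + rules[idx:]

# Constructed sample requests; 192.168.1.50 is inside localnet, 10.0.0.5 is not.
LAN_GET = Request("192.168.1.50", "GET", "www.example.com", 80, "http://www.example.com/")
LAN_CONNECT_8443 = Request("192.168.1.50", "CONNECT", "www.example.com", 8443, "www.example.com:8443")
LAN_TO_LOOPBACK = Request("192.168.1.50", "GET", "127.0.0.1", 8080, "http://127.0.0.1:8080/admin")
OUTSIDER_GET = Request("10.0.0.5", "GET", "www.example.com", 80, "http://www.example.com/")
LAN_FILTERED = Request("192.168.1.50", "GET", "www.example.com", 80, "http://www.example.com/adult/index.html")

if __name__ == "__main__":
    for req in (LAN_GET, LAN_CONNECT_8443, LAN_TO_LOOPBACK, OUTSIDER_GET):
        print(f"{req.method:8}{req.url:40} -> {evaluate(PAGE_RULES, req)}")
    for before in (False, True):
        print("deny filterurl", "before" if before else "after", "allow localnet ->",
              evaluate(with_url_filter(PAGE_RULES, before), LAN_FILTERED)[0])
```

The loopback case is the one the default comment about "innocent web applications running on the proxy server" refers to: port 8080 is inside the Safe_ports range, so only the 'deny to_localhost' line stops a LAN client from using the proxy to reach a service bound to 127.0.0.1 on the proxy host. The last loop shows the same 'adult' request allowed or denied purely depending on where the filter line sits.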
Squid Client
One way to make a client use the Squid proxy to reach the
Internet is to configure the web browser (here Firefox) to connect
through the proxy server. For example, with Firefox and a Squid proxy
running on 192.168.1.10 port 3128:
Edit --> Preferences --> Network --> Connection --> Settings
Manual Proxy Configuration
Proxy HTTP 192.168.1.10 Port 3128
When using a text-mode web browser such as 'elinks', the browser is pointed at the proxy cache through the 'http_proxy' environment variable.
# export http_proxy=http://192.168.1.10:3128
# elinks http://www.linux-library.in