Setting up Transparent Squid Proxy: Difference between revisions
No edit summary |
(added some templates) |
||
Line 1: | Line 1: | ||
This document covers how to set up squid as a transparent proxy server. | This document covers how to set up squid as a transparent proxy server. | ||
The following is assumed: | The following is assumed: | ||
* You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later. | * You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later. | ||
* Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered here | * Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered [http://wiki.squid-cache.org/SquidFaq/InterceptionProxy here]. | ||
** In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure | ** In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure your intercepting router to DNAT traffic. | ||
=== Install Squid === | === Install Squid === | ||
{{Cmd|apk add acf-squid}} | |||
Configure squid with at least the following configuration: | Configure squid with at least the following configuration: | ||
{{Note|substitute '''proxy.example.com''' and the '''mynet''' acl for your own desired hostname and network subnet respectively}} | |||
<pre> | <pre> | ||
Line 110: | Line 109: | ||
Check squid with: | Check squid with: | ||
{{Cmd|squid -k reconfigure}} | |||
Start squid: | Start squid: | ||
{{Cmd|/etc/init.d/squid start}} | |||
Add squid to boot-up sequence: | Add squid to boot-up sequence: | ||
rc-update add squid default | {{Cmd|rc-update add squid default}} | ||
Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients. | Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients. | ||
Line 124: | Line 123: | ||
If you are running shorewall, add this to your /etc/shorewall/rules file: | If you are running shorewall, add this to your /etc/shorewall/rules file: | ||
{{Note|Substitute '''loc''' and '''dmz:172.16.1.2:8080''' for your client subnet zone and proxy server zone and IP as defined in /etc/shorewall/zones.}} | |||
<pre> | |||
## This forces all web traffic to be redirected to the proxy on port 8080 | |||
DNAT loc dmz:172.16.1.2:8080 tcp 80 | |||
</pre> | |||
And restart shorewall with: | And restart shorewall with: | ||
{{Cmd|shorewall check}} | |||
{{Cmd|shorewall restart}} |
Revision as of 15:24, 23 July 2010
This document covers how to set up squid as a transparent proxy server.
The following is assumed:
- You have already install a server running Alpine Linux as a base, with Alpine 1.10.6 or later.
- Your proxy server will reside in a DMZ zone, separated from the network segment your clients are in. Other implementations are covered here.
- In order to transparently redirect web traffic from your clients to the proxy server in the DMZ, you will need to configure your intercepting router to DNAT traffic.
Install Squid
apk add acf-squid
Configure squid with at least the following configuration:
# This makes squid transparent http_port 8080 transparent visible_hostname proxy.example.com cache_mem 8 MB cache_dir aufs /var/cache/squid 900 16 256 # Even though we only use one proxy, this line is recommended # More info: http://www.squid-cache.org/Versions/v2/2.7/cfgman/hierarchy_stoplist.html hierarchy_stoplist cgi-bin ? # Keep 7 days of logs logfile_rotate 7 access_log /var/log/squid/access.log squid cache_store_log none pid_filename /var/run/squid.pid # Web auditors want to see the full uri, even with the query terms strip_query_terms off refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 coredump_dir /var/cache/squid # # Authentication # # Optional authentication methods (NTLM, etc) can go here # # Access Control Lists (ACL's) # # These settings are recommended by squid acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] upgrade_http0.9 deny shoutcast acl apache rep_header Server ^Apache broken_vary_encoding allow apache # Standard ACL settings acl QUERY urlpath_regex cgi-bin \? asp aspx jsp acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 8004 9000 acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1024 1022 1025-65535 acl purge method PURGE acl CONNECT method CONNECT # Require authentication #acl userlist proxy_auth REQUIRED acl userlist src 0.0.0.0/0.0.0.0 # Definition of network subnets acl mynet src 192.168.0.0/24 # # Access restrictions # cache deny QUERY # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Only allow purge requests from localhost http_access allow purge localhost http_access deny purge # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # Allow hosts in mynet subnet to access the entire Internet without being # authenticated http_access allow mynet # Denying all access not explicitly allowed http_access deny all http_reply_access allow all icp_access allow all
Check squid with:
squid -k reconfigure
Start squid:
/etc/init.d/squid start
Add squid to boot-up sequence:
rc-update add squid default
Remember to add port 8080 to the permitted ports clients can connect on to any firewalls on your proxy server or inbetween the proxy and the clients.
If you are running an Alpine Linux firewall on the firewall separating the Proxy from the clients, you will need to redirect all traffic from your client subnet on port 80 to the proxy server on port 8080 to allow web traffic to be proxied.
If you are running shorewall, add this to your /etc/shorewall/rules file:
## This forces all web traffic to be redirected to the proxy on port 8080 DNAT loc dmz:172.16.1.2:8080 tcp 80
And restart shorewall with:
shorewall check
shorewall restart