Squid is caching proxy server, which improves the bandwidth and the reponse time by caching the recently requested web pages. Now a days many servers in the world are configured with squid in order to provide high delivery speeds to the clients. Configuring the squid in transparent mode, special configuartion is not required on the client side. All the requests originatinating from client and going to internet on port 8 are automatically redirected by proxy. !epending on the requirement we need to configure the squid as transparent or non transparent proxy. "his lab aims to enable readers implement a #roxy server in the networ$ so that other users of the %AN can leverage the functionalities of accessing internet through proxy. Prerequisite %atest version of Squid should be used.&version '.( or greater) A web server for testing purpose which can be used instead of *nternet. Squid +ersion greater than '., is required for "ransparent squid proxy configuartion in this lab. Estimated Completion Time 8( -inutes Lab Setup Reference Diagram Warning It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques and that you advise your facilities network and computer operations teams of your testing schedule. Disclaimer The information on this site is for educational purposes only. The author of this article and/or C- DAC cannot be held responsible for any act(s) any person(s) has (have) done as a result of reading this article. Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad Squid #roxy Server N*C121/'.1,8.,.3 N*C'21/'.1,8.8.1 4ebserver5*ntern et 1/'.1,8.8.' Client #C 1/'.1,8.,.( ntroduction! !uring the period of development of internet, users are allowed for unlimited access to the resources due to less number of users. So there were less issues related to accessing speed over internet. 4ith the increase in internet usage, many issues raised related to accessing speed, effective bandwidth utilisation etc . 6ne method of overcoming these issues is, maintaining a copy of webpage visited by a user in the cache so that the other user who visits the same webpage will access the same website with in a short period of time. "his method not only increases the accessing speed but also helps in utilising the bandwidth effectively. "he above said functionality, can be achieved by maintaining a proxy server through which all the users in the organisation or a group access the internet. "he most widely used proxy server in %inux is Squid #roxy, which is a free software released 7eneral #ublic %icense. Squid provides proxy and cache services for "yper Text Transfer Protocol &0""#), #ile Transfer Protocol &8"#), and various other protocols. "o configure a system as a proxy server, one should have a sufficient amount of memory for maintaining the cache which inturn increase the performance. $ote! *n case if the internet connection is not available, setup one host as a web server in place of internet and assign the ipaddress to the proxy server networ$ interface in the networ$, used by webserver instead of public ip address assigned to that interface. Lab %! nstalling t&e Squid Proxy 'Estimated Completion Time! %( mins)
!ownload the squid proxy related rpm pac$age from the internet which has an extension .rpm* %i$e for example, squid+,*-*ST./LE0+1*2E*%,*i130*rpm* Now through the command prompt, go to location where the squid pac$age is present and issue the following command at the command prompt as shown below. root4boss5678rpm 9ivh squid+,*-*ST./LE0+1*2E*%,*i130*rpm Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad Lab ,! .ccessing t&e Proxy Server configuration file 'Estimated Completion Time! , mins) "o configure squid proxy server we need to edit the 5etc9squid9squid*conf file and the default location of squid*conf file varies from distribution to distribution and from version to version. 4e can edit the configuration file using vi editor through command prompt. Example! root4boss5678vi 9etc9squid9squid*conf "hen the content of the configuration file can be viewed as shown below in the figure.
$ote 2 "o add5 modify data of a configuration file using vi editor window press i to go in to the insert mode and the same can be noticed at the bottom of the vi editor window. Lab 1! Editing t&e squid configuration file ' Estimated Completion Time! %- mins) %* Providing a name for t&e proxy server mac&ine* "o specify a hostname for the proxy server in the squid.conf file, locate the variable visible:&ostname and specifiy the hostname in the format shown below in the example. Example! visible:&ostname proxy.cdac.in
$ote 2 *n the above example, instead of proxy*cdac*in specify the hostname of your machine. Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad
,. Specifying t&e interface and port number on ;&ic& t&e proxy server s&ould listen* :y default, the proxy server will listen on all the available networ$ interfaces on the system for requests. 8or ;xample, if one interface card is assigned a public ip from which it is connected to internet and the other interface card is assigned an ip address which belongs to your local area networ$. "hen in order to ma$e you proxy server to listen for requests from your %ocal Area Networ$ through aparticular port, then change the variable &ttp:port 1%,3 in the squid configuration file to desired ipaddress and port number in the format shown below. &ttp:port <ip address belonging to L.$=!<port number= Example! 8or example, if your proxy server has an ip address 1/'.1,8.,.3 which belongs to the local area networ$ 1/'.1,8.,.5'< and you want the server to listen for requests from your %AN through a particular port say =<(,, then you can change the variable &ttp:port as shown. http>port 1/'.1,8.,.32=<(,
1. .ssigning .ccess Controls :y default, no user machine is allowed to connect to the proxy server except the localhost. "o allow the local machines access your proxy server, locate the acl section in the squid configuration file starting with acl and at the end of the last acl line specify your access control. 8or example to allow local area networ$ 1/'.1,8.,.5'< machines to access your proxy server, specify the acl as acl mylan src %>,*%03*0(*(9,--*,--*,--*(
*n the above example, mylan specifies the name of my access control. 4e can specify any name other than my lan for access control. src specifies the source networ$.
2* .llo; or Deny based on .ccess Control* After specifying the access control for your local %AN, we need to provide allow permission for the specified %AN using &ttp:access variable in the squid configuration file as shown in the example below. Example! "o allow the above specified access control & i.e acl mylan src 1/'.1,8.,.5'((.'((.'((.), we need to specify the http>access variable as Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad &ttp:access allow mylan 0ere mylan specifies the access control used. Suppose if we want to allow all the networ$s except the 1/'.1,8.,.5'< networ$ to access the proxy then we can specify the http>access variable as &ttp:access deny ?mylan *n the above line, ?mylan specifies except mylan networ$. $ote! "he above specified http>access variable should be specified before the line &ttp:access deny all in the configuration file. Saving t&e c&anges and exit t&e vi Editor
After ma$ing appropriate changes to your configuration file exit the vi editor window by pressing Esc followed by !;q?* 0ere wq specifies save changes and exit the configuration file. Starting t&e squid proxy services "o start the squid proxy services, at the command prompt type 9etc9init*d9squid start "he other options that can be used instead of start are , stop, reload and force9 reload. Start and stop options are used to start and stop services. reload and force9reload are used to reload the contents of configuration file incase of modifications done to configuration file. Testing t&e Squid configuartion
"o test the squid configuration, open a browser in any one of the pc in local area networ$ or on the proxy server and specify the proxy settings as the ipaddress of the proxy server and port on which it is listening for requests. 8or example, in firefox web browser if we want to set the proxy settings in the browser window goto Edit 99?Preferences and window similar to shown below will be displayed.
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad Now select .dvanced tab, and under advanced tab clic$ on $et;or@ tab and clic$ on Settings option under Connection field. "hen a window similar to the shown below will be displayed. then clic$ o$ to save changes and exit the connection settings window and #references window. After type some website and chec$ whether you are able to view the webpage. Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad ) Configuring squid as a Transparent Proxy $ote2 "o configure squid #roxy as a "ransparent #roxy, squid pac$age '., or greater is used. 1."o Configure Squid proxy as a "ransparent proxy, modify the squid configuartion file as shown below. &ttp:port %>,*%03*0(*A(!3(3( transparent '."o redirect the client requests going to internet on port 8 through the proxy, configure the iptables by issuing the following command at the terminal prompt.
8iptables +t nat +. PRERBCT$D +i et&% +p tcp ++dport 3( +E REDRECT ++to+port 3(3( =.Now restart the squid service by issuing following command at the terminal prompt. 89etc9init*d9iptables restart <.Also enable ip forwarding, by typing the following command at the terminal prompt. 8ec&o % Fcat =9proc9sys9net9ipv29ip:for;ard (.Now on the client side, specify the default gateway ipaddress as the proxy server ip address and do not configure any proxy settings in the client side browser. ,.Now to try to access the web browser which was setup for testing from the client machine. Transparent Proxy s&ould not be used in t&e follo;ing situation 1.4hen https sites needs to be filtered. '.4hen proxy authentication is enabled. =.4hen local !NS servers are not available. Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad