Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Linux Squid Proxy Server - Information Security Awareness

advertisement 
Linux Squid Proxy Server
Descriptions and Purpose of Lab Exercise
Squid is caching proxy server, which improves the bandwidth and the reponse time by
caching the recently requested web pages. Now a days many servers in the world are
configured with squid in order to provide high delivery speeds to the clients. Configuring
the squid in transparent mode, special configuartion is not required on the client side. All
the requests originatinating from client and going to internet on port 80 are automatically
redirected by proxy. Depending on the requirement we need to configure the squid as
transparent or non transparent proxy. This lab aims to enable readers implement a Proxy
server in the network so that other users of the LAN can leverage the functionalities of
accessing internet through proxy.
Prerequisite
•Latest version of Squid should be used.(version 2.5 or greater)
•A web server for testing purpose which can be used instead of Internet.
•Squid Version greater than 2.6 is required for Transparent squid proxy configuartion in
this lab.
Estimated Completion Time
85 Minutes
Lab Setup Reference Diagram
Client PC
192.168.60.50
Squid Proxy Server
NIC1:192.168.60.70
NIC2:192.168.80.1
Webserver/Intern
et
192.168.80.2
Warning
It is imperative that you get written permission from the proper authority in your organization
before using these tools and techniques and that you advise your facilities network and computer
operations teams of your testing schedule.
Disclaimer
The information on this site is for educational purposes only. The author of this article
and/or C- DAC cannot be held responsible for any act(s) any person(s) has (have) done as a
result of reading this article.
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
Introduction:
●
●
●
●
●
During the period of development of internet, users are allowed for unlimited access
to the resources due to less number of users. So there were less issues related to
accessing speed over internet.
With the increase in internet usage, many issues raised related to accessing speed,
effective bandwidth utilisation etc . One method of overcoming these issues is,
maintaining a copy of webpage visited by a user in the cache so that the other user
who visits the same webpage will access the same website with in a short period of
time. This method not only increases the accessing speed but also helps in utilising
the bandwidth effectively.
The above said functionality, can be achieved by maintaining a proxy server through
which all the users in the organisation or a group access the internet. The most
widely used proxy server in Linux is Squid Proxy, which is a free software released
General Public License.
Squid provides proxy and cache services for Hyper Text Transfer Protocol (HTTP),
File Transfer Protocol (FTP), and various other protocols.
To configure a system as a proxy server, one should have a sufficient amount of
memory for maintaining the cache which inturn increase the performance.
Note:
In case if the internet connection is not available, setup one host as a web server in
place of internet and assign the ipaddress to the proxy server network interface in the
network, used by webserver instead of public ip address assigned to that interface.
Lab 1: Installing the Squid Proxy (Estimated Completion Time: 10 mins)
Download the squid proxy related rpm package from the internet which has an
extension .rpm. Like for example, squid-2.5.STABLE6-3.4E.12.i386.rpm. Now
through the command prompt, go to location where the squid package is present and issue
the following command at the command prompt as shown below.
root@boss[~]#rpm -ivh squid-2.5.STABLE6-3.4E.12.i386.rpm
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
Lab 2: Accessing the Proxy Server configuration file (Estimated Completion
Time: 2 mins)
To configure squid proxy server we need to edit the /etc/squid/squid.conf file
and the default location of squid.conf file varies from distribution to distribution and
from version to version. We can edit the configuration file using vi editor through
command prompt.
Example:
root@boss[~]#vi /etc/squid/squid.conf
Then the content of the configuration file can be viewed as shown below in the figure.
Note :
To add/ modify data of a configuration file using vi editor window press i to go in to the
insert mode and the same can be noticed at the bottom of the vi editor window.
Lab 3: Editing the squid configuration file ( Estimated Completion Time: 15
mins)
1. Providing a name for the proxy server machine.
To specify a hostname for the proxy server in the squid.conf file, locate the
variable visible_hostname and specifiy the hostname in the format shown below in the
example.
Example:
visible_hostname proxy.cdac.in
Note :
In the above example, instead of proxy.cdac.in specify the hostname of your machine.
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
2. Specifying the interface and port number on which the proxy server
should
listen.
By default, the proxy server will listen on all the available network interfaces on
the system for requests. For Example, if one interface card is assigned a public ip from
which it is connected to internet and the other interface card is assigned an ip address
which belongs to your local area network. Then in order to make you proxy server to
listen for requests from your Local Area Network through aparticular port, then change the
variable http_port 3128 in the squid configuration file to desired ipaddress and port
number in the format shown below.
http_port <ip address belonging to LAN>:<port number>
Example: For example, if your proxy server has an ip address 192.168.60.70 which
belongs to the local area network 192.168.60.0/24 and you want the server to listen for
requests from your LAN through a particular port say 3456, then you can change the
variable http_port as shown.
http_port 192.168.60.70:3456
3. Assigning Access Controls
By default, no user machine is allowed to connect to the proxy server except
the localhost. To allow the local machines access your proxy server, locate the acl section in
the squid configuration file starting with acl and at the end of the last acl line specify your
access control.
For example to allow local area network 192.168.60.0/24 machines to access your proxy
server, specify the acl as
acl mylan src 192.168.60.0/255.255.255.0
In the above example, mylan specifies the name of my access control. We can specify any
name other than my lan for access control. src specifies the source network.
4. Allow or Deny based on Access Control.
After specifying the access control for your local LAN, we need to
provide allow permission for the specified LAN using http_access variable in the squid
configuration file as shown in the example below.
Example:
To allow the above specified access control ( i.e acl mylan src
192.168.60.0/255.255.255.0), we need to specify the http_access variable as
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
http_access allow mylan
Here mylan specifies the access control used. Suppose if we want to allow all the networks
except the 192.168.60.0/24 network to access the proxy then we can specify the
http_access variable as
http_access deny !mylan
In the above line, !mylan specifies except mylan network.
Note:
The above specified http_access variable should be specified before the line http_access deny all
in the configuration file.
●
Saving the changes and exit the vi Editor
After making appropriate changes to your configuration file exit the vi editor
window by pressing Esc followed by :wq!. Here wq specifies save changes and exit the
configuration file.
●
Starting the squid proxy services
To start the squid proxy services, at the command prompt type
/etc/init.d/squid start
The other options that can be used instead of start are , stop, reload and forcereload. Start and stop options are used to start and stop services. reload and force-reload
are used to reload the contents of configuration file incase of modifications done to
configuration file.
●
Testing the Squid configuartion
To test the squid configuration, open a browser in any one of the pc in local area
network or on the proxy server and specify the proxy settings as the ipaddress of the proxy
server and port on which it is listening for requests. For example, in firefox web browser if
we want to set the proxy settings in the browser window goto Edit -->Preferences and
window similar to shown below will be displayed.
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
Now select Advanced tab, and under advanced tab click on Network tab and click on
Settings option under Connection field. Then a window similar to the shown below will be
displayed.
then click ok to save changes and exit the connection settings window and Preferences
window. After type some website and check whether you are able to view the webpage.
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
II ) Configuring squid as a Transparent Proxy
Note: To configure squid Proxy as a Transparent Proxy, squid package 2.6 or
greater is used.
1.To Configure Squid proxy as a Transparent proxy, modify the squid configuartion file as
shown below.
http_port 192.168.60.70:8080 transparent
2.To redirect the client requests going to internet on port 80 through the proxy, configure
the iptables by issuing the following command at the terminal prompt.
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
3.Now restart the squid service by issuing following command at the terminal prompt.
#/etc/init.d/iptables restart
4.Also enable ip forwarding, by typing the following command at the terminal prompt.
#echo 1 |cat >/proc/sys/net/ipv4/ip_forward
5.Now on the client side, specify the default gateway ipaddress as the proxy server ip
address and do not configure any proxy settings in the client side browser.
6.Now to try to access the web browser which was setup for testing from the client
machine.
Transparent Proxy should not be used in the following situation
1.When https sites needs to be filtered.
2.When proxy authentication is enabled.
3.When local DNS servers are not available.
Copyright © 2009, Centre for Development of Advanced Computing, Hyderabad
Related documents
The Impact Map
The Impact Map
Information and Educational Technology University of California, Davis
Information and Educational Technology University of California, Davis
Mock AFM (Atomic Force Microscope) powerpoint
Mock AFM (Atomic Force Microscope) powerpoint
Energy Flow in Ecosystems Enrich C4L2
Energy Flow in Ecosystems Enrich C4L2
upside-down
upside-down
The right to information Any person has the right to obtain detailed
The right to information Any person has the right to obtain detailed
FRESHWATER BIOLOGICAL ASSOCIATION
FRESHWATER BIOLOGICAL ASSOCIATION
access request for adult proxy
access request for adult proxy
HTTP Error 407 - Proxy authentication required
HTTP Error 407 - Proxy authentication required
Download
advertisement