
Deploying Transparent Web Proxy Server using Squid 2.7STABLE9

It is expected that the reader has at least one year of Linux experience and is comfortable on the terminal. The purpose of this document is to give Linux professionals a practical guide to deploying a reasonably secure, transparent Squid in their infrastructure. The squid RPM shipped with the distribution is an easy start, but for a system administrator it may be insufficient, since it can lack advanced features such as delay pools (bandwidth control) and transparent interception. In this document we download Squid 2.7STABLE9 from www.squid-cache.org and compile it with the options we need.

Step 1: Download Squid 2.7STABLE9 from www.squid-cache.org, copy the downloaded .tar.gz file into /tmp and perform the following steps:

a. Open a terminal
b. cd /tmp
c. mv downloadedfilename.tar.gz squid27.tar.gz
d. tar zxvf squid27.tar.gz
e. cd squid-2.7.STABLE9 (the directory the archive extracts into; renaming the tarball does not rename it)

Once you are in the squid source directory, a plain ./configure builds squid in default mode. Since our goal is a build with advanced options, I configured squid with the switches below according to my needs. I strongly suggest that you run ./configure --help and read the description of each switch before proceeding. In particular, --enable-linux-netfilter is what makes the transparent option on http_port work, --enable-delay-pools provides the bandwidth control used later, and if you keep --enable-snmp review snmp_access in squid.conf so the SNMP agent is not reachable from outside your network.

Code:
./configure --enable-storeio=diskd,aufs,ufs --enable-removal-policies=lru,heap --enable-delay-pools --enable-snmp --enable-arp-acl --enable-cache-digests --enable-linux-netfilter --disable-ident-lookups --enable-auth=basic --enable-basic-auth-helpers=NCSA --with-maxfd=8192 --enable-default-err-language=English --enable-err-languages=English && echo Configuration successful

When configure finishes without error you should see the Configuration successful message on the screen. Then compile:

Code:
make && echo Make Successful

and install (this step needs root, since it writes under /usr/local):

Code:
make install && echo Installation complete

If all the messages appear, squid is completely installed.
By default, squid places its files under /usr/local/squid. Moreover, the service squid start/stop command is not available with a source build; I shall write another small document on that topic, but for now we need to know how to start and stop squid by hand. Before starting squid, we need to configure user permissions and cache directories. When squid is installed from source, no squid user or group exists on the machine, so you have to create them if you want to use them; the default user and group nobody can serve the same purpose, although a dedicated squid user is preferable because nobody is shared with other unprivileged daemons on the box.

To set the cache effective user, type vi /usr/local/squid/etc/squid.conf and search for the word nobody. The default value of cache_effective_user is nobody; you can replace it with squid if you created that user. After setting the user, search for cache_dir ufs. On my machine the default is /usr/local/squid/var/cache 3000 64 512 (path, size in MB, number of first-level and second-level subdirectories). You can change the path and the settings, but remember that the directory must be readable and writable by the user squid runs as (nobody or squid). Having verified the physical path, it is time to set the permissions. In my environment I use nobody, so the commands below are for that user. Type cd /usr/local/squid/var and then ll to view the existing directories; there should be two, logs and cache. If either is missing, create it manually:

Code:
mkdir dirname

Give both directories to user nobody (chown sets the owner, chmod the mode):

Code:
chown -R nobody:nobody cache
chmod -R 775 cache
chown -R nobody:nobody logs
chmod -R 775 logs

Nothing other than squid needs to write to these directories, so a tighter mode such as 750 also works.

To create the cache directory structure run:

Code:
/usr/local/squid/sbin/squid -z

Squid creates the necessary subdirectories in the cache folder. After this, the basic configuration of squid is complete; we can proceed to the detailed configuration.

Start squid:
/usr/local/squid/sbin/squid -D

To verify that squid is running, type ps aux | grep squid. This should show the squid parent process as well as the child process.

Stop squid:
/usr/local/squid/sbin/squid -k shutdown

To verify that squid has finished, type ps aux | grep squid again. This time no squid process should be listed.

Note: Add the following three lines to rc.local. The first starts squid automatically at boot; the other two load the FTP connection-tracking and NAT helper modules so that clients behind the NAT can use FTP sites without problems (on newer kernels these modules are named nf_conntrack_ftp and nf_nat_ftp).

Code:
echo "/usr/local/squid/sbin/squid -D" >> /etc/rc.local
echo "modprobe ip_conntrack_ftp" >> /etc/rc.local
echo "modprobe ip_nat_ftp" >> /etc/rc.local
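Since a source build ships no service script, the following is an added example of a small start/stop wrapper around the commands above; it is not part of the original document or of the Squid project. It assumes the /usr/local/squid prefix used in this guide (override SQUID_BIN in the environment otherwise) and only wraps squid's own -D, -k shutdown, -k parse, -k reconfigure and -k check switches; the parse step before reconfigure exists so that a typo in squid.conf is caught before it can take the running proxy down.

```shell
#!/bin/sh
# Added example (not from the original document): a minimal start/stop/reload/
# status wrapper for a source-built squid. Assumed install prefix below;
# override SQUID_BIN in the environment to point elsewhere.
SQUID_BIN="${SQUID_BIN:-/usr/local/squid/sbin/squid}"

# squidctl <start|stop|reload|status>
# Returns the exit status of the squid command it ran, 1 when status finds
# no running squid, or 2 on bad usage.
squidctl() {
    case "$1" in
        start)
            # -D skips the start-up DNS test, as in the page's own start command
            "$SQUID_BIN" -D
            ;;
        stop)
            "$SQUID_BIN" -k shutdown
            ;;
        reload)
            # Parse the config first; only signal the running squid if it is clean
            "$SQUID_BIN" -k parse && "$SQUID_BIN" -k reconfigure
            ;;
        status)
            # -k check exits 0 if a running squid accepted the signal
            if "$SQUID_BIN" -k check 2>/dev/null; then
                echo "squid is running"
            else
                echo "squid is not running"
                return 1
            fi
            ;;
        *)
            echo "usage: squidctl {start|stop|reload|status}" >&2
            return 2
            ;;
    esac
}
```

Source the file and call squidctl start, squidctl reload and so on; the rc.local line above can then be replaced by a call to squidctl start.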

Applying basic squid configuration

a. Define basic rules of http access
b. Authorize additional safe ports
c. Control bandwidth with delay pools

Type vi /usr/local/squid/etc/squid.conf and apply the following settings.

a. Define basic rules of http access

Port settings (bind to the LAN address only, so squid does not listen on the outside interface; the transparent option requires the --enable-linux-netfilter build switch from Step 1):

Code:
http_port 10.1.1.1:3128 transparent

General settings:

Code:
visible_hostname main_it_center
cache_mgr webmaster

ACL settings. Squid evaluates http_access lines from top to bottom and stops at the first match, so the blocklist deny comes first, and the stock http_access deny all must stay the last http_access line: if no line matches, squid applies the opposite of the last line, so without it the list would fall open. Lists read from a file must be given as a quoted path:

Code:
acl blocklist url_regex -i "/usr/local/squid/etc/blocklist.txt"
http_access deny blocklist
acl singleip src 10.1.1.4
http_access allow singleip
acl someips src 10.1.1.5 10.1.1.7 10.1.1.15
http_access allow someips
acl manyips src "/usr/local/squid/etc/many.txt"
http_access allow manyips
http_access allow localhost

b. Authorize additional safe ports

Search for Safe_ports and add the following ports before the line acl CONNECT method CONNECT (the port comments below give the actual services; 993 and 143 are IMAP, not SMTP or POP3):

Code:
acl Safe_ports port 995 # POP3 over SSL (e.g. Gmail)
acl Safe_ports port 587 # SMTP submission (e.g. Gmail)
acl Safe_ports port 465 # SMTP over SSL (e.g. Gmail)
acl Safe_ports port 993 # IMAP over SSL (e.g. Gmail)
acl Safe_ports port 25 # SMTP
acl Safe_ports port 110 # POP3
acl Safe_ports port 143 # IMAP

Caveat: Safe_ports only controls which destination ports squid will relay plain HTTP requests to, and it only matters for clients that explicitly point at the proxy; intercepted traffic is port 80 only. The stock squid.conf deliberately leaves 25, 110 and 143 out of Safe_ports, because a proxy that relays to port 25 can be abused to push mail at remote SMTP servers. Add them only if you actually need them, and keep the src ACLs above tight.

c. Control bandwidth with delay pools

A very simple rule that reduces the bandwidth available to the listed IPs; all other IPs receive full bandwidth. For a class 1 pool, delay_parameters is restore-rate/maximum in bytes per second and bytes, so 12000/24000 is roughly 12 KB/s with a 24 KB burst, shared by the whole group (class 1 is one aggregate bucket, not a per-address limit; use class 2 or 3 for per-host limits). The list file path only has to match where you keep the file; since this build lives under /usr/local/squid you may prefer /usr/local/squid/etc next to the other ACL files.

Code:
acl ipgroup src "/etc/squid/delayedips"
delay_pools 1
delay_class 1 1
delay_parameters 1 12000/24000
delay_access 1 allow ipgroup
delay_access 1 deny all

Configure iptables

Configuring iptables is what makes the proxy transparent: the PREROUTING rule redirects port 80 traffic arriving on the LAN interface (eth1) to squid, and the MASQUERADE rule NATs everything else out of the upstream interface (eth0). It is this NAT rule, not the proxy, that lets messengers and mail clients reach the internet without any proxy settings. The service commands are those of RHEL/CentOS.

Code:
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Configure IP forwarding

vi /etc/sysctl.conf and change the value of net.ipv4.ip_forward to 1:

net.ipv4.ip_forward = 1

Save the file and run sysctl -p to apply the new settings.

Note: To apply squid.conf changes while squid is running, use /usr/local/squid/sbin/squid -k reconfigure.

The transparent squid is now configured: browsers no longer need a proxy address, and Outlook and similar mail clients reach their servers through the NAT rule rather than through the proxy.
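As an added example, not taken from the original document, here are the same two NAT rules tightened the way I would deploy them: the redirect is limited to the LAN subnet, and the proxy port is accepted only from the LAN and loopback and dropped from everywhere else, so the box cannot be used as an open proxy even if it is reachable on another interface. The interface names and the 10.1.1.0/24 subnet are assumptions taken from the addresses used in this guide; all of them can be overridden in the environment. build_rules only prints the commands, which lets you review them before apply_rules runs them.

```shell
#!/bin/sh
# Added example (not from the original document): transparent-proxy firewall
# rules for the topology in this guide. Interfaces, subnet and port are
# assumptions; override them in the environment.
LAN_IF="${LAN_IF:-eth1}"            # interface facing the clients
WAN_IF="${WAN_IF:-eth0}"            # interface facing the upstream link
LAN_NET="${LAN_NET:-10.1.1.0/24}"   # assumed client subnet (guide uses 10.1.1.x)
PROXY_PORT="${PROXY_PORT:-3128}"    # must match http_port in squid.conf

# Emit one iptables command per line; nothing is applied here.
# Order matters: the LAN ACCEPT for the proxy port must precede the final DROP.
build_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A INPUT -i lo -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $PROXY_PORT -j DROP
EOF
}

# Apply the rules, enable forwarding and load the FTP helpers.
# Run once on a clean ruleset (or flush first): appending twice duplicates rules.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        # unquoted on purpose: each line is a full command with its arguments
        $rule || exit 1
    done || return 1
    sysctl -w net.ipv4.ip_forward=1
    # Newer kernels use the nf_ names; fall back to the ip_ names from the guide.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
}
```

After apply_rules succeeds, persist the ruleset with service iptables save as in the section above.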
