Linux: Setup a transparent proxy with Squid in three easy steps

Posted by Vivek Gite [Last updated: December 5, 2007]

Yesterday I got a chance to play with Squid and iptables. My job was simple: set up a Squid proxy as a transparent server.

The main benefit of a transparent proxy is that you do not have to set up each individual browser to work with the proxy.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for Squid).
ii) Eth0: IP: 192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network, around 150 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 4.0 (the following instructions should work with Debian and all other Linux distros)

Eth0 is connected to the Internet and eth1 to the local LAN, i.e. the system acts as a router.

Server Configuration

First, install the Squid server (use up2date squid) and configure it by adding the following directives to the config file:
# vi /etc/squid/squid.conf

Modify or add the following Squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

Here is the complete listing of squid.conf for your reference (grep removes all comment lines and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Or try sed alone (thanks to kotnik for the small sed trick):
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, I added the following rules to forward all HTTP requests (arriving on port 80) to the Squid server on port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. The script first configures the Linux system as a router and then forwards all HTTP requests to port 3128 (download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if Squid runs on this same system, redirect port 80 arriving on the Internet interface locally
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save the shell script, then execute it so that the system acts as a router and forwards the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or restart Squid:
# /etc/init.d/squid restart
# chkconfig squid on
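Before pointing 150 desktops at the box, it is worth verifying the three things the Server Configuration and Iptables configuration sections above set up: kernel forwarding, the PREROUTING DNAT rule, and an http_access list that still ends in deny all. The script below is an added example, not part of the original article or of its fw.proxy script. Each check reads its input from stdin, so the same function runs on the live system or on captured text; the interface names, Squid IP address and port are assumptions copied from the setup above, and the sample iptables listing and squid.conf fragment are constructed. (On Squid 2.6 and later the httpd_accel_* directives are replaced by http_port 3128 transparent; the ACL check applies unchanged.)

```shell
#!/bin/sh
# Added example, not part of the original article or its fw.proxy script:
# three checks for the transparent proxy plumbing set up above. Every check reads
# its input from stdin, so the same function works on the live box or on captured
# text. Interface names, Squid IP and port are assumptions copied from the article.

LAN_IN="eth1"
SQUID_SERVER="192.168.1.1"
SQUID_PORT="3128"

# check_forwarding: stdin is /proc/sys/net/ipv4/ip_forward (or any text);
# succeeds only when the kernel is allowed to route between eth0 and eth1.
check_forwarding() {
    read -r flag
    [ "$flag" = "1" ]
}

# check_dnat_rule: stdin is the output of "iptables -t nat -S PREROUTING";
# succeeds if some rule sends TCP/80 arriving on $LAN_IN to $SQUID_SERVER:$SQUID_PORT.
check_dnat_rule() {
    awk -v in_if="$LAN_IN" -v dest="$SQUID_SERVER:$SQUID_PORT" '
        /^-A PREROUTING / &&
        index($0, " -i " in_if " ") &&
        index($0, " --dport 80 ") &&
        index($0, " -j DNAT ") &&
        index($0, " --to-destination " dest) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_squid_acl: stdin is squid.conf. The http_access list must finish with
# "deny all" and must never contain "allow all"; that final deny is what keeps the
# proxy closed to any source address the firewall lets reach port 3128.
check_squid_acl() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "http_access" {
            last = $2 " " $3
            if ($2 == "allow" && $3 == "all") open = 1
        }
        END { exit (last == "deny all" && !open) ? 0 : 1 }'
}

# Constructed sample of "iptables -t nat -S PREROUTING" after fw.proxy has run.
sample_nat() {
cat <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
}

# Constructed squid.conf fragment with the article's ACL lines.
sample_squid_conf() {
cat <<'EOF'
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
EOF
}

# report CHECK: runs CHECK on stdin and prints a one-line verdict.
report() {
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi
}

# Demo against the constructed samples. On the real box use the live data:
#   check_forwarding < /proc/sys/net/ipv4/ip_forward
#   iptables -t nat -S PREROUTING | check_dnat_rule
#   check_squid_acl < /etc/squid/squid.conf
echo 1 | report check_forwarding
sample_nat | report check_dnat_rule
sample_squid_conf | report check_squid_acl
```

Run the three live commands in the demo comment after executing fw.proxy and restarting Squid; a FAIL on check_dnat_rule usually means the interface names in the script do not match the box, and a FAIL on check_squid_acl means the access list was edited so that the final deny no longer protects the proxy.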

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as their router/gateway (use DHCP to distribute this information). You do not have to set up individual browsers to work with the proxy.

How do I test that my Squid proxy is working correctly?

Watch the access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

The above command monitors all incoming requests as Squid writes them to /var/log/squid/access.log. Now, whenever somebody accesses a website through a browser, Squid will log the request there.
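Watching tail -f only shows that requests are flowing. As an added example (not part of the original article), the shell functions below read the same native access.log format and answer the two questions a proxy admin actually has: how many requests each client made, how many were served from cache or denied, and whether any client address came from outside the LAN, since on a transparent proxy anything not from the LAN reached port 3128 from somewhere else and deserves a look. The lines in sample_log are constructed for the demo, and the LAN prefix 192.168.2. is taken from the setup above.

```shell
#!/bin/sh
# Added example, not part of the original article: a reader for Squid's native
# access.log line format (timestamp, elapsed ms, client IP, result/status, bytes,
# method, URL, ident, hierarchy/peer, content type). The sample lines are
# constructed for the demo; the field positions are Squid's.

# access_summary: stdin is access.log; prints one line per client:
#   client requests cache_hits denied bytes
access_summary() {
    awk '
        {
            client = $3
            split($4, code, "/")          # TCP_MISS/200 -> code[1]="TCP_MISS", code[2]="200"
            req[client]++
            bytes[client] += $5
            if (code[1] ~ /HIT/) hits[client]++      # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT: served from cache
            if (code[1] == "TCP_DENIED") denied[client]++
        }
        END {
            for (c in req)
                printf "%s %d %d %d %d\n", c, req[c], hits[c] + 0, denied[c] + 0, bytes[c]
        }' | LC_ALL=C sort
}

# outside_clients PREFIX: stdin is access.log; prints each client address that does
# not begin with PREFIX (a plain string match, e.g. "192.168.2."), whether or not
# Squid denied it. A transparent proxy should only ever see LAN clients, so any
# address printed here reached port 3128 from somewhere else and deserves a look.
outside_clients() {
    awk -v prefix="$1" 'index($3, prefix) != 1 { seen[$3] = 1 }
        END { for (c in seen) print c }' | LC_ALL=C sort
}

# Constructed sample: two LAN clients browsing (one repeat fetch served from cache),
# one LAN request that Squid denied, and one request arriving from an Internet address.
sample_log() {
cat <<'EOF'
1196800001.123    245 192.168.2.15 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1196800002.456     12 192.168.2.15 TCP_HIT/200 4523 GET http://www.example.com/ - NONE/- text/html
1196800003.789    301 192.168.2.20 TCP_MISS/200 10240 GET http://www.example.org/file.zip - DIRECT/93.184.216.34 application/zip
1196800004.012      0 192.168.2.99 TCP_DENIED/403 1396 GET http://www.example.net/ - NONE/- text/html
1196800005.345      0 203.0.113.7 TCP_DENIED/403 1396 GET http://www.example.com/ - NONE/- text/html
EOF
}

# Demo on the constructed sample; on the proxy itself run
#   access_summary < /var/log/squid/access.log
#   outside_clients 192.168.2. < /var/log/squid/access.log
echo "client requests cache_hits denied bytes"
sample_log | access_summary
echo "clients outside 192.168.2.0/24:"
sample_log | outside_clients 192.168.2.
```

A growing cache_hits column is the quickest confirmation that caching works for repeat downloads; a non-empty outside_clients list is worth checking against the iptables INPUT rules, since with the fw.proxy script above new connections from eth0 should never reach Squid at all.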

Problems and solutions

(a) Windows XP FTP Client

All desktop client FTP sessions ended with an error:
Illegal PORT command.

The fix was to load the ip_nat_ftp kernel module. Just type the following command, press Enter, and voila!
# modprobe ip_nat_ftp

Please note that this modprobe command is already included in the shell script (above).

(b) Port 443 redirection

I had blocked all connection requests in our router settings except for our proxy server (192.168.1.1), so requests on all ports, including 443 (https/ssl), were denied. You cannot redirect port 443; from the Debian mailing list: "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL".

Therefore, I quickly reopened port 443 on the router firewall for all my LAN computers and the problem was solved.

(c) Squid proxy authentication in transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

Further reading:

Updated for accuracy.


Discussion on This Article:

  1. Jay of Today Says:

    you gotta be kidding, only 150 desktops and 8 gigs of RAM??????? I used to have a p133 with 64megs with that setup way back then!!!

    bah, newschoolers SUCKS

  2. LinuxTitli Says:

    LOL :D

    8GB gives you the best performance.

    Squid performance = more ram + fast SCSI disk

    Cost of RAM: yet another reason or factor to have more RAM. Even people have started to use desktop systems with 1GiB :P

  3. kotnik Says:

    Use following sed magic to remove both comments and empty lines at the same expense:

    sed '/ *#/d; /^ *$/d'

  4. LinuxTitli Says:

    kotnik,

    Nice sed trick, no need to use grep :)

    Appreciate your post.

  5. Aaron Says:

    Hi,

    I have similar setup, only one question, How do I block Yahoo and MSN messengers (block at router or transparent proxy+iptables level) ?

    Cheers,

    Aaron

  6. LinuxTitli Says:

    Aaron,

    My firewall policy @ router:
    Default firewall policy: close all doors and open only required windows

    Block all incoming and outgoing request
    Open only required ports i.e. 80 (from proxy only) , 443, 21, 22, 25 etc as per requirement. This configuration automatically blocks rest of stuff.

    You can implement similar policy using Squid ACL or iptables.

  7. Scott Says:

    Nice, quick, down and dirty article. :-)

    Aaron: http://www.mail-archive.com/squid-users@squid-cache.org/msg38193.html will explain how to block Yahoo, MSN and other IM’s.

    For anyone interested, I have thrown together a HOWTO on getting Squid to work properly in conjunction with Active Directory authentication. It can be found here: http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/

    Enjoy!

  8. Bill Says:

    Aaron,

    My findings with chat networks like AIM is that, even if you block the specific ports used by the network (ie, 5190), the login server will accept connections to other ports that are common, such as 80, 25, 443, 23, etc. Your best bet for blocking chat traffic is to block the ports used by the network, as well as the IP addresses associated with the login servers, like login.oscar.aol.com.

    Additionally, write your internal routing rules such that only traffic passing through your proxy can reach the Internet. Otherwise, users will be able to circumvent your proxy and use a public proxy.

  9. Desert Zarzamora Says:

    Some time ago, I wrote another how-to, but this time for a COMPLETELY transparent proxy. That is, a bridged proxy.

    That’s a bit more esoteric stuff, but very useful if you really can’t mess with your network topology.

    Have a look at: http://freshmeat.net/articles/view/1433/

  10. Hans Says:

    I would love to run into your office, replace your server with a Pentium 200 with 128mb of RAM… you probably wouldn’t notice the difference, if all you are using it for is squid. Then I would actually make some good use of the machine. I’ve got a pentium 200 doing far more (proper proxy, apache server, svn, samba, etc etc) and it handles it perfectly well

    ???

  11. LinuxTitli Says:

    @Desert Zarzamora and Scott, nice tutorial (thanks for links)

    @Hans, heh. Well, to be frank I am just an admin and decisions regarding h/w or infrastructure are made by someone else … this is how things work in an enterprise IT division (they don’t care about money as they also make more money from core business so they want world class stuff). However, I agree with you that h/w requirements can be low to run other services.

    @Bill, Good advice there.

    Appreciate all of yours post and feedback :)

  12. Steve Says:

    just wondering, do we really need squid acting as an accelerator here?

    nice article, and what a beast of a proxy server i think everyone else is just jealous cos they only have p1’s

  13. ADHDPHP Says:

    Thanks LinuxTitli!!! I really appreciate you sharing your knowledge with others!

    Keep up the great work!

    KMC

  14. ADHDPHP Says:

    Also, LinuxTitli do you have any need to use dansguardian in conjunction with squid for content filtering? That would probably make good use of that RAM too!

    Thanks again!

  15. massage therapy products Says:

    Well, I’ll be needing to set one of these up eventually, so you’re bookmarked. I wonder how performance would be if I set up a RAID system on USB drives…

  16. avanish Says:

    how can we config the ftp service in squid proxy?

    reply

    avanish gupta
    india

  17. Vivek Says:

    Avanish,

    Add following line to config file
    acl ftp proto FTP
    http_access allow ftp

    If client computers are using the IE browser then go to Tools > Advanced > and uncheck the option that reads Enable folder view for FTP sites.

    FTP proxy only works through the browser and it will not work at the command line.

    Remember squid is not a real ftp proxy.

  18. nesargha Says:

    thank you,
    i had a little bit of problems running the script on redhat 9, i had to remove the $lan_in etc.. and type the actual values but at last it worked fine for me

    nesargha
    india

  19. Aaron P Says:

    Using squid transparently, you lose the ability to authenticate users (bummer). While I can understand why (to a certain degree), is there a way to just get the username for logging purposes?

    It’s like I’m up a (little river) without a (rowing device). I need squid for logging user hits, but I can’t do it without transparent routing. And I can’t authenticate in transparent mode due to the accelerator. Any ideas?

    Awesome article. Thanks!

    AP

  20. Vivek Says:

    @Aaron,

    Simple answer is you cannot do both things (transparent proxy + auth). The browser has no way of knowing it is using a proxy.

    So, what you can do is use automatic URL configuration (i.e. no transparent proxy) with WPAD.

    The information for WPAD and automatic URL configuration is available at the official Squid FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ-5.html

    If you find any other way then let us know…

    Hope this helps.

    @nesargha,
    Maybe because of html formatting… I will upload the script as a text file so that others can use it directly (but you still need to make changes to the script)

  21. Martin Wallace Says:

    I am just a newbie, but I think there’s an error in your configuration of iptables. The lines should read :

    iptables -t nat -A PREROUTING -i eth1 -p tcp -–dport 80 -j DNAT -–to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp –-dport 80 -j REDIRECT -–to-port 3128

    That is, you need –, not -, before to, to-port and dport.

    Correct me if I’m wrong. Martin

  22. Martin Wallace Says:

    I see that the problem is with formatting. You need two dashes, not one, before to, to-port and dport, but they look like one (slightly longer) dash on my screen.

    Try again:
    iptables -t nat -A PREROUTING -i eth1 -p tcp - –dport 80 -j DNAT - –to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp - –dport 80 -j REDIRECT - –to-port 3128

  23. vivek Says:

    Martin,

    I just checked the script. There is no problem. However, it looks like, HTML formatting breaks the script. Direct link to download script:

    http://www.cyberciti.biz/tips/wp-content/uploads/2006/06/fw.proxy.txt

    Hope this helps :)

  24. sohan Says:

    i am using the same rules given above, can I block my users from using a public proxy? Do i have to modify my squid.conf or iptables?

  25. nixcraft Says:

    sohan,

    You just need to setup LAN ACL. If you are using above config then it only allows access from LAN.

  26. WebSean Says:

    I am running Squid 2.5 on Macintosh OS X (10.3.7) with the handy "SquidMan" port for OS X / Darwin and it works great. The interface does allow me to make the httpd_accel_… modifications to the squid.conf file for transparent proxying, but how do I set-up the iptables step? My system uses ipfw instead and I have tried "sudo ipfw add 1000 fwd 127.0.0.1,8080 tcp from any to any 80" only to see my port 80 malfunction. How can I configure the port 80 hijack/redirect function to get transparency working on OS X? Thanks in advance.

  27. Emre Says:

    To not see either empty lines or remarks, grep can be used in this way:

    grep -Ev "^$|^#" /etc/squid/squid.conf

  28. Praveen Says:

    Hi,
    Is it possible to retain the public IP address while using squid?
    All PCs in my lan have public IP addresses. I want to use squid.
    But whenever i use transparent squid, the outgoing packet keeps the squid server’s IP as the source IP address. How can i use squid httpd_accel without proxy?

  29. nixcraft Says:

    The whole point of using a transparent proxy/NAT is to hide internal IP addresses.

    As long as you have squid in between the internet and other boxes, anyone will see your squid IP address.

  30. karthick Says:

    dear,

    cyberciti guys, thank you very very much, because your web site is good food for linux hungry people.
    Continue your job with god’s blessings.
    By,
    Your’s
    S.Karthick

  31. Marlon Says:

    Hi guys,

    I ask something about my firewall-squid-dhcp server in one box, i have eth0 for internet-connection and eth1 for local-connection… what i want to do is to transparently proxy all clients connected at eth1 local-connection.

    Could you provide me the minimal config of iptables/squid.conf to make my all-in-one linux box work as a transparent proxy?

    i want the minimal config of iptables without filtering, temporarily.

    Thanks!

  32. nixcraft Says:

    Squid config remains the same. Only iptables will change. Type the following at the command prompt to get started temporarily:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Replace 192.168.1.1 with your actual Linux server IP address (local LAN IP)

  33. Jaimohan Says:

    Dear friends,
    can i run the VPN-Checkpoint software with squid using transparent proxying? please reply asap

    Regards
    Jai

  34. nixcraft Says:

    Yes you can. As long as everything is configured you should be able to use VPN with any other internet service.

  35. Mimbari Says:

    For a “completely totally” transparent proxy, use http://www.balabit.com/downloads/tproxy/linux-2.6/

    That way the client IP address will be used by the Squid, still caching etc too. Needs inbound routing of reply server traffic to be routed back through the Squid box though.

    It’s kernel & iptables patching only, yielding the tproxy iptables table..

    In Valen’s Name.

  36. neddy Says:

    Hi there, i have a few questions…
    1) will this proxy things such as steam games / downloads, Microsoft updates, anti-virus updates and other things that do not run on port 80?

    2) The proxy appears to work, and i have set my ip address to it, but if i download a 10mb file, then download the same file on another pc, the speeds are still slow, indicating that the proxy may not be working…
    when i run: "tail -f /var/log/squid/access.log" i get the log to screen & file, and it is showing that there is data being proxied, but everything still runs 'slow'

    3) I am running it on public ip addresses, one for the eth0 (internet) 203.16.209.x
    and the second ip address for the people using the proxy is eth1 (lan) 203.221.91.x the proxy all works, but could this be why it is running slow?

    - cheers

  37. nixcraft Says:

    Neddy ,

    Yes everything should work as long as remote site is using port 80 for downloading updates and patches.

    If you need to cache larger files you need to enable a larger cache object size. The default is 4 MB. However it is not recommended to use such a large cache object size until and unless you have a monster cache server (normally ISPs enable large cache objects). You need to tune your squid for this. The defaults are good to improve overall user experience.

    Proxy should work fast. Make sure you have correct DNS server setup. Try to use OpenDNS server http://opendns.com/

    HTH.

  38. woodsturtle Says:

    I am having trouble accessing an MS sharepoint server through squid 2.6 configured in transparent proxy mode. Everything that I have read so far suggests that I must bypass squid altogether because of the NTLM authentication required to access sharepoint. Is this the case? Also, what is the iptables statement which I should use before the DNAT statement? I am using wccp and have created a GRE tunnel on the squid box.

  39. Hernan Says:

    Excellent guide, it works for me. Thanks. Now I’m working on an acl that lets a few machines access msn.

  40. woodsturtle Says:

    What guide are you referring to?

  41. ReMSiS Says:

    Hello,

    Really the guide is wonderful and it worked 100% for me and even the clients using it are amazed with its speed. But there is one problem now !!! How can we access mail, i.e. clients using outlook are not able to send and receive mail because the ports are blocked or it is not able to resolve the mail server. How can I make the mail work too? because now only http is working, pop3 and smtp are not !!! how can I do that?

    Regards,

  42. nixcraft Says:

    I think your topic is already answered @ our forum.

  43. ReMSiS Says:

    Yes nixcraft answered but still not working right, the script yesterday worked now its not !!! I maybe going crazy…

  44. sohan Says:

    I have installed Squid-2.4 on Red Hat Linux enterprise 4
    2 Public IPs are available from 2 different ISPs.

    Now I want to configure Squid so as to apportion traffic among the IPs
    by destination (external) IP and by source (internal) IP. The aim is to give the complete bandwidth available from one ISP to one set of users for their access to specific URLs.

    Is there any way to do the same in Squid ?

  45. sohan Says:

    Hi All

    I want to put quota limit on Squid for users. I want to limit users for specific data limit like If i want to allow users to consume on 4 GB Data through Squid then what i need to do. Is there any additional tool for squid to do this or squid can do this also ?

    If anybody have solution for this please let me know.

    thanks

  46. Raghuram Says:

    Hi,

    Nice tut. Just what I wanted for an education facility of 45 machines. Have a 2Mbps ADSL connection which I want to share across the LAN. This is my first time with squid. One doubt - my lan ip (eth1) is DHCP driven while eth0 (internet facing) has a static IP. In this case, will squid work?

    thanks.

  47. raghu Says:

    will squid work with DHCP assigned eth0 and static IP eth1?

    Nice tutorial. thanks

  48. nixcraft Says:

    raghu,

    You can use Squid with DHCP assigned IP

  49. Marco A. Barragan Says:

    All this does not work for 2.6; in the case of using:

    http_port x.x.x.x:xx vhost transparent or any combination, the message is "Can’t use transparent and cache in the same port"; if you try to use the cache_peer command, an error appears: FATAL: Bundle in line x: cache_peer …

    So, now you can’t use the server for caching and proxy at the same time :S

  50. nixcraft Says:

    #1: You cannot set proxy and transparent http on same port.

    @2: There is some discussion going on about cache peering @ our forum.

    HTH

  51. Clay Says:

    I’m trying to setup squid transparently on a box that has one network interface, but is plugged into a hub between the Internet connection and the switch that the clients are on. (I realize this is not ideal, but it’s what I have to work with.)

    Can anyone point me in the right direction?

  52. rakesh Says:

    sir
    well i have one problem, i am on one system with two ether lan cards, one connected to a Public ip and another to the local network. what i want is if any external client sends a request on port 80, that request should be redirected to my local DNS. how can it be possible?
    another thing: i have two domains mydomain.com (local) and another http://www.com (internet). now if any client requests http://www.com the request should be redirected to mydomain.com. can it be possible? if possible plz send me the solution

  53. raghu Says:

    Hi vivek,
    Can squid be set up on a machine different from the internet gateway machine? I have a DHCP (FC5) server on which I want to set up squid. My internet gateway (ADSL) machine runs Windows Xp and I don’t want to disturb it.

    Thanks.

  54. Marco A. Barragan Says:

    But how can i configure it? any idea? how to activate the cache for my network? can anyone help me to make the right stuff? I’m redirecting port 80 to 3128 with iptables (old style squid) and using this:

    http_port 10.42.0.1:3128 transparent
    half_closed_clients on
    visible_hostname 201.234.228.139
    coredump_dir /var/spool/squid

    Where 10.42.0.1 is the network interface (eth0) connected to the lan, and eth1 is the Wan lan.

    I want to make the cache for my users with squid, and also use the proxy, but i can’t go to every client to configure proxy settings, need transparent, and cache, i tried all, i used this:

    http_port 10.42.0.1:3128 transparent
    cache_peer 127.0.0.1 parent 3128 3130 originserver
    half_closed_clients on
    visible_hostname 201.234.228.139
    coredump_dir /var/spool/squid

    Does not work, used all “arrows” that i imagine and nothing, can anyone explain to me how to do it?

    Really thanks a lot for any help.

  55. Siva Says:

    how to control my bandwidth using squid proxy

  56. Marco A. Barragan Says:

    for bandwidth you can use this:

    first step: configure how many delay pools you are going to use, for example if you have 2 types of users (one with big bandwidth and others with low bandwidth) you need to put this:

    delay_pools n, in our example: delay_pools 2

    then you need to define the class of bandwidth, there are 3 types, 1, 2, 3, in our example we use classes 1 and 2, for unlimited general and the restricted:
    delay_class 1 1
    delay_class 2 2

    then use the parameter to define the speed, remember, if you want 128 kbps, you need to multiply it by 128 to convert to bps:

    delay_parameters 1 -1/-1
    delay_parameters 2 -1/-1 16384/57600
    -1 means unlimited
    second is for 128 and boost of 450

    last step is defining the acl, in my case:

    acl localhost src 127.0.0.1/255.255.255.255
    acl clientes src 10.42.100.0/255.255.255.0
    acl limitados src 10.42.99.0/255.255.255.0

    delay_access 1 allow clientes localhost !limitados
    delay_access 2 allow limitados
    delay_access 1 deny all
    delay_access 2 deny all

    Dunno if it is correct but it is an example, you can investigate more.

  57. bitou Says:

    This fw.proxy has to be started manually every time the computer is started. Only then will the transparent proxy work. Is there a method to do it automatically, so that the script is executed on start up even without the need for the user to log in?
    Regards

  58. nixcraft Says:

    bitou,

    If you are using RedHat/CentOS/FC Linux type:
    service iptables save
    chkconfig iptables on

    If you are using Debian/Ubuntu Linux read this

  59. Coders2020 Says:

    In the past I had serious problems with configuring squid on my local network. I am already under a university firewall/proxy. Can I configure a proxy under a proxy (I know it has no practical use but just asking for testing purposes)?

  60. Prabir Das Says:

    its a good education package for us

  61. Prashant Soni Says:

    Hi,

    My name is Prashant. I am Sr.Network Engineer in an ISP.

    I would like to put a transparent proxy with bridge between our local networks and Internet.

    I’ve been trying to configure squid transparent proxy with bridge a couple of times, but not yet successful.

    I am explaining the scenario and hope somebody will help me.

    SCENARIO :

    We have 2 ip pools in our networks.
    1. 128.0.0.0/18 (fake ip)
    2. 59.x.x.96/27 (real ip)
    3. 59.x.x.0/27 (Real IP Used in internetwork)

    We have one mikrotik master router from which both network goes to the radware(which is load balancer and using internetwork ip listed in a cisco). Now I want to put squid between mikrotik and radware (load-balancer)

    In my network nobody uses authentications so not needed.

    When I configured the squid with transparent proxy in bridge mode, sometimes it gives me acl errors. But when I changed in squid.conf “access_allow all”, no error comes but the page is not loading till done.
    With this settings I can ping , traceroute to the internet from client addresses also but page is not loading.

    I’ve done all configuration as stated in below link :

    http://freshmeat.net/articles/view/1433/

    Please guide me regarding this matter.

    Regards,
    Prashant

  62. Nandkishor Says:

    Hi,
    I have configured the DHCP server using ES Linux-4. It has 2 ethernet cards. eth0 is used for dhcp (Lan) & eth1 is connected to the Internet.
    eth0 using IP 192.x.x.x
    Netmask 255.255.255.0
    Gateway 59.x.x.x (this is IP of eth1)
    eth1 using Ip 59.x.x.x
    Netmask 255.255.255.240
    Gateway 59.x.x.129

    Client M/c’s ping to IP of eth0, also ping to gateway of eth0 & ip of eth1. But not able to ping Gateway of eth1-59.x.x.129
    so they are not able to connect to the internet.
    So plz give me the solution for this.

  63. Nandkishor Says:

    Hi,
    I have configured the transparent proxy with dhcp server. How do I block files for downloading like *.dll & *.mp3 & *.mp4 etc. for a specific time?

  64. nixcraft Says:

    Nandkishor,

    Please see this article

  65. xaviero Says:

    how about if i use another PC for router & gateway, then use another PC (SLES installed) just for transparent proxy (DMZ).

    the proxy already worked, but its not transparent. what should i do with the iptable ?

    advice plz

  66. Nandkishor Says:

    Hi,
    I have configured the many virtual hosts at one server and added same big file in that all virtual hosts. But because of this big file more size is required.
    So is it possible for me to create one folder on that server, put that file there & give the path of that folder in all the virtual hosts?
    But How it is possible? Plz give me the solution for this.

  67. Nandkishor Says:

    Hi,
    I have seen the article for blocking of the .dll, .mp3, .mp4, .exe & many file downloads, & done the configuration.
    But this is not working to block the files downloading. Plz give me the solution for this.

  68. Gurpinder Singh Says:

    hello everybody

    i want to configure a squid server on fedora core 5. i want to that range of ip address is 192.168.1.1 - 192.168.1.60, and 192.168.1.101-192.168.1.160 . internet is running on this client machines. not running internet on others ip address i.e 192.168.1.61 - 192.168.1.100. please urgent reply me on my mail address.

    Gurpinder Singh

  69. Alex Ling Says:

    Hi all

    i would like to know how to forward HTTP request to others proxy (like privoxy).

    Thanks.

  70. mark Says:

    Good day. I’m currently running squid 2.5 on my centOS server… I needed authentication for my users before accessing the internet (80, 21, 443, etc) so I configured it correspondingly. However, one of my clients needs to access an ftp server which enforces a username and password authentication. Squid tries to connect using an anonymous user rather than prompting for a password…
    My question being: How could I enable user authentication to public ftp servers if my machine is behind a squid proxy server?
    I’d appreciate your best effort. Thanks in advance.

  71. pankaj chauhan Says:

    hello every body,
    i have a squid proxy server
    my server ip is 192.168.0.1
    my client ip is 192.168.0.2 to 192.168.0.240
    internet is working proper on client
    can it be possible that the first 30 clients (192.168.0.2-192.168.0.30) get more bandwidth than the rest of the clients?
    plz told me wat change will do on squid.conf file for it.

  72. Tapan Says:

    how to prevent bypassing sarg and dansguardian

  73. tushar Says:

    Hi All
    My name is tushar and i want to make a project on squid proxy server, because I want to submit the complete project on squid proxy server.
    Thanks.
    Tushar Raut

  74. Frank Says:

    Is there any indication to use some sort of virus/malware filter in this setup, aka, HAVP - HTTP. http://www.server-side.de/

    Cheers!

    Frank

  75. chandrakant Says:

    Hi
    Thanks for the fw.proxy file.
    after enabling this file i’m able to run my system as router and proxy server.
    But after restarting the server I’m receiving so many log messages.
    Please have a look and tell me how I can block them.
    Due to this my server is responding slowly…
    System log:-

    May 24 12:45:06 pune dbus: Can’t send to audit system: USER_AVC pid=2658 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=root:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus

    May 24 11:28:21 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29613 PROTO=UDP SPT=137 DPT=137 LEN=58
    May 24 11:28:22 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29615 PROTO=UDP SPT=137 DPT=137 LEN=58
    May 24 11:28:23 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=29616 PROTO=UDP SPT=137 DPT=137 LEN=58

    Regards,
    Chandrakant

  76. csbot Says:

    chandrakant,

    Remove last line:
    iptables -A INPUT -j LOG

    BTW, log will not slow down your server.

  77. cedric Says:

    Your instructions work well, but I can't connect to my network printer and another server on my LAN. I am also having problems setting up a static IP for eth0. I followed the instructions from the link you gave. I tried to do it several times and always had to go back to using DHCP. I need some help, and what gateway would I use for eth0?

  78. Chandrakant Says:

    Hi,

    One more problem I am facing with the above configuration:
    I am not able to use web access of the Exchange 2003 server, and the OfficeScan HTTP URL.

    Can anybody help me resolve this?

    Chandrakant

  79. bhupesh karankar Says:

    Hello Friend,
    I am Bhupesh Karankar, and I have a problem with squid.
    As above, I have implemented squid on my server, but my clients are still not able to access mail via Outlook through squid.
    I have the same configuration as above.
    Waiting for your reply,
    need help.

    Bhupesh Karankar
    bkarankar@gmail.com
    0998110488

  80. Brent Says:

    Thanks for posting the transparent proxy script. It works very well. I like the way you choose to close everything and only open what you need. I do need to open a few ports, like https (443) and possibly one or two more (ssh). Can you post how you would do this? Thanks.

  81. vivek Says:

    Find line
    # DROP everything and Log it

    Add your iptables rules before that line. Remember you must deal with eth0 and eth1, otherwise you will create a new security issue.

  82. bhupesh karankar Says:

    Hello,
    this is a nice script.
    But when I use it, it blocks SMB, squid and my web server.
    What should I do?
    Waiting for reply.
    bkarankar@gmail.com
    bhupesh karankar

  83. vivek Says:

    bhupesh,

    Open those ports using iptables rules, as this script locks down everything. Read my comment # 82. If you have more questions please post to our forum.

  84. Maroon Ibrahim Says:

    Prashant!!!

    allow access for ICP

    Regards

  85. Nandkishor Says:

    Hi,
    I configured the transparent proxy and also set up the iptables rules. This is working fine. But recently I ran into a problem. If I try to open any site like gmail.com or any other site, sometimes it works but sometimes it gives the following error:

    The requested URL could not be retrieved

    While trying to retrieve the URL: http://gmail.com/

    The following error was encountered:

    Unable to determine IP address from host name for gmail.com

    The dnsserver returned:

    Refused: The name server refuses to perform the specified operation.

    This means that:

    The cache was not able to resolve the hostname presented in the URL.
    Check if the address is correct.

    Your cache administrator is root.

    Please give me the solution for this.

    Regards,
    Nandkishor

  86. Linuxnewbie Says:

    Hi,
    I need to install transparent proxy with squid caching, but my eth0 is connected using DHCP, so what all changes need to be done ? Thank you for publishing your experiences and configurations…

    Regards

  87. vivek Says:

    Hi Linuxnewbie,

    Make sure eth0 always gets the same IP; if that is not possible, modify the script to obtain the IP address using the following statement:
    ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}'

    Set SQUID_SERVER as follows:
    SQUID_SERVER=$(ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}')

    NOTE: you only need to use above, if SQUID_SERVER ip is dynamic; otherwise it should work out of box.

    HTH

  88. linxnewbie Says:

    Thanks for the reply… so there is no need to make any changes in the iptables rules, right?

  89. chandar Says:

    Hi Vivek,
    I configured squid/2.6.STABLE12 with the help of your script file. Below is my network scenario:
    client –> Squid + Router –> PIX –> Router –> Internet.

    In this case everything works very fine, for a few minutes. After some time the client is not able to ping the gateway, which is my squid server, but the client is able to ping the next hop IP, i.e. the PIX IP or router IP. This problem is resolved when I restart the network service on the Linux machine,
    and it happens every time.
    Please find below the iptables snapshot from the Linux machine.

    # squid server IP
    SQUID_SERVER="10.30.200.1"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"

    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

  90. chandar Says:

    Hi Vivek,
    I configured squid/2.6.STABLE12 with the help of your script file. Below is my network scenario:

    client –> Squid + Router –> PIX –> Router –> Internet.

    In this case everything works very fine, for a few minutes. After some time the client is not able to ping the gateway, which is my squid server, but the client is able to ping the next hop IP, i.e. the PIX IP or router IP. This problem is resolved when I restart the network service on the Linux machine,
    and it happens every time.

    Please help me to resolve this issue.

    Regards,
    Chandru

  91. shellyacs Says:

    Need help. I have read the forum on transparent proxy. I have followed it to the letter. I cannot get it to work. I am using SUSE Linux 10.2. I can get to the internet from the workstations, but only if I set up the squid server as a proxy in IE. Any help would be greatly appreciated. Thanks

  92. Amrendra Says:

    I have used the above kind of firewall (iptables). I don't want to use a transparent proxy because we need to use authentication, and if I allow forwarding and unlimited access to the LAN then users are also able to bypass the proxy to use the internet.
    So can anyone give me a solution such that, for accessing websites (http/https), people must go through the proxy and its authentication, while everything else from the LAN (FTP, DNS responses, etc.) should be allowed?
    Thanks
    Amrendra.
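Vivek's earlier answer (add your own rules above the "# DROP everything and Log it" line, and treat eth0 and eth1 differently so you do not open the Internet side by accident) and Amrendra's requirement (web only through the authenticating proxy, everything else routed) can be put together in one small rule set. The script below is an added example and is not part of the original article or its fw.proxy script; the interface names (eth0/eth1), the LAN range 192.168.2.0/24 and the Squid port 3128 are assumptions taken over from the article's setup. By default it only prints the iptables commands; run it as root with APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the original article): make LAN web traffic go
# through an authenticating Squid on 3128 while all other LAN traffic
# (DNS, FTP, mail, ...) is still routed and NATed as in the fw.proxy script.
#
# Assumed values (adjust to your network):
LAN_IN="${LAN_IN:-eth1}"              # interface facing the LAN
INTERNET="${INTERNET:-eth0}"          # interface facing the Internet
LAN_NET="${LAN_NET:-192.168.2.0/24}"  # LAN address range
SQUID_PORT="${SQUID_PORT:-3128}"      # Squid listens here (not transparent)

# ipt: print the iptables command (default) or execute it when APPLY=1
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# proxy_enforcement_rules emits the rules in the order they must be applied.
# Put them before the "# DROP everything and Log it" lines of fw.proxy and
# use them INSTEAD of the unconditional
#   iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# line; the REJECTs must come before any FORWARD ACCEPT. Leave the PREROUTING
# DNAT/REDIRECT lines out, since an authenticating proxy cannot be transparent.
proxy_enforcement_rules() {
    # Clients reach Squid only from the LAN side; the Internet side never sees 3128.
    ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$INTERNET" -p tcp --dport "$SQUID_PORT" -j DROP

    # Management access (ssh) from the LAN only; eth0 stays closed.
    ipt -A INPUT -i "$LAN_IN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Web traffic must not be routed around the proxy. REJECT with a reset
    # (instead of DROP) so browsers fail immediately instead of hanging.
    ipt -A FORWARD -i "$LAN_IN" -p tcp --dport 80 -j REJECT --reject-with tcp-reset
    ipt -A FORWARD -i "$LAN_IN" -p tcp --dport 443 -j REJECT --reject-with tcp-reset

    # Everything else from the LAN is still forwarded (and MASQUERADEd by the
    # existing POSTROUTING rule); replies come back through conntrack.
    ipt -A FORWARD -i "$LAN_IN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

proxy_enforcement_rules
```

Users whose browser is not pointed at the proxy now get an immediate connection reset for port 80/443 instead of silently going direct, and Squid's own authentication covers the rest. Note that the REJECT only closes the HTTP/HTTPS path; anything tunnelled over other ports is still subject to the plain FORWARD ACCEPT, so tighten that rule further if you need to.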

  93. forweb Says:

    I got some errors when I used the instructions above, a 400 error, something like "the syntax of the request was wrong"…
    The script above works great, but this is what I had to add to get it to work on my Ubuntu 7.04:
    squid.conf:
    http_port 80
    http_port 192.168.1.9:3128 transparent
    (this is the NIC connected to the internet)
    acl jamal_net src 192.168.2.0/24
    (this is the LAN NIC)
    http_access allow jamal_net
    http_access allow localhost

    Change your IPs to match the script above.
    Start squid with your squid.conf.
    Start your fw-proxy script.
    Add it to rc.local so it runs at startup.

  94. oj Says:

    Excellent write-up. Very helpful to me.

  95. Slavko Says:

    From SquidFaq

    For Squid-2.6 and Squid-3.0 you simply need to add the keyword transparent on the http_port that your proxy will receive the redirected requests on as the above directives are not necessary and in fact have been removed in those releases:

    http_port 3128 transparent

  96. eq1425 Says:

    hi all,

    Will this shell script work even if I install a redirector program (i.e. squidGuard) on squid? And how?

    thanks

  97. John Says:

    I work in a public library and we provide wireless access to our patrons. No configuration is required on their laptops because transparent proxying is in effect, via a rule in SUSE Firewall.

    I’m using SUSE 10.2, SQUID, Dansguardian, and the SUSE2 Firewall.

    Is it possible with my existing setup to also forward users to a custom home page that I have set up? This page will have our wireless policy, etc. on it. If so, how exactly would this be done?

    Thanks!

  98. ankush Says:

    How do I configure the best squid server on RHEL 5?
    I have created one on RHEL 4,
    but I have problems with RHEL 5.

  99. Mani Says:

    Hi,

    When I execute squid -z, the following error appears:

    FATAL: Could not determine fully qualified hostname. Please set ‘visible_hostname’

    Squid Cache (Version 2.6.STABLE13): Terminated abnormally.
    CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    Aborted

    But I have configured visible_hostname myhostname in my squid.conf file, and the same error still comes. What can I do?

  100. IRFAN Says:

    Does anyone have a squid configuration that can be used anywhere?

  101. Mark Ng Says:

    I have a box running public IP on eth0 and private IP on eth1.
    Everything seems to be working but my sites running apache can’t be accessed via their Public IP anymore. However I can still access them via eth1. Any help is appreciated.

  102. Abdul Latif Says:

    Sir,

    Is there any solution for a Linux Squid proxy that handles two ADSL internet connections: combining bandwidth, providing load sharing, and failing over if one connection goes down?

  103. Elliott Says:

    Thanks for your excellent site.
    I have followed your guide and set this up successfully.
    I will recommend this guide to anyone setting up a squid server.

    Elliott
    Systems Administrator

  104. Chris Says:

    What about setting this up using the latest version of Squid?

    Fedora 6 comes with squid but the parameters mentioned above are not there. They have been updated.

    Any help?

  105. Chris Says:

    Duh, I see the post explaining it. Disregard my last post.

  106. vijay Says:

    I would like to know how to configure FTP through the proxy for my internal use and for external (internet) FTP.
    Please help

  107. king of the internet Says:

    You said allowing port 443 out solves your problems, but in fact it creates more. Now users can simply use SSL-based web proxies to tunnel past your proxy. This means no logging, control, nothing. For example, try https://vtunnel.com/

  108. vivek Says:

    King,

    You cannot redirect port 443 with a transparent proxy, and this is the only solution. The other option is to disable the transparent proxy and use a port such as 3128.

    HTH

  109. Saji Alexander Says:

    Hi,

    I have gone through your notes. They are very good and interesting. I have 2 network cards in my squid proxy server on CentOS.

    I need all users to access only certain sites during office hours, and after office hours they can access any sites they wish. This should not apply to managers, who can access any site at any time.

    I made this work, but when I configured squid I used port 8080 instead of the default port 3128.

    If the end users remove the proxy (IP of the squid server) then they can access any site during office hours. How do I disable this????

    It is something to do with the firewall. I tried but I failed. I am pasting it; can you correct it?

    $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

    The squid server has two network cards. One has an internal IP and the other an external IP.

    I gave the external IP for SQUID_SERVER.

    SQUID_PORT is 8080.

    Thanks and Regards,

    Saji Alexander.

  110. Wolfox Says:

    Does anyone know how to get these instructions working on SuSE 9 Enterprise Edition? It looks like some of the syntax doesn't work.

    In my case I cannot get it to work. Please help, I'm a newbie who is very eager to learn about proxying.

    Please Help…

    Thanks in advance

  111. hanz Says:

    I have read your instructions but I have the same question as Saji Alexander.

    I have been trying to figure this out but failed.

    Is it possible to force all browsers behind a server running a transparent proxy to use its proxy service for their web traffic? The server has dual interfaces.

    Thanks
    hanz

  112. vivek Says:

    @Saji, You have to define TIME based ACL for squid to put time based restrictions.

    @hanz, yup, this config forces all HTTP traffic via squid.

  113. harish Says:

    Hi Dear,

    Thanks for the very simple steps.

    Harish

  114. fmstereo Says:

    I have configured the transparent proxy but not all users are able to use it. Most of them must have the proxy set in their browsers; just a few are able to connect without having to configure anything. And it is very slow with the transparent proxy. Any suggestions?
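shellyacs (comment 91) and fmstereo both describe the classic symptom of a transparent proxy that is not actually intercepting: browsing only works once the proxy is set in the browser. Before touching anything else it is worth checking the three things that must all be true at once: IP forwarding is on, a nat PREROUTING rule sends LAN port-80 traffic to the Squid port, and squid.conf accepts intercepted requests (http_port ... transparent on Squid 2.6/3.0, or the httpd_accel_* directives on 2.5). The check script below is an added example, not from the original article; it works on text you hand it, so it can be run against saved output. The iptables-save and squid.conf text embedded in it is constructed sample data, and the Squid port 3128 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): verify the three pieces a
# transparent Squid setup needs. Each check reads text passed as an argument.

SQUID_PORT="${SQUID_PORT:-3128}"   # assumed; override if Squid listens elsewhere

# check_ip_forward <value of /proc/sys/net/ipv4/ip_forward>: succeeds if "1"
check_ip_forward() {
    [ "$1" = "1" ]
}

# check_nat_rule <iptables-save -t nat output>: succeeds if some PREROUTING rule
# sends port-80 traffic to the Squid port, either by DNAT or by REDIRECT
check_nat_rule() {
    printf '%s\n' "$1" | grep -E -- \
      "^-A PREROUTING .*--dport 80 .*-j (DNAT --to-destination [0-9.]+:$SQUID_PORT|REDIRECT --to-ports $SQUID_PORT)" \
      >/dev/null
}

# check_squid_conf <squid.conf text>: succeeds if Squid will accept intercepted
# requests: "http_port ... transparent" (2.6/3.0) or httpd_accel_* (2.5)
check_squid_conf() {
    conf=$(printf '%s\n' "$1" | sed 's/#.*//')          # drop comments first
    printf '%s\n' "$conf" | grep -E '^http_port .*transparent' >/dev/null && return 0
    printf '%s\n' "$conf" | grep -E '^httpd_accel_host +virtual' >/dev/null &&
    printf '%s\n' "$conf" | grep -E '^httpd_accel_with_proxy +on' >/dev/null
}

# transparent_proxy_status <ip_forward> <nat rules text> <squid.conf text>
# prints one line per check and returns the number of failed checks (0 = all good)
transparent_proxy_status() {
    fails=0
    check_ip_forward "$1" && echo "ip_forward: ok" ||
        { echo "ip_forward: OFF (echo 1 > /proc/sys/net/ipv4/ip_forward)"; fails=$((fails+1)); }
    check_nat_rule "$2" && echo "nat rule: ok" ||
        { echo "nat rule: MISSING (no PREROUTING DNAT/REDIRECT to :$SQUID_PORT)"; fails=$((fails+1)); }
    check_squid_conf "$3" && echo "squid.conf: ok" ||
        { echo "squid.conf: not accepting intercepted requests (transparent / httpd_accel_*)"; fails=$((fails+1)); }
    return $fails
}

# --- constructed sample data: what a working box would print ---
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_CONF='http_port 3128 transparent
acl lan src 192.168.2.0/24
http_access allow lan'

# On a live system run instead:
#   transparent_proxy_status "$(cat /proc/sys/net/ipv4/ip_forward)" \
#       "$(iptables-save -t nat)" "$(cat /etc/squid/squid.conf)"
transparent_proxy_status 1 "$SAMPLE_NAT" "$SAMPLE_CONF"
```

If all three report ok and some clients still bypass Squid, the usual remaining causes are clients whose default gateway is not the Squid box (the PREROUTING rule only sees packets that are routed through it) and a second path to the Internet on the LAN.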

  115. Babu Ram Dawadi Says:

    Thanks for your three steps to create a transparent proxy, but I am not sure it works with squid 2.6.STABLE13, because I tried your steps on squid 2.6. Maybe this article suits squid 2.5. :)

    Hi fmstereo >> I think you have to enable one option on your proxy which is off by default, like the following:
    httpd_accel_no_pmtu_disc off
    change it to
    httpd_accel_no_pmtu_disc on

  116. Atman Says:

    Why not use only one utility to filter out comments and empty lines when going through squid.conf:

    grep -v ^# /etc/squid/squid.conf | grep -v ^$

    or if you prefer sed:

    sed '/ *#/d; /^ *$/d' < /etc/squid/squid.conf

  117. arun Says:

    Give me the steps for the CentOS proxy setup, the iptables configuration, and starting the other services.

  118. Vijay Godiyal Says:

    Hello Friends,

    Need help from you…

    I have configured my squid server, squid + DansGuardian, on RHEL 4. It works absolutely fine for about an hour, but after about an hour it gets slow and stops working. I am not able to understand the problem. The normal proxy works fine, but when it is started with DansGuardian the problem comes.

    Can someone help me out on this? I have squid version squid-2.5.STABLE6-3.4E.11 and DansGuardian is dansguardian-2.8.0.6-1.2.el4.rf.

    The following is the conf file,
    dansguardian.conf:
    #################################################
    # DansGuardian config file for version 2.8.0

    # **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf

    # Web Access Denied Reporting (does not affect logging)
    #
    # -1 = log, but do not block - Stealth mode
    # 0 = just say 'Access Denied'
    # 1 = report why but not what denied phrase
    # 2 = report fully
    # 3 = use HTML template file (accessdeniedaddress ignored) - recommended
    #
    reportinglevel = 3

    # Language dir where languages are stored for internationalisation.
    # The HTML template within this dir is only used when reportinglevel
    # is set to 3. When used, DansGuardian will display the HTML file instead of
    # using the perl cgi script. This option is faster, cleaner
    # and easier to customise the access denied page.
    # The language file is used no matter what setting however.
    #
    languagedir = '/etc/dansguardian/languages'

    # language to use from languagedir.
    language = 'ukenglish'

    # Logging Settings
    # 0 = none 1 = just denied 2 = all text based 3 = all requests
    loglevel = 2

    # Log Exception Hits
    # Log if an exception (user, ip, URL, phrase) is matched and so
    # the page gets let through. Can be useful for diagnosing
    # why a site gets through the filter. on | off
    logexceptionhits = on

    # Log File Format
    # 1 = DansGuardian format 2 = CSV-style format
    # 3 = Squid Log File Format 4 = Tab delimited
    logfileformat = 1

    # Log file location
    #
    # Defines the log directory and filename.
    #loglocation = '/var/log/dansguardian/access.log'

    # Network Settings
    #
    # the IP that DansGuardian listens on. If left blank DansGuardian will
    # listen on all IPs. That would include all NICs, loopback, modem, etc.
    # Normally you would have your firewall protecting this, but if you want
    # you can limit it to only 1 IP. Yes only one.
    filterip =
    # the port that DansGuardian listens to.
    filterport = 3128

    # the ip of the proxy (default is the loopback - i.e. this server)
    proxyip = 172.16.24.12

    # the port DansGuardian connects to proxy on
    proxyport = 8080

    # accessdeniedaddress is the address of your web server to which the cgi
    # dansguardian reporting script was copied
    # Do NOT change from the default if you are not using the cgi.
    #
    accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

    # Non standard delimiter (only used with accessdeniedaddress)
    # Default is enabled but to go back to the original standard mode dissable it.
    nonstandarddelimiter = on

    # Banned image replacement
    # Images that are banned due to domain/url/etc reasons including those
    # in the adverts blacklists can be replaced by an image. This will,
    # for example, hide images from advert sites and remove broken image
    # icons from banned domains.
    # 0 = off
    # 1 = on (default)
    usecustombannedimage = 1
    filtergroupslist = '/etc/dansguardian/filtergroupslist'

    # Authentication files location
    bannediplist = '/etc/dansguardian/bannediplist'
    exceptioniplist = '/etc/dansguardian/exceptioniplist'
    banneduserlist = '/etc/dansguardian/banneduserlist'
    exceptionuserlist = '/etc/dansguardian/exceptionuserlist'

    # Show weighted phrases found
    # If enabled then the phrases found that made up the total which excedes
    # the naughtyness limit will be logged and, if the reporting level is
    # high enough, reported. on | off
    showweightedfound = on

    # Weighted phrase mode
    # There are 3 possible modes of operation:
    # 0 = off = do not use the weighted phrase feature.
    # 1 = on, normal = normal weighted phrase operation.
    # 2 = on, singular = each weighted phrase found only counts once on a page.
    #
    weightedphrasemode = 2
    # Positive result caching for text URLs
    # Caches good pages so they don't need to be scanned again
    # 0 = off (recommended for ISPs with users with disimilar browsing)
    # 1000 = recommended for most users
    # 5000 = suggested max upper limit
    urlcachenumber = 5000
    #
    # Age before they are stale and should be ignored in seconds
    # 0 = never
    # 900 = recommended = 15 mins
    urlcacheage = 9000

    # Smart and Raw phrase content filtering options
    # Smart is where the multiple spaces and HTML are removed before phrase filtering
    # Raw is where the raw HTML including meta tags are phrase filtered
    # CPU usage can be effectively halved by using setting 0 or 1
    # 0 = raw only
    # 1 = smart only
    # 2 = both (default)
    phrasefiltermode = 2

    # Lower casing options
    # When a document is scanned the uppercase letters are converted to lower case
    # in order to compare them with the phrases. However this can break Big5 and
    # other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented
    # characters are supported.
    # 0 = force lower case (default)
    # 1 = do not change case
    preservecase = 0

    # Hex decoding options
    # When a document is scanned it can optionally convert %XX to chars.
    # If you find documents are getting past the phrase filtering due to encoding
    # then enable. However this can break Big5 and other 16-bit texts.
    # 0 = disabled (default)
    # 1 = enabled
    hexdecodecontent = 0

    # Force Quick Search rather than DFA search algorithm
    # The current DFA implementation is not totally 16-bit character compatible
    # but is used by default as it handles large phrase lists much faster.
    # If you wish to use a large number of 16-bit character phrases then
    # enable this option.
    # 0 = off (default)
    # 1 = on (Big5 compatible)
    forcequicksearch = 0
    # Reverse lookups for banned site and URLs.
    # If set to on, DansGuardian will look up the forward DNS for an IP URL
    # address and search for both in the banned site and URL lists. This would
    # prevent a user from simply entering the IP for a banned address.
    # It will reduce searching speed somewhat so unless you have a local caching
    # DNS server, leave it off and use the Blanket IP Block option in the
    # bannedsitelist file instead.
    reverseaddresslookups = off

    # Reverse lookups for banned and exception IP lists.
    # If set to on, DansGuardian will look up the forward DNS for the IP
    # of the connecting computer. This means you can put in hostnames in
    # the exceptioniplist and bannediplist.
    # It will reduce searching speed somewhat so unless you have a local DNS server,
    # leave it off.
    reverseclientiplookups = off

    # Build bannedsitelist and bannedurllist cache files.
    # This will compare the date stamp of the list file with the date stamp of
    # the cache file and will recreate as needed.
    # If a bsl or bul .processed file exists, then that will be used instead.
    # It will increase process start speed by 300%. On slow computers this will
    # be significant. Fast computers do not need this option. on | off
    createlistcachefiles = on
    # POST protection (web upload and forms)
    # does not block forms without any file upload, i.e. this is just for
    # blocking or limiting uploads
    # measured in kibibytes after MIME encoding and header bumph
    # use 0 for a complete block
    # use higher (e.g. 512 = 512Kbytes) for limiting
    # use -1 for no blocking
    #maxuploadsize = 512
    #maxuploadsize = 0
    maxuploadsize = -1

    # Max content filter page size
    # Sometimes web servers label binary files as text which can be very
    # large which causes a huge drain on memory and cpu resources.
    # To counter this, you can limit the size of the document to be
    # filtered and get it to just pass it straight through.
    # This setting also applies to content regular expression modification.
    # The size is in Kibibytes - eg 2048 = 2Mb
    # use 0 for no limit
    maxcontentfiltersize = 256

    # Username identification methods (used in logging)
    # You can have as many methods as you want and not just one. The first one
    # will be used then if no username is found, the next will be used.
    # * proxyauth is for when basic proxy authentication is used (no good for
    # transparent proxying).
    # * ntlm is for when the proxy supports the MS NTLM authentication
    # protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED**
    # * ident is for when the others don't work. It will contact the computer
    # that the connection came from and try to connect to an identd server
    # and query it for the user owner of the connection.
    usernameidmethodproxyauth = on
    usernameidmethodntlm = off # **NOT IMPLEMENTED**
    usernameidmethodident = off

    # Preemptive banning - this means that if you have proxy auth enabled and a user accesses
    # a site banned by URL for example they will be denied straight away without a request
    # for their user and pass. This has the effect of requiring the user to visit a clean
    # site first before it knows who they are and thus maybe an admin user.
    # This is how DansGuardian has always worked but in some situations it is less than
    # ideal. So you can optionally disable it. Default is on.
    # As a side effect disabling this makes AD image replacement work better as the mime
    # type is know.
    preemptivebanning = on
    # Misc settings

    # if on it adds an X-Forwarded-For: to the HTTP request
    # header. This may help solve some problem sites that need to know the
    # source ip. on | off
    forwardedfor = off

    # if on it uses the X-Forwarded-For: to determine the client
    # IP. This is for when you have squid between the clients and DansGuardian.
    # Warning - headers are easily spoofed. on | off
    usexforwardedfor = off

    # if on it logs some debug info regarding fork()ing and accept()ing which
    # can usually be ignored. These are logged by syslog. It is safe to leave
    # it on or off
    logconnectionhandlingerrors = on

    # Fork pool options

    # sets the maximum number of processes to sporn to handle the incomming
    # connections. Max value usually 250 depending on OS.
    # On large sites you might want to try 180.
    maxchildren = 120
    # sets the minimum number of processes to sporn to handle the incomming connections.
    # On large sites you might want to try 32.
    minchildren = 8

    # sets the minimum number of processes to be kept ready to handle connections.
    # On large sites you might want to try 8.
    minsparechildren = 4

    # sets the minimum number of processes to sporn when it runs out
    # On large sites you might want to try 10.
    preforkchildren = 6

    # sets the maximum number of processes to have doing nothing.
    # When this many are spare it will cull some of them.
    # On large sites you might want to try 64.
    maxsparechildren = 32

    # sets the maximum age of a child process before it croaks it.
    # This is the number of connections they handle before exiting.
    # On large sites you might want to try 10000.
    maxagechildren = 500
    # Process options
    # (Change these only if you really know what you are doing).
    # These options allow you to run multiple instances of DansGuardian on a single machine.
    # Remember to edit the log file path above also if that is your intention.

    # IPC filename
    #
    # Defines IPC server directory and filename used to communicate with the log process.
    ipcfilename = '/tmp/.dguardianipc'

    # URL list IPC filename
    #
    # Defines URL list IPC server directory and filename used to communicate with the URL
    # cache process.
    urlipcfilename = '/tmp/.dguardianurlipc'

    # PID filename
    #
    # Defines process id directory and filename.
    #pidfilename = '/var/run/dansguardian.pid'

    # Disable daemoning
    # If enabled the process will not fork into the background.
    # It is not usually advantageous to do this.
    # on|off ( defaults to off )
    nodaemon = off

    # Disable logging process
    # on|off ( defaults to off )
    nologger = off

    # Daemon runas user and group
    # This is the user that DansGuardian runs as. Normally the user/group nobody.
    # Uncomment to use. Defaults to the user set at compile time.
    # daemonuser = 'nobody'
    # daemongroup = 'nobody'

    # Soft restart
    # When on this disables the forced killing off all processes in the process group.
    # This is not to be confused with the -g run time option - they are not related.
    # on|off ( defaults to off )
    softrestart = off

  119. Robert Says:

    I am building a rather unique proxy server.
    I need to be able to forward requests by matching the destinations against 3 lists:
    - blacklist -> block,
    - freelist -> forward to the upstream proxy with a specified username and password, the same for all,
    - DirectAccessList -> retrieve directly.
    Whatever remains is forwarded to the upstream proxy, which will request a username and password for charging purposes.

    The AD and charging side of this I will work out later; it is the routing with credentials by list lookup that I have no idea where to start with.

    Site info:
    300 computers, 1000 users, 40M internet link.
    I have a dual Xeon 1.6 with 2G RAM and SCSI HW RAID HDD server for the task (a retired MS server).

    Ideas?

    Thanks

  120. Sai Wunna Aung Says:

    hello all friends,

    Please help me. I have created a squid 2.6 server on Windows Server 2003, but our ISP has banned some websites, e.g. http://mail.yahoo.com, https://mail.google.com. So I want to open those websites and others through squid's redirect setting.
    I want to know the HTTP redirect setting of squid 2.6.

    Best regards,
    Sai Wunna Aung
    Network Technician

  121. Ali Bhai Says:

    Hey, nice work. I appreciate the way you spread your knowledge, just like a teacher does to newbies. Thanks again.

  122. Ambot Says:

    Hey guys,

    How do I open ports in the proxy? I have a problem on my network: I can't view webcam and voice in Yahoo Messenger…
    As far as I know, 5000-5010 are used for voice, both TCP and UDP, while 5100 is used for video over TCP… I put them in Safe_ports but it does not seem to work…

    Also, I am not able to upload files, but downloads work fine….

  123. Sajid Says:

    Hi,
    Please help me to solve this problem.
    I have four network cards in a Linux machine:
    3 NICs for WAN,
    1 for the local LAN.
    My squid is sending all the internet traffic over only one network card; the other two are idle.
    Is it possible for squid to bind to the three WAN NICs and combine the Internet connections?
    Thanks

  124. Arulkumar Says:

    how to manage users browsing time quotas by squid.

    Example: Set a limit of 1 hour per day for the user

  125. dennyhalim Says:

    A dual Xeon with 8 GB of RAM?
    How many (hundreds of?) users does this monster serve???

    I'm using an old refurbished P3 with 384 MB of RAM serving 50+ heavy-downloading users with no problem.

    And with IPCop it only takes TWO clicks to activate the transparent proxy from its web GUI.

    Of course, you learn nothing with IPCop, because it's simply usable with a minimal learning curve.
    You'll learn a lot from getting dirty on the CLI.
    :)

  126. Mangal Says:

    How can we block PCs using MAC addresses?
    I tried: acl block arp 12:23:43:df:32:df

    but my squid does not know the keyword arp.
    To solve this I tried to rebuild it but I failed. Can you help me rebuild it?

  127. vivek Says:

    Mangal,

    See our Squid MAC Filtering FAQ

  128. Anas Says:

    Dear all

    Need Help ….

    I have Squid 2.6.STABLE6.
    When I add

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl Tiajri src 10.0.0.0/24
    http_access allow localhost
    http_access allow Tijari

    and then try to stop and start the squid service,
    it gives me "Failed" on start.

    Failed…. please help me.

  129. Pirkia.lt admin Says:

    Simple script to save your users from badware:

    #!/bin/bash
    # Fetch two hosts-file style blocklists, merge them, and turn them into a
    # Squid dstdomain list. Keeps a backup of the previous list and logs a count.

    URL0=http://www.mvps.org/winhelp2002/hosts.txt
    URL1=http://everythingisnt.com/hosts

    SQUIDBADWARE=/etc/squid/badware_list
    BADWARESTATS=/etc/squid/badware_stats
    TMP=$(mktemp -d)

    # Abort if either download fails, so an empty list never replaces the live one.
    wget -q "$URL0" -O "$TMP/hosts0" || { rm -rf "$TMP"; exit 1; }
    wget -q "$URL1" -O "$TMP/hosts1" || { rm -rf "$TMP"; exit 1; }

    # Strip CR line endings (the mvps.org file is CRLF) and comments, keep only
    # 127.0.0.1 entries, take the hostname column, drop localhost, deduplicate.
    cat "$TMP/hosts0" "$TMP/hosts1" \
      | tr -d '\r' \
      | cut -d '#' -f 1 \
      | grep '^127\.0\.0\.1[[:space:]]' \
      | awk '{ print $2 }' \
      | grep -v '^localhost$' \
      | sort -u > "$TMP/badware_list"

    # Rotate the previous list only after the new one has been built successfully.
    if [ -f "$SQUIDBADWARE" ]; then
      mv -f "$SQUIDBADWARE" "$SQUIDBADWARE.backup"
    fi
    cp "$TMP/badware_list" "$SQUIDBADWARE"

    # wc -l < file gives the count without the filename.
    SUM=$(wc -l < "$SQUIDBADWARE")
    DATE=$(date +%Y-%m-%d)
    echo "$DATE $SUM" >> "$BADWARESTATS"

    rm -rf "$TMP"

    /etc/init.d/squid reload > /dev/null

    To squid.conf add/update following lines:

    acl BADWARE_LIST_1 dstdomain "/etc/squid/badware_list"
    deny_info ERR_BADWARE_ACCESS_DENIED BADWARE_LIST_1

    …..

    http_access deny BADWARE_LIST_1
    http_access deny !Safe_ports BADWARE_LIST_1
    http_access deny CONNECT !SSL_ports

    Don't forget to add this script to your crontab:

    crontab -e

    30 23 * * * /data/scripts/squidguard.sh
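A more defensive converter for hosts-file blocklists, added here as an example (it is not part of the comment above or of the original post). Rather than downloading anything, it builds a small constructed hosts file in the format mvps.org uses, then filters it the way a Squid `dstdomain` list needs: CR line endings and `#` comments removed, only `127.0.0.1`/`0.0.0.0` sink entries kept, every hostname on the line taken (hosts files may list several per line), names lowercased and deduplicated, `localhost` dropped, and anything that is not a syntactically valid hostname rejected so a stray token cannot break the ACL. The sample data and the function names are mine, not the commenter's.

```sh
#!/bin/sh
# Convert a hosts-file style blocklist into a Squid dstdomain list.
# Example code added to this thread; the sample hosts file is constructed.

hosts_to_dstdomain() {
    # $1: path to a hosts file. Prints one validated hostname per line.
    tr -d '\r' < "$1" \
    | sed -e 's/#.*$//' \
    | awk '$1 == "127.0.0.1" || $1 == "0.0.0.0" {
               for (i = 2; i <= NF; i++) print tolower($i)
           }' \
    | grep -v -E '^localhost(\.localdomain)?$' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | sort -u
}

make_sample_hosts() {
    # Writes a constructed hosts file (CRLF, comments, mixed case, a bad name,
    # a non-loopback entry) and prints its path.
    f=$(mktemp)
    printf '%s\r\n' \
        '# constructed sample, not a real blocklist' \
        '127.0.0.1 localhost' \
        '127.0.0.1 ad.example.com  # tracker' \
        '0.0.0.0 malware.example.net' \
        '127.0.0.1 Ad.Example.COM' \
        '127.0.0.1 bad_host.example.org' \
        '192.168.1.10 intranet.example.com' \
        > "$f"
    echo "$f"
}

SAMPLE=$(make_sample_hosts)
hosts_to_dstdomain "$SAMPLE"
rm -f "$SAMPLE"
```

Two points worth remembering when the output goes into `acl ... dstdomain "/etc/squid/badware_list"`: an entry without a leading dot matches that exact host only, while `.example.com` would also match every subdomain; and running `squid -k parse` against the new file before `squid -k reconfigure` catches a malformed list before it takes the proxy down.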

  130. Faisal Says:

    Dear Vivek, I am using a CentOS Linux server; here I don't need to define a proxy in squid.conf.
    Kindly guide me on how to use it without the ISP proxy. Also, I have 3 DSL modems connected in the office and I need to configure them all together so that if one is not working it switches to another automatically.

    Your quick response will be highly appreciated.
    Best Regards.
    Faisal

  131. Santosh Says:

    Hi,
    This site is good with good comments.

    Can you help me? I am using the same config.
    Please clear up my 2 doubts.

    1. After making the proxy transparent, the sites blocked in squid-block.acl are no longer blocked from the client PC (again, it only works if we set a proxy server in the browser).
    2. How to block a website (such as http://www.youtube.com) using iptables.

    regards,
    Santosh

  132. Santosh Says:

    Hello,

    Please reply ASAP.

    regards,
    santosh

  133. nandhakumar Says:

    Hi all

    I configured a Squid proxy in our office, but the problem is that Outlook Express is not working. Please help me out.
    regards
    nandha

  134. Sulman Says:

    Dear,
    I have 3 NICs in the Squid proxy: one connects to the LAN and the other 2 connect to 2 DSL modems. I want to combine the speed of more than 1 DSL link together. Kindly help me regarding what needs to be configured in Linux. Help me ASAP.
    Thanks

  135. Jit Says:

    Hi,

    I've configured my Squid as per your guidance but am not able to access any website from a client, nor am I able to ping.

    Though I'm able to open some websites by their IP, and even able to open the control panel of my ADSL router!

    I've no clue where things are wrong! :(
    I would be highly grateful if you could help me fix this issue!

    here is the complete scenario of my network

    [LAN] —> e1 [ SQUID ] e0 —-> [ADSL]

    192.168.2.0 [LAN]
    192.168.2.1 [e1 of squid]
    192.168.1.2 [e0 of squid]
    192.168.1.1 [adsl router ip]

    Waiting desperately!

    Rock on
    Jit

  136. Yusuf Says:

    I have configured SQUID PROXY with TRANSPARENT using this site help

    Thanks

  137. gautam Says:

    I have gone through your notes. They are very good and interesting. I have 2 network cards in my Squid proxy server on RHEL5.

    I need all users to access only certain sites during office hours, and after office hours they can access any sites they wish. This should not apply to managers, who can access any site at any time.

    I got this working, but when I configured Squid I used port 8080 instead of 3128, the default port.

    If the end users remove the proxy (IP of the Squid server) from their browser, they can access any site during office hours. How do I disable this????

    It is something to do with the firewall. I tried but I failed. I am pasting it; can you correct it?

    $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

    The Squid server has two network cards. One has the internal IP and the other the external IP.

    I have given the external IP for SQUID_SERVER.

    SQUID_PORT is 8080.
    Please help me. It is very urgent.

    Thanks and Regards,

  138. flex Says:

    I have a ClarkConnect Linux box. I am not that good at Linux but can configure it when given an example.

    My network has a layer 3 switch which does the routing for all VLANs. I have created a special VLAN where all traffic from the LAN VLANs is routed, and connected this node to the CC box's LAN interface. I have also added the static routes on the CC box and all VLANs can access the internet properly.

    But I want to use the proxy. WHEN I START THE SQUID PROCESS it blocks all outgoing traffic and gives me the IP and port to configure as the proxy in the browser settings. That I do, but I still cannot connect.

    here is a file for my routes

    Adding extra LANs on Clark Connect
    #/etc/system/network file

    EXTRALANS="10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 10.0.5.0/24 10.0.6.0/24 10.0.7.0/24 10.0.8.0/24 10.0.9.0/24 10.0.10.0/24 10.0.11.0/24 10.0.12.0/24 10.0.13.0/24 10.0.14.0/24 10.0.15.0/24 10.0.16.0/24 10.0.17.0/24 10.0.18.0/24 10.0.19.0/24 10.0.20.0/24 10.0.21.0/24 10.0.22.0/24 10.0.23.0/24 10.0.24.0/24 10.0.25.0/24 10.0.26.0/24 10.0.27.0/24 10.0.28.0/24 10.0.29.0/24 10.0.30.0/24 10.0.31.0/24 10.0.32.0/24 10.0.33.0/24 10.0.34.0/24 10.0.35.0/24 10.0.36.0/24 10.0.37.0/24 10.0.38.0/24 10.0.39.0/24"

    #Adding Static routes to Clark Connect for Vlans to work with proxy
    #This should work
    #/etc/sysconfig/network-scripts/route-eth1

    10.0.2.0/24 via 10.2.56.2
    10.0.3.0/24 via 10.2.56.2
    10.0.4.0/24 via 10.2.56.2
    10.0.5.0/24 via 10.2.56.2
    10.0.6.0/24 via 10.2.56.2
    10.0.7.0/24 via 10.2.56.2
    10.0.8.0/24 via 10.2.56.2
    10.0.9.0/24 via 10.2.56.2
    10.0.10.0/24 via 10.2.56.2
    10.0.11.0/24 via 10.2.56.2
    10.0.12.0/24 via 10.2.56.2
    10.0.13.0/24 via 10.2.56.2
    10.0.14.0/24 via 10.2.56.2
    10.0.15.0/24 via 10.2.56.2
    10.0.16.0/24 via 10.2.56.2
    10.0.17.0/24 via 10.2.56.2
    10.0.18.0/24 via 10.2.56.2
    10.0.19.0/24 via 10.2.56.2
    10.0.20.0/24 via 10.2.56.2
    10.0.21.0/24 via 10.2.56.2
    10.0.22.0/24 via 10.2.56.2
    10.0.23.0/24 via 10.2.56.2
    10.0.24.0/24 via 10.2.56.2
    10.0.25.0/24 via 10.2.56.2
    10.0.26.0/24 via 10.2.56.2
    10.0.27.0/24 via 10.2.56.2
    10.0.28.0/24 via 10.2.56.2
    10.0.29.0/24 via 10.2.56.2
    10.0.30.0/24 via 10.2.56.2
    10.0.31.0/24 via 10.2.56.2
    10.0.32.0/24 via 10.2.56.2
    10.0.33.0/24 via 10.2.56.2
    10.0.34.0/24 via 10.2.56.2
    10.0.35.0/24 via 10.2.56.2
    10.0.36.0/24 via 10.2.56.2
    10.0.37.0/24 via 10.2.56.2
    10.0.38.0/24 via 10.2.56.2
    10.0.39.0/24 via 10.2.56.2

    Which other file should I configure for the web proxy to work?
    The IP and port CC gives for the proxy are

    10.2.56.2
    8080 or 3128

    but it does not work.

  139. Sohbet Says: