Install Squid as a Transparent Proxy Server

By | 20/06/2011

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

An intercepting proxy (also known as a “transparent proxy”) combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (and often without the client's knowledge). The client therefore needs no proxy settings and usually never notices that it is using one, but its traffic still passes through the proxy.

Squid Cache Proxy Installation

1. Open up your shell and type this command:
   sudo apt-get install squid
2. Finish.

For other operating systems you can download a binary package here.

Configure Squid Cache Proxy as Transparent Proxy

To configure Squid as a transparent proxy you need to edit the squid.conf file in /etc/squid/squid.conf as follows:

[code]
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24

acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost
http_access deny all

http_reply_access allow localnet
http_reply_access deny all

icp_access allow localnet
icp_access deny all

http_port 8080 transparent

hierarchy_stoplist cgi-bin ?

cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr admin@email.com
# The Debian/Ubuntu packages run Squid as user and group "proxy"; use that name there
cache_effective_user squid
cache_effective_group squid

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

visible_hostname yourdomain.com

icp_port 3130

always_direct    allow    all

forwarded_for off

coredump_dir /var/spool/squid
[/code]

The most important line is
“http_port 8080 transparent”: it tells Squid to run as a transparent proxy on port 8080 (the default is 3128). Later you need to configure iptables so that every port-80 request from the LAN is redirected to this same port.
Note: that setting is for Squid v2.6 or v2.7. In later versions such as Squid v3.1 the “transparent” option is deprecated; use the “intercept” option instead.

There are many other things Squid can do, such as limiting download speed for certain IP addresses, denying access to “time wasting” sites, blocking certain ports, denying downloads of certain file types during certain hours, and many more cases you can name. So take your time to read the documentation guide here.

Note: The Squid installation steps above are for Ubuntu/Debian only. On other distributions they may work but will need adjustment.

Iptables Configurations

To make Squid act as the transparent proxy (a “man in the middle” for the LAN's port-80 traffic), you need to configure iptables.
I got this script to help you:

[code]
#!/bin/sh
# ------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# ------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port: must match the http_port line in squid.conf
# (8080 in the config above; Squid's own default is 3128)
SQUID_PORT="8080"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to Squid ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
[/code]
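As an added example (not part of the original post or of the nixCraft script), here is a small POSIX sh helper covering the two points above that most often break this setup: that the port on the http_port line of squid.conf is the same port the iptables rules redirect to, and which interception keyword (“transparent” for 2.6/2.7, “intercept” for 3.1 and later) a given Squid version expects. The demo squid.conf it writes to a temp file is constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example: consistency checks for a Squid transparent-proxy setup.

# Print the port number from the first http_port line of a squid.conf.
# Usage: squid_http_port /etc/squid/squid.conf
squid_http_port() {
    # Strip comments, take the first http_port line, keep only the port
    # (handles both "8080" and "192.168.1.1:8080" forms).
    sed -e 's/#.*//' "$1" | awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2; exit }'
}

# Print the interception keyword a Squid version expects:
# "transparent" for 2.6/2.7, "intercept" for 3.1 and later.
# Usage: intercept_keyword "3.1.19"
intercept_keyword() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }; then
        echo intercept
    else
        echo transparent
    fi
}

# Return 0 when the squid.conf port equals the port the iptables script
# DNATs/REDIRECTs to ($SQUID_PORT), 1 otherwise. A mismatch leaves LAN
# clients with "connection refused" instead of a proxied page.
ports_agree() {
    [ "$(squid_http_port "$1")" = "$2" ]
}

# Constructed demo config mirroring the key line of the post's squid.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
acl localnet src 192.168.1.0/24
http_port 8080 transparent
cache_mem 256 MB
EOF

if ports_agree "$demo_conf" 8080; then echo "squid.conf and iptables agree on port 8080"; fi
ports_agree "$demo_conf" 3128 || echo "mismatch: iptables would send port-80 traffic to 3128 but Squid listens on $(squid_http_port "$demo_conf")"
echo "Squid 2.7 keyword: $(intercept_keyword 2.7.STABLE9)"
echo "Squid 3.1 keyword: $(intercept_keyword 3.1.19)"
rm -f "$demo_conf"
```

Run it against the real /etc/squid/squid.conf and the SQUID_PORT value from the script above before loading the iptables rules.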

Okay, that’s all of it. If you like it please leave me a comment.

Source/info: http://www.ivankristianto.com/os/ubuntu/howto-install-and-configure-squid-as-transparent-proxy/648/

3 thoughts on “Install Squid as a Transparent Proxy Server”

  1. ignacaz

    Nice work, but what about HTTPS? How do you deal with https sites like gmail.com in a transparent proxy? Iptables?

