A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client.
Fig. Schematic representation of a proxy server, where the computer in the middle acts as the proxy server between the other two.
or
"A 'transparent proxy' is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification".
Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.
ii) Eth0: IP:192.168.0.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network.
iv) OS: CentOS 5.4 (also work on Redhat Enterprise Linux 4)
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Modify or add following squid directives:
Where,
[root@gateway squid]# cat /etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl bad dstdomain "/etc/squid/bad-sites.acl"
http_access allow !bad
acl our_networks src 192.168.2.0/24
#http_access allow our_networks
#http_access allow localhost
acl ftp proto FTP
http_access allow ftp
http_access deny all
http_reply_access allow all
icp_access allow all
#hicp_access allow all
http_port 192.168.2.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
cache_dir ufs /home/squid 512 16 256
access_log /home/log/squid/access.log squid
error_log /home/log/squid/error.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname gateway
http_port 80 vhost
coredump_dir /home/spool/squid
[root@gateway squid]#
Start or Restart the squid:
Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Hope This will help You..
!Enjoy Linux
Kuldeep Sharma
Transparent proxies
An intercepting proxy (also forced proxy or transparent proxy) combines a proxy server with a gateway or router (commonly with NAT capabilities). Connections made by client browsers through the gateway are diverted to the proxy without client-side configuration (or often knowledge).or
"A 'transparent proxy' is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification".
Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.
My Setup:
i) System: Intel Dual Core system with 4 GB RAM.ii) Eth0: IP:192.168.0.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network.
iv) OS: CentOS 5.4 (also work on Redhat Enterprise Linux 4)
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Server Configuration
- Step #1 : Squid configuration so that it will act as a transparent proxy
- Step #2 : Iptables configuration
- a) Configure system as router
- b) Forward all http requests to 3128 (DNAT)
- Step #3: Run scripts and start squid service
First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.confModify or add following squid directives:
http_port 80 vhostWhere,
http_port 80 vhost: Squid as an httpd accelerator and 80 is port you want to act as a proxy
[root@gateway squid]# cat /etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl bad dstdomain "/etc/squid/bad-sites.acl"
http_access allow !bad
acl our_networks src 192.168.2.0/24
#http_access allow our_networks
#http_access allow localhost
acl ftp proto FTP
http_access allow ftp
http_access deny all
http_reply_access allow all
icp_access allow all
#hicp_access allow all
http_port 192.168.2.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
cache_dir ufs /home/squid 512 16 256
access_log /home/log/squid/access.log squid
error_log /home/log/squid/error.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname gateway
http_port 80 vhost
coredump_dir /home/spool/squid
[root@gateway squid]#
Iptables configuration
Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.1:3128
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid onDesktop / Client computer configuration
Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.How do I test my squid proxy is working correctly?
See access log file /var/log/squid/access.log:# tail -f /var/log/squid/access.logAbove command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Hope This will help You..
!Enjoy Linux
Kuldeep Sharma
