Difference between revisions of "Squid"

Revision as of 17:05, 7 January 2013

Fist thing I’ve done was refreshing my portage tree, by running:

emerge --sync

then I’ve searched the portage tree for ‘squid’ using my pkgfile function and got this:

pkgfile squid

=> net-analyzer/squid-graph => net-analyzer/squidsites => net-analyzer/squidview => net-proxy/squid => net-proxy/squidclamav => net-proxy/squidguard => sec-policy/selinux-squid

ok, then emerged ‘net-proxy/squid’ using:

emerge -av net-proxy/squid

once it got installed, since this squid proxy setup will be using authentication to authenticate users via the ‘ncsa_auth‘ helper, we need to know the location of this helper so we can use it in our squid.confconfiguration file. To find this I’ll be using a tool named as ‘qfile‘ which is shipped in ‘app-portage/portage-utils‘.

qfile ncsa_authnet-proxy/squid (/usr/libexec/squid/ncsa_auth)

ok, so the auth helper is located in ‘/usr/libexec/squid/ncsa_auth’ so let’s setup Squid’s configuration file (/etc/squid/squid.conf). Make sure you change ‘XXX.XX.XX.XXX’ with your actual server’s IP address and edit anything else you want to suit your needs.

cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF

auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm please login? auth_param basic credentialsttl 2 hours auth_param basic casesensitive off acl ncsa_users proxy_auth REQUIRED http_access allow ncsa_users acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src 10.0.0.0/8

RFC1918 possible internal network

acl localnet src 172.16.0.0/12

RFC1918 possible internal network

acl localnet src 192.168.0.0/16

RFC1918 possible internal network

acl localnet src fc00::/7

RFC 4193 local private network range

acl localnet src fe80::/10

RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 901 # SWAT acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access allow localhost http_access allow localhost http_access deny all http_port 2222 coredump_dir /var/cache/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 icp_access allow localnet icp_access deny all acl ip1 myip XXX.XX.XX.XXX tcp_outgoing_address XXX.XX.XX.XXX ip1 cache_mgr mail@maiwald.tk cache_mem 128 MB visible_hostname ViruSzZ maximum_object_size 20 MB forwarded_for off request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access User-Agent allow all request_header_access Cookie allow all request_header_access All deny all shutdown_lifetime 3 seconds EOF

proceed with creating the ‘/etc/squid/passwd’ file and adding your user by executing:

htpasswd -c /etc/squid/passwd your_user

(note that you need to omit the ‘-c’ switch when adding another user to the file)

Finally, restart your squid server and check if it’s actually listening using:

/etc/init.d/squid restart
netstat -tunlp | grep 2222

tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 482/(squid) if you like it to start on your system’s start-up, then you can execute:

rc-update add squid default

To test it, for example I use Opera for this so I just go to ‘Settings → Preferences → Advanced → Network → Proxy Servers’ and set the browser to use the proxy server we just created.

Difference between revisions of "Squid"

Revision as of 17:05, 7 January 2013

Personal tools

Namespaces

Variants

Views

Actions

Search

Categories

Toolbox

Stuff

@@ Line 3: / Line 3: @@
 # emerge --sync
 then I’ve searched the portage tree for ‘squid’ using my pkgfile function and got this:
-# pkgfile squid  => net-analyzer/squid-graph  => net-analyzer/squidsites  => net-analyzer/squidview  => net-proxy/squid  => net-proxy/squidclamav  => net-proxy/squidguard  => sec-policy/selinux-squid
+# pkgfile squid
+=> net-analyzer/squid-graph
+=> net-analyzer/squidsites
+=> net-analyzer/squidview
+=> net-proxy/squid
+=> net-proxy/squidclamav
+=> net-proxy/squidguard
+=> sec-policy/selinux-squid
 ok, then emerged ‘net-proxy/squid’ using:
 # emerge -av net-proxy/squid
 once it got installed, since this squid proxy setup will be using authentication to authenticate users via the ‘ncsa_auth‘ helper, we need to know the location of this helper so we can use it in our squid.confconfiguration file. To find this I’ll be using a tool named as ‘qfile‘ which is shipped in ‘app-portage/portage-utils‘.
 # qfile ncsa_authnet-proxy/squid (/usr/libexec/squid/ncsa_auth)
 ok, so the auth helper is located in ‘/usr/libexec/squid/ncsa_auth’ so let’s setup Squid’s configuration file (/etc/squid/squid.conf). Make sure you change ‘XXX.XX.XX.XXX’ with your actual server’s IP address and edit anything else you want to suit your needs.
-# cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOFauth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwdauth_param basic children 5auth_param basic realm please login?auth_param basic credentialsttl 2 hoursauth_param basic casesensitive off acl ncsa_users proxy_auth REQUIREDhttp_access allow ncsa_usersacl manager proto cache_objectacl localhost src 127.0.0.1/32 ::1acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1acl localnet src 10.0.0.0/8     # RFC1918 possible internal networkacl localnet src 172.16.0.0/12  # RFC1918 possible internal networkacl localnet src 192.168.0.0/16 # RFC1918 possible internal networkacl localnet src fc00::/7       # RFC 4193 local private network rangeacl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machinesacl SSL_ports port 443acl Safe_ports port 80          # httpacl Safe_ports port 21          # ftpacl Safe_ports port 443         # httpsacl Safe_ports port 70          # gopheracl Safe_ports port 210         # waisacl Safe_ports port 1025-65535  # unregistered portsacl Safe_ports port 280         # http-mgmtacl Safe_ports port 488         # gss-httpacl Safe_ports port 591         # filemakeracl Safe_ports port 777         # multiling httpacl Safe_ports port 901         # SWATacl CONNECT method CONNECThttp_access allow manager localhosthttp_access deny managerhttp_access deny !Safe_portshttp_access deny CONNECT !SSL_portshttp_access allow localnethttp_access allow localhosthttp_access allow localhosthttp_access deny allhttp_port 2222coredump_dir /var/cache/squidrefresh_pattern ^ftp:           1440    20%     10080refresh_pattern ^gopher:        1440    0%      1440refresh_pattern -i (/cgi-bin/|\?) 0     0%      0refresh_pattern .               0       20%     4320 icp_access allow localneticp_access deny allacl ip1 myip XXX.XX.XX.XXXtcp_outgoing_address XXX.XX.XX.XXX ip1cache_mgr wMaster@stavrovski.netcache_mem 64 MBvisible_hostname ViruSzZmaximum_object_size 10 MB forwarded_for offrequest_header_access Allow allow allrequest_header_access Authorization allow allrequest_header_access WWW-Authenticate allow allrequest_header_access Proxy-Authorization allow allrequest_header_access Proxy-Authenticate allow allrequest_header_access Cache-Control allow allrequest_header_access Content-Encoding allow allrequest_header_access Content-Length allow allrequest_header_access Content-Type allow allrequest_header_access Date allow allrequest_header_access Expires allow allrequest_header_access Host allow allrequest_header_access If-Modified-Since allow allrequest_header_access Last-Modified allow allrequest_header_access Location allow allrequest_header_access Pragma allow allrequest_header_access Accept allow allrequest_header_access Accept-Charset allow allrequest_header_access Accept-Encoding allow allrequest_header_access Accept-Language allow allrequest_header_access Content-Language allow allrequest_header_access Mime-Version allow allrequest_header_access Retry-After allow allrequest_header_access Title allow allrequest_header_access Connection allow allrequest_header_access Proxy-Connection allow allrequest_header_access User-Agent allow allrequest_header_access Cookie allow allrequest_header_access All deny all shutdown_lifetime 3 secondsEOF
+# cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF
+auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
+auth_param basic children 5
+auth_param basic realm please login?
+auth_param basic credentialsttl 2 hours
+auth_param basic casesensitive off
+acl ncsa_users proxy_auth REQUIRED
+http_access allow ncsa_users
+acl manager proto cache_object
+acl localhost src 127.0.0.1/32 ::1
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+acl localnet src 10.0.0.0/8
+# RFC1918 possible internal network
+acl localnet src 172.16.0.0/12
+# RFC1918 possible internal network
+acl localnet src 192.168.0.0/16
+# RFC1918 possible internal network
+acl localnet src fc00::/7
+# RFC 4193 local private network range
+acl localnet src fe80::/10
+# RFC 4291 link-local (directly plugged) machines
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 70          # gopher
+acl Safe_ports port 210         # wais
+acl Safe_ports port 1025-65535  # unregistered ports
+acl Safe_ports port 280         # http-mgmt
+acl Safe_ports port 488         # gss-http
+acl Safe_ports port 591         # filemaker
+acl Safe_ports port 777         # multiling http
+acl Safe_ports port 901         # SWAT
+acl CONNECT method CONNECT
+http_access allow manager localhost
+http_access deny manager
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localnet
+http_access allow localhost
+http_access allow localhost
+http_access deny all
+http_port 2222
+coredump_dir /var/cache/squid
+refresh_pattern ^ftp:           1440    20%     10080
+refresh_pattern ^gopher:        1440    0%      1440
+refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
+refresh_pattern .               0       20%     4320
+icp_access allow localnet
+icp_access deny all
+acl ip1 myip XXX.XX.XX.XXX
+tcp_outgoing_address XXX.XX.XX.XXX ip1
+cache_mgr mail@maiwald.tk
+cache_mem 128 MB
+visible_hostname ViruSzZ
+maximum_object_size 20 MB
+forwarded_for off
+request_header_access Allow allow all
+request_header_access Authorization allow all
+request_header_access WWW-Authenticate allow all
+request_header_access Proxy-Authorization allow all
+request_header_access Proxy-Authenticate allow all
+request_header_access Cache-Control allow all
+request_header_access Content-Encoding allow all
+request_header_access Content-Length allow all
+request_header_access Content-Type allow all
+request_header_access Date allow all
+request_header_access Expires allow all
+request_header_access Host allow all
+request_header_access If-Modified-Since allow all
+request_header_access Last-Modified allow all
+request_header_access Location allow all
+request_header_access Pragma allow all
+request_header_access Accept allow all
+request_header_access Accept-Charset allow all
+request_header_access Accept-Encoding allow all
+request_header_access Accept-Language allow all
+request_header_access Content-Language allow all
+request_header_access Mime-Version allow all
+request_header_access Retry-After allow all
+request_header_access Title allow all
+request_header_access Connection allow all
+request_header_access Proxy-Connection allow all
+request_header_access User-Agent allow all
+request_header_access Cookie allow all
+request_header_access All deny all
+shutdown_lifetime 3 seconds
+EOF
 proceed with creating the ‘/etc/squid/passwd’ file and adding your user by executing:
 # htpasswd -c /etc/squid/passwd your_user
 (note that you need to omit the ‘-c’ switch when adding another user to the file)
 Finally, restart your squid server and check if it’s actually listening using:
-# /etc/init.d/squid restart # netstat -tunlp | grep 2222tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      482/(squid)
+# /etc/init.d/squid restart
+# netstat -tunlp | grep 2222
+tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      482/(squid)
 if you like it to start on your system’s start-up, then you can execute:
 # rc-update add squid default
 To test it, for example I use Opera for this so I just go to ‘Settings → Preferences → Advanced → Network → Proxy Servers’ and set the browser to use the proxy server we just created.