Difference between revisions of "Squid"
| (8 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | == The Squid Proxy Server == | |
| + | |||
| + | '''This is a quick and dirty howto about getting Squid up und running in 5min...''' | ||
| + | |||
| + | What benefits one may get from using an anonymous proxy server? Well, I would say many things but the most important one is that you can browse the web anonymously without exposing your IP, location etc.. out there. Anyhow, even though I usually use OpenVPN or PPTP for safe browsing and such things, having a private anonymous proxy server in your toolbox is a nice thing. | ||
| + | Furthermore, a cache is speeding up you daily internet connection with repeating objects getting out of the cache instead of downloading it again. Advanced filtering technics (Antivirus, Content, Ad-Blocks, etc) are also possible. | ||
| + | |||
| + | Please start always by refreshing your portage tree, like: | ||
# emerge --sync | # emerge --sync | ||
then I’ve searched the portage tree for ‘squid’ using my pkgfile function and got this: | then I’ve searched the portage tree for ‘squid’ using my pkgfile function and got this: | ||
| + | <pre> | ||
# pkgfile squid | # pkgfile squid | ||
=> net-analyzer/squid-graph | => net-analyzer/squid-graph | ||
| Line 11: | Line 19: | ||
=> net-proxy/squidguard | => net-proxy/squidguard | ||
=> sec-policy/selinux-squid | => sec-policy/selinux-squid | ||
| + | </pre> | ||
ok, then emerged ‘net-proxy/squid’ using: | ok, then emerged ‘net-proxy/squid’ using: | ||
| Line 22: | Line 31: | ||
ok, so the auth helper is located in ‘/usr/libexec/squid/ncsa_auth’ so let’s setup Squid’s configuration file (/etc/squid/squid.conf). Make sure you change ‘XXX.XX.XX.XXX’ with your actual server’s IP address and edit anything else you want to suit your needs. | ok, so the auth helper is located in ‘/usr/libexec/squid/ncsa_auth’ so let’s setup Squid’s configuration file (/etc/squid/squid.conf). Make sure you change ‘XXX.XX.XX.XXX’ with your actual server’s IP address and edit anything else you want to suit your needs. | ||
| − | # cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF | + | |
| + | <pre># cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF | ||
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd | auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd | ||
auth_param basic children 5 | auth_param basic children 5 | ||
| Line 34: | Line 44: | ||
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 | ||
acl localnet src 10.0.0.0/8 | acl localnet src 10.0.0.0/8 | ||
| − | # | + | # RFC 1918 possible internal network |
acl localnet src 172.16.0.0/12 | acl localnet src 172.16.0.0/12 | ||
| − | # | + | # RFC 1918 possible internal network |
acl localnet src 192.168.0.0/16 | acl localnet src 192.168.0.0/16 | ||
| − | # | + | # RFC 1918 possible internal network |
acl localnet src fc00::/7 | acl localnet src fc00::/7 | ||
| − | # | + | # RFC 4193 local private network range |
acl localnet src fe80::/10 | acl localnet src fe80::/10 | ||
| − | # | + | # RFC 4291 link-local (directly plugged) machines |
acl SSL_ports port 443 | acl SSL_ports port 443 | ||
acl Safe_ports port 80 # http | acl Safe_ports port 80 # http | ||
| Line 78: | Line 88: | ||
visible_hostname ViruSzZ | visible_hostname ViruSzZ | ||
maximum_object_size 20 MB | maximum_object_size 20 MB | ||
| + | cache_dir ufs /var/cache/squid 512 32 512 | ||
| + | |||
forwarded_for off | forwarded_for off | ||
request_header_access Allow allow all | request_header_access Allow allow all | ||
| Line 110: | Line 122: | ||
shutdown_lifetime 3 seconds | shutdown_lifetime 3 seconds | ||
EOF | EOF | ||
| + | </pre> | ||
proceed with creating the ‘/etc/squid/passwd’ file and adding your user by executing: | proceed with creating the ‘/etc/squid/passwd’ file and adding your user by executing: | ||
| Line 115: | Line 128: | ||
(note that you need to omit the ‘-c’ switch when adding another user to the file) | (note that you need to omit the ‘-c’ switch when adding another user to the file) | ||
| + | then do a <code># squid -z</code> to create the cache direcory. | ||
Finally, restart your squid server and check if it’s actually listening using: | Finally, restart your squid server and check if it’s actually listening using: | ||
# /etc/init.d/squid restart | # /etc/init.d/squid restart | ||
| Line 122: | Line 136: | ||
# rc-update add squid default | # rc-update add squid default | ||
To test it, for example I use Opera for this so I just go to ‘Settings → Preferences → Advanced → Network → Proxy Servers’ and set the browser to use the proxy server we just created. | To test it, for example I use Opera for this so I just go to ‘Settings → Preferences → Advanced → Network → Proxy Servers’ and set the browser to use the proxy server we just created. | ||
| + | |||
| + | |||
| + | [[Category:HOWTO]] | ||
Latest revision as of 03:04, 12 January 2013
[edit] The Squid Proxy Server
This is a quick and dirty howto about getting Squid up und running in 5min...
What benefits one may get from using an anonymous proxy server? Well, I would say many things but the most important one is that you can browse the web anonymously without exposing your IP, location etc.. out there. Anyhow, even though I usually use OpenVPN or PPTP for safe browsing and such things, having a private anonymous proxy server in your toolbox is a nice thing. Furthermore, a cache is speeding up you daily internet connection with repeating objects getting out of the cache instead of downloading it again. Advanced filtering technics (Antivirus, Content, Ad-Blocks, etc) are also possible.
Please start always by refreshing your portage tree, like:
- emerge --sync
then I’ve searched the portage tree for ‘squid’ using my pkgfile function and got this:
# pkgfile squid => net-analyzer/squid-graph => net-analyzer/squidsites => net-analyzer/squidview => net-proxy/squid => net-proxy/squidclamav => net-proxy/squidguard => sec-policy/selinux-squid
ok, then emerged ‘net-proxy/squid’ using:
- emerge -av net-proxy/squid
once it got installed, since this squid proxy setup will be using authentication to authenticate users via the ‘ncsa_auth‘ helper, we need to know the location of this helper so we can use it in our squid.confconfiguration file. To find this I’ll be using a tool named as ‘qfile‘ which is shipped in ‘app-portage/portage-utils‘.
- qfile ncsa_auth
net-proxy/squid (/usr/libexec/squid/ncsa_auth)
ok, so the auth helper is located in ‘/usr/libexec/squid/ncsa_auth’ so let’s setup Squid’s configuration file (/etc/squid/squid.conf). Make sure you change ‘XXX.XX.XX.XXX’ with your actual server’s IP address and edit anything else you want to suit your needs.
# cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm please login?
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
# RFC 1918 possible internal network
acl localnet src 172.16.0.0/12
# RFC 1918 possible internal network
acl localnet src 192.168.0.0/16
# RFC 1918 possible internal network
acl localnet src fc00::/7
# RFC 4193 local private network range
acl localnet src fe80::/10
# RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localhost
http_access deny all
http_port 2222
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_access allow localnet
icp_access deny all
acl ip1 myip XXX.XX.XX.XXX
tcp_outgoing_address XXX.XX.XX.XXX ip1
cache_mgr mail@maiwald.tk
cache_mem 128 MB
visible_hostname ViruSzZ
maximum_object_size 20 MB
cache_dir ufs /var/cache/squid 512 32 512
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
shutdown_lifetime 3 seconds
EOF
proceed with creating the ‘/etc/squid/passwd’ file and adding your user by executing:
- htpasswd -c /etc/squid/passwd your_user
(note that you need to omit the ‘-c’ switch when adding another user to the file)
then do a # squid -z to create the cache direcory.
Finally, restart your squid server and check if it’s actually listening using:
- /etc/init.d/squid restart
- netstat -tunlp | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 482/(squid) if you like it to start on your system’s start-up, then you can execute:
- rc-update add squid default
To test it, for example I use Opera for this so I just go to ‘Settings → Preferences → Advanced → Network → Proxy Servers’ and set the browser to use the proxy server we just created.
