Solved

experts in squid 4 questions

Posted on 2005-03-12
Last Modified: 2013-11-22
Hi Experts,

How to install squid for proxying web pages.

(no problem with the networking side, I can manage this part)

wanted squid to be setup as transparent proxying so that we don't need to do anything on the client workstations.

We have a fresh FreeBSD v4.10 with internet access. Should I create a system account first? What kind of rights does it need?

Please kindly guide me step by step.. (I'm using putty to login)

1. create an account to install/run squid
2. where to download squid
3. install squid
4. make necessary changes to the config to get it online


Thanks.
Question by:lynnton
12 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 13527643
1.
cd /usr/ports/www/squid
make install clean ( none of transparency options needed )

Then read http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.7

2.
www.squid-cache.org , not necessary when you use freebsd ports or packages

3.
read 1.

4.
If not obvious - with text editor, in config files.
0
 
LVL 1

Author Comment

by:lynnton
ID: 13535625
gheist,

I've read the link, http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.7

It was very helpful, one question though, I'm not sure if I need "hijacked connection".

here's the design:

internet--firewall (nat)--windows box, using surf control (nat)- client workstations.

Thanks.

0
 
LVL 62

Expert Comment

by:gheist
ID: 13539062
Actually you are asking for them.
If I knew what does smurfcontrol mean....
0
 
LVL 1

Author Comment

by:lynnton
ID: 13539210
gheist,

surf control is the one that manages/generates reports of allowed/unallowed sites.

so design is:

internet--firewall--proxy (freeBSD squid) ---windows blocking gateway---client workstations

I've finished the installing part. Please see below for the post-installation.

I know there is a lot more to this than following the post install. (i.e. add this to start-up)

Please kindly guide me on the configuring part.

Thanks.


===> Post-installation informations for squid-2.5.9_2

     o You can find the configuration files for this package
       in the directory /usr/local/etc/squid.

     o A cache directory has been created in /usr/local/squid/cache.
       Log files will be written to /usr/local/squid/logs.

     o The default configuration will deny everyone access to the
       proxy service. Edit the "http_access" directives in
       /usr/local/etc/squid/squid.conf to suit your needs.

     o If you never ran squid on this system before, you need to
       initialize the cache directory by running "squid -z"
       as 'root' or 'squid' before starting squid.

     Please note that /usr/local/etc/rc.d/squid.sh is now
     an rcNG script by default. This means that squid will not
     start automatically at boot time.

     To enable squid, set squid_enable=yes in either
     /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid
     See /usr/local/etc/rc.d/squid.sh for more
     configuration options.

     If you want to install an old style rc script, run
     'make config' and deselect the option to install an
     rcNG script.

===>   Compressing manual pages for squid-2.5.9_2
===>   Registering installation for squid-2.5.9_2
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/squid

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/squid.sh

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.squid-cache.org/
===>  Cleaning for rc_subr-1.31
===>  Cleaning for squid-2.5.9_2
0
 
LVL 62

Accepted Solution

by:
gheist earned 2000 total points
ID: 13540071
Sure, no problem.
Best if you place your workstation in place where surfcontrol will be, i.e.
internet
|
\NAT
 |
 +surfcontrol - coworkers
 |
 \squid - you
1) gain text editing capability, e.g. by installing /usr/ports/editors/nano
2) add squid_enable="YES" to /etc/rc.conf
3) browse through squid.conf
this part needs to be changed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
cache size can be grown to 1G or more, but not more than ten times RAM you have
4) now run squid -z to initialize cache directories
5) now start squid and check if it lets you browse internet if you set it as proxy in your browser
I hope fine so far.
6) now rebuild kernel with ipfirewall hijacking option and reboot
Squid now is started and you browse with it configured as proxy
7) edit /etc/rc.firewall and squid.conf as that FAQ says
8) add following to /etc/rc.conf ( taken from /etc/defaults/rc.conf )
firewall_enable="YES"
firewall_type="server"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging

9) now run /etc/rc.firewall, then run squid -k reconfig and unconfigure proxy in your browser

If you are able to browse sites, all the setup is fine, restart FreeBSD machine to see if it configures perfectly at boot.
And add surfcontrol behind it.

That is probably all, errors are best examined using less command against /var/log/messages and /usr/local/squid/logs/access.log, feel free to ask if you have any problems.
0
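A check for the squid.conf edits in steps 3 and 7 of the accepted answer, as an added example that is not part of the thread or of Squid itself. The function names `audit_squid_conf` and `sample_conf` are hypothetical, the four `httpd_accel_*` lines are the Squid 2.5 interception settings from the FAQ section linked above, and the subnet in the sample is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: lint a Squid 2.5 squid.conf for the
# access-control and interception settings the steps above depend on.

# Print one finding per line for the file in $1; print nothing if it passes.
audit_squid_conf() {
    # Active directives only: strip comments, squeeze blanks, drop empty lines.
    cfg=$(sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
              -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1")
    has() { printf '%s\n' "$cfg" | grep -q "$1"; }

    # Interception directives from the Squid 2.5 FAQ section linked above.
    for want in 'httpd_accel_host virtual' 'httpd_accel_port 80' \
                'httpd_accel_with_proxy on' 'httpd_accel_uses_host_header on'
    do
        has "^$want\$" || echo "MISSING: $want"
    done

    # "allow all" lets every host that can reach Squid relay through it.
    ! has '^http_access allow all$' || echo "OPEN: http_access allow all"

    # The package default denies everyone, so a src ACL has to be allowed.
    ok=no
    for name in $(printf '%s\n' "$cfg" |
        awk '$1 == "http_access" && $2 == "allow" && $3 != "all" { print $3 }')
    do
        if has "^acl $name src "; then ok=yes; fi
    done
    [ "$ok" = yes ] || echo "NOACL: no 'http_access allow' backed by a src acl"

    # Rules are matched top-down; the last one should be the catch-all deny.
    last=$(printf '%s\n' "$cfg" | grep '^http_access ' | tail -n 1)
    [ "$last" = 'http_access deny all' ] || echo "ORDER: last rule is not 'deny all'"
    return 0
}

# Constructed sample: step 3 left commented out, FAQ lines not yet added.
sample_conf() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 192.168.0.0/24   # assumed client-facing subnet
#http_access allow our_networks
http_access deny all
EOF
}

# Stand-alone use: sh audit.sh /usr/local/etc/squid/squid.conf
[ -z "${1:-}" ] || audit_squid_conf "$1"
```

If the SurfControl box NATs the workstations, the `src` ACL has to cover the address Squid actually sees the requests coming from, not only the workstation subnet.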
 
LVL 1

Author Comment

by:lynnton
ID: 13543218
gheist,

Awesome guide!!!

problem, surf control won't work (AFAIK)
since it wouldn't know the IP address that is requesting the page. (the IP address of proxy box will always be the one used).

client request a page---->proxy doesn't have it---->surf control detects that proxy is requesting  >?<  please correct me if I'm wrong..

By the way, please kindly guide how can we config the squid box to be transparent, so that we don't need to change anything on the client workstations\surf control.

Thanks.
0
 
LVL 62

Expert Comment

by:gheist
ID: 13546850
client requests from surfcontrol
smurfcontrol requests to connection-hijacking-squid which in turn is invisible to smurfcontrol
squid then requests via nat router ( without noticing that there is one)

0
 
LVL 1

Author Comment

by:lynnton
ID: 13555305
gheist,

Do we need connection hijacking with this design:

internet
    l
firewall (nat) 192.168.0.1/24
    l
squid <--------------connection hijack?   192.168.0.2/24
    l
surf control (nat) 192.168.0.3/24   and 192.168.1.1/24   (two ethernet cards)
    l
workstations 192.168.1.2 /24

Thanks.
0
 
LVL 62

Expert Comment

by:gheist
ID: 13558427
Yes, you need it.
0
 
LVL 62

Expert Comment

by:gheist
ID: 13558654
connection hijacking basically redirects web requests to squid instead of destination server.
0
 
LVL 1

Author Comment

by:lynnton
ID: 13558680
gheist,

Will we need to change anything on the config post you made? In regard to the new design we formulated?

Thanks.

1) gain text editing capability, e.g. by installing /usr/ports/editors/nano
2) add squid_enable="YES" to /etc/rc.conf
3) browse through squid.conf
this part needs to be changed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
cache size can be grown to 1G or more, but not more than ten times RAM you have
4) now run squid -z to initialize cache directories
5) now start squid and check if it lets you browse internet if you set it as proxy in your browser
I hope fine so far.
6) now rebuild kernel with ipfirewall hijacking option and reboot
Squid now is started and you browse with it configured as proxy
7) edit /etc/rc.firewall and squid.conf as that FAQ says
8) add following to /etc/rc.conf ( taken from /etc/defaults/rc.conf )
firewall_enable="YES"
firewall_type="server"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging

9) now run /etc/rc.firewall, then run squid -k reconfig and unconfigure proxy in your browser

If you are able to browse sites, all the setup is fine, restart FreeBSD machine to see if it configures perfectly at boot.
And add surfcontrol behind it.

That is probably all, errors are best examined using less command against /var/log/messages and /usr/local/squid/logs/access.log, feel free to ask if you have any problems.
0
 
LVL 62

Expert Comment

by:gheist
ID: 13558711
No, you set connection hijacking as described in squid faq in /etc/rc.firewall

I assumed this network layout at the beginning already
0

Question has a verified solution.
