lynnton
asked on
Hi Experts,
How to install squid for proxying web pages.
(no problem with the networking side, i can manage this part)
I want Squid to be set up as a transparent proxy so that we don't need to do anything on the client workstations.
We have a fresh FreeBSD v4.10 with internet access. Should I create a system account first? What kind of rights does it need?
Please kindly guide me step by step. (I'm using PuTTY to log in.)
1. create an account to install/run squid
2. where to download squid
3. install squid
4. make necessary changes to the config to get it online
Thanks.
ASKER
gheist,
I've read the link, http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.7
It was very helpful, one question though: I'm not sure if I need "hijacked connection".
here's the design:
internet--firewall (nat)--windows box, using surf control (nat)- client workstations.
Thanks.
Actually you are asking for them.
If I knew what smurfcontrol means....
ASKER
gheist,
surf control is the one that manages/generates reports of allowed/unallowed sites.
so design is:
internet--firewall--proxy (freeBSD squid) ---windows blocking gateway---client workstations
I've finished the installation part. Please see below for the post-installation notes.
I know there is a lot more to this than following the post-install notes (e.g. adding it to start-up).
Please kindly guide me on the configuring part.
Thanks.
===> Post-installation informations for squid-2.5.9_2
o You can find the configuration files for this package
in the directory /usr/local/etc/squid.
o A cache directory has been created in /usr/local/squid/cache.
Log files will be written to /usr/local/squid/logs.
o The default configuration will deny everyone access to the
proxy service. Edit the "http_access" directives in
/usr/local/etc/squid/squid.conf to suit your needs.
o If you never ran squid on this system before, you need to
initialize the cache directory by running "squid -z"
as 'root' or 'squid' before starting squid.
Please note that /usr/local/etc/rc.d/squid.sh is now
an rcNG script by default. This means that squid will not
start automatically at boot time.
To enable squid, set squid_enable=yes in either
/etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid
See /usr/local/etc/rc.d/squid.sh for more
configuration options.
If you want to install an old style rc script, run
'make config' and deselect the option to install an
rcNG script.
===> Compressing manual pages for squid-2.5.9_2
===> Registering installation for squid-2.5.9_2
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/squid
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/squid.sh
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.squid-cache.org/
===> Cleaning for rc_subr-1.31
===> Cleaning for squid-2.5.9_2
ASKER CERTIFIED SOLUTION
ASKER
gheist,
Awesome guide!!!
Problem: surf control won't work (AFAIK),
since it wouldn't know the IP address that is requesting the page (the IP address of the proxy box will always be the one used).
client requests a page ----> proxy doesn't have it ----> surf control detects that the proxy is requesting >?< Please correct me if I'm wrong.
By the way, please kindly guide how we can config the squid box to be transparent, so that we don't need to change anything on the client workstations / surf control.
Thanks.
client requests from surfcontrol
smurfcontrol requests to connection-hijacking-squid which in turn is invisible to smurfcontrol
squid then requests via nat router (without noticing that there is one)
ASKER
gheist,
Do we need connection hijacking with this design:
internet
|
firewall (nat) 192.168.0.1/24
|
squid <-------------- connection hijack? 192.168.0.2/24
|
surf control (nat) 192.168.0.3/24 and 192.168.1.1/24 (two ethernet cards)
|
workstations 192.168.1.2/24
Thanks.
Yes, you need it.
connection hijacking basically redirects web requests to squid instead of destination server.
ASKER
gheist,
Will we need to change anything on the config post you made, in regard to the new design we formulated?
Thanks.
1) gain text editing capability, e.g. by installing /usr/ports/editors/nano
2) add squid_enable="YES" to /etc/rc.conf
3) browse through squid.conf
this part needs to be changed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
cache size can be grown to 1G or more, but not more than ten times the RAM you have
4) now run squid -z to initialize cache directories
5) now start squid and check if it lets you browse internet if you set it as proxy in your browser
I hope fine so far.
6) now rebuild kernel with ipfirewall hijacking option and reboot
Squid now is started and you browse with it configured as proxy
7) edit /etc/rc.firewall and squid.conf as that FAQ says
8) add following to /etc/rc.conf ( taken from /etc/defaults/rc.conf )
firewall_enable="YES"
firewall_type="server" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
9) now run /etc/rc.firewall, then run squid -k reconfig and unconfigure proxy in your browser
If you are able to browse sites, all the setup is fine, restart FreeBSD machine to see if it configures perfectly at boot.
And add surfcontrol behind it.
That is probably all. Errors are best examined using the less command against /var/log/messages and /usr/local/squid/logs/access.log; feel free to ask if you have any problems.
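The step most people get wrong in the guide above is step 3 plus step 7: Squid evaluates http_access lines top to bottom and acts on the first match, so "allow our_networks" has to sit above the closing "deny all", anything placed after "deny all" is dead, and an "allow all" pasted in to "make it work" turns the box into an open proxy for anyone who can reach port 3128. Step 7 then needs the FAQ 17.7 interception directives (httpd_accel_host virtual, httpd_accel_port 80, httpd_accel_with_proxy on, httpd_accel_uses_host_header on in Squid 2.5) or the requests the ipfw fwd rule redirects cannot be served; the fwd rule itself should match only inbound packets on the inside interface ("in via" the LAN NIC) so Squid's own outbound port-80 connections are not looped back into it, and in the diagram above it only sees client traffic at all if the SurfControl box routes upstream through the Squid host. The script below is an added example written for this page, not code from the thread, from Squid or from FreeBSD: it lints a squid.conf for exactly those mistakes before "squid -k reconfig" puts it live. The two sample configs and their file names are constructed for the example; the address ranges are the ones from the diagram.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Squid/FreeBSD.
# Lints a Squid 2.5 squid.conf for the two things most likely to go wrong
# in the setup above, before "squid -k reconfig" puts it live:
#   1. http_access ordering. Squid applies the FIRST matching http_access
#      line, so "allow our_networks" must come before the closing
#      "deny all", anything after "deny all" is dead, and "allow all"
#      makes the box an open proxy for whoever can reach port 3128.
#   2. the FAQ 17.7 interception directives (httpd_accel_*) must all be
#      present, otherwise requests redirected by the ipfw fwd rule arrive
#      without a proxy-style URL and Squid cannot serve them.
# The two sample configs below are constructed for this example; the
# network ranges are the ones from the thread's diagram.

tmp=${TMPDIR:-/tmp}/squidlint.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

# good.conf: ACL uncommented, allow before deny, interception directives set.
cat > "$tmp/good.conf" <<'EOF'
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow our_networks
http_access deny all
EOF

# bad.conf: "allow all" pasted in to "make it work", the acl still commented
# out, allow after deny, and the interception directives forgotten.
cat > "$tmp/bad.conf" <<'EOF'
http_port 3128
acl all src 0.0.0.0/0.0.0.0
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow all
http_access deny all
http_access allow our_networks
EOF

# check_http_access FILE: returns 0 if the http_access rules are safe and
# in order, otherwise prints one line per problem and returns 1.
# Comment lines never match because their first field starts with '#'.
check_http_access() {
    awk '
        BEGIN { bad = 0 }
        $1 == "acl" && $2 == "our_networks" { have_acl = 1 }
        $1 == "http_access" {
            n++
            if ($2 == "allow" && $3 == "all")          { print "open proxy: http_access allow all"; bad = 1 }
            if ($2 == "allow" && $3 == "our_networks") { allow_at = n }
            if ($2 == "deny"  && $3 == "all")          { deny_at = n }
        }
        END {
            if (!have_acl) { print "acl our_networks is still commented out"; bad = 1 }
            if (!allow_at) { print "missing: http_access allow our_networks"; bad = 1 }
            if (!deny_at)  { print "missing: closing http_access deny all"; bad = 1 }
            if (allow_at && deny_at && allow_at > deny_at) {
                print "allow our_networks comes after deny all (first match wins, clients get denied)"; bad = 1
            }
            if (deny_at && deny_at != n) { print "rules after deny all are never reached"; bad = 1 }
            exit bad
        }' "$1"
}

# check_intercept FILE: returns 0 if every FAQ 17.7 interception directive
# is present with the expected value, otherwise lists the missing ones.
check_intercept() {
    conf=$1
    rc=0
    for pair in "httpd_accel_host virtual" "httpd_accel_port 80" \
                "httpd_accel_with_proxy on" "httpd_accel_uses_host_header on"; do
        set -- $pair
        awk -v k="$1" -v v="$2" '$1 == k && $2 == v { found = 1 } END { exit !found }' "$conf" \
            || { echo "missing: $pair"; rc=1; }
    done
    return $rc
}

# lint_conf FILE: run both checks; 0 only if both pass.
lint_conf() {
    ok=0
    check_http_access "$1" || ok=1
    check_intercept "$1"   || ok=1
    return $ok
}

for f in "$tmp/good.conf" "$tmp/bad.conf"; do
    echo "== $f"
    if lint_conf "$f"; then echo "OK"; else echo "FIX BEFORE RUNNING squid -k reconfig"; fi
done
```

Run it with sh; point lint_conf at /usr/local/etc/squid/squid.conf once the real file has been edited. The checker deliberately treats "allow all" as an error rather than a warning: with transparent interception the only clients that should ever reach the proxy are the inside networks, so there is no legitimate reason for it.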
No, you set connection hijacking as described in squid faq in /etc/rc.firewall
I assumed this network layout at the beginning already
cd /usr/ports/www/squid
make install clean (none of the transparency options needed)
Then read http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.7
2.
www.squid-cache.org , not necessary when you use freebsd ports or packages
3.
read 1.
4.
If not obvious - with text editor, in config files.