A Linux Based Proxy Server


I'm looking for a proxy server that runs on Linux and uses user authentication. I have only ever set up proxy servers in a Windows environment. I've looked around on Google and 90% of my Google searches were pulling in how to set up your iptables and routes on Linux to do your proxy.

Other than that, the other information was about Apache and Squid. Squid looked nice, but I couldn't see if it supported user authentication or not. Then the Apache proxy looked to be more for the Apache web server than a real proxy server.

See, I'm wanting to move our proxy traffic off our internal network and put the server on one of our off-site servers. This way we free up more bandwidth in our VPN. The usernames and passwords define what sites (if any) they are allowed to browse to.

Any advice is really helpful. Not sure why this got classified as "Virus & Spyware" when I told it just plain Security >> Internet Security.

Apache is HTTP, Squid is the proxy. The beauty of Squid is that it can be configured to support a lot of different requirements.

Squid can be set up to use LDAP (Microsoft AD) for authentication... A quick search yielded many hits with HOW TO links,
e.g. http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html

But before you run off and look at Squid... think about the ramifications of moving your proxy off-site. I think this move would actually increase traffic across your WAN link.

Consider the following:
1) While internal, all authentication is on the inside network. External, all that traffic must now flow outside the WAN... plus you open your LDAP server to the public? Never a good idea.

2) Proxy servers can also function (to an extent) as a caching engine so that the same web page is pulled down once by the proxy, then multiple clients use the proxy cache to load the page instead of going outbound to load the same graphics multiple times.  

3) All web requests will now need to leave the network to get to the proxy anyway and the proxy must return the pages to the client across the WAN.   What's the difference between the proxy delivering pages vs. the real server delivering pages?  

4) This adds a level of complication to the service I don't think is needed.

Pyromanci (Author) Commented:
Well, I was not planning on doing any authentication to Microsoft AD. See, we have 32 remote locations; those locations only have 2 computers at them (except 1 which is a branch office and has 30 computers, none of which are proxy restricted; the others are retail stores). We only lock down internet access because the computers are in retail stores for our Point of Sale software, and keeping it locked down prevents the employees from goofing off on Facebook, MySpace, email, etc. and not doing their job.

By default all staff members are only allowed access to 20 sites outside the internal network. These are sites that they all have to visit often for training and such. Randomly I have to add a new allowed site into the proxy or take one out because of new training procedures or something. Because of this, programming in a dead-end proxy address and filling the allowed URLs into the proxy bypass in the browsers' settings is just not a doable solution, since that would mean modifying 62 computers to make the change.

The Managers and Facilities need open access when they are at the stores and they need it often. This creates tons of traffic on our VPN, which slows down the overall performance of our network. This is why I want to move the proxy server to a WAN destination, not a LAN destination.

Hope that clears this up.
So the overall goal is to reduce the amount of traffic coming into your HQ network...

If I read correctly... each branch (32 of them) has internet service with a VPN tunnel back to the HQ. The PCs at the branch need to be restricted so that they have access to only an approved set of websites. However, managers need full access with no restrictions. You would like this to be centrally managed as well.

It sounds as if you will need some sort of authentication to tell the difference between a manager and normal staff so the right level of access can be provided.

With all that understood... have you considered a Group Policy solution? If all the machines are running the same version of IE, then you should be able to create a GPO to only allow "approved" websites. GPO can be centrally managed at the DC and pushed out to all machines on logon.

Here's a question... Are the sites' VPN tunnels running split-tunnel configs where network traffic is VPN'd but public traffic is not?

Pyromanci (Author) Commented:
Group Policy will not work either, because the remote computers are not on the domain (we tried doing it this way in the past, but it caused major problems when they couldn't log in because the internet or the VPN went down, so they couldn't use the POS software), and they all use the same login. Which is why I'm looking for simple proxy server software for Linux that can do a basic whitelist and then user authentication for anything outside the whitelist.

Yes, the VPN connection is done via our ActionTec GT724R ADSL routers at the remote locations, which are set up with split tunnels. The private IP range is sent into the HQ via
Gotcha... So then, have a look at a colo location server that will let you run a CentOS or RHEL version with a Squid setup. Squid would be open source, and if you use one of the larger colo companies, they might even have a package to deploy for it as well.

You would need local auth to differentiate between managers and the other employees so one group has access and one does not.

I suggest testing with a local proxy setup first to make sure it fits your needs before you sign up for a colo contract. If it works, the conf files should be easily portable to the new setup.

Hope that helps.

Pyromanci (Author) Commented:
Actually, we already have 6 servers that are colo which I was planning on putting the proxy server on, and they all run CentOS.

So Squid would do a whitelist with simple authentication then for anything beyond the whitelist?
With Squid, there is a huge community with plenty of examples...

A quick search of the Squid wiki got me these:

If you use blocking by IP range:

General help:

Just Google it and you'll find lots of hits...
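As an added illustration (not the expert's own config, nor anything from the original thread), here is a minimal squid.conf fragment that does what Pyromanci asked for: the approved sites are served to any store PC with no login, and everything else gets a proxy login prompt that only a manager account can pass. The helper path, the list-file paths and the store address range are assumptions and vary by Squid version and network.

```conf
# Added example squid.conf fragment (assumed paths/ranges, see comments).
# On CentOS the NCSA helper may be /usr/lib/squid/ncsa_auth (Squid 2.x)
# or /usr/lib64/squid/basic_ncsa_auth (Squid 3.2+); adjust to your box.

http_port 3128

# --- Local accounts kept on the proxy itself (no AD/LDAP involved) ---
# Create the file with: htpasswd -c /etc/squid/passwd manager1
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Store proxy: manager login required for this site
auth_param basic credentialsttl 2 hours

# --- ACL definitions ---
# Address range of the store PCs that may use the proxy at all (assumed)
acl stores src 10.10.0.0/16
# One approved site per line, e.g. ".training.example" (a leading dot
# matches every subdomain). Edit this one file, not 62 browsers.
acl whitelist dstdomain "/etc/squid/whitelist.txt"
# Usernames (one per line) that are allowed past the whitelist
acl managers proxy_auth "/etc/squid/managers.txt"
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# --- Access rules: Squid stops at the first matching line, so order matters ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# 1. Approved sites: any store PC, no credentials requested
http_access allow stores whitelist
# 2. Anything else: the browser is sent a 407 challenge and only an
#    account named in managers.txt is let through
http_access allow stores managers
# 3. Everyone else, including valid staff logins that are not managers,
#    and anything arriving from the public internet
http_access deny all
```

Reload Squid after editing whitelist.txt or managers.txt (`squid -k reconfigure`), and confirm from a store PC that a whitelisted site loads without a prompt while an unlisted one prompts for a login.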
