Solved

squid advice

Posted on 2012-03-14
Last Modified: 2012-03-29
I am about to install squid web proxy for an office.  I want to install it on linux.  Need some help...
1.  Which linux distro do you recommend and how do I get it?
2.  I can find and download the squid and follow the instructions on how to install it, but any installation tips?
3.  Once I install it, how do I configure it for my specific private LAN (they are on private IP 192.168.1.0/24 network)?
4.  What information do I need to gather in order to complete the installation?

Thank you.
Question by:mrkent
14 Comments
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1720 total points
ID: 37725246
Well most any Linux distro will work.  Popular distros now are:

    CentOS
    Ubuntu
    Debian

For CentOS you can use yum to install to make life easy.  For Debian and Ubuntu you can use apt-get.

The installation instructions will tell you how to configure for your subnet.

Basically all you need to know is the same information you would need to know to set up the box to be on your network and access the Internet.

One tip, do use DHCP, set it up with a static IP address.
0
 

Author Comment

by:mrkent
ID: 37725738
So, it's "yum squid", or for the others it's "apt-get squid" ?

I figured that was a typo, you meant do NOT use DHCP
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1720 total points
ID: 37725878
Yes, do NOT use DHCP.

yum install squid
apt-get install squid
0

 

Author Comment

by:mrkent
ID: 37726204
Got it.  Then for the laptops on the subnet that are using that proxy, how do I configure them to use that proxy?
(But still be able to use their laptops when they bring them home.)
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1720 total points
ID: 37727783
To use a proxy at work and nothing at home you have two options (that I am aware of).

1) You can set up Squid to be a transparent in-line proxy.  Just search on those terms.
2) You set up IE to use a ".pac" file.   This is basically a JavaScript program in which you can make decisions about when to use a proxy and when not to.

You can set up a central proxy .pac file, and when they are at home they will not be able to find it and so no proxy.

The other thing you can do in a .pac file is for any web servers you host internally you can bypass the proxy and go direct to the server.

Just two quick links dealing with .pac files.  Search in Google and you will find tons of samples.
http://nscsysop.hypermart.net/proxypac.html
http://blog.freyguy.com/archives/2006/03/01/proxy-auto-detect-ie-and-firefox/
0
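Added example, not part of the original thread or of giltjr's answer: a .pac file for the 192.168.1.0/24 office described in the question, sending traffic to Squid at work, going direct at home, and bypassing the proxy for internally hosted servers. It decides "at work" by whether the proxy's internal name resolves rather than by the laptop's own address, because 192.168.1.0/24 is also a common home-router default. The host names and DNS tables are assumptions made up for the example, and the helper functions at the top are stand-ins for the ones a browser's PAC engine provides, so the file also runs under Node.

```javascript
// Stand-ins for the helpers a browser's PAC engine supplies (needed only to
// run this under Node). The DNS tables below are constructed sample data.
var OFFICE_DNS = {
  "squid.office.example": "192.168.1.10",     // hypothetical proxy name
  "intranet.office.example": "192.168.1.20",  // hypothetical internal web server
  "www.example.com": "203.0.113.5"
};
var HOME_DNS = { "www.example.com": "203.0.113.5" };
var currentDns = OFFICE_DNS; // which network the laptop is on

function dnsResolve(host) {
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host; // already an IPv4 literal
  return currentDns[host] || null;
}
function isResolvable(host) { return dnsResolve(host) !== null; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function toInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}
function isInNet(ip, net, mask) {
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// ---- the .pac file itself starts here ----
var PROXY_HOST = "squid.office.example";      // assumption: resolves only on office DNS
var PROXY = "PROXY " + PROXY_HOST + ":3128";  // 3128 is Squid's default http_port

function FindProxyForURL(url, host) {
  // Off the office LAN the proxy's internal name does not resolve: no proxy.
  if (!isResolvable(PROXY_HOST)) return "DIRECT";
  // Internally hosted servers: go straight to them.
  if (isPlainHostName(host)) return "DIRECT";
  var ip = dnsResolve(host);
  if (ip && isInNet(ip, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else goes through Squid. There is no "; DIRECT" fallback, so
  // a proxy outage at the office fails closed instead of skipping the proxy.
  return PROXY;
}
```

If Squid is also used for filtering (SquidGuard, DansGuardian), the office firewall should allow outbound 80/443 only from the proxy's address, since a PAC file is a client-side setting that users can change.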
 
LVL 25

Assisted Solution

by:madunix
madunix earned 280 total points
ID: 37728673
0
 

Author Comment

by:mrkent
ID: 37761511
The squid proxy will be behind an internet firewall, behind a NAT wall.  Used by PCs that are also behind that NAT wall and are on their own private IP space.
Any special considerations as far as what I allow thru the firewall?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1720 total points
ID: 37761685
Not really.  From the firewall's point of view Squid will look just like a web browser accessing Web sites.
0
 

Author Comment

by:mrkent
ID: 37783260
And from the outside do I have to let port 80 in to my squid proxy?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1720 total points
ID: 37783708
Simple answer no.

Slightly complex answer.  

You need to allow traffic FROM port 80/443 inbound to squid, but most firewalls today automatically allow this if you specify a rule to allow outbound traffic to port 80/443.


Unless you are trying to use Squid as a reverse proxy server.  If so, then yes.
0
 

Author Comment

by:mrkent
ID: 37785137
I think I see what you're saying.  The firewall, being stateful, will allow return traffic from those web sites in which my internal workstations (but now in my case, the proxy) have initiated contact.

Since I want the squid to just proxy outgoing http/https requests, then you are correct in that I do not want it to be a reverse proxy.

That all correct?

Last question and I'll call it a day...I guess it is obvious that the proxy is the one that is hitting the DNS servers for all uncached DNS lookups.  Right?
0
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 1720 total points
ID: 37785161
--> That all correct?

Correct.

The proxy is doing the DNS lookups.  I don't know exactly why you are installing Squid, but there are at least two add on programs, DansGuardian, and SquidGuard you might be interested in.

SquidGuard allows you to block hosts based on IP address or host name.  DansGuardian allows you to block hosts based on content.  So if you want, and are allowed, you could use these to prevent access to specific sites.

I personally have used Squid along with both of these at my house to prevent my sons from "accidentally" stumbling across adult sites.
0
 

Author Comment

by:mrkent
ID: 37785207
Awesome, thank you!  I wish I had more points to give.  You've been a great source.
0
 

Author Closing Comment

by:mrkent
ID: 37785215
Thank you.
0
