gferg 2001-01-29 14:28:16 +00:00
parent 07cbc1f4a4
commit 41232d76fe
4 changed files with 1878 additions and 344 deletions

View File

@ -723,7 +723,7 @@ TransparentProxy</ULink>, <CiteTitle>
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>
Updated: October 2000</CiteTitle>.
Updated: January 2001</CiteTitle>.
Provides information on how to setup a transparent
caching HTTP proxy server using only Linux and squid. </Para>
</ListItem>
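Review bot: the description in this entry, "how to setup a transparent caching HTTP proxy server", should read "set up" (verb); since the date line is being touched anyway, make that fix in the same change. The date now reads "January 2001" with no day, whereas the previous entry carried a full date; keep the index in step with whatever form the HOWTO's own <date> header uses so the two can be matched to one revision.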

View File

@ -1295,7 +1295,7 @@ TransparentProxy</ULink>, <CiteTitle>
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>
Updated: October 2000</CiteTitle>.
Updated: January 2001</CiteTitle>.
Provides information on how to setup a transparent
caching HTTP proxy server using only Linux and squid. </Para>
</ListItem>
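Review bot: this is the same entry as the one at line 723 of the first index file, changed in lock-step, and the same "setup" → "set up" fix applies here. Two hand-maintained copies of every entry is how they drift; consider whether both index files can be generated from one source so one edit covers both.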

File diff suppressed because it is too large

View File

@ -4,7 +4,7 @@
<title>Transparent Proxy with Squid mini-HOWTO</title>
<author>Daniel Kiracofe</author>
<date>v1.2, 10 October 2000</date>
<date>v1.3, January 2001</date>
<abstract>
This document provides information on how to setup a transparent caching
HTTP proxy server using only Linux and squid.
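Review bot: the new <date> drops the day of month that v1.2 had ("10 October 2000"); if the release day is known, keep the "v1.3, DD January 2001" form so this header and the index entries ("Updated: January 2001") identify one specific revision. The abstract's "how to setup" should be "how to set up".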
@ -35,7 +35,10 @@ This manual may be reproduced in whole or in part, without fee, subject
The copyright notice above and this permission notice must be preserved
complete on all complete or partial copies
<item>
Any translation or derived work must be approved by the author in writing
Translation to another language is permitted, provided that the author
is notified prior to the translation.
<item>
Any derived work must be approved by the author in writing
before distribution.
<item>
If you distribute this work in part, instructions for obtaining the complete
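Review bot: the new translation item permits translation on prior notification, while the item that follows still requires written approval for "any derived work"; a translation is also a derived work, so say explicitly that the notification rule is the one that applies to translations, otherwise the two items read as contradicting each other.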
@ -82,10 +85,12 @@ You want clients to be proxied, but don't want to go to all the work of
</p><p>
This is where transparent proxying comes in. A web request can be intercepted
by the proxy, transparently. That is, as far as the client software knows,
it is talking to the origin server itself, when it is really the proxy server.
it is talking to the origin server itself, when it is really talking to
the proxy server.
</p>
<p>
Cisco routers support transparent proxying. But, (surprisingly enough)
Cisco routers support transparent proxying. So do many switches. But,
(surprisingly enough)
Linux can act as a router, and can perform transparent proxying by redirecting
TCP connections to local ports. However, we also need to make our web proxy
aware of the affect of the redirection, so that it can make connections to
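Review bot: the last context line of this hunk, "aware of the affect of the redirection", should be "effect"; since the surrounding sentences are being reworded anyway, fix it here. The added "So do many switches." is a bare assertion in a document that does not cover switches; either qualify it (which kind of switch, and that this document covers only the Linux route) or drop it.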
@ -95,30 +100,28 @@ Cisco routers support transparent proxying. But, (surprisingly enough)
The first is when your web proxy is not transparent proxy aware. You can
use a nifty little daemon called transproxy that sits in front of your web
proxy and takes care of all the messy details for you. transproxy was written
by John Saunders, and is available from ftp://ftp.nlc.net .au/pub/linux/www/
by John Saunders, and is available from
<htmlurl url="ftp://ftp.nlc.net.au/pub/linux/www/" name="ftp://ftp.nlc.net.au/pub/linux/www/">
or your local metalab mirror. transproxy will not be discussed further in this
document.
</p>
<p>
A cleaner solution is to get a web proxy that is aware of transparent proxying
itself. The one we are going to focus on here is squid. Squid is an Open Source
caching proxy server for Unix systems. It is available from www.squid-cache.org
caching proxy server for Unix systems. It is available from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
</p>
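Review bot: the new <htmlurl> for www.squid-cache.org ends the sentence with no full stop; add "." after the tag, as the transproxy sentence above keeps its punctuation. The repair of the ftp URL (removing the stray space in "ftp.nlc.net .au") is correct.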
<sect1>
Scope of this document
<p>
This document will focus on squid version 2.3 and linux kernel version
2.2, the most current stable releases as of this writing (March 2000). It should
also work with squids as early as 2.0 and the later 2.1 linux kernels. Should
you need information about earlier releases, you may find some earlier documents
at www.unxsoft.com.
2.4, the most current stable releases as of this writing (Jan 2001). It should
also work with squids as early as 2.0, and most of the later 2.3 kernels.
If you need information about earlier releases, you may find some earlier
documents at <htmlurl url="http://www.unxsoft.com" name="www.unxsoft.com">.
</p>
<p>
If you want to use linux 2.3, you will have to use a thing called netfilter
instead of ipchains. However, it is assumed that if you are running a development
kernel, you can figure out netfilter on your own from the provided documentation.
If not, you really shouldn't be running a development kernel (trust me on this).
Once linux 2.4 is released, this document will be updated to cover netfilter.
If you are using a development kernel or a development version of squid, you are on your own. This document may help you, but YMMV.
</p>
<p>
Note that this document focuses only on HTTP proxing. I get many emails asking
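Review bot: the new scope text is internally inconsistent: "most of the later 2.3 kernels" promises 2.3 coverage, while the next paragraph says development-kernel users are on their own, and 2.3 was the development series that became 2.4. Either drop the 2.3 clause or say that 2.3 is covered only where its netfilter matches 2.4's, and note that the kernel option list later in this patch (IP tables support, Full NAT, REDIRECT target) is written for 2.4. Also "HTTP proxing" in the last context line should be "proxying".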
@ -132,7 +135,7 @@ Configuring the Kernel
<p>
First, we need to make sure all the proper options are set in your kernel.
If you are using a stock kernel from your distribution, transparent proxying
may or may not be enabled (IIRC, it is in RH 6.1, but don't quote me on that).
may or may not be enabled.
If you are unsure, the best way to tell is to simply skip this section, and
if the commands in the next section give you weird errors, it's probably because
the kernel wasn't configured properly.
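Review bot: "skip this section and see if the commands in the next section give you weird errors" is a weak test; a quicker check that uses only what this document already asks for is to run ``iptables -t nat -L'' (the command requested in Further Resources) before touching squid and see whether the nat table is reported, rather than diagnosing it from a failed rule later. Dropping the RH 6.1 aside is fine now that the document no longer targets 2.2 kernels.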
@ -141,8 +144,7 @@ First, we need to make sure all the proper options are set in your kernel.
If your kernel is not configured for transparent proxying, you will need
to recompile. Recompiling a kernel is a complex process (at least at first),
and it is beyond the scope of this document. If you need help compiling a kernel,
please see &lt;a href=&quot;http://metalab.unc.edu/pub/Linux/do cs/HOWTO/Kernel-HOWTO&quot;&gt;The
Kernel HOWTO.&lt;/a&gt;
please see <htmlurl url="http://metalab.unc.edu/pub/Linux/docs/HOWTO/Kernel-HOWTO" name="The Kernel HOWTO">
</p>
<p>
The options you need to set in your configuration are as follows (Note:
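Review bot: the new <htmlurl> replaces "The Kernel HOWTO." but drops the terminating period; add it after the tag. Converting the escaped <a href> (and its broken "do cs" path) into a proper <htmlurl> is the right fix for linuxdoc source.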
@ -151,18 +153,25 @@ The options you need to set in your configuration are as follows (Note:
<p>
<itemize>
<item>
Networking support
<item>
Sysctl support
<item>
Network packet filtering
<item>
TCP/IP networking
<item>
IP: firewalling
Connection tracking (Under ``IP: Netfilter Configuration'' in menuconfig)
<item>
IP: always defragment
IP tables support
<item>
IP: transparent proxy support
Full NAT
<item>
REDIRECT target support
<item>
/proc filesystem support
</itemize>
You must say NO to ``Fast switching''
</p><p>
Once you have your new kernel up and running, you may need to enable IP
forwarding. IP forwarding allows your computer to act as a router. Since this
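Review bot: the parenthetical "(Under ``IP: Netfilter Configuration'' in menuconfig)" is attached only to "Connection tracking", but "IP tables support", "Full NAT" and "REDIRECT target support" are in that same submenu; move the hint so it introduces the group, and say that "REDIRECT target support" only appears once "IP tables support" and "Full NAT" have been selected, otherwise readers will report it missing. The retained "You must say NO to ``Fast switching''" line is unchanged from the 2.2 text; confirm it still applies to 2.4 before leaving it in.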
@ -170,14 +179,14 @@ Once you have your new kernel up and running, you may need to enable IP
explicitly enabled at run-time. However, your distribution might do this for
you already. To check, do ``cat /proc/sys/net/ipv4/ip_forward''. If you see
``1'' you're good. Otherwise, do ``echo '1' &gt; /proc/sys/net/ipv4/ip_forward''.
You will then want to add that command to your appropriate bootup script in
/etc/rc.d/.
You will then want to add that command to your appropriate bootup scripts (depending on your distribution, these may live in /etc/rc.d, /etc/init.d, or maybe somewhere else entirely).
</p>
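Review bot: the replacement sentence is one ~200-character line in a file otherwise wrapped at about 80 columns; rewrap it. Also, the list of possible locations given here (/etc/rc.d, /etc/init.d, or elsewhere) conflicts with the later "bootup script under /etc/rc.d/" in the iptables section, which this patch leaves as is; make both sections say the same thing.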
<sect>
Setting up squid
<p>
ow, we need to get squid up and running. Download the latest source tarball
from www.squid-cache.org. Make sure you get a STABLE version, not a DEVEL version.
Now, we need to get squid up and running. Download the latest source tarball
from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">.
Make sure you get a STABLE version, not a DEVEL version.
The latest as of this writing was squid-2.3.STABLE4.tar.gz.
</p>
<p>
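Review bot: "The latest as of this writing was squid-2.3.STABLE4.tar.gz" is a context line, but "as of this writing" now means January 2001 per the new <date>; verify the current STABLE release and update the filename in this same patch. The "ow" → "Now" fix and the <htmlurl> conversion are fine.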
@ -186,13 +195,12 @@ Now, untar and gunzip the archive (use ``tar -xzf &lt;filename&gt;'').
then install (``make install'').
</p>
<p>
Now, we need to edit the default squid.conf file (installed to /usr/local/squid/
etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
Now, we need to edit the default squid.conf file (installed to /usr/local/squid/etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
commented. In fact, some of the best documentation available for squid is in
the squid.conf file. After you get it all up and running, you should go back
and reread the whole thing. But for now, let's just get the minimum required.
Find the following directives, uncomment them, and change them to the appropriate
values:
Find the following directives, uncomment them, and change them to the
appropriate values:
</p>
<p>
<itemize>
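Review bot: joining the squid.conf path onto one line is right (the old break inside "/usr/local/squid/ etc/squid.conf" made the path ambiguous), but the result is now well over the file's ~80-column width; rewrap after the closing parenthesis rather than leaving the whole sentence on one line.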
@ -210,8 +218,8 @@ Finally, look at the http_access directive. The default is usually ``http_access
probably want to read the directions on ACLs (Access Control Lists), and setup
the cache such that only people on your local network (or whatever) can access
the cache. This may seem silly, but you should put some kind of restrictions
on access to your cache. People behind filtering firewalls (such as porn filters,
or filters in nations where speech is not very free) often ``hijack'' onto
on access to your cache. People behind filtering firewalls (such as porn
filters, or filters in nations where speech is not very free) often ``hijack'' onto
wide open proxies and eat up your bandwidth.
</p>
<p>
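Review bot: reflow only, no content change, fine. Since the REDIRECT rule added later in this patch intercepts only port-80 traffic arriving on eth0, while squid keeps listening on 3128 and can be used "as a normal proxy" by anyone who can reach it, it is worth saying here that the http_access ACLs are what keep the cache from being used directly; the iptables rule does not restrict access at all.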
@ -225,55 +233,47 @@ Now, run squid using the RunCache script in the /usr/local/squid/bin/ directory.
and access squid as a normal proxy.
</p>
<p>
For additional help configuring, see the squid FAQ at www.squid-cache.org.
For additional help configuring squid, see the squid FAQ at <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
</p>
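Review bot: the sentence ends at the <htmlurl> tag with no full stop; add "." after it, as the other converted URLs in this patch should also do.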
<sect>
Setting up ipchains
Setting up iptables (Netfilter)
<p>
ipchains should be installed with almost every recent distribution (anything
based on kernel 2.2). However, should you not have ipchains, you can get it
from ftp://ftp.rustcorp.com/ipchains/. ipchains is a very powerful tool, and
we'll only scratch the surface here. For more information, please see http://www.rustcorp.com/linux/ipchains/HOWTO.html
for the ipchains HOWTO.
iptables is a new thing for Linux kernel 2.4 that replaces ipchains.
If your distribution came with a 2.4 kernel, it probably has iptables
already installed. If not, you'll have to download it (and possibly
compile it). The homepage is <htmlurl url="http://netfilter.kernelnotes.org/" name="netfilter.kernelnotes.org">.
You make be able to find binary RPMs elsewhere, I haven't looked. For the
curious, there is plenty of documentation on the netfilter site.
</p>
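Review bot: "You make be able to find binary RPMs" should be "may"; and "I haven't looked" reads as a shrug in a HOWTO, so either drop it or tell readers to check their distribution's package for iptables. The claim that iptables replaces ipchains in 2.4 is fine; the old ipchains download URL and HOWTO pointer are correctly removed along with it.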
<p>
To set up the rules, you will need to know two things, the IP address of
the box (I'll use 192.168.1.1 as an example) and the port squid is running
on (I'll use the default of 3128 as an example).
To set up the rules, you will need to know two things, the interface that
the to-be-proxied requests are coming in on (I'll use eth0 as an example)
and the port squid is running on (I'll use the default of 3128 as an example).
</p>
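Review bot: "two things, the interface ..." is a comma splice; use a colon after "two things". Switching the example from the box's IP address to an interface (eth0) is right for a -i match, but the later "Put it all together" section still tells readers to set the client's gateway to "the IP of your new squid box"; say here that eth0 is the interface that carries that IP so the two sections connect.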
<p>
First, we need to allow packets destined for any actual webserver on this
box through. We should setup both the loopback interface and the ethernet interface.
You should not skip this step even if you no actual webserver on your box,
as the absence of these rules can create infinite forwarding loops where the
proxy tries to connect to itself. Use the following commands:
</p>
<p>
<itemize>
<item>
ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
<item>
ipchains -A input -p TCP -d 192.168.1.1/32 www -j ACCEPT
</itemize>
</p><p>
Now, the magic words for transparent proxying:
</p>
<p>
<itemize>
<item>
ipchains -A input -p TCP -d any/0 www -j REDIRECT 3128
iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
</itemize>
</p><p>
You will want to add the above commands to your appropriate bootup script
under /etc/rc.d/.
under /etc/rc.d/. Readers upgrading from 2.2 kernels should note that,
as far as the author can tell, this is the only command needed. 2.2 kernels
required two extra commands in order to prevent forwarding loops. The
author was unable to generate any loops. If anyone can generate a forwarding
loop using this rule, please send an e-mail to drk@unxsoft.com.
</p>
<sect>
Put it all together
<p>
If everything has gone well so far, go to another machine, change it's
gateway to the IP of your new squid box, and surf away. To make sure that requests
are really being forwarded through your proxy instead of straight to the origin
server, check the log file /usr/local/squid/logs/acces s.log
gateway to the IP of your new squid box, and surf away. To make sure that
requests are really being forwarded through your proxy instead of straight
to the origin server, check the log file /usr/local/squid/logs/access.log
</p>
<sect>
Further Resources
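Review bot: the iptables rule uses -D (delete) where -A (append) is needed; as written, `iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128` removes a matching rule (and errors if none exists), so a reader following this will never get redirection. It should read `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128`. The "only command needed" remark is correct, and the reason is worth stating instead of "the author was unable to generate any loops": the nat PREROUTING chain is traversed only by packets arriving on an interface, while connections squid itself opens are locally generated and go through OUTPUT, so this rule cannot catch the proxy's own outbound requests; that is why the two 2.2-era ACCEPT rules are no longer required. Since the old paragraph about a web server on the same box is dropped, one sentence on what happens to such a server now (its port-80 traffic from clients is also redirected to squid) would answer the obvious reader question. Finally, "bootup script under /etc/rc.d/" contradicts the earlier hunk, which lists /etc/rc.d, /etc/init.d or elsewhere.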
@ -281,8 +281,13 @@ Further Resources
Should you still need assistance, you may wish to check the squid FAQ or
the squid mailing list at www.squid-cache.org. You may also e-mail me at drk@unxsoft.com, and I'll try to answer your questions if time permits (sometimes
it does, but sometimes it doesn't). Please, please, please, send the output of
``ipchains -L'' and relavent portions of any configuration files in your e-mail, or else I will probably not be able to help you out much...
``iptables -t nat -L'' and relavent portions of any configuration files in your e-mail, or else I will probably not be able to help you out much...
</p>
</article>
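Review bot: "relavent" should be "relevant"; the typo is carried from the old line into the new one. Asking for ``iptables -t nat -L'' is the right request for the 2.4 version. For consistency with the rest of this patch, the "www.squid-cache.org" mention in the unchanged line above this one should also become an <htmlurl>.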