mirror of https://github.com/tLDP/LDP
updated
parent 07cbc1f4a4
commit 41232d76fe
@ -723,7 +723,7 @@ TransparentProxy</ULink>, <CiteTitle>
|
|||
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>
|
||||
Updated: October 2000</CiteTitle>.
|
||||
Updated: January 2001</CiteTitle>.
|
||||
Provides information on how to setup a transparent
|
||||
caching HTTP proxy server using only Linux and squid. </Para>
|
||||
</ListItem>
|
||||
|
|
|
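Review bot: the description line kept as context, "Provides information on how to setup a transparent", uses the noun "setup" where the verb "set up" is meant; since this entry is being touched anyway, fix it here. The <CiteTitle> date change to "Updated: January 2001" is consistent with the v1.3 header in the HOWTO itself.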
@ -1295,7 +1295,7 @@ TransparentProxy</ULink>, <CiteTitle>
|
|||
Transparent Proxy with Squid mini-HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>
|
||||
Updated: October 2000</CiteTitle>.
|
||||
Updated: January 2001</CiteTitle>.
|
||||
Provides information on how to setup a transparent
|
||||
caching HTTP proxy server using only Linux and squid. </Para>
|
||||
</ListItem>
|
||||
|
|
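Review bot: this is the same edit as the entry at -723, so the two index entries stay in sync; the "how to setup" wording is duplicated here as well and should be corrected in both places together.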
File diff suppressed because it is too large
|
@ -4,7 +4,7 @@
|
|||
|
||||
<title>Transparent Proxy with Squid mini-HOWTO</title>
|
||||
<author>Daniel Kiracofe</author>
|
||||
<date>v1.2, 10 October 2000</date>
|
||||
<date>v1.3, January 2001</date>
|
||||
<abstract>
|
||||
This document provides information on how to setup a transparent caching
|
||||
HTTP proxy server using only Linux and squid.
|
||||
|
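Review bot: the new <date> line drops the day of month that the previous version carried ("v1.2, 10 October 2000" versus "v1.3, January 2001"); a full date, e.g. "v1.3, DD January 2001" with the real day filled in, lets readers and mirrors tell which January 2001 revision they hold. The unchanged <abstract> also says "how to setup", which should read "how to set up".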
@ -35,7 +35,10 @@ This manual may be reproduced in whole or in part, without fee, subject
|
|||
The copyright notice above and this permission notice must be preserved
|
||||
complete on all complete or partial copies
|
||||
<item>
|
||||
Any translation or derived work must be approved by the author in writing
|
||||
Translation to another language is permitted, provided that the author
|
||||
is notified prior to the translation.
|
||||
<item>
|
||||
Any derived work must be approved by the author in writing
|
||||
before distribution.
|
||||
<item>
|
||||
If you distribute this work in part, instructions for obtaining the complete
|
||||
|
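Review bot: the new translation item requires that the author "is notified prior to the translation" but does not say how; the contact address drk@unxsoft.com only appears in later sections, so stating it (or referring to the Further Resources section) in this item would make the condition actionable.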
@ -82,10 +85,12 @@ You want clients to be proxied, but don't want to go to all the work of
|
|||
</p><p>
|
||||
This is where transparent proxying comes in. A web request can be intercepted
|
||||
by the proxy, transparently. That is, as far as the client software knows,
|
||||
it is talking to the origin server itself, when it is really the proxy server.
|
||||
it is talking to the origin server itself, when it is really talking to
|
||||
the proxy server.
|
||||
</p>
|
||||
<p>
|
||||
Cisco routers support transparent proxying. But, (surprisingly enough)
|
||||
Cisco routers support transparent proxying. So do many switches. But,
|
||||
(surprisingly enough)
|
||||
Linux can act as a router, and can perform transparent proxying by redirecting
|
||||
TCP connections to local ports. However, we also need to make our web proxy
|
||||
aware of the affect of the redirection, so that it can make connections to
|
||||
|
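Review bot: "aware of the affect of the redirection" in the trailing context line should be "effect". The reworded sentence "when it is really talking to the proxy server" reads better than the old one. One thing this introduction still leaves implicit is that interception only works when the Linux box sits on the client's path to the origin server, which is exactly what the "Put it all together" section later assumes when it says to change the client's gateway to the squid box; a half sentence here would spare readers that surprise.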
@ -95,30 +100,28 @@ Cisco routers support transparent proxying. But, (surprisingly enough)
|
|||
The first is when your web proxy is not transparent proxy aware. You can
|
||||
use a nifty little daemon called transproxy that sits in front of your web
|
||||
proxy and takes care of all the messy details for you. transproxy was written
|
||||
by John Saunders, and is available from ftp://ftp.nlc.net .au/pub/linux/www/
|
||||
by John Saunders, and is available from
|
||||
|
||||
<htmlurl url="ftp://ftp.nlc.net.au/pub/linux/www/" name="ftp://ftp.nlc.net.au/pub/linux/www/">
|
||||
or your local metalab mirror. transproxy will not be discussed further in this
|
||||
document.
|
||||
</p>
|
||||
<p>
|
||||
A cleaner solution is to get a web proxy that is aware of transparent proxying
|
||||
itself. The one we are going to focus on here is squid. Squid is an Open Source
|
||||
caching proxy server for Unix systems. It is available from www.squid-cache.org
|
||||
caching proxy server for Unix systems. It is available from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
|
||||
</p>
|
||||
<sect1>
|
||||
Scope of this document
|
||||
<p>
|
||||
This document will focus on squid version 2.3 and linux kernel version
|
||||
2.2, the most current stable releases as of this writing (March 2000). It should
|
||||
also work with squids as early as 2.0 and the later 2.1 linux kernels. Should
|
||||
you need information about earlier releases, you may find some earlier documents
|
||||
at www.unxsoft.com.
|
||||
2.4, the most current stable releases as of this writing (Jan 2001). It should
|
||||
also work with squids as early as 2.0, and most of the later 2.3 kernels.
|
||||
If you need information about earlier releases, you may find some earlier
|
||||
documents at <htmlurl url="http://www.unxsoft.com" name="www.unxsoft.com">.
|
||||
</p>
|
||||
<p>
|
||||
If you want to use linux 2.3, you will have to use a thing called netfilter
|
||||
instead of ipchains. However, it is assumed that if you are running a development
|
||||
kernel, you can figure out netfilter on your own from the provided documentation.
|
||||
If not, you really shouldn't be running a development kernel (trust me on this).
|
||||
Once linux 2.4 is released, this document will be updated to cover netfilter.
|
||||
If you are using a development kernel or a development version of squid, you are on your own. This document may help you, but YMMV.
|
||||
</p>
|
||||
<p>
|
||||
Note that this document focuses only on HTTP proxing. I get many emails asking
|
||||
|
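Review bot: "HTTP proxing" in the trailing context line should be "HTTP proxying". In the Scope paragraph, "most of the later 2.3 kernels" is vague; since every command in this revision is iptables-based, say plainly that the instructions require a kernel with netfilter/iptables (2.4, or a late 2.3 development kernel) and that ipchains-based 2.2 kernels are no longer covered, which the removed netfilter paragraph used to state. The two closing sentences of the replacement paragraph ("you are on your own" and "YMMV") say the same thing; one is enough.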
@ -132,7 +135,7 @@ Configuring the Kernel
|
|||
<p>
|
||||
First, we need to make sure all the proper options are set in your kernel.
|
||||
If you are using a stock kernel from your distribution, transparent proxying
|
||||
may or may not be enabled (IIRC, it is in RH 6.1, but don't quote me on that).
|
||||
may or may not be enabled.
|
||||
If you are unsure, the best way to tell is to simply skip this section, and
|
||||
if the commands in the next section give you weird errors, it's probably because
|
||||
the kernel wasn't configured properly.
|
||||
|
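Review bot: with the "IIRC, it is in RH 6.1" aside removed, the paragraph's only test for kernel support is to run the later commands and watch for "weird errors". A more direct check is already in this document: running the "iptables -t nat -L" command that the Further Resources section asks readers to send shows whether the nat table can be opened at all; if it fails, the kernel (or the iptables binary) lacks the NAT support listed in the next section. Suggest pointing readers at that instead of at unspecified errors.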
@ -141,8 +144,7 @@ First, we need to make sure all the proper options are set in your kernel.
|
|||
If your kernel is not configured for transparent proxying, you will need
|
||||
to recompile. Recompiling a kernel is a complex process (at least at first),
|
||||
and it is beyond the scope of this document. If you need help compiling a kernel,
|
||||
please see <a href="http://metalab.unc.edu/pub/Linux/do cs/HOWTO/Kernel-HOWTO">The
|
||||
Kernel HOWTO.</a>
|
||||
please see <htmlurl url="http://metalab.unc.edu/pub/Linux/docs/HOWTO/Kernel-HOWTO" name="The Kernel HOWTO">
|
||||
</p>
|
||||
<p>
|
||||
The options you need to set in your configuration are as follows (Note:
|
||||
|
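Review bot: the replacement <htmlurl> line loses the full stop that closed the sentence in the removed lines ("The Kernel HOWTO.</a>"); add the "." after the tag. Replacing the HTML <a href> with linuxdoc's <htmlurl> is the right fix for this SGML source, and it also removes the stray space in "do cs" from the old URL.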
@ -151,18 +153,25 @@ The options you need to set in your configuration are as follows (Note:
|
|||
<p>
|
||||
<itemize>
|
||||
<item>
|
||||
Networking support
|
||||
<item>
|
||||
Sysctl support
|
||||
<item>
|
||||
Network packet filtering
|
||||
<item>
|
||||
TCP/IP networking
|
||||
<item>
|
||||
IP: firewalling
|
||||
Connection tracking (Under ``IP: Netfilter Configuration'' in menuconfig)
|
||||
<item>
|
||||
IP: always defragment
|
||||
IP tables support
|
||||
<item>
|
||||
IP: transparent proxy support
|
||||
Full NAT
|
||||
<item>
|
||||
REDIRECT target support
|
||||
<item>
|
||||
/proc filesystem support
|
||||
</itemize>
|
||||
You must say NO to ``Fast switching''
|
||||
</p><p>
|
||||
Once you have your new kernel up and running, you may need to enable IP
|
||||
forwarding. IP forwarding allows your computer to act as a router. Since this
|
||||
|
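Review bot: the unchanged line "You must say NO to ``Fast switching''" was written for the ipchains option list and is now kept next to the netfilter options; please confirm it still applies to the 2.4 configuration this section now describes and, if so, give the reason (neither version states one). Only "Connection tracking" carries the hint that it lives under "IP: Netfilter Configuration" in menuconfig; "IP tables support", "Full NAT" and "REDIRECT target support" are in that same submenu, so marking them the same way, or grouping the four as sub-items, saves readers from hunting through the top-level menu for them.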
@ -170,14 +179,14 @@ Once you have your new kernel up and running, you may need to enable IP
|
|||
explicitly enabled at run-time. However, your distribution might do this for
|
||||
you already. To check, do ``cat /proc/sys/net/ipv4/ip_forward''. If you see
|
||||
``1'' you're good. Otherwise, do ``echo '1' > /proc/sys/net/ipv4/ip_forward''.
|
||||
You will then want to add that command to your appropriate bootup script in
|
||||
/etc/rc.d/.
|
||||
You will then want to add that command to your appropriate bootup scripts (depending on your distribution, these may live in /etc/rc.d, /etc/init.d, or maybe somewhere else entirely).
|
||||
</p>
|
||||
<sect>
|
||||
Setting up squid
|
||||
<p>
|
||||
ow, we need to get squid up and running. Download the latest source tarball
|
||||
from www.squid-cache.org. Make sure you get a STABLE version, not a DEVEL version.
|
||||
Now, we need to get squid up and running. Download the latest source tarball
|
||||
from <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">.
|
||||
Make sure you get a STABLE version, not a DEVEL version.
|
||||
The latest as of this writing was squid-2.3.STABLE4.tar.gz.
|
||||
</p>
|
||||
<p>
|
||||
|
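Review bot: "The latest as of this writing was squid-2.3.STABLE4.tar.gz." is unchanged context, but "as of this writing" now means January 2001 per the Scope section; please re-verify that this is still the latest STABLE tarball at the new date, or the sentence will contradict the date. The "ow" to "Now" fix and the distribution-neutral bootup-script wording are good. Worth a sentence in the ip_forward paragraph: "echo '1' > /proc/sys/net/ipv4/ip_forward" turns the box into a router for every interface, so readers should have the REDIRECT rule and squid's http_access ACL in place before leaving forwarding enabled at boot.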
@ -186,13 +195,12 @@ Now, untar and gunzip the archive (use ``tar -xzf <filename>'').
|
|||
then install (``make install'').
|
||||
</p>
|
||||
<p>
|
||||
Now, we need to edit the default squid.conf file (installed to /usr/local/squid/
|
||||
etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
|
||||
Now, we need to edit the default squid.conf file (installed to /usr/local/squid/etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
|
||||
commented. In fact, some of the best documentation available for squid is in
|
||||
the squid.conf file. After you get it all up and running, you should go back
|
||||
and reread the whole thing. But for now, let's just get the minimum required.
|
||||
Find the following directives, uncomment them, and change them to the appropriate
|
||||
values:
|
||||
Find the following directives, uncomment them, and change them to the
|
||||
appropriate values:
|
||||
</p>
|
||||
<p>
|
||||
<itemize>
|
||||
|
@ -210,8 +218,8 @@ Finally, look at the http_access directive. The default is usually ``http_access
|
|||
probably want to read the directions on ACLs (Access Control Lists), and setup
|
||||
the cache such that only people on your local network (or whatever) can access
|
||||
the cache. This may seem silly, but you should put some kind of restrictions
|
||||
on access to your cache. People behind filtering firewalls (such as porn filters,
|
||||
or filters in nations where speech is not very free) often ``hijack'' onto
|
||||
on access to your cache. People behind filtering firewalls (such as porn
|
||||
filters, or filters in nations where speech is not very free) often ``hijack'' onto
|
||||
wide open proxies and eat up your bandwidth.
|
||||
</p>
|
||||
<p>
|
||||
|
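Review bot: rewrap only, but the security point of this paragraph becomes stronger in the iptables version and deserves an explicit sentence: the REDIRECT rule in the iptables section matches "-i eth0 -p tcp --dport 80" for any source address, so every port-80 connection arriving on that interface is handed to squid, and the http_access ACL restricting the cache to the local network is the only gate that keeps the "hijack" case described here from succeeding.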
@ -225,55 +233,47 @@ Now, run squid using the RunCache script in the /usr/local/squid/bin/ directory.
|
|||
and access squid as a normal proxy.
|
||||
</p>
|
||||
<p>
|
||||
For additional help configuring, see the squid FAQ at www.squid-cache.org.
|
||||
For additional help configuring squid, see the squid FAQ at <htmlurl url="http://www.squid-cache.org" name="www.squid-cache.org">
|
||||
</p>
|
||||
<sect>
|
||||
Setting up ipchains
|
||||
Setting up iptables (Netfilter)
|
||||
<p>
|
||||
ipchains should be installed with almost every recent distribution (anything
|
||||
based on kernel 2.2). However, should you not have ipchains, you can get it
|
||||
from ftp://ftp.rustcorp.com/ipchains/. ipchains is a very powerful tool, and
|
||||
we'll only scratch the surface here. For more information, please see http://www.rustcorp.com/linux/ipchains/HOWTO.html
|
||||
for the ipchains HOWTO.
|
||||
iptables is a new thing for Linux kernel 2.4 that replaces ipchains.
|
||||
If your distribution came with a 2.4 kernel, it probably has iptables
|
||||
already installed. If not, you'll have to download it (and possibly
|
||||
compile it). The homepage is <htmlurl url="http://netfilter.kernelnotes.org/" name="netfilter.kernelnotes.org">.
|
||||
You make be able to find binary RPMs elsewhere, I haven't looked. For the
|
||||
curious, there is plenty of documentation on the netfilter site.
|
||||
</p>
|
||||
<p>
|
||||
To set up the rules, you will need to know two things, the IP address of
|
||||
the box (I'll use 192.168.1.1 as an example) and the port squid is running
|
||||
on (I'll use the default of 3128 as an example).
|
||||
To set up the rules, you will need to know two things, the interface that
|
||||
the to-be-proxied requests are coming in on (I'll use eth0 as an example)
|
||||
and the port squid is running on (I'll use the default of 3128 as an example).
|
||||
</p>
|
||||
<p>
|
||||
First, we need to allow packets destined for any actual webserver on this
|
||||
box through. We should setup both the loopback interface and the ethernet interface.
|
||||
You should not skip this step even if you no actual webserver on your box,
|
||||
as the absence of these rules can create infinite forwarding loops where the
|
||||
proxy tries to connect to itself. Use the following commands:
|
||||
</p>
|
||||
<p>
|
||||
<itemize>
|
||||
<item>
|
||||
ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
|
||||
<item>
|
||||
ipchains -A input -p TCP -d 192.168.1.1/32 www -j ACCEPT
|
||||
</itemize>
|
||||
</p><p>
|
||||
Now, the magic words for transparent proxying:
|
||||
</p>
|
||||
<p>
|
||||
<itemize>
|
||||
<item>
|
||||
ipchains -A input -p TCP -d any/0 www -j REDIRECT 3128
|
||||
iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
|
||||
</itemize>
|
||||
</p><p>
|
||||
You will want to add the above commands to your appropriate bootup script
|
||||
under /etc/rc.d/.
|
||||
under /etc/rc.d/. Readers upgrading from 2.2 kernels should note that,
|
||||
as far as the author can tell, this is the only command needed. 2.2 kernels
|
||||
required two extra commands in order to prevent forwarding loops. The
|
||||
author was unable to generate any loops. If anyone can generate a forwarding
|
||||
loop using this rule, please send an e-mail to drk@unxsoft.com.
|
||||
</p>
|
||||
|
||||
<sect>
|
||||
Put it all together
|
||||
<p>
|
||||
If everything has gone well so far, go to another machine, change it's
|
||||
gateway to the IP of your new squid box, and surf away. To make sure that requests
|
||||
are really being forwarded through your proxy instead of straight to the origin
|
||||
server, check the log file /usr/local/squid/logs/acces s.log
|
||||
gateway to the IP of your new squid box, and surf away. To make sure that
|
||||
requests are really being forwarded through your proxy instead of straight
|
||||
to the origin server, check the log file /usr/local/squid/logs/access.log
|
||||
</p>
|
||||
<sect>
|
||||
Further Resources
|
||||
|
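Review bot: the new REDIRECT rule uses "-D" ("iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"); "-D" deletes a matching rule, so as written the "magic words" install nothing, interception never starts, and the command fails with an error when no such rule exists. It should be "-A" (append), matching the "-A input" of the ipchains rule it replaces. On the removed loop-prevention rules and the request for loop reports: the nat table's PREROUTING chain only sees packets arriving from the network, not connections squid itself originates on this box, which is why the author could not reproduce a forwarding loop; stating that reason is more useful to readers than asking for e-mail. Typos in the added text: "You make be able" should be "may be able", and "change it's gateway" should be "its".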
@ -281,8 +281,13 @@ Further Resources
|
|||
Should you still need assistance, you may wish to check the squid FAQ or
|
||||
the squid mailing list at www.squid-cache.org. You may also e-mail me at drk@unxsoft.com, and I'll try to answer your questions if time permits (sometimes
|
||||
it does, but sometimes it doesn't). Please, please, please, send the output of
|
||||
``ipchains -L'' and relavent portions of any configuration files in your e-mail, or else I will probably not be able to help you out much...
|
||||
``iptables -t nat -L'' and relavent portions of any configuration files in your e-mail, or else I will probably not be able to help you out much...
|
||||
</p>
|
||||
|
||||
</article>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
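Review bot: "relavent" is carried over unchanged from the ipchains line into the new "iptables -t nat -L" line; it should be "relevant". The change from "ipchains -L" to "iptables -t nat -L" is the right one for this revision, since the REDIRECT rule lives in the nat table and a plain "iptables -L" (filter table) would not show it.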