The advantages of using a proxy server in a company, or even on a small network, are endless: they range from bandwidth savings through caching to a decent content filter.
In this tutorial I will show how to set up a proxy on CentOS.
Resources used
Hardware
In our specific case I was fortunate to have a beefy machine to implement the proxy: a quad-core Xeon with 4 GB of RAM and SAS disks. Remember that the server needs at least two network interfaces.
System
We use CentOS 5.7 64-bit; it met our needs very well.
Squid
We use Squid to control users and cache.
Dansguardian
Dansguardian is our content filter. Its great advantage is its own heuristic filtering, which blocks sites based on the words found within pages.
Iptables
We use iptables to control which server IPs bypass squid/dansguardian.
CBQ
We do bandwidth control with CBQ, which already ships with CentOS.
Installation
Installing the System
Download the latest version of CentOS here. Always look for a mirror in Brazil, or as close to you as possible, since it is more likely to be fast. Prefer the DVD as well.
Configure the network interfaces, one facing the external network (in our case eth0) and one facing the internal network (eth1). Edit resolv.conf to point at your DNS server. Once the server resolves names normally, we move on to the next step.
Installing Squid
No mystery here; squid is already in the CentOS repository:
yum install squid
Installing Dansguardian
Dansguardian is not in the CentOS repository, so we have to compile it by hand.
Before installing dansguardian, take care of some dependencies:
yum install pkgconfig gcc gcc-c++ libstdc++-devel zlib-devel pcre-devel make wget bzip2-devel
You may need to set the pkgconfig environment variable:
export PKG_CONFIG_PATH=/usr/lib/pkgconfig
Download the latest version here, unpack it on your server and compile:
tar xzfv dansguardian-2.10.1.1.tar.gz
cd dansguardian-2.10.1.1
./configure
make
make install
Configuring Squid
Below is my Squid configuration (/etc/squid/squid.conf). It is already prepared for squid's basic authentication against a password file (/etc/squid/passwd) and includes the cache settings (/var/squid/cache).
# NAME
visible_hostname rmohan.com
# PORT
http_port 3128 transparent
# CACHE MEMORY
cache_mem 1024 MB
maximum_object_size_in_memory 20 KB
memory_replacement_policy heap GDSF
# DISK CACHE
cache_dir ufs /var/squid/cache 5000 16 256
cache_replacement_policy heap LFUDA
minimum_object_size 15 KB
maximum_object_size 5 MB
cache_swap_low 90
cache_swap_high 95
# LOG
access_log none
cache_log /var/log/squid/cache.log
# AUTH
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 8
auth_param basic realm Enter your Username and Password
auth_param basic credentialsttl 15 minute
# ACLs
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # http multiling
acl CONNECT method CONNECT
acl hours time SMTWHFA 00:00-24:00
acl authenticated proxy_auth REQUIRED
# HTTP_ACCESS
http_access allow authenticated hours
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
icp_access allow all
# OTHERS
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
To start squid for the first time, run the command squid -z so that it creates the cache directories; after that, simply run the command squid.
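As an added check of my own (example code, not from the original post or from Squid): Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides. In the squid.conf above, http_access allow authenticated hours comes before the deny !Safe_ports and deny CONNECT !SSL_ports lines, so a logged-in user can CONNECT to any port. The small evaluator below reproduces that first-match logic for the ACL types this config uses (the manager lines are left out because they do not affect the point) and compares the post's order with the same rules reordered:

```python
import ipaddress

# Matchers for the acl types this squid.conf uses in its http_access lines
MATCH = {
    "src": lambda args, r: any(ipaddress.ip_address(r["src"]) in ipaddress.ip_network(a, strict=False)
                               for a in args),
    "port": lambda args, r: any(int(a.partition("-")[0]) <= r["port"] <= int(a.partition("-")[2] or a)
                                for a in args),
    "method": lambda args, r: r["method"] in args,
    "proxy_auth": lambda args, r: r["authenticated"],  # REQUIRED: any valid login
    "time": lambda args, r: True,                      # SMTWHFA 00:00-24:00 always matches
}

def parse_conf(text):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def decide(acls, rules, req):
    """First rule whose terms all match wins; default is the opposite of the last rule."""
    def term_ok(t):
        kind, args = acls[t.lstrip("!")]
        return MATCH[kind](args, req) != t.startswith("!")
    for action, terms in rules:
        if all(term_ok(t) for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

ACLS = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl hours time SMTWHFA 00:00-24:00
acl authenticated proxy_auth REQUIRED
"""
# http_access lines in the order the post gives them (manager lines omitted)
PAGE_RULES = ["allow authenticated hours", "deny !Safe_ports", "deny CONNECT !SSL_ports",
              "allow localhost", "deny all"]
# Same rules with the Safe_ports and CONNECT denies moved ahead of the authenticated allow
SAFER_RULES = PAGE_RULES[1:3] + PAGE_RULES[:1] + PAGE_RULES[3:]

def check(rules, req):
    acls, parsed = parse_conf(ACLS + "".join(f"http_access {r}\n" for r in rules))
    return decide(acls, parsed, req)

# Constructed request: a logged-in LAN user asking the proxy to CONNECT to port 25
connect_25 = {"src": "192.168.0.50", "port": 25, "method": "CONNECT", "authenticated": True}
```

check(PAGE_RULES, connect_25) returns "allow" while check(SAFER_RULES, connect_25) returns "deny"; the same reordering keeps CONNECT to 443 allowed for authenticated users.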
Configuring Dansguardian
First we will update the list of blocked sites: visit this site (URLBlacklist.com) and download the newest version. Unpack it into /usr/local/etc/dansguardian/lists/blacklists.
Now let's edit the Dansguardian configuration file (/usr/local/etc/dansguardian/dansguardian.conf):
# REPORT
reportinglevel = 3
# LANGUAGE
languagedir = '/usr/local/share/dansguardian/languages'
language = 'ptbrazilian'
# Logs
loglevel = 3
logexceptionhits = 2
logfileformat = 3
loglocation = '/usr/local/var/log/dansguardian/access.log'
# Network Settings
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
nonstandarddelimiter = on
# BANNED IMAGE
usecustombannedimage = on
custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
# Filter groups options
filtergroups = 1
filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
# Authentication files
# WEIGHTED PHRASES
showweightedfound = on
weightedphrasemode = 2
# Positive (clean) result caching for URLs
urlcachenumber = 1000
# Age before they are stale and should be ignored, in seconds
urlcacheage = 900
# Clean cache for content (AV) scan results
scancleancache = on
# Smart, Raw and Meta/Title phrase content filtering options
phrasefiltermode = 2
# Lower casing options / 0 = force lower case (default)
preservecase = 0
# Hex decoding options
hexdecodecontent = off
# Force Quick Search rather than DFA search algorithm
forcequicksearch = off
# Reverse lookups for banned sites and URLs
reverseaddresslookups = off
# Reverse lookups for banned and exception IP lists
reverseclientiplookups = off
# Perform reverse lookups on client IPs for successful requests
logclienthostnames = off
# Build bannedsitelist and bannedurllist cache files
createlistcachefiles = on
# POST protection (web upload and forms)
maxuploadsize = -1
# Max content filter size
maxcontentfiltersize = 256
# Max content RAM cache scan size
maxcontentramcachescansize = 2000
# Max content file cache scan size
maxcontentfilecachescansize = 20000
# File cache dir
filecachedir = '/tmp'
# Delete file cache after user completes download
deletedownloadedtempfiles = on
# Initial trickle delay
initialtrickledelay = 20
# Trickle delay
trickledelay = 10
# Download
# Content scanner timeout
contentscannertimeout = 60
# Content scan exceptions
contentscanexceptions = off
# Auth
# Re-check replaced URLs
recheckreplacedurls = off
# Misc settings
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
# Fork pool options
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
# Sets the maximum number of client IP addresses allowed to connect at once
maxips = 0
# IPC filename
ipcfilename = '/tmp/.dguardianipc'
# URL list IPC filename
urlipcfilename = '/tmp/.dguardianurlipc'
# IP list IPC filename
ipipcfilename = '/tmp/.dguardianipipc'
# PID filename
nodaemon = off
# Disable logging process
nologger = off
# Enable logging of "ADs" category blocks
logadblocks = on
# Enable logging of client User-Agent
loguseragent = off
# Soft restart
softrestart = off
Two interesting items in this configuration are the access log file (/usr/local/var/log/dansguardian/access.log) and the editable HTML block page (under /usr/local/share/dansguardian/languages), which can be customized.
To start it, simply run the command dansguardian; to reload the rules, run dansguardian -r.
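To illustrate what weightedphrasemode = 2 and showweightedfound = on in the config above do, here is an added example of my own (not DansGuardian's code) of the weighted phrase heuristic: each phrase in a list carries a positive or negative weight, the weights of the phrases found in a page are summed, and the page is blocked when the total goes over the filter group's naughtiness limit. The phrase list, the limit of 50 and the sample page are constructed for the example; phrase combinations and exception lists are left out.

```python
import re
from html import unescape

# Constructed weighted phrase list in DansGuardian's <phrase><weight> format
WEIGHTED_PHRASES = """\
<hot deal><5>
<free download><15>
<crack><20>
<serial key><30>
<security research><-20>
<university><-20>
"""
NAUGHTYNESS_LIMIT = 50   # assumed filter-group limit; the post's config does not show it

def parse_phrase_list(text):
    """Read <phrase><weight> lines; preservecase=0 means everything is compared lower-cased."""
    phrases = []
    for line in text.splitlines():
        m = re.fullmatch(r"<(.+)><(-?\d+)>", line.strip())
        if m:
            phrases.append((m.group(1).lower(), int(m.group(2))))
    return phrases

def page_text(html):
    """Approximation of what the phrase filter scans: tags stripped, entities decoded, lower case."""
    return re.sub(r"<[^>]+>", " ", unescape(html)).lower()

def score(html, phrases, mode=2):
    """mode 1 = every occurrence counts; mode 2 = each phrase counts once (the post's setting)."""
    text = page_text(html)
    total, found = 0, []
    for phrase, weight in phrases:
        hits = text.count(phrase)
        if hits:
            n = 1 if mode == 2 else hits
            total += weight * n
            found.append(f"{phrase}({weight}x{n})")   # roughly what showweightedfound logs
    return total, found

def verdict(html, phrases, mode=2, limit=NAUGHTYNESS_LIMIT):
    """Block when the summed weight exceeds the limit; negative weights pull a page back under it."""
    total, found = score(html, phrases, mode)
    return ("blocked" if total > limit else "allowed", total, found)

PHRASES = parse_phrase_list(WEIGHTED_PHRASES)
# Constructed sample page full of software-piracy phrases; it trips the filter in either mode
SAMPLE_HTML = """<html><body><h1>Hot deal!</h1>
<p>Free download - crack and serial key inside. Hot deal, hot deal, hot deal!</p></body></html>"""
```

verdict(SAMPLE_HTML, PHRASES) scores 70 in mode 2 and 85 in mode 1; a page that merely repeats "hot deal" a dozen times is blocked in mode 1 but allowed in mode 2, which is why mode 2 is less prone to blocking harmless repetitive pages.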
Iptables
For iptables I created a script to load the settings, because the rules must be loaded every time the server starts.
In this script:
– Force all incoming connections to port 8080 (dansguardian);
– Allow some network IPs to 'leak', so that they do not go through dansguardian and squid; ideal for network servers;
– Block IPs;
– Block against Ping of Death and DoS.
Save this file with a name such as iptables-load and call it with sh iptables-load
#!/bin/bash
# Restarting iptables
/etc/init.d/iptables restart
# FUNCTIONS
# Let this IP bypass the proxy: skip NAT interception, masquerade it out eth0 and forward it
libera_ip () {
iptables -t nat -I PREROUTING -s "$1" -j ACCEPT
iptables -t nat -I POSTROUTING -s "$1" -o eth0 -j MASQUERADE
iptables -I FORWARD -s "$1" -j ACCEPT
}
# Drop everything this IP sends to the server itself
bloqueia_ip () {
iptables -A INPUT -s "$1" -j DROP
}
#################
# BLOCK IPs
# bloqueia_ip "192.168.0.199"
# LOAD IPTABLES MODULES
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
# BLOCKS AGAINST PING OF DEATH AND DoS
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
# OPEN CONNECTIONS FROM THE LOCAL NETWORK ON PORT 8080
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# RELEASE FOR BROWSING WITHOUT THE PROXY (SERVERS)
libera_ip "192.168.0.1" # SERV1
libera_ip "192.168.0.2" # Serv2
# End
echo "Iptables Ready"
CBQ
With CBQ we do the network bandwidth control. First go to /etc/sysconfig/cbq. For each rule you create one file for download and another for upload, e.g. cbq-0002.geral-in and cbq-0002.geral-out.
The numbering of the rules starts at 0002 and continues from there; note that this numbering is hexadecimal.
See my examples:
cbq-0002.geral-in
DEVICE=eth1,1000Mbit,100Mbit
RATE=2Mbit
WEIGHT=200Kbit
PRIO=5
RULE=192.168.0.0
BOUNDED=yes
ISOLATED=yes
cbq-0002.geral-out
DEVICE=eth0,1000Mbit,100Mbit
RATE=100Kbit
WEIGHT=10Kbit
PRIO=5
RULE=192.168.0.0,
BOUNDED=yes
ISOLATED=yes
Compile the CBQ rules with the command cbq compile and start them with cbq start.
See this tutorial for more information about CBQ.
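Because the file numbering is hexadecimal and each class needs an -in and an -out file, it is easy to get a pair wrong by hand. The following is an added example (my own code, not part of cbq.init or of the original post) that generates both files for a class, formats the id as four hex digits, sets WEIGHT to about a tenth of RATE (cbq.init's rule of thumb, an assumption here) and applies cbq.init's RULE syntax, in which a trailing comma marks the address as the source of the traffic; that comma is what makes the -in and -out files above differ.

```python
import re

KBIT_PER_UNIT = {"Kbit": 1, "Mbit": 1000}

def parse_rate(rate):
    """'2Mbit' -> 2000 kbit; anything else is refused rather than silently passed on to tc."""
    m = re.fullmatch(r"(\d+)(Kbit|Mbit)", rate)
    if not m:
        raise ValueError(f"bad rate {rate!r}: use NKbit or NMbit")
    return int(m.group(1)) * KBIT_PER_UNIT[m.group(2)]

def fmt_rate(kbit):
    """Print whole megabits as Mbit, everything else as Kbit."""
    return f"{kbit // 1000}Mbit" if kbit and kbit % 1000 == 0 else f"{kbit}Kbit"

def cbq_rules(index, name, lan, down_rate, up_rate, lan_if="eth1", wan_if="eth0"):
    """Return {filename: contents} for one class: its -in (download) and -out (upload) files."""
    if not 2 <= index <= 0xFFFF:
        raise ValueError("class ids run from 0002 to ffff and are hexadecimal")
    # -in shapes traffic leaving the LAN interface, so the LAN address is the destination;
    # -out shapes traffic leaving the WAN interface, so the LAN address is the source,
    # which cbq.init's RULE syntax expresses with a trailing comma
    directions = (("in", lan_if, down_rate, lan), ("out", wan_if, up_rate, lan + ","))
    files = {}
    for direction, dev, rate, rule in directions:
        kbit = parse_rate(rate)
        files[f"cbq-{index:04x}.{name}-{direction}"] = "\n".join([
            f"DEVICE={dev},1000Mbit,100Mbit",
            f"RATE={fmt_rate(kbit)}",
            f"WEIGHT={fmt_rate(max(kbit // 10, 1))}",   # assumed rule of thumb: about RATE/10
            "PRIO=5",
            f"RULE={rule}",
            "BOUNDED=yes",
            "ISOLATED=yes",
        ]) + "\n"
    return files
```

cbq_rules(2, "geral", "192.168.0.0", "2Mbit", "100Kbit") reproduces the two files shown above; the tenth class would be numbered 000a, not 0010.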
Starting all
Finally, I created a script to start all the necessary services, just to make things easier:
#!/bin/bash
squid
echo "starting squid"
dansguardian
echo "starting dansguardian"
sh /iptables-load
echo "loading iptables"
cbq compile
echo "compiling cbq"
cbq start
echo "starting cbq"
echo "READY"
Additional
To make administering the server easier, I recommend installing webmin (a web interface for server administration which comes with a Squid module, great for managing the users) and sarg together with webalizer, for reports on the dansguardian log.
Finishing
I hope this article is helpful. Of course it does not answer every question, and each installation will have its own particular problems, but hopefully it serves as a base for administrators. Leave your comments with questions and suggestions.
Thanks for visiting and sharing this post!