The advantages of using a proxy server within a company, or even a small network are endless, ranging from bandwidth savings, using the cache to a decent content filter.
\nIn this tutorial I will show how to configure a proxy using CentOS.
\nResources used<\/p>\n
Hardware<\/strong> Squid<\/strong> PORT # # CACHE MEMORY DISCK CACHE # # LOG AUTH # # ACLs # HTTP_ACCESES # OTHERS # LANGUAGE # Logs LogLocation = ‘\/ usr \/ local \/ var \/ log \/ dansguardian \/ access.log’<\/p>\n # Network Settings nonstandarddelimiter = on<\/p>\n # LOCKED IMAGES # Filter groups options # Authentication files <\/p>\n # WORDS – WEIGHT # Positive (clean) result caching for URLs # Age Before They are stale and Should be ignored in seconds # Clean cache for content (AV) scan results # Smart, Raw and Meta \/ Title phrase content filtering options # Lower casing options \/ 0 = force lower case (default) # Hex decoding options # Force Quick Search rather than DFA search algorithm # Reverse lookups for banned site and URLs # Reverse lookups for banned and exception IP lists. # Perform reverse lookups on client IPs for successful requests. # Build bannedsitelist bannedurllist and cache files. # POST protection (web upload and forms) # Max content filter size # Max content ram cache scan size # Max content file cache scan size # File cache dir # Delete file cache after user completes download # Initial Trickle delay # Trickle delay # Download <\/p>\n # Content scanner timeout # Content scan exceptions # Auth <\/p>\n # Re-check URLs Replaced # Misc settings # Fork pool options # Sets the maximum number client IP addresses allowed to connect at once. # IPC filename # URL list IPC filename # IP list IPC filename # PID filename # Disable logging process # Enable logging of “ADs” category blocks # Enable logging of client User-Agent # Soft restart # Remaining iptables # FUNCTIONS bloqueia_ip () { # # # # # # # # # # # # # # # # #<\/p>\n BLOCK IPs # # BEARS MODULOS IPTABLES # BLOCKS AGAINST DEATH AND PING DoS # OPEN CONNECTION TO A LOCAL AREA NETWORK AT THE DOOR 8080 # RELEASE FOR NAVIGATION WITHOUT PROXY SERVERS # Ends squid dansguardian sh \/ iptables – load cbq compile cbq start echo “READY” The advantages of using a proxy server within a company, or even a small network are endless, ranging from bandwidth savings, using the cache to a decent content filter. In this tutorial I will show how to configure a proxy using CentOS. Resources used<\/p>\n Hardware In our specific case, I was fortunate to have a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2316"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2316"}],"version-history":[{"count":16,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2316\/revisions"}],"predecessor-version":[{"id":2332,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2316\/revisions\/2332"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nIn our specific case, I was fortunate to have a fine machine Parruda to implement the proxy, one Xeon Quad with 4Gb Ram and SAS disks. Recalling that the server has to have at least two network interfaces.
\nSystem
\nWe use CentOS 5.7 64bit. Reached our needs very well.<\/p>\n
\nWe use Squid to control users and cache.
\nDansguardian
\nWhat is our dansguardian content filter, the great advantage of it’s own filters by heuristics, which blocks sites based on words within pages.
\nIptables
\nUse iptables to control the IPs of servers that do not pass through squid \/ dansguardian
\nCBQ
\nWe bandwidth control using the CBQ, existing on CentOS.
\nInstallation
\nInstalling the System
\nDownload here the latest version of CentOS, always remember to look for a server in Brazil, oo close as possible, there are more chances of having a higher speed. Give preference to the DVD too.
\nConfigure network interfaces, one pointing to the external network (in our case eth0) and one for the internal (eth1). Edit the resolv.conf for your DNS server. If the server is resolving names normally, we will proceed to the next step.
\nInstalling Squid
\nNo mystery here, squid already in the repository for CentOS:
\nyum install squid
\nInstalling Dansguardian
\nThe Dansguardian is not the repository of CentOS, portanta have to compile it on hand.
\nBefore installing dansguardian, treat some dependencies:
\nyum install pkgconfig gcc gcc – c + + libstdc + + – devel zlib – devel pcre – make devel wget bzip2 – devel
\nYou may need to include the environment variable pkgconfig:
\nexport PKG_CONFIG_PATH = \/ usr \/ lib \/ pkgconfig
\nDownload the latest version here , unzip it on your server and compile:
\ntar xzfv dansguardian – 2:10 . 1.1 . tar . gz
\ncd dansguardian – 2:10 . 1.1
\n.\/configure
\nmake
\nmake install
\nConfiguring Squid
\nBelow is my Squid configuration (\/etc\/squid\/squid.conf). Already prepared for basic authentication of squid directed to file (\/etc\/squid\/passwd). And with the cache settings (\/var\/squid\/cache).
\n# NAME
\nvisible_hostname name rmohan.com<\/p>\n
\nhttp_port 3128 transparent<\/p>\n
\ncache_mem 1024 MB
\nmaximum_object_size_in_memory 20 KB
\nmemory_replacement_policy heap GDSF<\/p>\n
\ncache_dir ufs \/var\/squid\/cache 5000 16 256
\ncache_replacement_policy heap LFUDA
\nminimum_object_size 15 KB
\nmaximum_object_size 5 MB
\ncache_swap_low 90
\ncache_swap_high 95<\/p>\n
\naccess_log none
\ncache_log \/var\/log\/squid\/cache.log<\/p>\n
\nauth_param basic program \/ ??usr \/ lib64 \/ squid \/ ncsa_auth \/ etc \/ squid \/ passwd
\nauth_param basic children 8
\nauth_param basic realm Enter your Usu will river and Password
\nauth_param basic credentialsttl 15 minute<\/p>\n
\nacl all src 0.0 . 0.0 \/ 0.0 . 0.0
\nacl manager proto cache_object
\nacl localhost src 127.0 . 0.1 \/ 255,255 . 255,255
\nacl dst to_localhost 127.0 . 0.0 \/ 8
\nacl SSL_ports port 443
\nacl Safe_ports port 80 # http
\nacl Safe_ports port 21 # ftp
\nacl Safe_ports port 443 # https
\nacl Safe_ports port 70 # gopher
\nacl Safe_ports port 210 # wais
\nacl Safe_ports port 1025 – 65535 # unregistered ports
\nacl Safe_ports port 280 # http-mgmt
\nacl Safe_ports port 488 # gss-http
\nacl Safe_ports port 591 # filemaker
\nacl Safe_ports port 777 # http multiling
\nacl CONNECT method CONNECT
\nacl-time team SMTWHFA 0 : 00 – 24 : 00
\nREQUIRED acl authenticated proxy_auth<\/p>\n
\nhttp_access allow authenticated hours
\nhttp_access allow manager localhost
\nhttp_access deny manager
\nhttp_access deny ! Safe_ports
\nhttp_access deny CONNECT ! SSL_ports
\n # And finally deny all other access to this proxy
\nhttp_access allow localhost
\nhttp_access deny all
\nicp_access allow all<\/p>\n
\nhierarchy_stoplist cgi – bin ?
\naccess_log \/var\/log\/squid\/access . squid log
\nacl QUERY urlpath_regex cgi – bin \\?
\ncache deny QUERY
\nrefresh_pattern ^ ftp : in 1440 20 % 10080
\nrefresh_pattern ^ gopher : 1440 0 % 1440
\nrefresh_pattern . 0 20 % 4320
\nacl apache rep_header Server ^ Apache
\nbroken_vary_encoding allow apache
\ncoredump_dir \/ var \/ spool \/ squid
\nTo start the squid first run the command squid-z , so that it creates cache files, in other times simply call the command squid .
\nConfiguring Dansguardian
\nFirst we will update the list of blocked sites, visit this site ( URLBlacklist.com ) and download the newest version. Unzip into \/ usr \/ local \/ etc \/ dansguardian \/ lists \/ blacklists.
\nLet’s edit the configuration file Dansguardian (\/ usr \/ local \/ etc \/ dansguardian \/ dansguardian.conf)
\nREPORT #
\nreportinglevel = 3<\/p>\n
\nlanguagedir = ‘\/ usr \/ local \/ share \/ dansguardian \/ languages’
\nlanguage = ‘ptbrazilian’<\/p>\n
\nloglevel = 3
\nlogexceptionhits = 2
\nlogfileformat = 3<\/p>\n
\nfilterip =
\nfilterport = 8080
\nproxyip = 127.0 . 0.1
\nproxyPort = 3128<\/p>\n
\nusecustombannedimage = on
\ncustombannedimagefile = ‘\/ usr\/local\/share\/dansguardian\/transparent1x1.gif’<\/p>\n
\nfiltergroups = 1
\nfiltergroupslist = ‘\/ usr \/ local \/ etc \/ dansguardian \/ lists \/ filtergroupslist’<\/p>\n
\nshowweightedfound = on
\nweightedphrasemode = 2<\/p>\n
\nurlcachenumber = 1000<\/p>\n
\nurlcacheage = 900<\/p>\n
\nscancleancache = on<\/p>\n
\nphrasefiltermode = 2<\/p>\n
\npreservecase = 0<\/p>\n
\nhexdecodecontent = off<\/p>\n
\nforcequicksearch = off<\/p>\n
\nreverseaddresslookups = off<\/p>\n
\nreverseclientiplookups = off<\/p>\n
\nlogclienthostnames = off<\/p>\n
\ncreatelistcachefiles = on<\/p>\n
\nmaxuploadsize = – 1<\/p>\n
\nmaxcontentfiltersize = 256<\/p>\n
\nmaxcontentramcachescansize = 2000<\/p>\n
\nmaxcontentfilecachescansize = 20000<\/p>\n
\nfilecachedir = ‘\/ tmp’<\/p>\n
\ndeletedownloadedtempfiles = on<\/p>\n
\ninitialtrickledelay = 20<\/p>\n
\ntrickledelay = 10<\/p>\n
\ncontentscannertimeout = 60<\/p>\n
\ncontentscanexceptions = off<\/p>\n
\nrecheckreplacedurls = off<\/p>\n
\nforwardedfor = off
\nusexforwardedfor = off
\nlogconnectionhandlingerrors = on<\/p>\n
\nlogchildprocesshandling = off
\nmaxchildren = 120
\nminchildren = 8
\nminsparechildren = 4
\npreforkchildren = 6
\nmaxsparechildren = 32
\nmaxagechildren = 500<\/p>\n
\nmaxips = 0<\/p>\n
\nipcfilename = ‘\/ tmp \/ .dguardianipc’<\/p>\n
\nurlipcfilename = ‘\/ tmp \/ .dguardianurlipc’<\/p>\n
\nipipcfilename = ‘\/ tmp \/ .dguardianipipc’<\/p>\n
\nnodaemon = off<\/p>\n
\nnologger = off<\/p>\n
\nlogadblocks = on<\/p>\n
\nloguseragent = off<\/p>\n
\nsoftrestart = off
\nTwo items that are interesting in this configuration are the access log file (\/ usr \/ local \/ var \/ log \/ dansguardian \/ access.log) and editable HTML page locked (\/ usr \/ local \/ share \/ dansguardian \/ languages) that can be customized.
\nTo start simply call the command dansguardian dansguardian , and to recharge the rules: dansguardian-r.
\nIptables
\nFor iptables created a scrip to load the settings, because the rules this should be loaded when the servodor starts.
\nIn this script:
\n– Oblige all incoming connections going to port 8080 (dansguardian);
\n– Libero IP network to ‘leak’ so do not fall in dansguardian and squid, ideal for network servers;
\n– Blocking Ips;
\n– Blocking against Ping of Death and DoS;
\nSave this file with the name iptables-load , for example and call the sh iptables-load
\n#! \/ Bin \/ bash<\/p>\n
\n\/ etc \/ init . d \/ iptables restart<\/p>\n
\nlibera_ip () {
\niptables – t nat – I PREROUTING – s $ 1 – j ACCEPT
\niptables – t nat – I POSTROUTING – s $ 1 – eth0 – j MASQUERADE
\niptables – I FORWARD – s $ 1 – j ACCEPT
\n }<\/p>\n
\niptables – A INPUT – s $ 1 – j DROP
\n }<\/p>\n
\n# bloqueia_ip “192.168.0.199”<\/p>\n
\necho 1 & gt ; \/ proc \/ sys \/ net \/ ipv4 \/ ip_forward
\nmodprobe iptable_nat<\/p>\n
\niptables – A INPUT – p icmp – icmp – type echo – request – m limit – limit 1 \/ s – j ACCEPT
\niptables – A INPUT – p icmp – icmp – type echo – reply – m limit – limit 1 \/ s – j DROP<\/p>\n
\niptables – A INPUT – i eth1 – p tcp – dport 8080 – j ACCEPT<\/p>\n
\nlibera_ip “192.168.0.1” # SERV1
\nlibera_ip “192.168.0.2” # Serv2<\/p>\n
\necho “Iptables Ready”
\nCBQ
\nWith CBQ do bandwidth control network, first go to the \/ etc \/ sysconfig \/ cbq. For each rule you create a file down and another up. EX: cbq 0002.geral-in- and -cbq 0002.geral out.
\nFor each rule starts numbering from 0002, and continue, noting that this numbering is in hexadecimal.
\nSee my examples:
\ncbq-0002.geral-in
\nDEVICE = eth1 , 1000Mbit , 100Mbit
\nRATE = 2Mb
\nWEIGHT = 200Kbit
\nPRIO = 5
\nRULE = 192.168 . 0.0
\nBounded = in
\nISOLATED = in
\n0002.geral cbq-out
\nDEVICE = eth0 , 1000Mbit , 100Mbit
\nRATE = 100Kbit
\nWEIGHT = 10Kbit
\nPRIO = 5
\nRULE = 192.168 . 0.0 ,
\nBounded = in
\nISOLATED = in
\nCompile the CBQ with the command cbq compile and start with cbd start .
\nSee this tutorial more information about the CBQ.
\nStarting all
\nFinally created a scrip to start all the necessary services, just to facilitate:
\n#! \/ Bin \/ bash<\/p>\n
\necho “starting squid”<\/p>\n
\necho “Starting dansguardian”<\/p>\n
\necho “iptables loading”<\/p>\n
\necho “compiling cbq”<\/p>\n
\necho “starting cbq”<\/p>\n
\nAdditional
\nTo facilitate the administration of the server, I recommend installing webmin (a web interface facing server administration, now with the Squid module installed, great for keeping the users) and sarg with the webalizer. Reports To log dansguardian .
\nFinishing
\nI hope this article is helpful, of course does not answer all questions, and each installation will have their particular problems, but hopefully it will be a base for administrators. Leave your comments with questions and suggestions.
\nThanks for visiting and sharing this post!<\/p>\n","protected":false},"excerpt":{"rendered":"