Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Saturday, July 3, 2010

Controlling Web Access with Squid

How to Setup Transparent Squid Proxy Server in Ubuntu

Ubuntu 10.04 Squid Proxy

Squid is a caching proxy server that can provide enhanced performance for HTTP, HTTPS and FTP. Squid caches commonly accessed sites, which can improve performance by 10-20% for Internet connections.

Squid is compliant with the Harvest Cache architecture and uses the Inter-Cache Protocol (ICP) to transfer data between peer and parent/child servers. Squid can accelerate traffic from the inside network to the Internet, or it can be employed as a front-end accelerator for a Web server, speeding up access to the web pages on that server.
Here is what Squid can do:
1. Accelerate Internet Connections for Internal Network
2. Protect the Internal Network When Surfing the Internet
3. Create Detailed Information About User Activity on the Internet
4. Prevent Inappropriate Activity by Users on the Internet
5. Enforce Use by Authorized Users Only
6. Filter Sensitive Material
7. Accelerate Web Server Pages
Squid acts both as a proxy, working on behalf of a user, and as a cache. When Squid works as a proxy and a user requests a web site, Squid retrieves the web page and then provides it to the user. The user never actually reaches the Internet, because the proxy server retrieves and caches every site the user requests.
Install and Start Squid
Ubuntu now installs squid 2.7 as the default, which is focused on high performance with features aimed at high traffic volume. This is in contrast to the other option, squid 3.0, which has a greater focus on web filtering. Be aware that any modifications you make are version specific.
sudo apt-get install squid
Start / Stop / Restart
Because squid is now integrated with upstart the best way to control squid is using these commands:
start squid
stop squid
restart squid
Important Locations
Once you install Squid, you will need to be familiar with these locations that are important for Squid.
/etc/squid              config directory
/etc/squid/squid.conf   squid configuration file
/usr/share/doc/squid    documentation and examples
/usr/lib/squid          support files
/usr/sbin/squid         squid daemon
/var/log/squid          log directory
/var/spool/squid        cache directory
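The log directory above holds access.log, which is where the "detailed information about user activity" mentioned earlier ends up. The following script is an added example (not from the page or the Squid project) that parses Squid's native access.log format and reports denied requests per client, bytes per client and the cache hit ratio; the log lines it contains are constructed for the example, and the client addresses and domain names are assumptions.

```python
"""Summarise a Squid native-format access.log (added example).

Squid's default access.log line has these space-separated fields:
  timestamp elapsed_ms client result_code/status bytes method URL ident hierarchy/peer content_type
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in Squid's native format (addresses and hosts are made up).
SAMPLE_LOG = """\
1278165600.123    245 192.168.1.10 TCP_MISS/200 1520 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1278165601.410     12 192.168.1.10 TCP_HIT/200 2310 GET http://www.example.com/logo.png - NONE/- image/png
1278165602.005      0 192.168.1.25 TCP_DENIED/403 1789 GET http://www.badsite.example/ - NONE/- text/html
1278165603.330      0 192.168.1.25 TCP_DENIED/403 1789 GET http://www.badsite.example/x - NONE/- text/html
1278165604.900    880 10.0.0.5 TCP_MISS/200 9981 CONNECT secure.example.com:443 - DIRECT/192.0.2.20 -
"""


def parse_line(line):
    """Split one native-format line into a dict; returns None for malformed lines."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, status = f[3].split("/", 1)
    return {
        "ts": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": result,        # e.g. TCP_MISS, TCP_HIT, TCP_DENIED
        "status": int(status),   # HTTP status returned to the client
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "user": f[7],            # "-" unless proxy authentication is in use
        "hierarchy": f[8],
        "content_type": f[9],
    }


def summarize(text):
    """Aggregate a log text: request count, denials per client, bytes per client, hit ratio."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    denied = Counter(e["client"] for e in entries if e["result"] == "TCP_DENIED")
    bytes_by_client = Counter()
    for e in entries:
        bytes_by_client[e["client"]] += e["bytes"]
    hits = sum(1 for e in entries if "HIT" in e["result"])
    return {
        "requests": len(entries),
        "denied_by_client": dict(denied),
        "bytes_by_client": dict(bytes_by_client),
        "hit_ratio": hits / len(entries) if entries else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real file with `summarize(open("/var/log/squid/access.log").read())`; a client that accumulates many TCP_DENIED entries is either misconfigured or probing the ACLs, and is worth a look either way.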
Basic  Squid Configuration
The complete configuration file is found at /etc/squid/squid.conf. However, since the Squid configuration file has over 4960 lines, it is not the easiest to work with. A basic configuration of Squid only needs one modification if you are using private networks.
The hostname is automatically discovered by Squid; however, if you want to set a specific name you can use visible_hostname.
visible_hostname myserver
The only line that must be set is to create a http_access variable that will allow users on the internal network to access the Internet. The line should look something like this:
http_access allow localnet
This line needs to be placed in a specific location, included in the example is the line number so it is easier to locate, note that the localhost is configured to work by default.
677 http_access allow localhost
678 http_access allow localnet
This is possible because the default settings now include these three private networks.
acl localnet src
acl localnet src
acl localnet src
Once you have set this up restart squid with the following command.
restart squid
squid start/running, process 13551
Here is a tutorial with additional information on Squid ACLs
Point the browsers on those internal machines to the Squid proxy. Several points to note about the proxy settings: the default port you will connect to is 3128, and set the browser to use the Squid proxy for all protocols. Once that is set you should have Internet access.

You will need to configure your firewall. Limit access so that clients can only go through port 3128. This will force them to use the proxy which will provide speed, save resources and protect your internal machines.
  • Reduce Internet bandwidth charges
  • Limit access to the Web to only authorized users.
The Squid web caching proxy server can achieve both these goals fairly easily.
Users configure their web browsers to use the Squid proxy server instead of going to the web directly. The Squid server then checks its web cache for the web information requested by the user. It will return any matching information that it finds in its cache, and if there is none, it will go to the web to find it on behalf of the user. Once it finds the information, it will populate its cache with it and also forward it to the user's web browser.
As you can see, this reduces the amount of data accessed from the web. Another advantage is that you can configure your firewall to only accept HTTP web traffic from the Squid server and no one else. Squid can then be configured to request usernames and passwords from each user that uses its services. This provides simple access control to the Internet.
Download and Install The Squid Package
Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", provides details. It is best to use the latest version of Squid.
Starting Squid
Use chkconfig to configure Squid to start at boot:
[root@bigboy tmp]# chkconfig squid on
Use the service command to start, stop, and restart Squid after booting:
[root@bigboy tmp]# service squid start
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart
You can test whether the Squid process is running with the pgrep command:
[root@bigboy tmp]# pgrep squid
You should get a response of plain old process ID numbers.
The /etc/squid/squid.conf File
The main Squid configuration file is squid.conf, and, like most Linux applications, Squid needs to be restarted for changes to the configuration file to take effect.
The Visible Host Name
Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server bigboy.
visible_hostname bigboy
Access Control Lists
You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or a source network. ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.
Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.
Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the chapter's examples, I've suggested that you place your statements at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above that last line.
Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.
Restricting Web Access By Time
Restricting Access to specific Web sites
# File: /usr/local/etc/allowed-sites.squid
# File: /usr/local/etc/restricted-sites.squid
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
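The first-match rule described under Access Control Lists is easy to get wrong, so here is an added example (not Squid's code, and not from the page) that evaluates a squid.conf fragment shaped like the one above the way Squid's http_access list is read: top to bottom, first matching line decides, and if no line matches Squid applies the opposite of the last line's action. It handles only the src, dstdomain and time ACL types with inline values (no list files), and treats the time range as end-exclusive; the 192.168.1.0/24 source range, the domain names and the request times are assumptions. It also shows what happens when a deny line is placed above the allow it shadows.

```python
"""Toy evaluator for Squid-style acl / http_access rules (added example, not Squid's own code)."""
import ipaddress
from datetime import datetime

DAY_CODES = "SMTWHFA"  # Squid's day letters, Sunday first (H = Thursday, A = Saturday)


def parse_config(text):
    """Collect acl definitions (one name may span several lines) and http_access rules in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl_type, values, req):
    """Match one acl line against a request dict carrying src, host and time."""
    if acl_type == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = req["host"].lower()
        for v in values:
            v = v.lower()
            # a leading dot matches the domain itself and every subdomain
            if (v.startswith(".") and (host == v[1:] or host.endswith(v))) or host == v:
                return True
        return False
    if acl_type == "time":
        days, span = "", None
        for v in values:
            if "-" in v and ":" in v:
                span = v
            else:
                days += v  # both "M T W H F" and "MTWHF" are accepted
        now = req["time"]
        if days and DAY_CODES[(now.weekday() + 1) % 7] not in days:
            return False
        if span:  # h1:mm-h2:mm, start inclusive, end exclusive (assumption of this toy)
            start, end = (tuple(int(x) for x in t.split(":")) for t in span.split("-"))
            minute = now.hour * 60 + now.minute
            return start[0] * 60 + start[1] <= minute < end[0] * 60 + end[1]
        return True
    raise ValueError(f"unsupported acl type: {acl_type}")


def acl_name_matches(acls, name, req):
    """Resolve a name from an http_access line, honouring '!' negation and the builtin 'all'."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    matched = True if name == "all" else any(acl_matches(t, v, req) for t, v in acls[name])
    return matched != negate


def evaluate(config_text, req):
    """Return (action, rule_index); rule_index is None when Squid's default applied."""
    acls, rules = parse_config(config_text)
    for i, (action, names) in enumerate(rules):
        if all(acl_name_matches(acls, n, req) for n in names):
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


# Constructed fragment in the shape of the page's example; the source range and domains are assumptions.
SAMPLE_CONF = """
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain .example.com
acl BadSites dstdomain .badsite.example
http_access deny BadSites
http_access allow home_network business_hours GoodSites
http_access deny all
"""
# The pitfall the text warns about: a deny placed above the allow it shadows.
SHADOWED_CONF = SAMPLE_CONF.replace(
    "http_access deny BadSites", "http_access deny BadSites\nhttp_access deny home_network")

TUE_BUSINESS = datetime(2010, 7, 6, 10, 30)  # a Tuesday, inside 9:00-17:00
SAT_MORNING = datetime(2010, 7, 3, 10, 30)   # a Saturday


def request(src, host, when):
    return {"src": src, "host": host, "time": when}


if __name__ == "__main__":
    for conf_name, conf in (("ordered", SAMPLE_CONF), ("shadowed", SHADOWED_CONF)):
        for r in (request("192.168.1.10", "www.example.com", TUE_BUSINESS),
                  request("192.168.1.10", "www.badsite.example", TUE_BUSINESS),
                  request("192.168.1.10", "www.example.com", SAT_MORNING),
                  request("10.0.0.5", "www.example.com", TUE_BUSINESS)):
            print(conf_name, r["src"], r["host"], r["time"].strftime("%a %H:%M"), "->", evaluate(conf, r))
```

With the ordered fragment, the internal client reaches the allowed site during business hours, is refused on the restricted site by the first line, and falls through to the final deny on a Saturday; with the shadowed fragment the same allowed request is refused by the deny line above the allow, which is exactly why the text says to check the order before restarting Squid.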
Restricting Web Access By IP Address
