Transparent proxy : Squid configuration

I’m going to write now all proxy history or why you should have a proxy on your router/server/gateway but I’m going to explain how to setup one.

First of all it’s recommended to have a separate partition for the proxy cache.( as big as you can afford ). In my case I have /var/squid , 40 GB.

Installing squid on freebsd is as simple as :

cd /usr/ports/www/squid

make install clean

echo ‘squid_enable=”YES”‘ >> /etc/rc.conf

The next step is editing the config file , /usr/local/etc/squid/squid.conf :

vi /usr/local/etc/squid/squid.conf

and make it look like this :

######CONFIG START
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
cache_mem 8 MB
maximum_object_size 50960 KB
maximum_object_size_in_memory 16 KB
cache_dir diskd /var/squid/cache 40000 16 256
cache_access_log /var/squid/log/access.log
cache_log none
cache_store_log none
pid_filename /var/run/squid.pid
hosts_file /etc/hosts
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 10080
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 8080 #also http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blacklist dstdomain ./usr/local/etc/squid/blacklist.txt.
http_access deny blacklist
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#change below 10.0.1.0/24 to what matches your LAN IP address space
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr dante@new-order.org
cache_effective_user squid
visible_hostname neptun.new-order.org
cachemgr_passwd secret all
coredump_dir /var/squid/coredump
######CONFIG END

If you want to know what every line does , you can read the documentation on http://www.squid-cache.org/

Now all you have to do is to redirect the http traffic trough your proxy server. Since I’m using pf ( OpenBSD’s packed filter ) here is how I did it :

vi /etc/pf.conf

and I’ve added the following lines :

#squid transparent
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

#### Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

Now all you need to do is restart your firewall and start squid :

/etc/rc.d/pf reload

/usr/local/etc/rc.d/squid start

Congratulations , now you have a transparent proxy server. Further more you can filter sites like this by following the next steps :

- Add the following line to /usr/local/etc/squid/squid.conf

acl porn url_regex “/usr/local/etc/squid/porn.txt”

acl notporn url_regex “/usr/local/etc/squid/notporn.txt”

http_access allow notporn

http_access deny porn

Now create the files porn.txt and notporn.txt

touch /usr/local/etc/squid/notporn.txt

touch /usr/local/etc/squid/porn.txt

In porn.txt add the words that you want to filter ( sex , fuck , anal etc ), one each line and on notporn.txt inserd words like analytics , analysis etc.

You may receive complains about “non-porn” sits not working. No problem just add the words to noporn.txt and restart squid.

/usr/local/etc/rc.d/squid restart

Enjoy!

Be Sociable, Share!

4 Comments

SandersAugust 10th, 2007 at 12:17 am

How about Linux ? Do you have a iptables example for the http redirect ?

danteAugust 10th, 2007 at 11:02 pm

Hello,

I don’t have root acces on a linux box to test but I’ve read the iptables manual and I think it would be something like this :

iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to 192.168.0.1:3128

God luck ! :-)

[...] few months ago I posted a tutorial explaining how to make a transparent proxy using squid and pf. In the mean time (because of the [...]

Transparent proxy : squid + havp + clamav | Csatpk! CS & IT One stop SolutionsAugust 15th, 2009 at 4:10 pm

[...] proxy : squid + havp + clamav Easy AdSense by UnrealA few months ago I posted a tutorial explaining how to make a transparent proxy using squid and pf. In the mean time (because of the [...]

Leave a comment

You must be logged in to post a comment.