Previously I posted about installing a proxy server with squid3 on Ubuntu Server 12.04; in this post I'll show how to set up and configure squid3 as a transparent proxy. By running squid3 as a transparent proxy you no longer need to configure every machine on your network to use the Squid proxy server manually: all web traffic is routed to the Squid listening port automatically, and your Ubuntu server acts as the router.
Follow this guide to set up a transparent proxy server with Squid3 on Ubuntu Server 12.04 LTS.
Step 1. Make sure squid3 is installed correctly on the Ubuntu server; you can find the squid3 installation tutorial here.
Step 2. Configure the network interfaces with static IP addresses; in this case the proxy server uses two network cards.
sudo nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
post-up iptables-restore < /etc/iptables.up.rules
auto eth1
iface eth1 inet static
address 192.168.2.10
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
sudo chmod a-w /etc/squid3/squid.conf.original
Step 3. Edit the file /etc/squid3/squid.conf and add the word "transparent" to the "http_port 3128" line:
# NETWORK OPTIONS
# ---------------
#
http_port 3128 transparent
Change the IP address in the option "acl localnet src 192.168.1.0/24 # Your network here" to:
acl localnet src 192.168.2.0/24 # LAN Ip Address
Save and exit.
Step 4. Edit /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
Replace it with the configuration below:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Save and exit.
Step 5. Define the iptables rules for port forwarding by editing /etc/iptables.up.rules:
sudo nano /etc/iptables.up.rules
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.10:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
Save and exit.
Step 6. Edit /etc/rc.local and add this line at the end of the file:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
Step 7. Restart squid3 and networking:
sudo /etc/init.d/squid3 restart && sudo /etc/init.d/networking restart
On the client, set the IP address manually:
IP address: 192.168.2.11
Netmask: 255.255.255.0
Gateway: 192.168.2.10
DNS: 192.168.2.10 # or you can use Google DNS 8.8.8.8, 8.8.8.4
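As an added example (not part of the original post), here is a small Python audit of the Step 5 nat rules: it parses the iptables-restore file and reports rules that can never match because an earlier rule in the same chain already catches the same packets with a terminating target. It assumes every match option takes one value, which holds for the rules above.

```python
# Added example (not the post's code): audit the Step 5 nat table for rules
# that can never match because an earlier rule in the same chain matches the
# same (or a broader) set of packets and has a terminating target.
import shlex

# nat-table targets that end chain traversal for a matching packet.
TERMINATING = {"DNAT", "SNAT", "REDIRECT", "MASQUERADE", "ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Return (chain, match_pairs, target) for each '-A' line of an iptables-restore file.
    Assumes every match option takes one value (true for the rules above; '!' is not handled)."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue                          # skip *nat, COMMIT, blank lines
        chain, rest = toks[1], toks[2:]
        target = None
        if "-j" in rest:
            j = rest.index("-j")
            target, rest = rest[j + 1], rest[:j]  # target options after -j are ignored
        rules.append((chain, frozenset(zip(rest[0::2], rest[1::2])), target))
    return rules

def shadowed_rules(text):
    """Return (rule_index, chain, target, shadowing_index) for unreachable rules."""
    rules = parse_rules(text)
    found = []
    for i, (chain, match, target) in enumerate(rules):
        for k in range(i):
            pchain, pmatch, ptarget = rules[k]
            # An earlier rule whose match is a subset of ours catches everything we would.
            if pchain == chain and ptarget in TERMINATING and pmatch <= match:
                found.append((i, chain, target, k))
                break
    return found

# The nat rules from Step 5 (copied from the post above).
STEP5_RULES = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.10:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
```

Run against STEP5_RULES it reports the REDIRECT line as shadowed: the DNAT line before it already matches the same packets and sends them to 192.168.2.10:3128, so the second PREROUTING rule never fires.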
# nano /usr/local/etc/squid/squid.conf
Find the line containing bsex, then rewrite the Blockweb directives as follows:
#blockweb Monday-Friday, 08:00 - 17:00
acl time_block time M T W H F 08:00-17:00
#blockweb Saturday-Sunday, 08:00 - 14:00
acl time_block time A S 08:00-14:00
#blockweb additionally Saturday-Sunday, 18:10 - 21:10
acl time_block time A S 18:10-21:10
acl bsex url_regex "/usr/local/etc/squid/bsex.txt"
http_access deny bsex time_block
deny_info http://www.google.co.th bsex time_block
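As an added example (not part of the original post), this Python snippet models how Squid's "time" ACL lines above match: repeating the time_block name ORs the three entries, while "http_access deny bsex time_block" only denies when both ACLs match. The day letters follow squid.conf (S Sunday, M, T, W, H Thursday, F, A Saturday); the range check is assumed to be inclusive.

```python
# Added example (not the post's code): how Squid's "time" ACL lines above match.
from datetime import datetime, time

# squid.conf day letters mapped to Python's weekday() (Monday = 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

def parse_time_acl(line):
    """Parse 'acl NAME time [days] HH:MM-HH:MM' into (name, days, start, end)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "time":
        raise ValueError("not a time acl: " + line)
    name, days, start, end = parts[1], set(), time(0, 0), time(23, 59)
    for tok in parts[3:]:
        if "-" in tok and ":" in tok:          # HH:MM-HH:MM range
            a, b = tok.split("-")
            start = time(*map(int, a.split(":")))
            end = time(*map(int, b.split(":")))
        else:                                  # one or more day letters
            days.update(DAY_CODES[c] for c in tok)
    return name, days or set(range(7)), start, end

# The three time_block lines from the snippet above. Repeating an acl name
# ORs its entries: the ACL matches when any one line matches.
TIME_BLOCK = [parse_time_acl(l) for l in (
    "acl time_block time M T W H F 08:00-17:00",
    "acl time_block time A S 08:00-14:00",
    "acl time_block time A S 18:10-21:10",
)]

def time_block_matches(when):
    """True if the datetime (or ISO string) falls inside any time_block entry (range inclusive)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return any(when.weekday() in days and start <= when.time() <= end
               for _, days, start, end in TIME_BLOCK)

def blocked(url_matches_bsex, when):
    """'http_access deny bsex time_block' denies only when BOTH ACLs match,
    so a listed URL is still reachable outside the blocked hours."""
    return bool(url_matches_bsex) and time_block_matches(when)
```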
Posted on February 19, 2014 by adilmehmoodbutt
The Squid proxy server is an excellent solution to a variety of proxy and caching server needs, and scales from the branch office to enterprise-level networks while providing extensive, granular access control mechanisms and monitoring of critical parameters via the Simple Network Management Protocol (SNMP). When selecting a computer system for use as a dedicated Squid proxy or caching server, ensure your system is configured with a large amount of physical memory, as Squid maintains an in-memory cache for increased performance.
Log in to the Ubuntu server, then type the command below to install squid3 on Ubuntu 12.04:
sudo apt-get install squid3 ccze
Create a directory for the cache; in this case the cache directory is placed at /home/precise/cache/. Then change the cache directory's permissions to 777 and its owner to proxy:proxy:
sudo mkdir -p /home/precise/cache/
sudo chmod 777 /home/precise/cache/
sudo chown proxy:proxy /home/precise/cache/
Before editing the Squid configuration, make a backup of your /etc/squid3/squid.conf file for future reference. squid.conf has nearly all the options listed, and it is recommended to go through that file to learn more about Squid's options.
sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.origin
sudo chmod a-w /etc/squid3/squid.conf.origin
Now edit the /etc/squid3/squid.conf file: delete all the options in it and replace them with the squid3 configuration below.
sudo nano /etc/squid3/squid.conf
Squid3 configuration:
#
# ACCESS CONTROLS OPTIONS
# ====================
#
acl QUERY urlpath_regex -i cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ localhost
acl all src
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
#
http_access deny ym
http_access deny ymregex
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
http_access deny all
#
# NETWORK OPTIONS
# ---------------
#
http_port 3128
#
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ==============================
#
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
#
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ==================================
#
access_log /var/log/squid3/access.log
cache_log /cache/cache.log
#cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_icp_queries off
#
# OPTIONS FOR TUNING THE CACHE
# ========================
#
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
#
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
#
# HTTP OPTIONS
# ===========
vary_ignore_expire on
#
# ANONIMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
#
# ADMINISTRATIVE PARAMETERS
# =====================
#
cache_mgr ninja
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname ninja
#
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#
# DNS OPTIONS
# ==========
#
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
#
# MISCELLANEOUS
# ===========
#
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
#
#Marking ZPH
#==========
zph_mode tos
zph_local 0x04
zph_parent 0
zph_option 136
#
### END CONFIGURATION ###
Create the cache swap directories:
squid3 -z
Restart squid3:
sudo /etc/init.d/squid3 restart
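As an added example (not the post's own code), here is a small Python model of Squid's first-match http_access evaluation for the port, method and source ACLs in the configuration above; the domain and regex ACLs and the manager/purge lines are left out, and the method ACL is referred to as CONNECT, as the http_access line does. It shows why the "deny !safeports" and "deny CONNECT !sslports" lines must come before "allow localnet".

```python
# Added example (not the post's code): model of Squid first-match http_access.
import ipaddress
from collections import namedtuple

# ACL values copied from the configuration above.
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 563, 591, 631, 777, 901, 81, 3128}
SAFE_PORTS |= set(range(1025, 65536))
SSL_PORTS = {443, 563, 81, 2087, 10000}
LOCALNET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# src = client IP, method = HTTP method (e.g. GET, CONNECT), port = destination port
Request = namedtuple("Request", "src method port")

def acl(name, req):
    """Evaluate one named ACL; a leading '!' negates it, as in squid.conf."""
    if name.startswith("!"):
        return not acl(name[1:], req)
    if name == "safeports":
        return req.port in SAFE_PORTS
    if name == "sslports":
        return req.port in SSL_PORTS
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "localhost":
        return req.src == "127.0.0.1"
    if name == "localnet":
        return any(ipaddress.ip_address(req.src) in net for net in LOCALNET)
    if name == "all":
        return True
    raise KeyError(name)

# http_access lines from the configuration, in order (manager, purge and the
# Yahoo Messenger lines omitted). Squid acts on the first line where every
# listed ACL matches, so the deny lines have to precede "allow localnet".
HTTP_ACCESS = [
    ("deny", ["!safeports"]),
    ("deny", ["CONNECT", "!sslports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

def http_access(req):
    """Return 'allow' or 'deny' for a request, Squid first-match style."""
    for action, acls in HTTP_ACCESS:
        if all(acl(a, req) for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```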
Thanks.