Thursday, July 3, 2008

Fedora 9: Transparent Proxy with Squid HowTo

One of the tasks we face from time to time in our work is setting up a production proxy server. A proxy can be implemented in several ways to reach the same goal; one of the best bets for this kind of setup is the Squid software on Linux, and running it transparently brings additional administration benefits.

With a typical configuration, Squid improves users' browsing experience while saving on average 20% to 30% of your internet bandwidth usage. Squid can be configured to filter websites and users, to require authentication, to tune its memory and disk cache, and so on; it offers a wide variety of settings to suit one's needs.

Setting up a transparent proxy with Squid under Fedora 9.

Basic Transparent Proxy via Squid Requirements:

1. An existing Fedora 9 installation as the Linux OS.

2. A server platform.

This proxy setup suits a server with two network interface cards (NICs). One ethernet interface faces the internet and the other faces the proxy clients. A typical IP address assignment looks like this:

eth0: LIVE or PUBLIC IP addresses ( 83.83.83.83 as an example )

eth1: private IP address ( 192.168.1.1 as an example proxy gateway IP address)

3. Proxy clients.

Proxy clients are the desktop systems that need to browse the internet using the proxy server as their gateway IP address. Most likely, their assigned IP addresses would be in the range 192.168.1.2 to 192.168.1.254. That gives 253 IP addresses for up to 253 proxy client hosts.

Squid Installation and Configuration Steps

1. On Fedora, install the squid package with yum. As root:

# yum -y install squid

2. Backup and edit /etc/squid/squid.conf. Modify major squid directives shown below:

The "transparent" option after the port number runs Squid in transparent mode. Without a bind address Squid listens on port 3128 on every interface, so if only LAN clients should reach it, write http_port 192.168.1.1:3128 transparent instead (and drop the eth0 redirect rule in the iptables section below), or block inbound port 3128 on eth0 in the iptables filter table.

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

Keep the cache memory and cache object directives proportioned to the server's memory capacity so Squid does not eat up all of the available RAM. Most Squid tuning is done progressively on the production system, because Squid was built as a flexible and configurable proxy server that can be adapted to almost anyone's need for a good transparent proxy.

cache_mem 512 MB
maximum_object_size  32768 KB
maximum_object_size_in_memory 512 KB
ipcache_size 1024
dns_children 10

Below is the cache directory directive, using 1GB as disk swap space. Simply avoid giving it the server's total disk capacity. The remaining two numbers (64 and 1024) set the first-level and second-level swap directory layout under /var/spool/squid.

cache_dir ufs /var/spool/squid 1000 64 1024

Now for log formats and log file locations. Note that the access_log line selects Squid's native "squid" log format; the "combined" format defined on the logformat line is only used if you name it on the access_log line in place of squid.

logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

Explicit specification of the number of URL rewriter children Squid spawns. If you raise the value too much, they will eat up your RAM too; if you set it too low while demand is high, Squid builds up a backlog of URLs waiting to be rewritten. The right value depends on your hardware memory capacity and resource limits; it is a trade-off. This directive only has an effect when a url_rewrite_program is also configured.

url_rewrite_children 400

And for some default squid directives

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               700     20%     4320
quick_abort_min 0 KB
quick_abort_max 16 KB
connect_timeout 3 minute
peer_connect_timeout 180 seconds
read_timeout 8 minutes
persistent_request_timeout 3 minute

Now we arrive at the Squid access lists. This is where you name the hosts or groups of hosts that access rules later permit or deny. Explicit specification is done with an IP address and mask, as you can see below:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

The IP address facing the internet is included here because we assume Squid is bound to all available (2) ethernet interfaces. Unless you need your public IP to serve proxy requests, you can remove it from the lines below. If you wish to serve the transparent proxy on both ethernet interfaces, you need to specify both access lists, as shown below:

acl eth0-IP src 83.83.83.83/255.255.255.255

Let us grant access to the internal LAN and local proxy clients:

acl local-LAN  src 192.168.1.0/255.255.255.0

If you wish to allow another host with a public IP address, follow the same format:

acl another-IP src 83.83.83.100/255.255.255.255

Remember to change those IP addresses; the ones shown above are examples only.

The remaining ACL directives follow the defaults; customize them to your needs. Keep the default Safe_ports definition in place, because the http_access deny !Safe_ports rule further down references it and Squid refuses to start when an access rule names an ACL that is not defined.

acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT

Finally, this is where you specify the access rules that permit or deny proxy clients. Rules are evaluated in order, so the allow rules come first and the final deny all catches everything else.

Below, we allow requests arriving from the public interface address:

http_access allow eth0-IP

And we allow the internal proxy clients and local IP addresses:

http_access allow local-LAN

Optionally, as in the example above, we allow the other host with a public IP address assignment:

http_access allow another-IP

Some default squid directives again.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow all
icp_access allow all

And deny all other proxy requests:

http_access deny all

store_avg_object_size 100 KB
coredump_dir /var/spool/squid
ie_refresh on
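A mistake that is easy to make when copying the blocks above into squid.conf is to reference an ACL (such as Safe_ports) that no acl line defines, which stops Squid from starting on the next restart. The following Python checker is an added example, not part of the original howto; it parses a squid.conf text, collects the ACL names used by access rules, and reports any that are never defined. The sample configuration embedded in it is constructed from the ACL and http_access lines of this page with the Safe_ports definition left out.

```python
"""Flag ACL names used by Squid access rules that no 'acl' line defines."""

# Directives whose arguments (after allow/deny) are ACL names, possibly negated with '!'.
ACL_USING_DIRECTIVES = {"http_access", "http_reply_access", "icp_access", "cache",
                        "broken_vary_encoding", "always_direct", "never_direct"}

# Constructed sample: the ACL and http_access lines from this howto, with the
# default Safe_ports definition left out, as happens when a block is copied verbatim.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl eth0-IP src 83.83.83.83/255.255.255.255
acl local-LAN  src 192.168.1.0/255.255.255.0
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow eth0-IP
http_access allow local-LAN
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

def parse_acls(conf_text):
    """Return (defined names, {referenced name: first line number that uses it})."""
    defined, referenced = set(), {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 3:
            continue
        if parts[0] == "acl":
            defined.add(parts[1])
        elif parts[0] in ACL_USING_DIRECTIVES:
            for name in parts[2:]:             # parts[1] is allow/deny
                referenced.setdefault(name.lstrip("!"), lineno)
    return defined, referenced

def undefined_acls(conf_text):
    """Map each referenced-but-undefined ACL name to the line that first uses it.
    Squid refuses to start on such a reference, so run this before a restart."""
    defined, referenced = parse_acls(conf_text)
    return {n: ln for n, ln in referenced.items() if n not in defined}
```

Run it on the real file with undefined_acls(open("/etc/squid/squid.conf").read()); an empty result means every referenced ACL is defined.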

The following factors can degrade or improve Squid proxy performance and efficiency:

1. Operating System and Squid configuration tweaks

2. Server platform resources:

a. available memory (RAM)

b. hard drive capacity and hard drive speed (rpms)

c. server processor and speed

3. Internet Service Provider (ISP)

Firewall Configuration via IPTables

As super user, simply issue

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

To load the kernel module that tracks clients' FTP sessions through NAT, simply issue

# modprobe ip_nat_ftp

Then save your iptables rules right away:

# service iptables save

Alternatively, save them with

# iptables-save > /etc/sysconfig/iptables

There are other ways to configure iptables, but the lines above are enough to redirect TCP port 80 packets to Squid's port on each interface. Your saved rules should look roughly like the listing below. Two things to note about it: the PREROUTING rules appear several times because the commands were issued more than once (duplicates are harmless but are best removed with iptables -t nat -D so the table stays readable), and the POSTROUTING SNAT rule for 192.168.1.0/24 out of eth0 is what lets the clients' non-port-80 traffic (HTTPS, DNS) reach the internet through the gateway, so add the matching rule if your listing lacks it.

# Generated by iptables-save v1.3.8 on Thu Jul  3 19:18:04 2008
*filter
:INPUT ACCEPT [111564:67913234]
:FORWARD ACCEPT [2552:1135900]
:OUTPUT ACCEPT [131780:85851525]
COMMIT
# Completed on Thu Jul  3 19:18:04 2008
# Generated by iptables-save v1.3.8 on Thu Jul  3 19:18:04 2008
*nat
:PREROUTING ACCEPT [5422:568562]
:POSTROUTING ACCEPT [3626:227109]
:OUTPUT ACCEPT [3509:221571]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 83.83.83.83:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 83.83.83.83
COMMIT
# Completed on Thu Jul  3 19:18:04 2008


To enable IP packet forwarding permanently, edit /etc/sysctl.conf and make sure the below line is present

net.ipv4.ip_forward = 1

Alternatively, to enable it temporarily, as root:

# echo 1 > /proc/sys/net/ipv4/ip_forward

If you rely on the latter command, add it to a startup script such as /etc/rc.local so it is re-applied after a reboot.

Then restart your network services

# service network restart

Desktop and Proxy Clients Configuration

Desktop and proxy clients need the following:

a. a local IP addresses,

b. a default gateway, and

c. a working DNS IP address(es)

Since we are implementing a transparent squid proxy, there is no need to further configure their internet proxy settings.

Squid Swap Space Creation

The cache swap directories need to be created. With the rpm installation this is done automatically when Squid is first started. To do it manually, create the initial Squid swap directories like so:

# squid -z

Starting Squid Daemon Service

# service squid start

To restart

# service squid restart

Starting IPTables Daemon Service

# service iptables start

To restart

# service iptables restart

Since we have edited /etc/sysctl.conf, restart the network service so the setting is applied (or apply it directly with sysctl -p):

# service network restart

Start Squid and Iptables Permanently Between Reboots

# chkconfig squid on

# chkconfig iptables on

Monitoring Squid Proxy Clients

# tail -f /var/log/squid/access.log

# tailf /var/log/squid/access.log | grep '192.168.1.100'
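Tailing and grepping the log works for a single client; for a quick picture of which clients are generating traffic, how much of it is served from cache, and who is being denied, the access.log can be summarized per client. The following Python script is an added example, not part of the original howto; it parses Squid's native "squid" log format (the one selected by the access_log line above) and aggregates per-client counters, and the log lines embedded in it are constructed samples.

```python
"""Summarize Squid's native access.log per client: requests, bytes, cache hits, denials."""
from collections import defaultdict

# Constructed sample lines in Squid's native "squid" log format. Fields: timestamp,
# elapsed ms, client IP, result/status, bytes, method, URL, ident, hierarchy/peer, type.
SAMPLE_LOG = """\
1215091234.567    120 192.168.1.100 TCP_MISS/200 4521 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1215091235.101      3 192.168.1.100 TCP_HIT/200 4521 GET http://www.example.com/ - NONE/- text/html
1215091240.002    850 192.168.1.101 TCP_MISS/200 31210 GET http://www.example.com/big.iso - DIRECT/203.0.113.10 application/octet-stream
1215091241.777     10 192.168.1.101 TCP_DENIED/403 1475 GET http://www.example.com/ - NONE/- text/html
1215091251.000      2 192.168.1.100 TCP_MEM_HIT/200 4521 GET http://www.example.com/ - NONE/- text/html
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    result, _, status = parts[3].partition("/")   # e.g. TCP_HIT/200
    return {"time": float(parts[0]), "elapsed_ms": int(parts[1]), "client": parts[2],
            "result": result, "status": int(status), "bytes": int(parts[4]),
            "method": parts[5], "url": parts[6]}

def summarize(log_text):
    """Per-client counters; TCP_*HIT* results count as cache hits."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "hits": 0, "hit_bytes": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if "HIT" in rec["result"]:
            s["hits"] += 1
            s["hit_bytes"] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            s["denied"] += 1
    return dict(stats)

def hit_byte_ratio(log_text):
    """Fraction of all bytes served from cache, i.e. the bandwidth actually saved."""
    stats = list(summarize(log_text).values())
    total = sum(s["bytes"] for s in stats)
    return sum(s["hit_bytes"] for s in stats) / total if total else 0.0
```

On a live server, call summarize(open("/var/log/squid/access.log").read()) and watch the denied counter: a client that suddenly accumulates TCP_DENIED entries is either misconfigured or probing the proxy.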

Squid Log Rotation

# vi /etc/logrotate.d/squid

Squid Run-Time Parameters and Other Options

# vi /etc/sysconfig/squid

Checking Squid Process PID

# ps axuw | grep squid

Counting Squid Spawned Children

# ps axuw | grep squid | wc -l

Using the configuration above as a base for a transparent proxy with Squid is a more convenient and effective approach, because there is no need to visit each desktop client to set its internet proxy settings. Additionally, Squid's cache of URLs and website objects makes browsing faster while saving internet bandwidth in the long run.

To read more Squid configuration examples, guides, and FAQs, visit the Squid website.
