Friday, March 19, 2010

Misc 6

(This uses the topology found in Misc 3)
Now I'm going to touch on Squid. Squid is an HTTP proxy server that by default listens on port 3128. Since it's an HTTP proxy, I'll walk you through changing that to the more common 8080, setting access permissions, and doing some router configuration to make sure that users must connect through the proxy.

First of all, do a basic installation of squid:
apt-get install squid

The good thing about squid is that it has only one configuration file. The bad thing is that everything is crammed into that one file. We first need to change the port to 8080. The configuration file is located at:
/etc/squid/squid.conf

The keyword to look for here is http_port. Press F6 and search for "TAG: http_port". There should be a line that looks like "http_port 3128" (Squid directives take no equals sign). Modify it so it reads:
http_port 8080

By default no traffic is allowed through the proxy, so we have to define explicitly what is allowed. We'll start with a simple permit for our 1.1.1.0/24 network. Look for the localnet access-list declarations in the acl section and add the 1.1.1.0/24 network above the first one, as shown:
acl localnet src 1.1.1.0/24

Next, scroll down and look for the following line and uncomment it:
http_access allow localnet

It should be above "http_access allow localhost". Squid evaluates http_access rules top-down and the first match wins, so the order of these lines matters. Restart squid right after this and you'll have a fully functional HTTP proxy at your disposal. Use the http_access directive to specify which conditions are allowed or denied; check the "TAG: acl" section for the ACL syntax.
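Because http_access is first-match, a misplaced "deny all" silently blocks the localnet permit. The following added example (not from the original post) parses a small, constructed squid.conf fragment using the directives above and emulates Squid's first-match evaluation for src ACLs, so you can check which client addresses a given rule order would admit before restarting the daemon.

```python
import ipaddress

# Constructed squid.conf fragment mirroring the edits described above
SAMPLE_CONF = """
http_port 8080
acl localnet src 1.1.1.0/24
acl localhost src 127.0.0.1/32
acl all src all
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse_squid_conf(text):
    """Return (http_port, src_acls, http_access_rules).
    Only 'src' ACLs are understood; other ACL types are ignored."""
    port, acls, rules = None, {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "http_port":
            port = int(parts[1].rsplit(":", 1)[-1])  # accept "8080" or "ip:8080"
        elif parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for arg in parts[3:]:
                nets.append(None if arg == "all"
                            else ipaddress.ip_network(arg, strict=False))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))  # (allow|deny, [acl names])
    return port, acls, rules

def client_allowed(client_ip, acls, rules):
    """Emulate Squid's first-match http_access evaluation for src ACLs."""
    ip = ipaddress.ip_address(client_ip)

    def acl_match(name):
        nets = acls.get(name)
        if nets is None:
            return False  # unknown or non-src ACL: treat as no match
        return any(n is None or ip in n for n in nets)

    for action, names in rules:
        # every ACL on the line must match; a leading '!' negates it
        if all(acl_match(n.lstrip("!")) != n.startswith("!") for n in names):
            return action == "allow"
    # No rule matched: Squid applies the opposite of the last rule's action
    return rules[-1][0] != "allow" if rules else False
```

Swap the "allow localnet" and "deny all" lines in the sample and the 1.1.1.0/24 clients are refused, which is exactly the ordering mistake the post warns about.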

If you are in an environment similar to Temasek Polytechnic, where internet access itself goes through a proxy, and you want your squid to reach the real internet, you'll need to configure your squid proxy to forward to that upstream proxy. In Squid's terms, a proxy hierarchically above your system is a parent cache peer, while one hierarchically equal or lower is a sibling.

Suppose we wish to point to Temasek Polytechnic's proxy.tp.edu.sg:80 proxy. Browse to the "TAG: cache_peer" section and add the following in:
cache_peer proxy.tp.edu.sg parent 80 80 proxy-only default

Next, you'll need to tell Squid never to connect to origin servers directly, so that everything goes via the parent. To do this, browse to the "TAG: never_direct" section and add in:
never_direct allow all

Finally, you'll want to allow only your proxy server (1.1.1.2 here) out through the router. To do this, use the following commands (a standard ACL matches on source address only, so no protocol keyword is given):
enable
configure terminal
ip access-list standard PROXY
 permit host 1.1.1.2
interface FastEthernet0/0
 ip access-group PROXY out
end

This makes it so that only requests from the proxy are let through; the implicit deny at the end of the access-list drops everything else. This is very strict but is a sensible default starting point. Such proxy access-lists are usually deployed on the final router at the edge of your network perimeter. If anything breaks, just add the hosts that need direct access to the PROXY access-list.
