How to Install and Configure Transparent Squid 2.7 on Ubuntu

Summary: Install Transparent Squid 2.7 on Ubuntu Server to surf the Internet and log the data from Network Users.

I have installed and configured Squid 2.7 transparently on Ubuntu 10.04 server successfully.

Following this tutorial step by step will lead you to a successful installation and configuration of a transparent proxy server.

Step-1. Open up your shell and type this command:
sudo apt-get install squid squid-common

Step-2. Create the Squid swap directories
#/usr/local/squid/sbin/squid -z

Step-3. Configure Squid Cache Proxy as a Transparent Proxy
To configure the Squid proxy as a transparent proxy you need to edit squid.conf:
sudo vim /etc/squid/squid.conf

The active directives in /etc/squid/squid.conf (comments and blank lines stripped) should look as follows:
$ cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
acl all src all
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl localnet src
acl blockedsites dstdomain "/etc/squid/blocked.sites.acl"
acl purge method PURGE
http_access deny blockedsites
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
hosts_file /etc/hosts
coredump_dir /var/spool/squid

Step-4: Set the correct permissions.
sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf

Step-5: You will need to restart Squid for the changes to take effect.
sudo /etc/init.d/squid restart

Step-6: Start, Stop & Restarting Squid
Start Squid:
#/usr/local/squid/sbin/squid

Stop Squid:
#/usr/local/squid/sbin/squid -k shutdown

Options available:
-k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
    Parse configuration file, then send signal to
    running copy (except -k parse) and exit.

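Step-7: Specifying Cache Size
The cache size is specified with the cache_dir directive in squid.conf. The fields are the storage type, the cache directory, the size in MB, and the number of first-level and second-level subdirectories:
cache_dir ufs /usr/local/squid/cache 100 16 256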

Step-8: Redirect all HTTP traffic. If you would like to redirect all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications, you will need to add some rules to the nat table section of the firewall rules file:
vim /etc/iptables.up.rules
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Step-9: See access log file /var/log/squid/access.log:

tail -f /var/log/squid/access.log
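
Since the point of this setup is to log what network users request, here is an added example (not part of the original tutorial) that parses Squid's native access.log format and counts requests, bytes and TCP_DENIED hits per client. The log lines, addresses and domains are constructed samples.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1285000000.123    250 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.5 text/html
1285000001.456      3 192.0.2.10 TCP_DENIED/403 1450 GET http://blocked.example/ - NONE/- text/html
1285000002.789     12 192.0.2.11 TCP_HIT/200 20480 GET http://example.com/logo.png - NONE/- image/png
1285000003.000      2 192.0.2.10 TCP_DENIED/403 1450 GET http://blocked.example/a - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    try:
        return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
                "code": code, "status": int(status), "bytes": int(f[4]),
                "method": f[5], "url": f[6]}
    except ValueError:
        return None

def summarize(text):
    """Per-client request, byte and denied counts; malformed lines are counted."""
    requests, traffic, denied, skipped = Counter(), Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        requests[rec["client"]] += 1
        traffic[rec["client"]] += rec["bytes"]
        if rec["code"] == "TCP_DENIED":  # request refused by an http_access rule
            denied[rec["client"]] += 1
    return {"requests": dict(requests), "bytes": dict(traffic),
            "denied": dict(denied), "skipped": skipped}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

To run it on the real log, pass the contents of /var/log/squid/access.log to summarize() instead of SAMPLE_LOG.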

Step-10: Test-run your Squid. Type this command in your terminal (-N: do not run as a daemon, -C: do not catch fatal signals, -d1: also write level-1 debug output to stderr):
/usr/sbin/squid -NCd1

Step-11: Check Squid Status
To check whether squid is running the following command could be used.
#/usr/local/squid/sbin/squid -k check

Step-11: Limiting Bandwidth
Configuring Squid with delay pools:
To enable the delay pools option, compile Squid with --enable-delay-pools, then add:
acl tech src
acl no_hotmail url_regex -i hotmail
acl all src
delay_pools 1 #Number of delay_pool 1
delay_class 1 1 #pool 1 is a delay_class 1
delay_parameters 1 100/100
delay_access 1 allow no_hotmail !tech

In the above example, requests for hotmail URLs are limited to the rate set in delay_parameters for the pool. IPs in the ACL tech keep the normal bandwidth. You can see the bandwidth usage through cachemgr.cgi.

Step-12: Configuring Squid for SMB
SMB auth module:
smb_auth is a proxy authentication module. With smb_auth we can authenticate proxy users against an SMB server like Windows NT or Samba.

Adding smb_auth in squid.conf:
To turn on SMB authentication, edit some directives in squid.conf.
auth_param basic program /usr/local/squid/bin/smb_auth -W domain -S /share/path/to/proxyauth
This tells Squid where to find the authenticator (Squid 2.5 and later use auth_param; authenticate_program is the directive name from Squid 2.4 and earlier). Next we have to create an ACL.
ACL configuration for smb_auth:
acl domainusers proxy_auth REQUIRED
http_access allow domainusers
http_access deny all

Step-13: Filtering a website
Websites can be filtered with an ACL (Access Control List). Here is an example of denying a group of IP addresses access to a specific domain.
acl block_ips src
acl block_domain dstdomain
http_access deny block_ips block_domain
http_access allow all

Step-14: Filter a particular port
Filtering a particular port could be done in ACL as follows
acl block_port port 3456
http_access deny block_port
http_access allow all

Step-15: Denying or allowing users
Access to websites can be denied during a particular time window as follows.
To restrict a client at a given source IP from accessing a particular domain during 10am-6pm on Monday:
acl names src
acl site dstdomain
acl acltime time M 10:00-18:00
http_access deny names site acltime
http_access allow all
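
The snippets in Steps 13 to 15 all end with http_access allow all, while the squid.conf in Step-3 ends with http_access deny all. The following added example (not part of the original tutorial) models Squid's first-match http_access evaluation for src and dstdomain ACLs to show what that last line does for a client outside the LAN; the addresses and domain are constructed placeholders for the values missing above.

```python
import ipaddress

# Constructed values: the page's Step-13 rules with documentation addresses
# (192.0.2.0/24 as the LAN, .blocked.example as the domain) filled in.
STEP13 = """
acl all src all
acl block_ips src 192.0.2.0/24
acl block_domain dstdomain .blocked.example
http_access deny block_ips block_domain
http_access allow all
"""
# Same deny rule, but ending the way the Step-3 squid.conf does.
RESTRICTED = """
acl all src all
acl localnet src 192.0.2.0/24
acl block_domain dstdomain .blocked.example
http_access deny localnet block_domain
http_access allow localnet
http_access deny all
"""

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, client, host):
    """An ACL matches when any one of its values matches (logical OR)."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(client)
        return any(v == "all" or ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot also covers subdomains
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, client, host):
    """First rule whose ACLs all match wins; '!' negates an ACL."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), client, host) != n.startswith("!")
               for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"
```

With STEP13, decide() returns "allow" for a client at 203.0.113.50, so the proxy serves any address that can reach it; with RESTRICTED the same request is denied while LAN clients keep access to everything except the blocked domain.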

Just Enjoy the world with magic!!!
