HPE Community
Operating System - Linux
1827158 Members
2107 Online
109716 Solutions
New Discussion

Re: squid server configuration

 
SOLVED
Go to solution
K.C. Chan
Trusted Contributor

‎10-30-2003 09:35 AM

‎10-30-2003 09:35 AM

squid server configuration

All,
I am running "squid-2.4.STABLE6-6.7.3" on redhat-7.3. Let say I wan users to go to "proxy.com", which in turns query our internal web server (abc.com) for pages and caches the web pages if necessary. Part of this is done. But when I check the access log file, I see people using our "proxy.com" to get to other websites. How do lock this down so that people can still point their url to proxy.com but not able to set their browser setting to use "proxy.com" as their proxy server? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
10 REPLIES 10
Stuart Browne
Honored Contributor

‎10-30-2003 09:54 AM

‎10-30-2003 09:54 AM

Re: squid server configuration

If you want them to force users to use a local proxy, then you'll need firewall rules.

Basically, redirect anything for a remote port (3128, or 8080, whatever you use for your cache) to your local cache instead.

You might also want to implement transparent proxying to make the whole suite complete.
One long-haired git at your service...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎10-30-2003 09:58 AM

‎10-30-2003 09:58 AM

Re: squid server configuration

I personally stopped using proxy.

iptables can provide a stateless firewall eliminating the need to have a proxy. It has some logging features as well if thats why you use it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
K.C. Chan
Trusted Contributor

‎10-30-2003 12:06 PM

‎10-30-2003 12:06 PM

Re: squid server configuration

Ok, I think I got this figured out, I used iptables on the squid server to allow outgoing traffic only to the internal webserver. This seems to work, I will check the access log later to find out if there are any footprint besides our internal web server.

FYI, I need to use squid for it's caching capabilities and reverse proxy. If any have any better suggestions or utils, please reference docs, I would like to learn more about it.

Now I need squid to cache a url or a domain, any idea? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Murat SULUHAN
Honored Contributor

‎10-31-2003 12:20 AM

‎10-31-2003 12:20 AM

Re: squid server configuration

Hi

drop your connections from your trusted network to the internet, and try the squid redirector module

http://squirm.foote.com.au/

Best Regards
Murat
Murat Suluhan
0 Kudos
Reply
Jerome Henry
Honored Contributor

‎10-31-2003 02:07 AM

‎10-31-2003 02:07 AM

Re: squid server configuration

Hi,

If you want to cache some domains outside your company :
http://squid-docs.sourceforge.net/latest/book-full.html#AEN2075
Read this, it's about caching concepts and hierarchy.

If you want to cache your own server to sped the outside world browsing, then you need accelerator mode, which is also caching somehow :
http://squid-docs.sourceforge.net/latest/book-full.html#AEN2416

hth

J
You can lean only on what resists you...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

‎10-31-2003 03:44 AM

‎10-31-2003 03:44 AM

Re: squid server configuration

Yes, I want to cache my own server to speed up access from the outside world. I have two server, one is running squid and the other is serving up my web page. Both are NATED, but the squid server can be access from outside via port 80. The outside world can get at my web server via the squid server. Besides using iptables to control traffic, how could I only allow access to my web site(e.g "abc.com) via squid? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Jerome Henry
Honored Contributor

‎10-31-2003 04:17 AM

‎10-31-2003 04:17 AM

Re: squid server configuration

OK,
Say your we server is 10.0.0.1, your squid cache (accelerator) 10.0.0.2.
In squid.conf, you'll have :
httpd_accel_host 10.0.0.1
httpd_accel_port 80
If you use another port than port 80, replace 80 by the port used on your Web server.
Then, if you also want your proxy to act like a cache for the Internet content for the LAN, then add :
httpd_accel_with_proxy on
(if Squid just acts like an accelerator, forget about this line).

It should work...

J
You can lean only on what resists you...
0 Kudos
Reply
K.C. Chan
Trusted Contributor

‎10-31-2003 05:28 AM

‎10-31-2003 05:28 AM

Re: squid server configuration

Jerome, that's what I have done, but with this value set as well, http_port=80. All is working, but I noticed some scrupulous character is using the squid proxy to go to other website. I had shut them down via iptables. But I want to know if squid can do this, maybe block all web traffic going to all websites accept our webserver.

On another note, is there a way to check if it is caching properly and how do I make sure it is caching the right web pages? Is there a config parameter which I should be setting? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
Jerome Henry
Honored Contributor

‎10-31-2003 06:39 AM

‎10-31-2003 06:39 AM

Solution

Re: squid server configuration

Hi,

As for your last questions :

"maybe block all web traffic going to all websites accept our webserver" : yes, you can do that.
Define first an ACL, being kind of :
ACL all dst 0.0.0.0/0.0.0.0
ACL myserver dst 10.0.0.1/255.255.255.255
http_access allow myserver
http_access deny all

Thus, you allow destination to your webserver, and deny to any other machine. Of course, this example has to be modified according to your network complete config.


"with this value set as well, http_port=80" : yes, you use this to set up Squid to work on that port... 100% correct.

"is there a way to check if it is caching properly and how do I make sure it is caching the right web pages". Yes, there are many ways. One easy method is to look in your cache directory and check for the files (date, file list and so on).
You can also tail -f access.log in squid log directory, you'll have last connections, to which pages, and so on, it'll let you monitor it online. What I like to do is tail -f access.log > tty11, then Ctrl+Alt+F12 to switch at any time to the live log details...

hth

J

You can lean only on what resists you...
Reply
K.C. Chan
Trusted Contributor

‎10-31-2003 02:14 PM

‎10-31-2003 02:14 PM

Re: squid server configuration

Jerome,
that ACL seems to help, I took iptables offline and so far the web traffic foot print looks great. I've checked the access.log file, I see some TCP_MISS and TCP_HIT, I take it the TCP_MISS are those pages that are not cache. How should I go about and make sure these get cache as well. What squid param should I be looking into? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.