Debian Firewalls -- Proxy
 
    Proxies can fulfill several different functions on network gateways. Two of the most popular uses are increasing speed, and increasing security and control. A proxy acts as a "middle man" between the client PC and the internet server. When a client requests a connection to a source outside the gateway, it sends the request to the proxy. The proxy examines the request and forwards it to the server. The proxy then receives the response and performs the appropriate actions before passing it on to the original host. A caching proxy will store the data, allowing it to be retrieved very quickly the next time it is requested. A security-based proxy will examine the outgoing and incoming traffic for malevolent data and either block it or sanitize it.

   One of the most popular Linux proxy programs is Squid (http://www.squid-cache.org). We'll be using this as our caching proxy. Later, we'll check out Privoxy (http://www.privoxy.org), which is a lighter solution designed to act as a security proxy.

   System Requirements Notice: Toward the beginning of the tutorial series we noted how well a small obsolete computer can run a Linux gateway. While it remains true that a proxy will technically run fine on any small system, proxies often demand larger systems to really perform well. A caching proxy needs a lot of disk space to effectively store all the data that it requests from the internet. Any proxy needs RAM and processing power to parse all that data mid-stream. So if you really want to benefit from a proxy, you'll want bigger hard disks, more RAM, and faster processing than a bare-bones router. How much you need is ultimately up to you and how you plan on using your new proxy.

   First, we install Squid:

Firewall:~# apt-get install squid

Alternative Alert! - Squid
Proxying is anything but a small field, so of course there are a lot of alternatives. I personally recommend checking out Privoxy (covered below) if you're looking for security rather than caching. In both fields, there are plenty of alternatives.
 
   Our configuration file for this daemon is /etc/squid/squid.conf

Firewall:~# nano -w /etc/squid/squid.conf

   As with a lot of our services, proxies are powerful tools, so there's lots you can configure. As always, I recommend reading the configuration, and in this case check out the FAQ on the Squid website as well.

   In this case, we're just going to change the listening interface and port. By default Squid listens on all its interfaces, on port 3128. We're going to change this to listen on only the internal interface, on the standard proxy port of 8080. To do this, uncomment and change the http_port parameter.

http_port 192.168.1.1:8080

   Squid supports a lot of authentication options and access control lists (ACLs). These are important when your proxy is exposed to untrusted clients. For this example, we'll be running only on our trusted home network, so there's no need to restrict access. By default, Squid only accepts connections from the local machine. To change this, we have to tell it to accept all connections from local IP addresses:

   Find this line in the configuration:

acl localhost src 127.0.0.1/255.255.255.255

   and change it to this:

acl localhost src 192.168.1.0/255.255.255.0

   This will allow any client on the 192.168.1.0 network to access the proxy. Only do this if you trust all your local machines. If you do not, read the comments and adjust the ACL to restrict access to certain machines only! Note that the ACL is still named localhost but now matches the whole LAN, so every other http_access rule in the file that refers to localhost (such as the cache manager rule in the default file) now applies to every LAN host as well; the http_port binding above is what keeps the proxy off the external interface, so don't loosen it.

   That's all we need. Save the file and exit, then run:

Firewall:~# /etc/init.d/squid restart

   Now all you have to do is change the proxy settings for the web browser on your PC. Change the HTTP proxy host to 192.168.1.1, and the port to 8080 (assuming you changed it as we did above). The next time you request a website, the browser will query the proxy rather than the website itself. If the process fails, check the log files in /var/log/squid/ (any errors should be printed there).

Alternative Alert! - HTTP Proxy
We just configured a passive proxy: you have to manually configure each web browser to access it. Squid can also be configured as a transparent proxy. Transparent proxies run on the standard HTTP port (80) and intercept all traffic to the web, without needing the browser to be specially configured. Transparent proxying is out of the scope of this article, but if you read the configuration files you can probably figure it out fairly easily.
 
 

   Now that we've covered content caching, let's take a quick look at privacy proxying with Privoxy. Keep in mind these are totally separate solutions and you can choose to implement one, both, or none, depending on your needs.

Firewall:~# apt-get install privoxy

   Privoxy uses several configuration files in /etc/privoxy and you should explore all of them. /etc/privoxy/config provides the general program options. Open this file, and change listen-address to the address of your LAN interface:

listen-address 192.168.1.1:8118

   Now restart Privoxy:

Firewall:~# /etc/init.d/privoxy restart

   This is all you need for the base configuration. Direct your browser to the new proxy port (8118) and Privoxy will kick in. Privoxy is configured to protect your browsing privacy in several ways by default, including filtering certain fields out of your HTTP requests and blocking unwanted data from some much-maligned advertising websites. For full details, check out the config files and http://www.privoxy.org. Of course, all of this is highly customizable. Check out the filters and customize them to meet your needs. Privoxy also has a cool web-based administration interface should you choose to enable it.
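   As an added check that is not part of this tutorial, the following POSIX shell script audits the settings changed on this page, Squid's http_port and source ACLs and Privoxy's listen-address, to confirm both proxies are bound to the LAN interface only and that Squid grants no access to an all-addresses ACL. The two config files it reads are constructed stand-ins for /etc/squid/squid.conf and /etc/privoxy/config, and the LAN address 192.168.1.1 and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added audit script, not from the tutorial: checks that Squid and Privoxy bind to the
# LAN interface only and that Squid grants no http_access to an all-addresses ACL.
# The two files below are constructed stand-ins for /etc/squid/squid.conf and
# /etc/privoxy/config, holding the values this tutorial sets.
SQUID_CONF=$(mktemp); PRIVOXY_CONF=$(mktemp)
cat > "$SQUID_CONF" <<'EOF'
# http_port 3128
http_port 192.168.1.1:8080
acl localhost src 192.168.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow localhost
http_access deny all
EOF
cat > "$PRIVOXY_CONF" <<'EOF'
#listen-address 127.0.0.1:8118
listen-address 192.168.1.1:8118
EOF
# bound_to_lan FILE DIRECTIVE LAN_IP: succeeds only if every active DIRECTIVE line binds
# to LAN_IP:port. A bare port or another address (0.0.0.0, the WAN IP) means the proxy
# also answers on the external interface.
bound_to_lan() {
    file=$1; directive=$2; lan_ip=$3; found=0
    while read -r key value rest; do
        [ "$key" = "$directive" ] || continue   # commented-out and unrelated lines are skipped
        found=1
        case "$value" in "$lan_ip":*) ;; *) return 1 ;; esac
    done < "$file"
    [ "$found" -eq 1 ]
}
# squid_open_to_all FILE: succeeds if an "acl NAME src" covering every address
# (0.0.0.0/... or all) is granted by an "http_access allow NAME" line.
squid_open_to_all() {
    file=$1
    while read -r key name type value rest; do
        [ "$key" = "acl" ] && [ "$type" = "src" ] || continue
        case "$value" in 0.0.0.0/*|all)
            grep -Eq "^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+$name([[:space:]]|$)" "$file" && return 0 ;;
        esac
    done < "$file"
    return 1
}
audit() {   # prints one verdict per check; the functions above carry the exit codes
    bound_to_lan "$SQUID_CONF" http_port 192.168.1.1 && echo "squid: LAN only" || echo "squid: WARNING reachable on other interfaces"
    bound_to_lan "$PRIVOXY_CONF" listen-address 192.168.1.1 && echo "privoxy: LAN only" || echo "privoxy: WARNING reachable on other interfaces"
    squid_open_to_all "$SQUID_CONF" && echo "squid: WARNING allows every source" || echo "squid: access limited to the listed ACLs"
}
audit
```

Point the two variables at the real files on the gateway to run the same checks against your own configuration.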

Proceed to Step 12 - Dynamic DNS
 
Copyright © 2006 Matt LaPlante. All rights reserved.