Setting up squid as a transparent proxy

This guide is particularly aimed at novice owners of Linux servers at home, such as the one described in a guide on this blog.

A transparent web proxy caches web content without having to make any changes on the clients on the network. For a proxy to run transparently, it must be running on a Linux server that’s acting as your network gateway/firewall/router. If you have a standalone server on your LAN, you can still set up a non-transparent proxy, but this guide isn’t for you.

To get started, install squid:

[root@zeus ~]# yum install squid

Backup and edit the original squid config:

[root@zeus ~]# cp /etc/squid/squid.conf /etc/squid/squid.conf.old
[root@zeus ~]# vim /etc/squid/squid.conf

Erase all of the original contents and replace them with the blurb below.

The important lines are the cache_mem, cache_dir and maximum_object_size settings, and in my case:

  • I’ve asked squid to use 50MB of RAM for the cache…
  • …and 4096MB (4GB) of disk space. You can change the path if you want to use a different disk or even a memory card for low seek time.
  • I also raised the maximum object size from its small default to 40MB. (This is so it can cache updates from the Fedora repository – after the first PC on my LAN has updated, the rest can then fetch the same updates from the local cache at high speed.)

http_port 3128 transparent
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
hierarchy_stoplist cgi-bin ?
cache_mem 50 MB
maximum_object_size_in_memory 50 KB
cache_dir ufs /var/cache/squid 4096 256 256
maximum_object_size 40000 KB
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid

With the squid config in place, let’s start the service and set it to run on boot:

[root@zeus ~]# service squid start
[root@zeus ~]# chkconfig --level 2345 squid on

This is only half the problem though. Squid is running now, but no requests are being sent to it. So we need to tweak the firewall config to send passing web traffic through the squid server. Open /etc/sysconfig/iptables for editing and just before the line

-A POSTROUTING -o eth1 -j MASQUERADE

add this line:

-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
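If you would rather script that edit than do it by hand, the function below (an added example, not part of the original post) inserts the REDIRECT rule into an iptables-save style file directly before the MASQUERADE line, so it lands in the same *nat section, and leaves the file alone when the rule is already there. It assumes the interface names eth0 (LAN) and eth1 (WAN) used above; change them to match your gateway.

```shell
#!/bin/sh
# Added example: place the squid REDIRECT rule before the MASQUERADE rule in an
# iptables-save style file such as /etc/sysconfig/iptables, idempotently.
# Interface names (eth0 = LAN, eth1 = WAN) are assumed from the guide above.

REDIRECT_RULE='-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128'
MASQ_RULE='-A POSTROUTING -o eth1 -j MASQUERADE'

# insert_redirect_rule FILE
# Exit status 0 when FILE ends up holding exactly one copy of REDIRECT_RULE.
insert_redirect_rule() {
    file="$1"
    # "--" stops grep from reading the leading "-A" of the rule as an option.
    if grep -qxF -- "$REDIRECT_RULE" "$file"; then
        :   # already present; keep the file untouched
    elif grep -qxF -- "$MASQ_RULE" "$file"; then
        # Exact string comparison in awk avoids regex-escaping the rule text;
        # the redirect line is printed just before the matching MASQUERADE line.
        awk -v rule="$REDIRECT_RULE" -v masq="$MASQ_RULE" \
            '$0 == masq { print rule } { print }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        echo "no MASQUERADE rule in $file; is this the nat table file?" >&2
        return 1
    fi
    [ "$(grep -cxF -- "$REDIRECT_RULE" "$file")" -eq 1 ]
}

# Usage on the gateway (as root), followed by: service iptables restart
#   insert_redirect_rule /etc/sysconfig/iptables
```

Running it twice is safe: the second call finds the rule and changes nothing, which matters because a duplicated REDIRECT rule is harmless to traffic but makes the firewall file harder to audit. Because the match is on the exact MASQUERADE line, the function refuses to touch a file whose NAT section looks different from the one in this guide rather than guessing where the rule belongs.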

Restart your firewall…

[root@zeus ~]# service iptables restart

…and now all plain HTTP traffic from your clients should be passing through the transparent proxy. Only port 80 is redirected by that rule, so HTTPS connections go straight out and are neither cached nor logged by squid.
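To confirm the interception and the cache are actually doing their job, read /var/log/squid/access.log, which the config above writes in squid's native format (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type). The functions below are an added example, not part of the original post: they report the cache hit percentage, the bytes served from cache, and any client address outside the 192.168.0.0/24 localnet. That last list should be empty; a foreign address in it means something other than the LAN interface is reaching port 3128, which is worth investigating. The log lines embedded as a fallback are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example: sanity checks over squid's native-format access.log.
# Field layout assumed from the "squid" access_log format used in the guide:
#   $1 time  $2 elapsed  $3 client  $4 result/status  $5 bytes  $6 method  $7 URL
# LAN_PREFIX matches the localnet acl (192.168.0.0/24); adjust to your LAN.
LAN_PREFIX="192.168.0."

# Constructed sample log lines, used when no readable file is given.
SAMPLE_LOG=$(cat <<'EOF'
1282330000.101    245 192.168.0.10 TCP_MISS/200 48213 GET http://mirror.example/updates/a.rpm - DIRECT/203.0.113.7 application/x-rpm
1282330012.552     12 192.168.0.11 TCP_HIT/200 48213 GET http://mirror.example/updates/a.rpm - NONE/- application/x-rpm
1282330020.003    130 192.168.0.12 TCP_MISS/200 5120 GET http://www.example/ - DIRECT/203.0.113.9 text/html
1282330025.717      9 192.168.0.12 TCP_MEM_HIT/200 5120 GET http://www.example/ - NONE/- text/html
1282330030.200     88 198.51.100.4 TCP_MISS/200 700 GET http://www.example/x - DIRECT/203.0.113.9 text/html
EOF
)

# log_input [FILE]: emit the log to analyse, falling back to the sample data.
log_input() {
    if [ -n "$1" ] && [ -r "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# cache_hit_pct [FILE]: integer percentage of requests answered from cache.
# Any result code containing HIT (TCP_HIT, TCP_MEM_HIT, ...) counts as a hit.
cache_hit_pct() {
    log_input "$1" | awk '
        { total++; if ($4 ~ /HIT/) hits++ }
        END { printf "%d\n", (total ? 100 * hits / total : 0) }'
}

# bytes_saved [FILE]: bytes delivered from cache instead of fetched upstream.
bytes_saved() {
    log_input "$1" | awk '$4 ~ /HIT/ { s += $5 } END { printf "%d\n", s }'
}

# foreign_clients [FILE]: distinct client addresses outside LAN_PREFIX.
# The REDIRECT rule only touches eth0 and the localnet acl only allows the LAN,
# so anything printed here reached the proxy by a path this setup did not intend.
foreign_clients() {
    log_input "$1" | awk -v p="$LAN_PREFIX" 'index($3, p) != 1 { print $3 }' | sort -u
}

# Run against the real log with: sh thisscript.sh /var/log/squid/access.log
echo "cache hit %: $(cache_hit_pct "$1")"
echo "bytes served from cache: $(bytes_saved "$1")"
echo "clients outside the LAN:"
foreign_clients "$1"
```

On the sample data the hit rate is 40%, the second download of a.rpm and the repeat fetch of the front page account for the saved bytes, and 198.51.100.4 is flagged. The repository-update case from the bullet list above shows up exactly this way: the first client logs a TCP_MISS for the rpm and every later client a TCP_HIT of the same size.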
