Saturday, June 10, 2017

What is Proxy, Types of proxy and Uses of Proxy

What is a Proxy Server?

A Proxy server is an intermediary machine, between a client and the actual server, which is used to filter or cache requests made by the client.

Types of Proxy

1) Caching Proxy
2) Transparent Proxy
3) Reverse Proxy

Normal (Regular/Caching) Proxy:

A regular caching proxy server listens on a separate port (e.g. 3128) and the clients (browsers) are configured to send their requests to that port. The proxy server receives the request, fetches the content and stores a copy for future use. The next time another client requests the same web page, the proxy server simply answers from its cache, improving the overall request-reply speed.

Transparent Proxy:

A transparent proxy server is also a caching server, but it is configured so that no client side (browser side) configuration is needed. Typically the proxy server resides on the gateway and intercepts the WWW requests (port 80, 443 etc.) from the clients, fetches the content the first time and subsequently replies from its local cache. The name Transparent comes from the fact that the client doesn't know there is a proxy server mediating its requests. Transparent proxy servers are mostly used in big corporate organizations where client side configuration is not easy (due to the number of clients). This type of server is also used by ISPs to reduce bandwidth usage.

Reverse Proxy:

A reverse proxy is totally different in its usage because it serves the web server rather than its clients. Basically a reverse proxy sits at the web server end, caches all the static responses from the web server and replies to the clients from its cache to reduce the load on the web server. This type of setup is also known as Web Server Acceleration.

Configuration file - /etc/squid/squid.conf

You need to add three lines to the squid.conf file in the /etc/squid/ directory before activating Squid. The first edit is the hostname: locate the visible_hostname tag, near line no 2835.
Go to the end of this tag and add the hostname which you checked with the previous command,
e.g. visible_hostname followed by that hostname.
By default Squid works on port no 3128, but you can change this. The http_port tag is located near line no 73.

ACL Syntax - acl <acl name> <acl type> <acl argument>

We will create three access lists.
The first blocks the host with IP address 192.168.1.7 from accessing the internet.
The second blocks a particular site.
The third allows our lab network to access the internet.
Go to the end of the access control tag, near line 2410, and create the access lists as shown here:
(screenshot: access list tag in squid.conf)
The final edit is to apply whatever access lists you have configured in the access list tag: go to the http_access tag near line no 2482.
(screenshot: http_access tag)
At the end of this tag, near line no 2529, apply the configured access lists.
(screenshot: http_access)
Be very careful about the order of the access lists: always put the http_access deny all line at the end. Squid stops at the first matching http_access line, so whatever access list is placed below the http_access deny all line will never be checked.
You have made the necessary changes in squid.conf; now save it and return to the command prompt.
We have created an access list web_deny to filter the web traffic and set http_access deny web_deny in squid.conf. Now you can add the URLs of the websites you want to block to the file it reads (/etc/squid/web_deny), one domain per line.

acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl deny_host src 192.168.1.7
acl allow_network src 192.168.1.0/24

acl web_deny dstdomain "/etc/squid/web_deny"

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny deny_host
http_access deny web_deny
http_access allow allow_network
http_access deny all
# TAG: http_access2


SAMPLE ACLs

acl allowfacebooktime time MTWHF 12:15-13:45
# Facebook ACL
acl facebookdotcom  dstdomain .facebook.com
# Only allow Facebook as described by allowfacebooktime
http_access allow facebookdotcom allowfacebooktime
# Else block facebook
http_access deny facebookdotcom

ACL TYPES

src: source (client) IP addresses
dst: destination (server) IP addresses
myip: the local IP address of a client's connection
arp: Ethernet (MAC) address matching
srcdomain: source (client) domain name
dstdomain: destination (server) domain name
srcdom_regex: source (client) regular expression pattern matching
dstdom_regex: destination (server) regular expression pattern matching
src_as: source (client) Autonomous System number
dst_as: destination (server) Autonomous System number
time: time of day, and day of week
url_regex: URL regular expression pattern matching
urlpath_regex: URL-path regular expression pattern matching, leaves out the protocol and hostname
port: destination (server) port number
myport: local port number that client connected to
myportname: name tag assigned to the squid listening port that client connected to
proto: transfer protocol (http, ftp, etc)
method: HTTP request method (get, post, etc)
http_status: HTTP response status (200 302 404 etc.)
browser: regular expression pattern matching on the request user-agent header
maxconn: a limit on the maximum number of connections from a single client IP address
max_user_ip: a limit on the maximum number of IP addresses one user can login from
req_mime_type: regular expression pattern matching on the request content-type header
req_header: regular expression pattern matching on a request header content
rep_mime_type: regular expression pattern matching on the reply (downloaded content) content-type header. This is only usable in the http_reply_access directive, not http_access.
rep_header: regular expression pattern matching on a reply header content. This is only usable in the http_reply_access directive, not http_access.
external: lookup via external acl helper defined by external_acl_type
user_cert: match against attributes in a user SSL certificate
ca_cert: match against attributes of the CA SSL certificate that issued a user's certificate
ext_user: match on user= field returned by external acl helper defined by external_acl_type
ext_user_regex: regular expression pattern matching on user= field returned by external acl helper defined by external_acl_type

Combining ACLs (AND/OR)

Often you need to combine ACLs. Let's say you want to allow access to google.com only for the back office. This combines two ACLs with an AND, and would look like this:

http_access allow accesses_to_google.com accesses_from_back_office

If you wanted to use an OR and say either accesses from the back office or accesses to google.com are allowed then the line would look like this:

http_access allow accesses_to_google.com
http_access allow accesses_from_back_office

To summarize: AND means putting the conditions on one line. OR means using separate lines.

Custom error pages (deny_info)

By default when you deny access the user gets the error page that is stored in the ERR_ACCESS_DENIED file. But luckily you can define your own custom error pages and display them when you deny certain accesses. A simple example:

acl google dstdomain .google.com
deny_info error-google google
http_access deny google

Put an error page into the directory where the HTML files are stored (look for error_directory in your squid.conf) and name it error-google. The leading dot in the dstdomain argument makes the ACL match google.com and all of its subdomains, so if the user tries to access www.google.com the access is denied and your error page is shown.

Careful when you combine ACLs on a http_access line. Example:

acl google dstdomain .google.com
acl admin src 10.0.5.16
deny_info error-google google
http_access deny admin google

This will deny access only for the user from the IP address 10.0.5.16 when www.google.com is accessed. As you can see I have combined the ACLs admin and google on one line. In such a combination only the last ACL on the line is used for the deny_info lookup, so it is important that you define the deny_info for the google ACL, not for admin.
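As an added illustration (not code from this post), the following Python model of Squid's http_access evaluation shows the three rules stated above at once: ACLs on one line are ANDed while separate lines are ORed, the first matching line wins so anything after http_access deny all is dead, and the error page for a deny comes from the deny_info bound to the last ACL on the matching line. The ACL names and addresses are constructed from the page's fragments and are not a real deployment.

```python
from ipaddress import ip_address, ip_network

# Constructed squid.conf-style rules (names taken from the page, values hypothetical).
ACLS = {
    "deny_host": ("src", "192.168.1.7"),
    "allow_network": ("src", "192.168.1.0/24"),
    "web_deny": ("dstdomain", ".facebook.com"),  # stands in for /etc/squid/web_deny
    "google": ("dstdomain", ".google.com"),
    "admin": ("src", "10.0.5.16"),
    "all": ("src", "0.0.0.0/0"),
}
DENY_INFO = {"google": "error-google"}          # deny_info error-google google
HTTP_ACCESS = [
    ("deny", ["admin", "google"]),               # AND: both ACLs must match
    ("deny", ["deny_host"]),
    ("deny", ["web_deny"]),
    ("allow", ["allow_network"]),
    ("deny", ["all"]),
    ("allow", ["google"]),                       # dead rule: placed after 'deny all'
]

def acl_matches(name, src_ip, host):
    kind, arg = ACLS[name]
    if kind == "src":
        return ip_address(src_ip) in ip_network(arg, strict=False)
    if kind == "dstdomain":
        # Leading dot: the domain and all its subdomains; no dot: exact match only.
        if arg.startswith("."):
            return host == arg[1:] or host.endswith(arg)
        return host == arg
    raise ValueError(f"unsupported acl type {kind}")

def evaluate(rules, src_ip, host):
    """First matching http_access line wins. ACLs on one line are ANDed,
    separate lines are ORed. On a deny, the error page is looked up via
    deny_info on the LAST acl of the matching line (default ERR_ACCESS_DENIED)."""
    for action, acls in rules:
        if all(acl_matches(a, src_ip, host) for a in acls):
            page = DENY_INFO.get(acls[-1], "ERR_ACCESS_DENIED") if action == "deny" else None
            return action, page
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

def unreachable_rules(rules):
    """Indexes of lines that can never be checked because an earlier line is 'all' alone."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return list(range(i + 1, len(rules)))
    return []
```

Running unreachable_rules over your own http_access list is a quick way to catch the ordering mistake the text warns about before reloading Squid.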

How to enable Proxy in Linux

Type the following command to set the proxy server:
$ export http_proxy=http://proxy-server.example.com:3128/
If the proxy server requires a username and password then add these to the URL. For example, to include the username foo and the password bar:

$ export http_proxy=http://foo:bar@proxy-server.example.com:3128/

The general form is http://USERNAME:PASSWORD@proxy-server:port/ with no spaces. Keep in mind that credentials placed in an environment variable this way are visible in the shell history and to other processes that can read the environment.
