tomclegg.net
Squid transparent proxy
Posted May 5, 2003

To set up squid as a transparent proxy using FreeBSD...

Install FreeBSD. Set up NAT or whatever, and install this machine as your gateway.

Log in as root.

Install squid from ports.

cd /usr/ports/www/squid && make install

Move cache directory to /tmp.

mkdir /tmp/squid
mv /usr/local/squid/cache /tmp/squid/cache
ln -s /tmp/squid/cache /usr/local/squid/

Set up a "squid" user account.

pw useradd squid -d /nonexistent -s /usr/bin/true
chown -R squid:squid /tmp/squid/cache /usr/local/squid/logs

Edit /usr/local/etc/squid/squid.conf

# diff squid.conf.default squid.conf
474a475
> cache_mem 48 MB
524a526
> maximum_object_size_in_memory 128 KB
670a673
> cache_dir ufs /usr/local/squid/cache 200 64 128
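Review bot: the cache_dir path in this hunk resolves through the symlink into /tmp/squid/cache created a few steps earlier, so if this box clears /tmp at boot the directory is gone and `squid -z` has to be rerun before squid will start; either disable that cleanup or keep the cache somewhere under /var.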
982a986
> #redirect_program /usr/local/libexec/adzap
1311a1316
> request_body_max_size 4 MB
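Review bot: request_body_max_size 4 MB in this hunk applies to every request that passes through the proxy, and since the fwd rule later on sends all port-80 traffic from the LAN here, any upload or form POST larger than 4 MB will get a squid error page instead of reaching the site; raise the limit or document it where users will look.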
1753c1758,1759
< #http_access allow our_networks
---
> acl our_networks src 10.129.0.0/16 199.60.150.0/24
> http_access allow our_networks
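Review bot: the two lines replacing `#http_access allow our_networks` are the only access control an intercepted client meets, because the ipfw fwd rule forwards port-80 connections regardless of where they came from; keep the src list limited to the networks actually behind this gateway, and keep the allow line where the template had it, above the default `http_access deny all`, or it has no effect.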
1937a1944
> cache_mgr YOUR@EMAIL.ADDRESS.HERE
1953a1961,1962
> cache_effective_user squid
> cache_effective_group squid
1963a1973
> visible_hostname YOUR.HOST.NAME.HERE
2051a2062,2063
> httpd_accel_host virtual
> httpd_accel_port 0
2080a2093
> httpd_accel_with_proxy on
2100a2114
> httpd_accel_uses_host_header on
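Review bot: the httpd_accel_* directives in this hunk and the two preceding it are the Squid 2.5 way of enabling interception; Squid 2.6 replaced them with `http_port 3128 transparent` (renamed `intercept` in 3.1), so anyone following this on a newer port needs that single line instead.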
2540a2555,2556
> header_access Via deny all
> header_access X-Forwarded-For deny all
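Review bot: denying Via and X-Forwarded-For hides the proxy and the client's LAN address from origin servers, which is the intent, but Via is also what squid inspects to detect forwarding loops, so bear that in mind if this proxy is ever chained through another; the directive is Squid 2.5 naming, later versions call it request_header_access.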

Create the cache directories.

squid -z

Start squid.

/usr/local/etc/rc.d/squid.sh start

Enable firewall and transparent proxy support in kernel. Example using FreeBSD 4:

cd /usr/src/sys/i386/conf
cp -i GENERIC MYKERNEL
cat <<EOF >>MYKERNEL
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # if you intend to use NAT
EOF
config MYKERNEL
cd ../../compile/MYKERNEL
make depend && make && make install && reboot

Make sure squid is listening on port 3128.

ps axw | grep squid
netstat -a -n | grep -w 3128

Redirect all HTTP traffic passing through the machine to squid.

echo firewall_type=/etc/firewall.local >>/etc/rc.conf
cat <<EOF >>/etc/firewall.local
fwd YOUR.IP.ADDR.HERE,3128 tcp from not me to any 80
EOF

Watch the log file as you load web pages.

tail -f /usr/local/squid/logs/access.log
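Once traffic is flowing, the useful question is who is actually being intercepted. The fwd rule above matches every TCP connection to port 80 that did not originate on the gateway itself, whichever interface it arrived on, so the http_access lines are what really limit who can use the proxy. The script below is an added example, not part of the original page: a POSIX sh check over squid's access.log that reports clients outside the page's acl our_networks ranges (10.129.0.0/16 and 199.60.150.0/24, assumed unchanged) and a per-client request count. It assumes squid's native access.log format, which is the default; the log lines and addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page: check a squid access.log
# against the "acl our_networks src" ranges from the squid.conf diff above.
# Any client outside those ranges that reaches squid means the ipfw fwd rule
# is forwarding more than the LAN, and only http_access stands in the way.

# Same networks as the page's "acl our_networks src" line (assumption: unchanged).
ALLOWED_NETS="10.129.0.0/16 199.60.150.0/24"

# Constructed sample lines in squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG='1052150401.123 210 10.129.4.7 TCP_MISS/200 5123 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1052150402.456 12 10.129.4.7 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1052150403.789 340 199.60.150.22 TCP_MISS/200 901 GET http://example.net/ - DIRECT/192.0.2.20 text/html
1052150404.000 88 192.168.77.5 TCP_DENIED/403 1400 GET http://example.org/ - NONE/- text/html
1052150405.250 95 192.168.77.5 TCP_DENIED/403 1400 GET http://example.org/x - NONE/- text/html'

# Read access.log lines on stdin; print each client IP (field 3) that is not
# inside any of ALLOWED_NETS, once per IP in first-seen order, with its count.
unexpected_clients() {
    awk -v nets="$ALLOWED_NETS" '
    # Dotted quad to 32-bit integer.
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when ip shares its top "bits" bits with the network in cidr.
    # Integer division by 2^(32-bits) keeps the prefix; POSIX awk has no bitand().
    function in_net(ip, cidr,    p, step) {
        split(cidr, p, "/")
        step = 2 ^ (32 - p[2])
        return int(ip2int(ip) / step) == int(ip2int(p[1]) / step)
    }
    BEGIN { n = split(nets, net, " ") }
    NF >= 3 {
        ok = 0
        for (i = 1; i <= n; i++) if (in_net($3, net[i])) ok = 1
        if (!ok) {
            if (!($3 in count)) order[++m] = $3
            count[$3]++
        }
    }
    END { for (i = 1; i <= m; i++) print order[i], count[order[i]] }'
}

# Requests per client for the whole log, sorted, for a quick look at who is
# really being intercepted.
requests_per_client() {
    awk 'NF >= 3 { c[$3]++ } END { for (ip in c) print ip, c[ip] }' | sort
}

# Run against the constructed sample; on the gateway use the real log instead:
#   unexpected_clients < /usr/local/squid/logs/access.log
printf '%s\n' "$SAMPLE_LOG" | unexpected_clients   # prints: 192.168.77.5 2
```

An address outside our_networks showing up here, even with TCP_DENIED, tells you the firewall rule is wider than intended; narrowing the fwd rule to the inside interface or to the LAN source range is the fix, with http_access left in place as the second line of defence.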