{ Berbagi, Menulis, Dan Mengajar } Ilmu… » 7. Operating System » Transparent Proxy Squid 2.6 Above
Transparent Proxy Squid 2.6 Above
Transparent Caching/Proxy
From Squid User’s Guide
[edit] Transparent Cache/Proxy with Squid version prior to 2.6
Prior to Squid 2.6 there was no quick and direct method of enabling Squid to be a transparent proxy. This has since changed in the latest stable version of Squid and it is highly recommended that the latest stable version of Squid be used in preference to any previous edition, unless there exists an overriding reason to use an older release of Squid.
In older versions of Squid, transparent proxy was almost a “hack”, achieved through the use of the httpd_accel options. Transparent proxy can be achieved in these versions of Squid by appending/uncommenting the following four lines of code in the squid.conf file:
httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
The four lines inform Squid to run as a transparent proxy, below is a list of what each individual line acheives:
- httpd_accel_host virtual – This tells the accelerator to work for any URL that it is given (the usual usage for the accelerator is to inform it which URL it must accelerate)
- httpd_accel_port 80 – Informs the accelerator which port to listen to, the accelerator is a very powerful tool and much of its usage is beyond the scope of this section, the only knowledge required here is that this setting ensures that the transparent proxy accesses the websites we wish to browse via the correct HTTP port, where the standard is port 80.
- httpd_accel_with_proxy on – By default when Squid has its accelerator options enabled it stops being a cache server, to reinstate this (this is obviously important as the whole purpose behind this configuration is a cache server) we turn the httpd_accel_with_proxy option on
- httpd_accel_uses_host_header on – In a nutshell with this option turned on Squid is able to find out which website you are requesting
[edit] Transparent Cache/Proxy with Squid version 2.6 and beyond
In this version of Squid, transparent proxy has been given a dedicated parameter — the transparent parameter — and it is given as an argument to the http_port tag within the squid.conf file, as the following example demonstrates:
http_port 192.168.0.1:3128 transparent
In this example, the IP address that Squid is set to listen to is 192.168.0.1 using port number 3128. The transparent option is then used to inform squid that this IP and port should be listened to as a transparent proxy. This completes the configuration of Squid as a transparent proxy server (yes that’s right, all done! (apart from the ACL rules and generic settings that you have should have set by now after reading the sections of this guide prior to this one)).
Please note that if you intend to make the proxy server completely transparent through the use of port number redirect in iptables or some other network address redirect configuration (bar manual or automatic configuration of clients browser’s) then you will need to compile in the necessary feature into your Squid binary. Please read the information on transparent proxy in the Installing Squid section for more details on this. Do not be alarmed by a Squid binary recompile at this stage, Squid should not overwrite your edited squid.conf file but make sure to back it up just in case!
[edit] Allowing access to origin servers
Apart from the http_port directive above, the only other changes you will likely have to make to create a transparent proxy are ACL settings.
If you are getting the following error:
ERROR The requested URL could not be retrieved While trying to retrieve the URL: http://www.toyota.co.za/ The following error was encountered: * Unable to forward this request at this time. This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that: * The cache administrator does not allow this cache to make direct connections to origin servers, and * All configured parent caches are currently unreachable.
..you will need to specify:
always_direct allow all
This allows Squid to fetch content from the Web directly, and despite appearances will not prevent local caching. A few more ACL settings will allow your LAN users access to Squid.
For a full solution for Squid > 2.6, including Iptables, you can see this article: http://www.lesismore.co.za/2008/02/squid-3-transparent-proxy.html
Filed under: 7. Operating System