
School Server Network Structure With Squid

February 12th, 2008 By: admin · 4 Comments

[Figure: school-squid1.gif]

Here is the network structure for the school server with proxy setup.

Enable IP forwarding in /etc/sysctl.conf:

# vi /etc/sysctl.conf

and set

net.ipv4.ip_forward = 1

then restart networking so the setting is applied:

# service network restart

Then set up forwarding and NAT through iptables (eth0 is the upstream interface, eth2 the school LAN):

# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth2 -j ACCEPT

Squid

Install and configure squid:

-------------------- squid.conf --------------------

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
# Add more acl rules here if we want more
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 192.168.0.113 192.168.1.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname sugaroffice.ole
always_direct allow all
coredump_dir /var/spool/squid

Direct port 80 requests to the squid listen port (on the machine running the cache server):

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.0.113:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
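Because the configuration above writes every request in Squid's native format to /var/log/squid/access.log, a short review script over that log shows whether the ACLs behave as intended: who is hitting the http_access deny rules, which requests come from outside the lan ACL, and which destination ports fall outside Safe_ports/SSL_ports. This is an added example, not part of the original post; the sample log lines are constructed, and the port sets and LAN ranges are copied from the squid.conf above.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit
# Port sets and LAN ranges mirror the Safe_ports, SSL_ports and lan ACLs in the squid.conf above.
SAFE_PORTS = {80, 21}
SSL_PORTS = {443, 563, 873}
LAN = [ipaddress.ip_network(n) for n in ("192.168.0.113/32", "192.168.1.0/24")]

# Constructed sample lines in Squid's native access_log format ("squid" in the access_log directive):
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1202860000.123    120 192.168.1.25 TCP_MISS/200 5432 GET http://example.org/index.html - DIRECT/203.0.113.10 text/html
1202860001.456      0 192.168.1.25 TCP_DENIED/403 1398 CONNECT example.net:8080 - NONE/- text/html
1202860002.789     35 192.168.1.40 TCP_HIT/200 2210 GET http://example.org/logo.gif - NONE/- image/gif
1202860003.012      0 10.0.0.7 TCP_DENIED/403 1398 GET http://example.org/ - NONE/- text/html
1202860004.345      0 192.168.1.25 TCP_DENIED/403 1398 GET http://example.org:8123/admin - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into the fields used below; None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    return {"client": f[2], "action": action, "status": int(status), "method": f[5], "url": f[6]}

def dest_port(method, url):
    """Destination port: CONNECT logs host:port, other methods log a full URL."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    return parts.port or {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme, 0)

def denied_by_client(log_text):
    """Count TCP_DENIED requests per client address (hits on the http_access deny rules)."""
    records = filter(None, map(parse_line, log_text.splitlines()))
    return dict(Counter(r["client"] for r in records if r["action"] == "TCP_DENIED"))

def policy_findings(log_text):
    """Requests worth a look: sources outside the lan ACL, and ports outside the ACL port sets."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if not any(ipaddress.ip_address(rec["client"]) in net for net in LAN):
            findings.append(("non_lan_source", rec["client"], rec["url"]))
        allowed = SSL_PORTS if rec["method"] == "CONNECT" else SAFE_PORTS
        if dest_port(rec["method"], rec["url"]) not in allowed:
            findings.append(("port_outside_acl", rec["client"], rec["url"]))
    return findings
```

Run it against the real file with `policy_findings(open("/var/log/squid/access.log").read())`; a non-LAN source showing up at all means traffic is reaching the proxy that the DNAT/REDIRECT rules were not meant to pass.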

Comments, corrections and ideas are welcome.

Tags: Development · Testing

4 responses so far

  • 1 Alan Jenkins // Feb 13, 2008 at 4:12 am

    Suggestion: don’t assume Squid is the right solution.

    I use polipo as a personal proxy. It’s less well developed, and it’s designed mainly for personal use.

    However, it has three features which I believe Squid lacks. It is designed for low latency and efficient HTTP usage; it supports offline operations (the Ubuntu package integrates this into ifupdown so it goes offline/online automatically), and it will cache partial downloads. The backing store is also very straightforward and easy to administer (1 file per URL).

    Polipo would also be happy running on a multi-purpose server; I don’t know whether Squid likes sharing much.

    The problem with polipo is it’s difficult to find evidence that it will scale. But if you are attracted by some of the above features, perhaps it’d be worth testing yourself.

    The author claims “Polipo is a small and fast caching web proxy (a web cache, an HTTP proxy, a proxy server). While Polipo was designed to be used by one person or a small group of people, there is nothing that prevents it from being used by a larger group.”

    Oo, I just found another link. The author comments on “large polipi” here:

  • 2 Alan Jenkins // Feb 13, 2008 at 4:18 am

    http://sourceforge.net/mailarchive/forum.php?thread_name=87bqc3lguv.fsf%40pps.jussieu.fr&forum_name=polipo-users

  • 3 sulochan // Feb 14, 2008 at 11:40 am

    Hi Alan,
    thanks for the insights. I have to look into Polipo, it sounds like a good deal.

  • 4 sulochan acharya // Mar 6, 2008 at 11:31 pm

    TO USE DANSGUARDIAN WITH THIS STRUCTURE

    Just make a small change in the DNAT iptables command:
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.0.113:8080
    Note that now it's going on port 8080 where dansguardian is listening. Dansguardian by default looks at squid at port 3128 so no additional routing is needed.
    On the OLPC school server your apache is also listening on 3128 so you might want to change that.
