School Server Network Structure With Squid


Here is the network setup for the school server with a transparent Squid proxy.

First enable IP forwarding on the server:

# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# service network restart

Then set up NAT (masquerading) and forwarding with iptables; eth0 is the external interface and eth2 the school LAN:

# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth2 -j ACCEPT


Install and configure Squid. The relevant parts of squid.conf:


http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
# Add more acl rules here if we want more
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname sugaroffice.ole
always_direct allow all
coredump_dir /var/spool/squid

Redirect port 80 requests to the Squid listen port (on the machine running the cache server):

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
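The http_access section above is evaluated first-match, top to bottom, with the terms on one line ANDed and "!" negating a term. The following is an added example (not code from the post) that replays that policy in a small evaluator over a constructed excerpt of the config; the page lost its src acl values, so the LAN and localhost ranges are assumed.

```python
import ipaddress

# Constructed excerpt of the page's squid.conf; src ranges are assumed (page lost them).
SQUID_CONF = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl lan src 192.168.1.0/24
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80 21
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_access deny all
"""

def parse(conf):
    """Collect acl definitions (same-named acls merge) and http_access lines in order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, *vals = parts[1:]
            acls.setdefault(name, (kind, []))[1].extend(vals)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, vals = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
    if kind == "port":
        return str(req["port"]) in vals
    if kind == "method":
        return req["method"] in vals
    raise ValueError(f"unsupported acl type {kind}")

def evaluate(conf, req):
    """First line whose ANDed terms all match wins ('!' negates); no match => opposite of last line."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With Safe_ports limited to 80 and 21 as in the post, a CONNECT to 443 is refused by `deny !Safe_ports` before the SSL_ports line is ever consulted, which is harmless here only because the iptables rules redirect port 80 alone.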

Comments, corrections and ideas are welcome.

4 Responses

  1. Alan Jenkins February 13, 2008 / 4:12 am

    Suggestion: don’t assume Squid is the right solution.

    I use polipo as a personal proxy. It’s less well developed, and it’s designed mainly for personal use.

    However, it has three features which I believe Squid lacks. It is designed for low latency and efficient HTTP usage; it supports offline operations (the Ubuntu package integrates this into ifupdown so it goes offline/online automatically), and it will cache partial downloads. The backing store is also very straightforward and easy to administer (1 file per URL).

    Polipo would also be happy running on a multi-purpose server; I don’t know whether Squid likes sharing much.

    The problem with polipo is it’s difficult to find evidence that it will scale. But if you are attracted by some of the above features, perhaps it’d be worth testing yourself.

    The author claims “Polipo is a small and fast caching web proxy (a web cache, an HTTP proxy, a proxy server). While Polipo was designed to be used by one person or a small group of people, there is nothing that prevents it from being used by a larger group.”

    Oo, I just found another link. The author comments on “large polipi” here:

  2. sulochan February 14, 2008 / 11:40 am

    Hi Alan,
    thanks for the insights. I have to look into Polipo, it sounds like a good deal.

  3. sulochan acharya March 6, 2008 / 11:31 pm

    Just make a small change in the DNAT iptables command:
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to
    Note that now it's going on port 8080 where dansguardian is listening. Dansguardian by default looks at squid at port 3128 so no additional routing is needed.
    On the OLPC school server your apache is also listening on 3128 so you might want to change that.
