Setting Up Squid Proxy Server
www.marskarthik.com
Written by Karthikeyan [email protected]
Except for the hardware, everything else is free, so there are no licensing problems to worry about.
Hardware Requirements:
1. It is good to have a machine that was bought about a year earlier, to avoid adding new drivers to Linux manually. You can try a new machine; if Linux detects your network card properly there are no issues, otherwise you have to find and install the driver for it manually, which takes some time. Use the #ifconfig command to find the details of the Ethernet card.
2. No monitor, keyboard or mouse is needed after installation. You can monitor and control the machine through the web, but only after installing the Webmin software. You can also telnet or SSH into it to work on it.
3. It is better to have at least 1GB of memory if you want everyone to go through the proxy.
4. It would be better if the machine is Wake-On-LAN enabled, because sometimes you may need to start it remotely; otherwise someone has to power it on manually. Linux also has an inbuilt command, #ether-wake, for starting other computers on the network.
Software Requirements:
For Installation:
For Linux
1. Download the Fedora Core 9 ISO from any one of the links below and burn it to a DVD
http://mirror.web-ster.com/fedora/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso
http://astromirror.uchicago.edu/fedora/linux/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso
http://mirror.yandex.ru/fedora/linux/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso
2. Download Webmin from www.webmin.com (select the RPM package) or from the link below
http://sourceforge.net/project/downloading.php?groupname=webadmin&filename=webmin-1.430-1.noarch.rpm&use_mirror=nchc
Note: You can also download this software from Linux using a browser, or using the wget utility from the command line. Only if Linux detects your graphics card can you get into GUI mode; otherwise you have to work in command mode. If you are unable to download Webmin from command mode, you can download it on any Windows machine and bring it to Linux on a CD.
Command to Install Webmin
#rpm -i webmin-1.430-1.noarch.rpm
Command to Uninstall Webmin
#rpm -e webmin-1.430-1.noarch.rpm
Command to Upgrade Webmin
#rpm -Uvh webmin-1.430-1.noarch.rpm
Commands to find whether a package such as squid or Webmin is installed
#rpm -q webmin (No need to use the full file name here)
#rpm -q squid (This shows all squid-related packages)
#rpm -qi squid (This displays the full package information)
Note: The above three commands show results only if the packages were installed from an rpm package (filename.rpm). If the installation was done from a filename.tar.gz archive, you won't get any information. Alternatively you can find them using
#whereis squid
#whereis webmin
This shows the exact application path. It is always better to install from an rpm package rather than from tar.gz, because with tar.gz you need to configure and compile the package manually to install it.
Installation:
1. Boot with the Fedora Core 9 DVD; the installation will ask the usual questions such as machine name, password, IP address (use a static one), DNS, gateway etc.
2. Go for the full setup, or in custom mode select all components, because some components may be needed in future. Adding everything will not degrade performance unless the components are actually used.
3. Installation will take at least 30 to 40 minutes to complete, depending on your machine configuration.
4. Once installation is over, try to telnet into the installed machine from another machine. If that works, you are almost done with the installation.
5. Last but not least, install the Webmin software (use the commands mentioned under software requirements). Once this is done you are ready to place the machine in its desired location and start configuring it remotely.
After Installation:
For Windows
1. Download Kraken Reports to analyze Squid log file from
http://www.krakenreports.com/index.php?subPage=download
2. Putty for telnet or SSH
Configuring:
1. Use the browser and type https://ipaddress:10000
2. Login with user root and root password.
3. You should see a screen similar to the one below
4. Before proceeding with the Squid configuration, if you want to change any network settings for that machine, select Networking from the menu on the left and then Network Configuration to make the required changes.
5. Now select Servers from the menu and then Squid Proxy Server. Squid will not run until some initial configuration is made. The screenshot below was taken after the changes were made and the squid server was running.
6. Screenshots of the various settings follow
Module Config
Ports and Networking
The default port is 3128; you can change it to some other number such as 8080. If the server is also going to have a public address, use a port other than 3128 or 8080.
Logging
I often analyze the access log files using Kraken Reports on Windows. This shows you what, who, where, when and more details for each website. It is difficult to understand all of this just by reading access.log, so use the Kraken Reports software. A screenshot of Kraken Reports is shown below
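As an added example (not the page's own code and not Kraken Reports), the following Python script parses lines in squid's native access.log format and answers the same who, what, where and when questions: bytes per client, requests per site, and which requests the access controls denied (TCP_DENIED), which is what a proxy administrator looks at to spot policy violations. The log lines are constructed samples in the ten-field native format squid writes by default; the field layout is assumed from that format.

```python
"""Summarise a squid access.log: who, what, where, when, and what was denied.

Added example, not from the page; parses squid's native log format.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample lines in squid's native access.log format:
# <unix time> <elapsed ms> <client> <result/status> <bytes> <method> <url> <ident> <hierarchy/peer> <type>
SAMPLE_LOG = """\
1211234567.123    456 172.19.10.5 TCP_MISS/200 4321 GET http://www.aol.com/ - DIRECT/64.12.89.186 text/html
1211234570.456     12 172.19.10.5 TCP_DENIED/403 1420 GET http://www.aol.com/mobile - NONE/- text/html
1211234580.789    230 172.19.20.8 TCP_HIT/200 9876 GET http://office.microsoft.com/en-us/ - NONE/- text/html
1211234590.001    310 172.19.20.8 TCP_MISS/200 2048 GET http://update.microsoft.com/ - DIRECT/65.55.200.155 text/html
1211234595.500      9 172.19.30.7 TCP_DENIED/403 1420 CONNECT mail.google.com:443 - NONE/- text/html
"""

LINE_RE = re.compile(r"""
    ^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+
    (?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+
    (?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+
    (?P<hier>\S+)\s+(?P<type>\S+)\s*$
""", re.VERBOSE)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    # CONNECT (HTTPS tunnel) requests log host:port rather than a full URL.
    url = rec["url"]
    rec["host"] = urlparse(url).hostname if "://" in url else url.split(":")[0]
    return rec


def summarise(log_text):
    """Aggregate parsed lines: bytes per client (who), hits per site (where),
    and the denied requests with their timestamps (when)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    bytes_by_client = Counter()
    hits_by_host = Counter()
    denied = []
    for r in records:
        bytes_by_client[r["client"]] += r["bytes"]
        hits_by_host[r["host"]] += 1
        if r["result"] == "TCP_DENIED":
            denied.append((r["client"], r["host"], r["time"].strftime("%Y-%m-%d %H:%M:%S")))
    return {"parsed": len(records), "bytes_by_client": bytes_by_client,
            "hits_by_host": hits_by_host, "denied": denied}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("parsed lines:", s["parsed"])
    print("top clients by bytes:", s["bytes_by_client"].most_common(3))
    print("top sites by hits:", s["hits_by_host"].most_common(3))
    for client, host, when in s["denied"]:
        print(f"DENIED {when} UTC  {client} -> {host}")
```

The denied list is the most useful output for access control tuning: a burst of TCP_DENIED lines from one client against the same host usually means either a rule that is too broad or a user probing the restrictions.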
Administrative Options
Last but not least is Access Control, which is where you will be spending all your time. There is no need to change any other options under Squid Proxy Server.
Once the configuration is made, try starting Squid from the link at the top right. If the front screen asks you to initialize the cache, do that first and then start Squid. After starting squid, configure the proxy server details in a browser and try browsing. This should work without any restrictions.
Now coming to Access Control
Note: Basically you can set restrictions in two ways, by IP address or by MAC address. For full-access users I use the MAC address, and for others I use the IP address. If a particular IP has full access, someone could set their own machine to the IP address of a full-access user's machine (while that machine is off) and enjoy full access, so going by MAC address eliminates that misuse. I have other ways to prevent users from changing the proxy settings and will mention them later. You can even set it so that only IE can access the proxy, so if someone uses another browser or any other internet application the proxy will reject it. You can also set restrictions based on time and day. A large number of rules will slow down internet access on the client side, so you may need to add more RAM to the proxy machine.
Below are the screenshots of Access control lists in my proxy server.
You will see only a few lines under Access Control in the initial setup stage; more rules can be added depending on your needs. This is similar to firewall rules. Just adding entries here under Access Control Lists (ACL) will not give you any restrictions: you have to add these rules in the Proxy restrictions section, and the order of the rules (top to bottom) decides the restrictions. You have to edit the IP address range in the localnet section and remove any unwanted IP address ranges.
We have to create all the ACLs first and then set the restrictions. To create a new ACL, select the list type you want from the menu next to the Create new ACL button and click the button to create it.
Browser Regexp (Regular Expression)
This rule detects only Internet Explorer. The ACL name can be anything; use MSIE because this is the string the browser sends to the proxy to identify itself. I found this in access.log. If you add Mozilla instead, all Mozilla-based browsers will be allowed to use the proxy.
Client Address
This rule specifies one or more IP addresses. It can be combined with many other rules.
Ethernet Address
This rule specifies one or more Ethernet (MAC) addresses on your local network. Again, it can be combined with many other rules.
URL Regexp(Regular Expression)
This rule is used very often and for various purposes. In general, the pattern specified here is matched against the URL (link), not against the page content. For example, if the www.aol.com page contains the word mobile or gmail it will not be blocked, but www.aol-gmail.com, www.aolmobile.com, www.aol.com/mobile or www.aol.com/images/mobile.jpg will be blocked. Don't forget to check the Ignore Case option. You can use regular expressions here.
Web Server Regexp
This rule specifies one or more websites. If you specify microsoft.com alone, by default it will allow all subdomains (*.microsoft.com). But when subdomains are in a different network or IP range you have to enter all the domains manually. Here I have entered office.microsoft.com and update.microsoft.com.
These are the major ACLs we need in order to set restrictions. For more advanced restrictions, other ACLs can be used.
To enable or disable ACLs we need to go to the Proxy restrictions tab, which is next to the Access control lists tab.
Again, by default very few restrictions are enabled in the initial setup. Rules are read from top to bottom. Click the Add proxy restriction link to apply a rule. Select one or more ACLs (use the Control key for multiple selections) and select whether the rule is to allow or deny.
Use the up and down arrows to change the order of the rules. That's it: now you have control over the browsing.
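As an added example (not code from the page, from Webmin or from Squid), the following Python script models how squid evaluates the proxy restrictions described above: each ACL type from the Access Control Lists section (browser regexp, client address, Ethernet address, URL regexp with Ignore Case, web server regexp) is matched against a request, and the http_access rules are tried top to bottom with the first match deciding. It assumes that the Webmin screens generate the squid ACL types browser, src, arp, url_regex -i and dstdom_regex (Webmin's Web Server Regexp is taken to be dstdom_regex), and every IP address, MAC address, user-agent string and URL in it is a constructed sample value.

```python
"""Model of squid's first-match http_access evaluation.

Added example, not from the page, Webmin or Squid.  ACL names, addresses,
MACs and URLs are constructed samples.
"""
import ipaddress
import re
from urllib.parse import urlparse

# ACL definitions (name -> (squid acl type, values)) following the ACL screens
# described in the text.  Webmin's "Web Server Regexp" is assumed to be dstdom_regex.
ACLS = {
    "localnet":   ("src",          ["172.19.10.0/24", "172.19.20.0/24"]),
    "ie_only":    ("browser",      ["MSIE"]),
    "full_users": ("arp",          ["00:11:22:33:44:55"]),
    "blocked":    ("url_regex -i", ["mobile", "gmail"]),
    "ms_sites":   ("dstdom_regex", ["office.microsoft.com", "update.microsoft.com"]),
}

# Proxy restrictions, top to bottom: (action, ACL names that must ALL match).
# "all" is squid's built-in match-everything ACL (older releases need `acl all src all`).
RESTRICTIONS = [
    ("allow", ["full_users"]),
    ("allow", ["ms_sites"]),
    ("deny",  ["blocked"]),
    ("allow", ["localnet", "ie_only"]),
    ("deny",  ["all"]),
]


def acl_matches(acl_type, values, request):
    """Return True when one ACL matches a request dict (client_ip, client_mac,
    user_agent, url)."""
    if acl_type == "src":
        ip = ipaddress.ip_address(request["client_ip"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "arp":
        mac = request.get("client_mac", "").lower()
        return mac in [v.lower() for v in values]
    if acl_type == "browser":
        return any(re.search(v, request["user_agent"]) for v in values)
    if acl_type == "url_regex -i":
        return any(re.search(v, request["url"], re.IGNORECASE) for v in values)
    if acl_type == "dstdom_regex":
        host = urlparse(request["url"]).hostname or ""
        return any(re.search(v, host) for v in values)
    raise ValueError(f"unsupported ACL type: {acl_type}")


def evaluate(request, restrictions=RESTRICTIONS, acls=ACLS):
    """First matching http_access line wins.  If no line matches, squid applies
    the opposite of the last line's action."""
    for action, names in restrictions:
        if all(name == "all" or acl_matches(*acls[name], request) for name in names):
            return action
    return "deny" if restrictions[-1][0] == "allow" else "allow"


def to_squid_conf(restrictions=RESTRICTIONS, acls=ACLS):
    """Render the ACLs and restrictions as the squid.conf lines Webmin writes."""
    lines = [f"acl {name} {kind} {' '.join(values)}" for name, (kind, values) in acls.items()]
    lines += [f"http_access {action} {' '.join(names)}" for action, names in restrictions]
    return "\n".join(lines)


IE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
FF_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9) Gecko/2008052906 Firefox/3.0"

# Constructed sample requests.
SAMPLE_REQUESTS = {
    "ie_from_lan":        {"client_ip": "172.19.10.5", "user_agent": IE_UA, "url": "http://www.aol.com/"},
    "firefox_from_lan":   {"client_ip": "172.19.10.5", "user_agent": FF_UA, "url": "http://www.aol.com/"},
    "ie_blocked_word":    {"client_ip": "172.19.10.5", "user_agent": IE_UA, "url": "http://www.aol.com/images/mobile.jpg"},
    "ie_outside_lan":     {"client_ip": "10.0.0.9",    "user_agent": IE_UA, "url": "http://www.aol.com/"},
    "full_user_firefox":  {"client_ip": "172.19.30.7", "client_mac": "00:11:22:33:44:55",
                           "user_agent": FF_UA, "url": "http://www.aol.com/images/mobile.jpg"},
    "ie_ms_with_keyword": {"client_ip": "172.19.10.5", "user_agent": IE_UA, "url": "http://office.microsoft.com/mobile"},
}

if __name__ == "__main__":
    print(to_squid_conf())
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:20s} -> {evaluate(req)}")
    # Moving the deny for "blocked" above the allow for "ms_sites" flips the last verdict.
    reordered = [RESTRICTIONS[0], RESTRICTIONS[2], RESTRICTIONS[1]] + RESTRICTIONS[3:]
    print("reordered ie_ms_with_keyword ->", evaluate(SAMPLE_REQUESTS["ie_ms_with_keyword"], reordered))
```

Running the script prints the equivalent squid.conf lines and the verdict for each sample request; swapping the deny for the blocked ACL above the allow for ms_sites turns the office.microsoft.com/mobile request from allow into deny, which is the ordering effect the text describes. Two caveats worth knowing when building on the MAC-based rules: squid's arp ACL only sees the MAC addresses of clients on the same subnet as the proxy, since a router rewrites the source MAC, and the browser ACL trusts a User-Agent header that any client can set, so it is a convenience control rather than a security boundary.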
Overcoming smart users
Some users are smart enough to change the proxy settings from the Connections tab in the IE settings. You can use the registry trick below to disable that tab (the first line is the header a .reg file needs in order to merge).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000001
You can also list the addresses that bypass the proxy in a registry file and merge it.
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"="208.28.64.*;172.19.20.*;172.19.10.*;125.17.1.*;<local>"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"="208.28.64.*;172.19.20.*;172.19.10.*;125.17.1.*;<local>"
You can also make a registry script that applies all the settings in one shot instead of configuring them manually. Placing it in a logon script makes your job easier.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"ConnectionsTab"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"="208.28.64.*;172.19.20.*;172.19.10.*;125.17.1.*;<local>"
"ProxyServer"="192.168.1.1:3128"
Now, what happens if they use Firefox, Netscape or Opera and configure DNS manually to browse?
You need to enable the DNS Servers setting in gpedit.msc (group policy) with some local IP address, so that it supersedes any DNS setting configured locally or via DHCP. Make sure that IP address does not run a DNS service.
So, no matter what browser or application a user uses, direct internet access is not possible. But they can still reach sites by direct IP address.