2012/05/18

Squid-cache proxy

Introduction:

Install Squid-cache on FreeBSD and get it working in intercept (transparent) mode.

Requirements:

* Internet connection
* FreeBSD installed
* PF firewall (for the transparent proxy)
* Read this guide

The procedure:

Update the ports tree

# csup -h cvsup15.us.FreeBSD.org -g -L 2 /usr/share/examples/cvsup/ports-supfile

# cd /usr/ports/www/squid32

# make config

IMPORTANT!
To use the transparent proxy, AUTHENTICATION and IPv6 must be disabled.

Options for squid 3.2.3_2

[X] ARP_ACL        Enable ARP/MAC/EUI based authentification
[X] FS_AUFS        Enable AUFS (async-io) support
[X] HTCP           Enable HTCP support
[X] IDENT          Enable Ident lookups (RFC 931)
[X] KQUEUE         Enable kqueue(2) support
[X] SNMP           Enable SNMP support
[X] TP_PF          Enable transparent proxying with PF
[X] WCCP           Enable Web Cache Coordination Protocol
[X] WCCPV2         Enable Web Cache Coordination Protocol v2

[ OK ]

# make install clean

For Squid-cache to work in intercept mode it needs to be able to read /dev/pf: in intercept mode Squid asks PF, through /dev/pf, for the original destination of each redirected connection.

By default /dev/pf is only accessible to the root user.

Check the current permissions of /dev/pf:

# ls -al /dev/pf
crw-------  1 root  wheel    0, 108 Oct 26 11:01 /dev/pf

To give Squid-cache access:

# edit /etc/devfs.conf

Add these lines:

# Allow Squid read access to /dev/pf
own     pf      root:squid
perm    pf      0640

Restart devfs:

# /etc/rc.d/devfs restart

Check the new permissions of /dev/pf:

# ls -al /dev/pf
crw-r-----  1 root  squid    0, 108 Oct 26 11:01 /dev/pf

The configuration file (with comments and blank lines stripped) looks like this:

# grep -vE '^#|^;|^$' /usr/local/etc/squid/squid.conf
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 intercept
cache_dir ufs /var/squid/cache/squid 1000 16 256
coredump_dir /var/squid/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
access_log daemon:/var/log/squid/access.log squid
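As an added example (not part of the original post), the following POSIX sh script applies a few static checks to the http_access ordering shown above. `squid -k parse` only validates syntax; it will not tell you that "allow localnet" was placed before the port restrictions or that the final "deny all" is missing. The sample configuration embedded in the script is constructed from the rules above, and the check names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: static checks on the http_access
# ordering of a squid.conf. Every function takes the configuration text as its
# first argument, so the same checks can be run on /usr/local/etc/squid/squid.conf
# with: squid_conf_report "$(cat /usr/local/etc/squid/squid.conf)"

# Constructed sample with the same http_access order as the post's squid.conf.
sample_conf() {
    cat <<'EOF'
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 intercept
EOF
}

# The same config with the two mistakes the checks are meant to catch:
# "allow localnet" moved above the port restrictions and no final "deny all".
broken_conf() {
    sample_conf | awk '
        $0 == "http_access allow localnet"   { next }
        $0 == "http_access deny all"         { next }
        $0 == "http_access deny !Safe_ports" { print "http_access allow localnet" }
        { print }'
}

# Drop comment and blank lines, the same filter the post uses with grep -vE.
conf_lines() {
    printf '%s\n' "$1" | grep -vE '^#|^;|^$'
}

# The last http_access rule must be "deny all": a request matching no rule gets
# the opposite of the last rule, so a trailing "allow" admits unmatched clients.
check_final_deny_all() {
    last=$(conf_lines "$1" | awk '$1 == "http_access" { l = $0 } END { print l }')
    [ "$last" = "http_access deny all" ]
}

# "allow localnet" must come after the Safe_ports and CONNECT deny rules;
# rules are evaluated top down and the first match wins.
check_deny_before_localnet() {
    conf_lines "$1" | awk '
        $1 == "http_access" && $2 == "deny"  && $3 == "!Safe_ports" { safe = NR }
        $1 == "http_access" && $2 == "deny"  && $3 == "CONNECT"     { conn = NR }
        $1 == "http_access" && $2 == "allow" && $3 == "localnet"    { ln = NR }
        END { exit !(safe && conn && ln && safe < ln && conn < ln) }'
}

# The cache manager interface must be denied to everyone but localhost.
check_manager_denied() {
    conf_lines "$1" | awk '
        $1 == "http_access" && $2 == "deny" && $3 == "manager" { n++ }
        END { exit !(n > 0) }'
}

# Squid 3.2 expects a plain forward-proxy http_port next to the intercept one
# (the post uses 3128 and 3129).
check_plain_port_present() {
    conf_lines "$1" | awk '
        $1 == "http_port" && $0 !~ /intercept/ { n++ }
        END { exit !(n > 0) }'
}

# Print one OK/FAIL line per check.
squid_conf_report() {
    for c in check_final_deny_all check_deny_before_localnet \
             check_manager_denied check_plain_port_present; do
        if "$c" "$1"; then echo "OK   $c"; else echo "FAIL $c"; fi
    done
}

# Number of failed checks (0 means the ordering matches the post's intent).
squid_conf_failures() {
    squid_conf_report "$1" | grep -c '^FAIL' || true
}

squid_conf_report "$(sample_conf)"
```

The checks only look at rule order, which is what `squid -k parse` does not cover; they say nothing about whether the localnet ranges themselves are the ones you want.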

Create the cache directory

# mkdir -p /var/squid/cache/squid

Give the directory to the squid user

# chown -R squid:squid /var/squid

Initialize the cache

# squid -z
2012/12/04 14:04:45 kid1| Creating Swap Directories
2012/12/04 14:04:45 kid1| /var/squid/cache/squid exists
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/00
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/01
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/02
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/03
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/04
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/05
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/06
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/07
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/08
2012/12/04 14:04:45 kid1| Making directories in /var/squid/cache/squid/09
2012/12/04 14:04:46 kid1| Making directories in /var/squid/cache/squid/0A
2012/12/04 14:04:46 kid1| Making directories in /var/squid/cache/squid/0B
2012/12/04 14:04:46 kid1| Making directories in /var/squid/cache/squid/0C
2012/12/04 14:04:46 kid1| Making directories in /var/squid/cache/squid/0D
2012/12/04 14:04:46 kid1| Making directories in /var/squid/cache/squid/0E
2012/12/04 14:04:47 kid1| Making directories in /var/squid/cache/squid/0F

Add the line so that squid starts with the system

# echo '# Squid-cache' >> /etc/rc.conf
# echo 'squid_enable="YES"' >> /etc/rc.conf

Check squid.conf for syntax errors

# squid -k parse

Start squid

# /usr/local/etc/rc.d/squid start

Show the squid version and build options

# squid -v

An example for PF on FreeBSD

Put this line in the NAT section of your PF firewall:

# Redirect outgoing WWW requests to squid and allow them, but
# not requests from the LAN to my server
rdr pass on $int_if proto tcp from any to !$int_if port www \
    -> 127.0.0.1 port 3129

To watch squid's browsing log use the command:

# tail -f /var/log/squid/access.log
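As an added example, not part of the original post, the following POSIX sh and awk functions summarize lines in the native "squid" log format that the access_log directive above selects, which is useful for spotting clients that keep getting denied or CONNECT attempts to ports other than 443. The six log lines inside it are constructed to match the post's ACLs (a CONNECT to 8443 and a GET to port 25 are denied), not real traffic; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: summarize Squid's native access.log
# format. Field layout of one native-format line:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
# Every function reads log lines on stdin, so on a live system use e.g.:
#   squid_denied_per_client < /var/log/squid/access.log

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
1354648345.123    125 192.168.1.20 TCP_MISS/200 4512 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1354648346.456     12 192.168.1.20 TCP_HIT/200 2210 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1354648347.001      0 192.168.1.21 TCP_DENIED/403 3671 CONNECT 203.0.113.5:8443 - HIER_NONE/- text/html
1354648348.777    340 192.168.1.22 TCP_MISS/200 910 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1354648349.002      0 192.168.1.21 TCP_DENIED/403 3671 GET http://203.0.113.5:25/ - HIER_NONE/- text/html
1354648350.310     98 192.168.1.20 TCP_MISS/200 7730 GET http://www.example.com/news - HIER_DIRECT/93.184.216.34 text/html
EOF
}

# Number of requests Squid refused (action TCP_DENIED).
squid_denied_count() {
    awk 'index($4, "TCP_DENIED/") == 1 { n++ } END { print n + 0 }'
}

# Requests per client address, "count ip", most active first.
squid_requests_per_client() {
    awk '{ c[$3]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Denied requests per client, to see who is repeatedly blocked by the ACLs.
squid_denied_per_client() {
    awk 'index($4, "TCP_DENIED/") == 1 { c[$3]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# CONNECT requests whose target port is not 443 (the only SSL_ports entry in
# the post's config): prints "client target".
squid_connect_nonssl() {
    awk '$6 == "CONNECT" { split($7, a, ":"); if (a[2] != "443") print $3, $7 }'
}

# Human-readable report over whatever is on stdin.
squid_report() {
    log=$(cat)
    printf 'denied requests: %s\n' "$(printf '%s\n' "$log" | squid_denied_count)"
    printf 'requests per client:\n'
    printf '%s\n' "$log" | squid_requests_per_client
    printf 'denied per client:\n'
    printf '%s\n' "$log" | squid_denied_per_client
    printf 'CONNECT to non-443 ports:\n'
    printf '%s\n' "$log" | squid_connect_nonssl
}

sample_log | squid_report
```

Because the functions read stdin, they can also be fed from `tail -f` for a running summary; the per-client counts are the quickest way to notice a single host generating most of the denied entries.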

To check other things, for example whether squid starts correctly:

# tail -f /var/log/squid/cache.log

The squid service commands are:

# /usr/local/etc/rc.d/squid stop|start|restart|reload

If you want them, the configuration files are here:
Google Drive