Proxy servers are between client computers that want to retrieve the information from the Internet and the Internet. The proxy server is on the site of the client computer. The proxy usually has a fixed IP address in the local network and forwards the requests of the client computers that have no ip address on the Internet.
The proxy separates the in-house network from other networks outside. In the better case, the proxy has two network cards and two fixed ip addresses. One ip address belongs (not in these examples ) to the own internal and the other to the external network. It is also possible for one network card to assign two ip addresses from different networks.
Further on the proxy stores the files, retrieved from the Internet. If the same files where requested again, they will be displayed from the cache. As a result, the page on the client appears much faster.
Access to the Internet can be controlled in different ways. For this purpose, here you can see some examples combined. This access can be set by a user name and password via htpasswd, must be installed on the server of the Apache2 web server or at least the ' apache2-utils.
That the user / inside manually have to authenticate to the proxy, is not a disadvantage. In email often are links to load content from the internet when the email is displayed. I do not like that. So I can always decide if I let more data loaded. If I enter username and password the external content is loaded. But the users don't want that. So later on I installed a second proxy, integrated in the windows domain. All users in a specific windows group can use the internet without being asked for unsername and password.
I used:
Debian Squeeze basic installation
+ apache2 Webserver - becaus of managing password. To install the 'apache2-utils' would be enough.
+ mc (to edit files)
+ squid
The procedure is as in Debian Lenny. The order in the squid.conf seems to me to be different.
# apt-get install squid
# apt-get install mc
Password are stored in this file.
# touch /etc/squid/passwd
# chmod 644 /etc/squid/passwd
With chmod 644 /etc/squid/passwd the permissions are set up. 644 were enough in my test environment. Although the password prompt appeared, but the input had no effect. In the alternative, you can try it with less strict permissions.
# chown root:root /etc/squid/passwd
In the terminal enter root htpasswd /etc/squid/passwd username, replace 'username' with a corresponding name. After this you enter the new password twice.
# htpasswd /etc/squid/passwd username
When a username is added ord deletet, you don't need to restart Squid. Just reload the configuration (with /etc/init.d/squid/reload). The access data are queried by the system when requesting access to the Internet.
To delete an access just delete the corresponding line from /etc/squid/passwd an reload the configuration.
You have to create two files. In one file the free accessible websites are listed. In the other file the blocked websites are listed. As entries are possible: IP address, URLs with and without prefix www - depending on the address given.
Example for content in /etc/squid/bad_domains or /etc/squid/good_domains:
123.123.123.123
domainname.de
www.domainname.de
Input:
# touch /etc/squid/bad_domains
# touch /etc/squid/good_domains
# chmod 640 /etc/squid/bad_domains
# chmod 640 /etc/squid/good_domains
In /etc/squid is a file is stored named blocked. It contains only one word in each line which has to be blocken in a word or ab web address.
# touch /etc/squid/blocked
Input
#/etc/squid/blocked
# List of blocked addresses
# List of blocked words
# one word per line
porno
The configuration file is: /etc/squid/squid.conf
Here the customized file. Most of comment lines I have omitted so that almost only activated settings are displayed. Notes are stored in this file.
# WELCOME TO SQUID 2.7.STABLE9
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#
# OPTIONS FOR AUTHENTICATION
#
#Recommended minimum configuration per scheme:
#auth_param negotiate program
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program
### next line added
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
### next line activated
auth_param basic realm Squid proxy-caching web server
### next line activated
auth_param basic credentialsttl 2 hours
### next line acitvated
auth_param basic casesensitive off
# TAG: acl
# Defining an Access List
# Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
### next line - blocked words
acl gesperrt url_regex -i "/etc/squid/gesperrt"
### next line - blocked domaind
acl bad_domains dstdom_regex -i "/etc/squid/bad_domains"
### next line - without authentification accessible domains
acl good_domains dstdom_regex -i "/etc/squid/good_domains"
### next lines - computer which get internet access
### list of computernames an their ip addresses start
acl computer001 src 123.123.123.123/255.255.255.255 # notice
acl computer002 src 124.124.124.124/255.255.255.255 # notice
### list of computernames an their ip addresses end
### next line - activate user authentification
acl AUTHUSERS proxy_auth REQUIRED
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
### use the defition which are defined in the lines above
### to admit or to block acces to the internet
### actiate the list of blocked words
http_access deny blocked
### activate the list of blocked domains
http_access deny bad_domains
### activate the list of free domains
http_access allow good_domains
### activate the list of computers
### defined in the lines above
http_access allow computer001
http_access allow computer002
### list end
### net line - activate access for authenticated users
http_access allow AUTHUSERS
# And finally deny all other access to this proxy
http_access deny all
# TAG: http_port
# Usage: port [options]
# hostname:port [options]
# 1.2.3.4:port [options]
#
# Squid normally listens to port 3128
http_port 3128
# TAG: cache_peer_access
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
#
# cache_peer_access cache-host allow|deny [!]aclname ...
#
# The syntax is identical to 'http_access' and the other lists of
# ACL elements. See the comments for 'http_access' below, or
# the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
#
#Default:
# none
### If neccessary enter an ip address of an proxy which this
### proxy needs to connect to
### not neccessary if this proxy has free internet access
cache_peer 123.123.123.123 parent 8000 0 no-query default
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times. Note: never_direct overrides
# this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
#
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# TAG: never_direct
#Default:
# none
never_direct allow all
# TAG: hosts_file
#Default:
# hosts_file /etc/hosts
#
hosts_file /etc/hosts
If in /etc/squid/squid.conf permissions have been changed you activate them by typingt /etc/init.d/squid reload in the terminal. To restart squid with /etc/init.d/squid restart is not neccessary and would need more time. Connections of the clients to the internet would be broken.
# /etc/init.d/squid reload