July 12, 2009 by Ivan
[HowTo] Install and Configure Squid as Transparent Proxy
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
An intercepting proxy (also known as a “transparent proxy”) combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (and often without the client’s knowledge). So the clients never realize it and don’t have to configure their machines to use the proxy, but they are using it.
Install Squid Cache Proxy
I will show you how to install Squid Web Proxy (*only for Ubuntu/Debian):
1. Open up your shell and type this command:
sudo apt-get install squid
2. Finish.
For other OS you can download the binary package here.
Configure Squid Cache Proxy as Transparent Proxy
To configure Squid as a transparent proxy, edit the squid.conf file in /etc/squid/squid.conf as follows:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow localnet
http_reply_access deny all
icp_access allow localnet
icp_access deny all
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr admin@email.com
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname yourdomain.com
icp_port 3130
always_direct allow all
forwarded_for off
coredump_dir /var/spool/squid
The most important line is
“http_port 8080 transparent”: this line makes Squid run as a transparent proxy on port 8080 (the default is 3128). Later you will edit the iptables rules to redirect every client web request through this port.
Note: this setting is for Squid v2.6 or v2.7. In later versions such as Squid v3.1 the “transparent” option is deprecated; use the “intercept” option instead.
There are many other things Squid can do, like limiting download speed for certain IPs, denying some “time wasting” sites, denying some ports, denying downloads of certain files during certain hours, and many more cases you can name. So take your time to read the documentation guide here.
Configure Iptables
To make Squid act as the transparent proxy (the “man in the middle”), you need to configure iptables. I got this script (from nixCraft, see the URL in its header) to help you. Note that it sets SQUID_PORT to the default 3128; change it to 8080 to match the http_port line in the squid.conf above:
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
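The squid.conf above listens on 8080 while the iptables script ships with SQUID_PORT=3128, and that mismatch is the most common reason the proxy silently stays non-transparent. The following POSIX sh script is an added example (not part of the original post or of nixCraft’s script): it reads the intercept port out of a squid.conf, reads SQUID_PORT out of the iptables script, checks that they agree, and checks that the http_access rules end in “deny all”. The two sample files it writes are constructed to mirror the post; the function names are my own.

```shell
#!/bin/sh
# Added example: cross-check squid.conf against the iptables script before
# applying either. All function and file names here are assumptions.

# Print the port from the first http_port line that carries the
# "transparent" (Squid 2.6/2.7) or "intercept" (Squid 3.1+) option.
# Handles both "http_port 8080 transparent" and "http_port 192.168.1.1:8080 intercept".
squid_intercept_port() {
    awk '$1 == "http_port" {
            for (i = 3; i <= NF; i++)
                if ($i == "transparent" || $i == "intercept") {
                    p = $2; sub(/^.*:/, "", p); print p; exit
                }
         }' "$1"
}

# Print the SQUID_PORT value assigned in the iptables script (quotes stripped).
iptables_squid_port() {
    sed -n 's/^SQUID_PORT="\{0,1\}\([0-9]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Print "yes" when the last http_access rule is "deny all", so that anything
# not explicitly allowed (hosts outside localnet, for example) is refused.
squid_final_deny() {
    awk '$1 == "http_access" { last = $2 " " $3 }
         END { if (last == "deny all") print "yes"; else print "no" }' "$1"
}

# Return 0 when squid.conf ($1) and the iptables script ($2) agree on the port.
check_consistency() {
    sp=$(squid_intercept_port "$1")
    ip=$(iptables_squid_port "$2")
    [ -n "$sp" ] || { echo "no transparent/intercept http_port in $1"; return 1; }
    [ "$sp" = "$ip" ] || { echo "port mismatch: squid.conf=$sp iptables SQUID_PORT=$ip"; return 1; }
    echo "ok: both use port $sp"
}

# Constructed samples: squid.conf on 8080 (as in the post), the script on 3128
# (as shipped) and a corrected copy on 8080.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/squid.conf" <<'EOF'
acl localnet src 192.168.1.0/24
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080 transparent
EOF
cat > "$SAMPLE_DIR/iptables-shipped.sh" <<'EOF'
SQUID_SERVER="192.168.1.1"
SQUID_PORT="3128"
EOF
cat > "$SAMPLE_DIR/iptables-fixed.sh" <<'EOF'
SQUID_SERVER="192.168.1.1"
SQUID_PORT="8080"
EOF

# Stand-alone run: the shipped script fails the check, the fixed one passes.
check_consistency "$SAMPLE_DIR/squid.conf" "$SAMPLE_DIR/iptables-shipped.sh" || true
check_consistency "$SAMPLE_DIR/squid.conf" "$SAMPLE_DIR/iptables-fixed.sh" || true
echo "final deny all: $(squid_final_deny "$SAMPLE_DIR/squid.conf")"
```

Run it against the real files with `check_consistency /etc/squid/squid.conf /path/to/iptables.sh` before running the iptables script; it reports the mismatch instead of letting the DNAT rule send traffic to a port Squid is not listening on.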
Okay, that’s all of it. If you like it please leave me a comment.
Hi,
I’m configuring my iptables and squid proxy like yours. But it can’t be transparent, sorry for my English.
I have two ethernet cards and eth1 > internet, eth0 > LAN.
I configured them for my network but it is still running as a normal proxy, not transparent.
Please help, and so thanks!
Hi Emre, there are some points you need to configure:
1. Please be sure this line is in your squid.conf
“http_port 8080 transparent” (without quotes); that means you run squid on port 8080 as transparent.
2. You need to configure the iptables script:
SQUID_SERVER="192.168.1.1" => your squid’s IP
INTERNET="eth0" => your ethernet that goes to the internet
LAN_IN="eth1" => your ethernet that goes to your network
SQUID_PORT="3128" => the squid’s port; 3128 is the default squid port, for my example use 8080
Hope this helps you. Cheers.
Ivan
how can i install anonymous proxy….
please help me with my config….
please make complete tutorial…
or just email me…
Hi Kevin,
To install squid as anonymous proxy,
you can do the following:
1. disable all logs, edit your squid.conf to:
access_log none
cache_store_log none
2. you need to have a public IP and allow any IP you like, edit the squid.conf:
acl IPALLOW 210.83.0.0/19 (Note: you can add as many IPs as you like here)
http_access allow IPALLOW
http_access deny all
3. Then you need to edit this line in squid.conf:
visible_hostname
4. restart your squid.
How do I connect(physical) the transparent proxy server in my network? I have a DSL modem and a LinkSys wireless router.
If you have a router with squid transparent proxy installed, just point your computer’s gateway and DNS to your router IP.
Hi all,
Can someone give me the configuration guide to make a Squid transparent proxy in Vista OS. I have tried but not succeeded.
Please guide me the Ethernet configuration(iptables script) on Vista also.
My network: DNS Modem –> [T-Proxy] –> Switch –> Client machines
Thanks in advance,
Siva
Hi,
Can someone give the configuration steps of Squid Transparent proxy in Vista.
I have tried, but not able to succeed. Please give the ethernet NIC (iptable similar for Win) configuration info for Vista.
Thanks in advance,
Siva
Hi Siva,
I haven’t tried it yet. But why do you want to make your Vista machine a cache server? Isn’t that wasting too many resources?
Thanks for the reply..! Yes you are right. I changed my plan now.
Could you please tell me, can we install Squid Transparent proxy in “CentOS” if yes, please tell me which version I should download and configure.
Note: All my clients are running Vista. Guide me in IP setting also, we’ve one DNS Static IP.
My Network: DNS Modem –> [T-Proxy server] –> Switch –> Client machines
Please aid me in the Ethernet card configuration.
Hi Siva,
Just follow my guide in this article; it also works for CentOS.
But replace the command “apt-get install squid” with “yum install squid” (without quotes). It will install squid v2.6 STABLE21.
And the rest of the configuration is the same.
Good luck.
Ivan, I have done all the configuration, but my Squid access.log is not populating.
And tell me do i need to configure DHCP in my squid server?
You don’t need to configure DHCP in your squid.
Did you miss iptables config?
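An empty access.log usually means one of three things is missing: IP forwarding, the nat PREROUTING redirect, or Squid not listening on the port the redirect points at. The script below is an added example (not from the original post): each check is a function that takes the captured text of the relevant command as an argument, so it can be exercised offline against the constructed samples embedded here, and `run_live` shows how to feed it the real output on the proxy box. Function names and the sample data are my own.

```shell
#!/bin/sh
# Added example: diagnose a non-working transparent Squid setup from three
# pieces of captured output. All names and samples here are assumptions.

# True when the content of /proc/sys/net/ipv4/ip_forward is "1".
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# True when an "iptables -t nat -S PREROUTING" dump ($1) sends port 80 to
# port $2, either by REDIRECT (same box) or DNAT (separate proxy host).
nat_redirects_port80() {
    printf '%s\n' "$1" |
    grep -E -- "--dport 80 .*-j (REDIRECT --to-ports $2|DNAT --to-destination [0-9.]+:$2)" >/dev/null
}

# True when an "ss -ltn" listing ($1) shows a TCP listener on port $2.
# The local address is column 4 ("0.0.0.0:8080", "*:8080" or "[::]:8080").
squid_listening() {
    printf '%s\n' "$1" |
    awk -v p="$2" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                    END { exit found ? 0 : 1 }'
}

# Count access.log lines (Squid native format, client IP in column 3)
# whose client address starts with the LAN prefix $2.
count_client_hits() {
    printf '%s\n' "$1" | awk -v net="$2" 'index($3, net) == 1 { c++ } END { print c + 0 }'
}

# Run all checks; print one line per check and return the number of failures.
diagnose() {
    fwd=$1; nat=$2; ss=$3; log=$4; port=$5; lan=$6; fails=0
    forwarding_enabled "$fwd"          && echo "ok   ip_forward=1"         || { echo "FAIL ip_forward is not 1"; fails=$((fails+1)); }
    nat_redirects_port80 "$nat" "$port" && echo "ok   port 80 -> $port"     || { echo "FAIL no nat rule sending port 80 to $port"; fails=$((fails+1)); }
    squid_listening "$ss" "$port"       && echo "ok   listener on $port"   || { echo "FAIL nothing listening on $port"; fails=$((fails+1)); }
    echo "info $(count_client_hits "$log" "$lan") access.log lines from $lan*"
    return $fails
}

# On the proxy box itself (as root): gather the live output and diagnose.
run_live() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" \
             "$(iptables -t nat -S PREROUTING 2>/dev/null)" \
             "$(ss -ltn 2>/dev/null)" \
             "$(tail -n 1000 /var/log/squid/access.log 2>/dev/null)" "$1" "$2"
}

# Constructed samples: rule and listener on 8080, two LAN requests logged.
NAT_SAMPLE='-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080'
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080     0.0.0.0:*
LISTEN 0      128    127.0.0.1:3130   0.0.0.0:*'
LOG_SAMPLE='1247380000.123     45 192.168.1.50 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/198.51.100.10 text/html
1247380001.456     12 192.168.1.51 TCP_HIT/200 987 GET http://www.example.com/logo.png - NONE/- image/png'

# Stand-alone run against the samples (port 8080, LAN 192.168.1.0/24).
diagnose "1" "$NAT_SAMPLE" "$SS_SAMPLE" "$LOG_SAMPLE" 8080 192.168.1. || true
```

Usage on the server: `run_live 8080 192.168.1.`. If the nat check fails, the iptables script was not run (or was run with the wrong SQUID_PORT); if the listener check fails, Squid is not running or http_port does not match; if both pass but the hit count stays at zero, the clients are not using the proxy box as their gateway.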
Hi,
Thanks for info…
My current setup is
my two desktop machines gateway is CISCO PIX (IP 192.168.10.1) & DNS is my AD & DNS Server (192.168.10.10).. Currently I am running squid with manual proxy configuration….for squid as transparent proxy is it required to add rules on PIX firewall? to forward port 80 traffic to squid port 3128.. or is it required to change gateway of my all desktop machines to Squid proxy server IP? (192.168.10.20) please suggest…thanks in advance..
is it ok if I use eth0 & eth1 password from same subnet (e.g 192.168.10.5 & 192.168.10.6 for eth0 & eth1 respectively) for squid transparent proxy)
is it ok if I use eth0 & eth1 IP Address from same the subnet (e.g 192.168.10.5 & 192.168.10.6 for eth0 & eth1 respectively) for squid transparent proxy)
No, I ran it, but I don’t know how to check it out… Can you please give me the configurations for squid as well as iptables.
I do not know how to trace the issue when it’s not working.
My Server eth0= 192.168.1.21 (From Modem) eth1= 192.168.2.31 (To LAN N/W)
Guide me; no problem if I need to change the IPs also.
Hi Santy,
Actually I don’t understand your network structure.
Can you explain it more clearly?
And yes, to run squid as transparent proxy you need to edit the rules in iptables. I provided that in my post.
Put that in rc.local so every time your server boots it will automatically be configured.
Hi Siva,
in the squid.conf please change
acl localnet src 192.168.1.0/24
To
acl localnet src 192.168.2.0/24
and in iptables config change to:
SQUID_SERVER="192.168.1.21"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="8080"
Restart squid and run the script.
Please point all of your client computers’ gateway to 192.168.2.31
Cheers
Thanks a lot….!! I did as you said, now it’s working perfectly.
[Cheers]
Ivan, presently I don’t have control over the client machines (like customer-owned PCs). Can I achieve this gateway setup through DHCP..? If yes, please guide me in the DHCP configuration.
Thanks again..!!
Yes, you should use DHCP instead. Later i will make an article how to install a DHCP server.
Ivan, please help me with this if you can. I have done all of it, even reporting through the SARG app. The issue is, I can only view client host IP addresses in my report. Is there any possibility to see the client host name instead of the IP address in the SARG report?
Like changing the Squid access.log format to log the remote HOST NAME instead of the IP address..!
Thanks in advance…!!
I’m sorry Siva, I don’t use the SARG app. So I don’t know about it.
But I’m using my own report, by watching the continuous log from squid. I published the article on my blog at http://www.ivankristianto.com/2009/07/tips-show-squid-log-continuously-squid-web-proxy/
Hope you like it.
Thanks.
hi dear, i’m using centos 5.3 & squid 2.6, so can u help me with transparent squid? i got a yahoo problem with this, so help me make it work properly. plz mail me on this id whois_thebest2001@yahoo.com
plz help
Hi Ashar,
What is the problem?
Please follow my guide step by step. It will work.
I’m using CentOS 5.1 with Squid 2.6. And it has been running for 2 years now.
Cheers.
Is it possible to implement transparent proxy for https? I know it is not allowed because it will be a ‘man-in-the-middle attack’. Any options to allow https accesses through transparent proxy? Any help will be appreciated.
Thanks a lot in advance.
-RB
I saved the file as iptable.sh
Then I ran:
root@cembeliq-laptop:/home/cembeliq/Documents# ./iptable.sh
1
./iptable.sh: 28: gt: not found
./iptable.sh: 28: /proc/sys/net/ipv4/ip_forward: Permission denied
Any solution for this?
Hi cembeliq,
Please change “&gt;” to “>” without quotes,
and save.
It will run now.
Thanks
yeah.. i finally got it
thank Mr. Ivan..
Mr. Ivan, I have 2 ADSL lines; how do I add the second line in your script? LAN is eth0, modem 1 = eth1, modem 2 = eth2. Please send to my email. thx
best regards
andre
nseshop@gmail.com
Hi Andre,
why do you need 2 modems?
I don’t know how to set up the script for your architecture.
If anyone know that, please share it with us here.
thanks.