Today, while setting up ip for my internal network, i found out that i have run out of IPs and the internet access was very slow. I ran into a situation called "bottleneck". A situation where a road becomes narrow with heavy traffic. How to speed up this? The answer is proxy server.
On with the theory
Proxy server is a server that can cache visited web pages. Dynamic web pages are not cached. When a client access a website, the proxy server , on behalf of the client access the website and cache it. the next the client or other client wants to connect to the site, the proxy server just give the cached site to the client. Thus reducing the response time from the actual site.
Transparent proxy
In a normal proxy case, you have to set manually for each client to connect to outside. It is not a practical solution if you have a lot of workstations + many apps to connect to the internet. What is more practical solution? The answer is "transparent proxy" and now iptables comes into play.
What you have to do first?
1. Setup a server
OS : Linux (whatever flavor you want)
proxy server : Squid (install the latest one)
utilities : netfilter packages (for iptables)
Squid.conf
Your squid.conf location is dependent on how you install squid package. If u use source code and compile it without tweaking ./configure options, meaning it is in /usr/local/squid/etc. If you use your package manager, it is in /etc. Wherever it is, you have to edit it before you can use it as a transparent proxy.
What to edit
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Please change "lan" to suit your network environment. This file is heavily documented. Please read the comments before you change anything unless you know what you're doing.
I don't want to explain in detail on how to setup linux for your server. Please consult your spesific Linux distribution HOWTOs and FAQs. After you have complete setting up Linux, you should setup SQUID. More information on squid, pls visit http://www.squid-cache.org. squid usually readily packaged for your distro. You should check that first whether you can just install it from CD. If not, you have to download from the link above.
After you have edited squid.conf, this is the iptables command you should run on the proxy server.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128provided that your proxy server is using port 3128. If not, change it accordingly.
8 comments:
bang, nak tanya. kalo tak set kan:-httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
tapi setkan iptables untuk redirect ke port squid sahaja, boleh ke ?
bang.nak tanye , kenape pakai 192.168.1.0/24 ?
kenape tak pakai
192.168.1.0/255.255.255.0 ?
I follow:
http://muhdzamri.blogspot.com/2005/07/setting-up-transparent-proxy-server.html
What to edit:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
is giving me error...
bagaimana menggunakan direktif squid 2.6 yang baru untuk bikin transparent proxy? as from squid 2.6 accel is deprecated?
http://www.debian-administration.org/articles/71#comment_23
setting squid.conf is somewhat too technical for me. any help will be appreciated.
In squid 2.6, you don't need httpd_accel. You need something like this:
http_port ip-proxy:3128 transparent
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Saya baru je involved dlm server proxy nih.. baru tadik setel whitelist.. tp tu lah.. seb bek user skit je.. buatnyer byk, kena gak wat transparent proxy nih.. tp mcm blur2 lah.. mgkn sbb kepenatan memikior camno nk buek nih.. camno ha???
Dah terang kat atas tu. Cuba dulu. Kalau tak jadi, refer dalam log dan buat troubleshoot dulu. Kalau tak boleh jugak bgtahu secara spesifik apa masalahnya.
saya tak cuba lagi.. tp dah tgk kandungan fail squid.conf tu.. takut jugak kalo2 memandai edit kang, tak jalan plak svr tuh.. utk jdkan transparent proxy, item ni yg kena add.. yg len dah ada sama mcm atas...
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
tp bila bca comment org len yg dpt error tu, buat saya tertanya2configuration apa lagi yg sepatutnya mesti betul & boleh berubah2 mengikut keadaan..
Org lain dapat error sebab guna squid version lain. Kdg2 sebab2 lain yg saya sendiri tak tau. So better cuba dulu and kalau ada problem then we can discuss and troubleshoot.
Post a Comment