Overview
Proxy servers operate as an intermediary between a local network and services available on a larger one, such as the Internet. Requests from local clients for Web services can be handled by the proxy server, speeding transactions as well as controlling access. Proxy servers maintain current copies of commonly accessed Web pages, speeding Web access times by eliminating the need to access the original site constantly. They also perform security functions, protecting servers from unauthorized access. Squid is a free, Open Source proxy-caching server for Web clients, designed to speed Internet access and provide security controls for Web servers. It implements a proxy-caching service for Web clients that caches Web pages as users make requests. Copies of Web pages accessed by users are kept in the Squid cache, and as requests are made, Squid checks to see if it has a current copy. If Squid does have a current copy, it returns the copy from its cache instead of querying the original site. If it does not have a current copy, it will retrieve one from the original site. In this way, Web browsers can then use the local Squid cache as a proxy HTTP server. Squid currently handles Web pages supporting the HTTP, FTP, and SSL protocols (Squid cannot be used with FTP clients). Replacement algorithms periodically replace old objects in the cache. You can find out more about Squid at squid.squid-cache.org.
As a proxy, Squid does more than just cache Web objects. It operates as an intermediary between the Web browsers (clients) and the servers they access. Instead of connections being made directly to the server, a client connects to the proxy server. The proxy then relays requests to the Web server. This is useful for situations where a Web server is placed behind a firewall server, protecting it from outside access. The proxy is accessible on the firewall, which can then transfer requests and responses back and forth between the client and the Web server. The design is often used to allow Web servers to operate on protected local networks and still be accessible on the Internet. You can also use a Squid proxy to provide Web access to the Internet by local hosts. Instead of using a gateway providing complete access to the Internet, local hosts can use a proxy to allow them just Web access (see Chapter 5). You can also combine the two, allowing gateway access, but using the proxy server to provide more control for Web access. In addition, the caching capabilities of Squid can provide local hosts with faster Web access.
Technically, you could use a proxy server to simply manage traffic between a Web server and the clients that want to communicate with it, without doing caching at all. Squid combines both capabilities as a proxy-caching server.
Squid also provides security capabilities that let you exercise control over hosts accessing your Web server. You can deny access by certain hosts and allow access by others. Squid also supports the use of encrypted protocols such as SSL (see Chapter 22). Encrypted communications are tunneled (passed through without reading) through the Squid server directly to the Web server.
Squid is supported and distributed under a GNU Public License by the National Laboratory for Applied Network Research (NLANR) at the University of California, San Diego. The work is based on the Harvest Project to create a Web indexing system that included a high-performance cache daemon called cached. You can obtain current source code versions and online documentation from the Squid home page at www.squid-cache.org. The Squid software package consists of the Squid server, a domain name lookup program called dnsserver, an FTP client called ftpget, and a cache manager script called cachemgr.cgi. The dnsserver resolves IP addresses from domain names, and the ftpget program is an FTP client Squid uses to retrieve files from FTP servers. cachemgr.cgi lets you view statistics for the Squid server as it runs.
On Red Hat, you can start, stop, and restart the Squid server using the squid script, as shown here:
service squid restart
You can also set the Squid server to start up automatically using the redhat-config-services tool or chkconfig.
Squid supports both standard proxy caches and transparent caches. With a standard proxy cache, users will need to configure their browsers to specifically access the Squid server. A transparent cache, on the other hand, requires no browser configuration by users. The cache is transparent, allowing access as if it were a normal Web site. Transparent caches are implemented by IPtables using net filtering to intercept requests and direct them to the proxy cache (see Chapter 19).
With a standard proxy cache, users need to specify their proxy server in their Web browser configuration. For this they will need the IP address of the host running the Squid proxy server as well as the port it is using. Proxies usually make use of port 3128. To configure use of a proxy server running on the local sample network described in Chapter 5, you would enter the following. The proxy server is running on turtle.mytrek.com (192.168.0.1) and using port 3128.
192.168.0.1 3128
On Mozilla and Netscape, the user on the sample local network would first select the Proxy panel located in Preferences under the Edit menu. Then, in the Manual proxy configuration’s View panel, enter the previous information. The user will see entries for FTP, Gopher, HTTP, and Security proxies. For standard Web access, enter the IP address in the FTP, Gopher, and Web boxes. For their port boxes, enter 3128.
For GNOME, select Network Proxy in the Preferences menu or window, and for Konqueror on the KDE Desktop, select the Proxies panel on the Preferences | Web Browsing menu window.
Here, you can enter the proxy server address and port numbers.
If your local host is using Internet Explorer (such as a Windows system does), you set the proxy entries in the Local Area Network settings accessible from the Internet Options window.
On Linux or Unix systems, local hosts can set the http_proxy, gopher_proxy and ftp_proxy shell variables to configure access by Linux-supported Web browsers such as lynx. You can place these definitions in your .bash_profile or /etc/profile file to have them automatically defined whenever you log in.
http_proxy=192.168.0.1:3128
ftp_proxy=192.168.0.1:3128
gopher_proxy=192.168.0.1:3128
export http_proxy ftp_proxy gopher_proxy
Before a client on a local host could use the proxy server, access permission would have to be given to it in the server’s squid.conf file, described in the later section “Security.” Access can easily be provided to an entire network. For the sample network used here, you would have to place the following entries in the squid.conf file. These are explained in detail in the following sections.
acl mylan src 192.168.0.0/255.255.255.0
http_access allow mylan
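To see how Squid decides on those two lines, here is an added example (not Squid's own code) that evaluates http_access rules the way Squid documents them: each line ANDs its ACL names, the first matching line wins, and if nothing matches the result is the opposite of the last line's action. It models only src ACLs and the built-in all ACL, which is all the sample squid.conf above needs; the configuration text inside it is constructed for the sample network and adds an explicit deny all after the allow line.

```python
import ipaddress

# Constructed squid.conf fragment for the sample 192.168.0.0/24 network;
# 'all' is Squid's built-in catch-all ACL, so no acl line defines it.
SAMPLE_CONF = """\
# allow only the local network and refuse everyone else explicitly
acl mylan src 192.168.0.0/255.255.255.0
http_access allow mylan
http_access deny all
http_port 3128
"""

def parse_conf(text):
    """Return ({acl_name: [networks]}, [(action, [acl_names]), ...])."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and parts[2] == "src":
            # src values may be a bare address, a CIDR prefix or a dotted netmask
            nets = [ipaddress.ip_network(v, strict=False) for v in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, addr):
    """Match one ACL name (a leading '!' negates it) against a client address."""
    negate = name.startswith("!")
    hit = any(addr in net for net in acls[name.lstrip("!")])
    return hit != negate

def is_allowed(text, client_ip):
    """Decide whether client_ip may use the proxy under the given squid.conf."""
    acls, rules = parse_conf(text)
    addr = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n, addr) for n in names):
            return action == "allow"
    # No line matched: Squid applies the opposite of the last line's action.
    return rules[-1][0] != "allow" if rules else False

if __name__ == "__main__":
    for ip in ("192.168.0.55", "10.0.0.7"):
        print(ip, "allowed" if is_allowed(SAMPLE_CONF, ip) else "denied")
```

Running it shows 192.168.0.55 allowed and 10.0.0.7 denied; the same outcome holds without the deny all line, but the explicit line makes the policy readable and keeps a later allow line from silently becoming the default.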
Tip: Web clients that need to access your Squid server as a standard proxy cache will need to know the server’s address and the port for Squid’s HTTP services, by default 3128.
The Squid configuration file is squid.conf, located in the /etc/squid directory. In the /etc/squid/squid.conf file, you set general options such as ports used, security options controlling access to the server, and cache options for configuring caching operations. You can use a backup version called /etc/squid/squid.conf.default to restore your original defaults. The default version of squid.conf provided with Squid software includes detailed explanations of all standard entries, along with commented default entries. Entries consist of tags that specify different attributes. For example, maximum_object_size and maximum_object set limits on objects transferred.
maximum_object_size 4096 KB
As a proxy, Squid will use certain ports for specific services, such as port 3128 for HTTP services like Web browsers. Default port numbers are already set for Squid. Should you need to use other ports, you can set them in the /etc/squid/squid.conf file. The following entry shows how you would set the Web browser port:
http_port 3128