Siju George wrote:
On 10/9/07, Lars Noodin <[EMAIL PROTECTED]> wrote:
Tony Bruguier wrote:
...
I would like to install an HTTP proxy.
...

Squid is recommended.  Read the directions carefully and you will have
to make one or two changes to the configuration.

Absolutely. Some folk use apache to proxy; it is in base.


Have squid listen localhost and then tunnel to get to it.


Rubbish. What a piece of nonsense. Ridiculous. Why secure plain http traffic?

Have squid listen on the public interface on the usual port of 3128 and either:

*) use authpf to grant access to the port

OR

*) set up authentication in squid, so your oriental luser has to login to squid. Search for auth_param in /etc/squid/squid.conf and take it from there. Kinda like htaccess for apache.


If you are worried about squid, run it chroot. Easy to do, if anyone wants to know, I'll post back about this.


I make squid listen on 127.0.0.1 port 8080 in the squid configuration
file by editing

==============================
http_port 127.0.0.1:8080
===============================

then in pf.conf I use this redirection rule

=================================================================
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080
=================================================================

Now people on the network will have to configure in their browser the
$int_if IP address and port 8080 for proxy settings.


Rubbish. This is pathetic and displays total ignorance of fundamental networking protocols, esp WPAD: web proxy auto discovery

Have squid listen on the internal interface at the *standard* port of 3128.

Block (return) *all* access from the LAN to the Internet, disable NAT. If you use NAT, what on earth is the point of using an application layer proxy? Permit the LAN to access ports 3128, www, domain, submission, & bootps on your dhcp, squid & mail gateway host, but do not redirect or forward.

If you are going to use an app, be man enough to have it listen on the correct interface. You gain nothing by running it on the loopback and then using a packet filter to redirect packets to it. What a waste of time.



Set up /etc/dhcpd.conf like something like this:

option  domain-name "example.org";
option  domain-name-servers 192.168.1.1;

# http://www.wlug.org.nz/WPAD
# Option 252 carries the WPAD URL. The trailing "\n" is the commonly
# recommended workaround for Windows DHCP clients that mishandle the end
# of the option value.
option option-252       "http://wpad/wpad.dat\n";

#http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch08_:_Configuring_the_DHCP_Server

option  ip-forwarding off;
option  ntp-servers 192.168.1.1;
option  smtp-server 192.168.1.1;
option  www-server 192.168.1.1;

max-lease-time 14400;
default-lease-time 7200;

shared-network LOCAL-NET {

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.1;
                range 192.168.1.50 192.168.1.250;
        }
}




Set up /var/named/master/example.org like this:

$TTL 2D                         ; client caching [RFC 1035]

@       SOA (
        ns                      ; master name server
        hostmaster              ; zone maintainer's email [RFC 2142]
        2007100100              ; serial, todays date + todays serial #
        1D                      ; refresh
        2H                      ; retry
        5W                      ; expire
        2D )                    ; client negative caching [RFC 2308]

        NS      ns
        MX      10      smtp

puffy                   A               192.168.1.1
ns                      A               192.168.1.1
smtp                    A               192.168.1.1
wpad                    CNAME           puffy
ntp                     CNAME           puffy
imap                    CNAME           puffy
wiki                    CNAME           puffy
squid                   CNAME           puffy
localhost               A               127.0.0.1
$GENERATE 50-200        192-168-1-$.dhcp      A       192.168.1.$



Distribute a wpad file to the LAN from apache:


$ ls -l /var/www/users/wpad/{proxy.pac,wpad.dat}
-r--r--r--  1 wpad  wpad  .. /var/www/users/wpad/proxy.pac
lrwxr-xr-x  1 wpad  wpad  .. /var/www/users/wpad/wpad.dat@ -> proxy.pac

$ cat /var/www/users/wpad/wpad.dat
// http://www.wlug.org.nz/WPAD
//http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#dnsDomainIs
// http://www.deckle.co.za/squid-users-guide/Browser_Configuration
//http://homepages.tesco.net/J.deBoynePollard/FGA/web-browser-auto-proxy-configuration.html
// http://nscsysop.hypermart.net/setproxy.html
// http://www.squid-cache.org/Doc/FAQ/FAQ-5.html
function FindProxyForURL(url,host)
{
  if (isInNet(host, "192.168.1.0", "255.255.255.0"))
  {
    return "DIRECT";
  }

  return "PROXY squid:3128";
}


$ cat /var/www/users/wpad/index.html
<html>
  <body>
    <p>
      Set your browser to "Auto detect proxy settings for this network"
    </p>
  </body>
</html>


In /var/www/conf/httpd.conf:

# Name-based virtual hosts need this before the first <VirtualHost *>
NameVirtualHost *

# Default vhost: anything not addressed to this host by name is sent to
# the wpad page. Dots are escaped so the regex matches literally.
<VirtualHost *>
    RewriteEngine   On
    RewriteCond %{HTTP_HOST}  !^puffy\.example\.org$           [NC]
    RewriteCond %{HTTP_HOST}  !^puffy$                         [NC]
    RewriteRule .*            http://wpad.example.org/         [L,R]
</VirtualHost>

<VirtualHost *>
    ServerName wpad.example.org
    ServerAlias wpad
    # Maybe not needed, mainly for old versions of MSIE:
    ServerAlias 192.168.1.1
    DocumentRoot /var/www/users/wpad
    # Browsers expect this MIME type for a PAC file
    AddType application/x-ns-proxy-autoconfig .dat
    AddType application/x-ns-proxy-autoconfig .pac
</VirtualHost>




Start dhcpd, named, & apache, then have the lusers set their browsers to "Auto detect proxy". Job done.

How this works:

1) LAN user starts PC

2) PC boots and gets DNS servers, domain name & option 252 from DHCP.

3) Lusers start browser, try to surf and constantly get a page from apache that says 'Set your browser to "Auto detect proxy settings for this network"'. (You can include some info on how to do this on this page).

4) Luser obeys your instructions.

5) Browser auto detects the settings to use by:

5a) looking up the DNS record for wpad.example.org
5b) browser downloads 1 of these files depending on which browser is in use:
5b i)   http://wpad/wpad.dat
5b ii)  http://wpad.example.org/wpad.dat
5b iii) http://wpad/proxy.pac
5b iv)  http://wpad.example.org/proxy.pac

5c) parses the file for proxies to use.

Your work is done.
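The wpad.dat in the post above decides DIRECT versus PROXY with a single isInNet() call. The block below is an added example, not the poster's file: it supplies a tiny stand-in for the browser's PAC runtime (dnsResolve, isInNet, dnsDomainIs, isPlainHostName) so the decision logic can be exercised offline, and a PAC script in the same style that also handles localhost, unqualified names and the site domain. The FAKE_DNS table and SEARCH_DOMAIN constant are constructed for the example and replace the real resolver; the addresses follow the zone file in the post.

```javascript
// Added example, not the original poster's wpad.dat. A minimal emulation of
// the PAC built-ins plus a PAC script in the style of the one above.

const SEARCH_DOMAIN = "example.org";   // resolver search list handed out by DHCP (assumed)
const IP_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Constructed DNS table standing in for what named answers for the zone.
const FAKE_DNS = {
  "puffy.example.org": "192.168.1.1",
  "squid.example.org": "192.168.1.1",
  "wpad.example.org": "192.168.1.1",
  "wiki.example.org": "192.168.1.1",
  "192-168-1-77.dhcp.example.org": "192.168.1.77",
};

// Dotted quad -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const m = IP_RE.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// PAC built-in: resolve a name to an address, null when it does not resolve.
// Unqualified names get the search domain appended, like a real resolver.
function dnsResolve(host) {
  if (IP_RE.test(host)) return host;
  const fqdn = host.includes(".") ? host : host + "." + SEARCH_DOMAIN;
  return FAKE_DNS[fqdn] || null;
}

// PAC built-in: true when the host (after resolution) lies in pattern/mask.
function isInNet(host, pattern, mask) {
  const addr = ipToInt(dnsResolve(host) || "");
  const net = ipToInt(pattern);
  const m = ipToInt(mask);
  if (addr === null || net === null || m === null) return false;
  return ((addr & m) >>> 0) === ((net & m) >>> 0);
}

// PAC built-ins: a name without dots; a name ending in the given suffix.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// The PAC script itself, as the browser would call it.
function FindProxyForURL(url, host) {
  // Loopback and unqualified names (wpad, squid, puffy) never leave the LAN.
  if (host === "localhost" || host === "127.0.0.1" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // Names in the site domain are decided without a lookup; only the rest
  // pay for the dnsResolve() that isInNet() performs on every call.
  if (dnsDomainIs(host, ".example.org") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else goes through squid. No "; DIRECT" fallback: the packet
  // filter in the post returns direct Internet connections anyway, and a
  // fallback would let the browser bypass the proxy wherever it is not.
  return "PROXY squid:3128";
}
```

The dnsDomainIs() test before isInNet() matters in practice: isInNet() resolves the host name on every call, so a PAC that leads with it does a DNS lookup for every external URL. Also note that a plain "PROXY squid:3128" with no fallback is the right shape for the design in the post, where the LAN cannot reach the Internet except through squid.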

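Step 5 of "How this works" lists the URLs a browser tries. The function below is an added example, not from the post, that builds that candidate list for a client's FQDN: the DHCP option 252 value first when one was received, then the DNS walk (wpad.<each parent domain>/wpad.dat). The security-relevant detail is where the walk stops. Early WPAD clients walked all the way up to wpad.<tld>, so whoever registered that name could hand out a proxy to every client in the TLD. This example stops before any two-label domain (so a host in dept.example.org tries wpad.dept.example.org and wpad.example.org but never wpad.org); that cut-off is a simplification assumed here, and a real client should consult the public suffix list instead, since it does not protect names like example.co.uk.

```javascript
// Added example, not part of the original post: candidate WPAD URLs for a
// client, DHCP first, then the DNS walk with a conservative stop rule.
// wpadCandidates is a name chosen for this example.

function wpadCandidates(clientFqdn, dhcpOption252) {
  const urls = [];
  // DHCP option 252 takes precedence; strip the trailing "\n" that the
  // dhcpd.conf in the post appends for Windows clients.
  if (dhcpOption252) urls.push(dhcpOption252.replace(/\n$/, ""));

  // Drop the host's own label, then walk up through the parent domains.
  // Stop before a domain with only two labels is reached: querying
  // wpad.<tld> would let a stranger outside the site supply the PAC file.
  // (Assumption of the example; real clients use the public suffix list.)
  const labels = clientFqdn.toLowerCase().split(".").filter(Boolean);
  for (let i = 1; labels.length - i >= 2; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}
```

With the DHCP option configured as in the post, the first URL is http://wpad/wpad.dat, which the resolver search list completes to wpad.example.org, so the DNS walk is only a fallback for clients that ignore option 252.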