Welcome to the new location of Alien's Wiki, sharing a single dokuwiki install with the SlackDocs Wiki.
Differences
This shows you the differences between two versions of the page.
slackware:proxy [2006/06/07 18:57] – tinyproxy.conf alien | slackware:proxy [2006/06/08 14:40] – alien | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Transparent Proxy with contentfilter ====== | ====== Transparent Proxy with contentfilter ====== | ||
- | |||
- | **FIXME** UNDER CONSTRUCTION **FIXME** | ||
===== Introduction ===== | ===== Introduction ===== | ||
Line 7: | Line 5: | ||
This article describes the setup of a http proxy chained to a content filter (think " | This article describes the setup of a http proxy chained to a content filter (think " | ||
- | There are many cases, where is not desirable to grant unlimited Internet access to certain groups of people. The most obvious group are children, either at home, or in schools, whom you want to protect from hitting upon too explicit imagery or language. Or perhaps you just want to block certain sites from them.\\ | + | There are many cases, where is not desirable to grant unlimited Internet access to certain groups of people. The most obvious group are children, either at home, in schools |
Other uses for a content-filtering web proxy would be companies that want to limit the accessibility of the Internet facility they allow their employees. Content filtering does not stop at blocking undesirable content - blocking viruses in downloaded materials and malicious HTML code is another form of filtering incoming web traffic.\\ | Other uses for a content-filtering web proxy would be companies that want to limit the accessibility of the Internet facility they allow their employees. Content filtering does not stop at blocking undesirable content - blocking viruses in downloaded materials and malicious HTML code is another form of filtering incoming web traffic.\\ | ||
A web proxy is what you need in this case. The proxy server intercepts all browser requests for web pages, and in co-operation with one or more filtering programs, decides whether the browser will or won't be able to retrieve the full content it was requesting. | A web proxy is what you need in this case. The proxy server intercepts all browser requests for web pages, and in co-operation with one or more filtering programs, decides whether the browser will or won't be able to retrieve the full content it was requesting. | ||
Line 15: | Line 13: | ||
Ideally, you would want a solution where such a filtering proxy server is installed on the Internet Gateway Server, and the desktop computers would not have to be be reconfigured to make use of the proxy. This is called // | Ideally, you would want a solution where such a filtering proxy server is installed on the Internet Gateway Server, and the desktop computers would not have to be be reconfigured to make use of the proxy. This is called // | ||
- | I will show you how you can use [[http:// | + | I will show you how you can use [[http:// |
< | < | ||
+ | |||
+ | <note tip>This article focuses on the configuration of a transparent proxy on a gateway/ | ||
===== How it works ===== | ===== How it works ===== | ||
Line 36: | Line 37: | ||
| | ||
- | The browser request is again routed through the default gateway as in the first picture, only now we have an '' | + | The browser request is again routed through the default gateway as in the first picture, only now we have an '' |
- | < | + | < |
===== Network layout ===== | ===== Network layout ===== | ||
- | For the sake of simplicity, I will assume the proxy server and content filter will be installed on the server that is also acting as the Internet Gateway. This server has two network interfaces, one connecting to your ADSL/Cable router and the other is connected to your internal network.\\ This also means that this server' | + | For the sake of simplicity, I will assume the proxy server and content filter will be installed on the server that is also acting as the Internet Gateway. This server has two network interfaces, one connecting to your ADSL/Cable router and the other is connected to your internal network.\\ This also means that this server' |
The TCPIP configuration of our network will be as follows: | The TCPIP configuration of our network will be as follows: | ||
Line 48: | Line 49: | ||
//Table 1.// __Server:__ | //Table 1.// __Server:__ | ||
^ Interface | ^ Interface | ||
- | | eth0 | dynamic | 10.111.111.129 | + | | eth0 | dynamic | 10.111.111.1 | 255.255.255.128 |
- | | eth1 | static | + | | eth1 | static |
//Table 2.// __Internal Network:__ | //Table 2.// __Internal Network:__ | ||
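Review bot: changing the eth0 address from 10.111.111.129 to 10.111.111.1 is the right fix, because tinyproxy's `Bind 10.111.111.1` directive (in the tinyproxy config further down) must name an address that is actually configured on the external interface, otherwise outgoing connections fail to bind; the table and the config now agree. It would help readers who adapt the addressing to their own network if the text said explicitly that the eth0 address in Table 1 and the `Bind` line have to be changed together.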
Line 128: | Line 129: | ||
===== Configuration ===== | ===== Configuration ===== | ||
- | That was it! Now, it is time to start configuring our proxy server. | + | That was it! Now, it is time to start configuring our proxying service. |
==== tinyproxy config ==== | ==== tinyproxy config ==== | ||
- | This is how the content of the tinyproxy configuration file ''/ | + | The content of the tinyproxy configuration file ''/ |
- | User nobody | + | I entered the domain name for my internal lan //my.net// in this configuration file. If yours is different, please change accordingly.\\ To show you where this differs from the tinyproxy defaults, here is a diff from the original file: <code diff> |
- | Group nogroup | + | |
- | Port 3128 | + | |
- | Listen 127.0.0.1 | + | |
- | Bind 10.111.111.1 | + | |
- | Timeout 600 | + | |
- | DefaultErrorFile "/ | + | |
- | StatFile "/ | + | |
- | Logfile "/ | + | |
- | LogLevel Info | + | |
- | PidFile "/ | + | |
- | XTinyproxy my.net | + | |
- | MaxClients 100 | + | |
- | MinSpareServers 5 | + | |
- | MaxSpareServers 20 | + | |
- | StartServers 10 | + | |
- | MaxRequestsPerChild 0 | + | |
- | Allow 127.0.0.1 | + | |
- | Allow 192.168.1.0/ | + | |
- | ViaProxyName " | + | |
- | ConnectPort 443 | + | |
- | ConnectPort 563 | + | |
- | </ | + | |
diff / | diff / | ||
20c20 | 20c20 | ||
Line 176: | Line 155: | ||
< Allow 192.168.1.0/ | < Allow 192.168.1.0/ | ||
--- | --- | ||
- | > Allow 192.168.1.0/24 | + | > Allow 192.168.2.0/24 |
</ | </ | ||
Port 3128 | Port 3128 | ||
Line 182: | Line 161: | ||
Bind 10.111.111.1 | Bind 10.111.111.1 | ||
Allow 127.0.0.1 | Allow 127.0.0.1 | ||
- | Allow 192.168.1.0/24 | + | Allow 192.168.2.0/24 |
These achieve the following: | These achieve the following: | ||
* make tinyproxy listen on '' | * make tinyproxy listen on '' | ||
* bind to the external interface (IP address '' | * bind to the external interface (IP address '' | ||
- | * allow the localhost (IP address 127.0.0.1, for dansguardian) as well as all the computers in your internal LAN (IP address range 192.168.1.0-192.168.1.255) access -implicitly denying access attempts from any other IP address but those. | + | * allow the localhost (IP address 127.0.0.1, for dansguardian) as well as all the computers in your internal LAN (IP address range 192.168.2.0-192.168.2.255) access -implicitly denying access attempts from any other IP address but those. |
==== dansguardian config ==== | ==== dansguardian config ==== | ||
+ | You will find the content of the dansguardian configuration file ''/ | ||
+ | diff / | ||
+ | 48a50 | ||
+ | > anonymizelogs = off | ||
+ | 74c76 | ||
+ | < filterip = | ||
+ | --- | ||
+ | > filterip = 192.168.2.1 | ||
+ | 97c99 | ||
+ | < accessdeniedaddress = ' | ||
+ | --- | ||
+ | > accessdeniedaddress = ' | ||
+ | </ | ||
+ | filterip = 192.168.2.1 | ||
+ | filterport = 8080 | ||
+ | proxyip = 127.0.0.1 | ||
+ | proxyport = 3128 | ||
+ | They show that dansguardian | ||
+ | * will listen at the // | ||
+ | * will look for a compatible proxy at IP address: | ||
+ | The line | ||
+ | accessdeniedaddress = ' | ||
+ | does not really matter, because in dansguardian' | ||
+ | |||
+ | Of course, there is a lot of fine-tuning possibilities in this configuration file, as well as many others in the ''/ | ||
- | **FIXME** UNDER CONSTRUCTION **FIXME** | ||
===== The iptables firewall ===== | ===== The iptables firewall ===== | ||
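Review bot: correcting `Allow 192.168.1.0/24` to `Allow 192.168.2.0/24` brings tinyproxy in line with dansguardian's `filterip = 192.168.2.1`, but the bullet stating that the LAN computers are allowed access is misleading for the transparent setup: tinyproxy has `Listen 127.0.0.1` and dansguardian hands requests to it via `proxyip = 127.0.0.1` / `proxyport = 3128`, so every connection tinyproxy sees comes from localhost and only the `Allow 127.0.0.1` line is ever exercised; the LAN entry would only matter for clients pointed straight at port 3128, which the `Listen` directive already prevents. Saying so also explains why the filter cannot be sidestepped by talking to tinyproxy directly. Separately, the added `anonymizelogs = off` means client IP addresses are written to dansguardian's access log, which is worth a sentence so that administrators can decide on log retention.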
Line 221: | Line 225: | ||
-j REDIRECT --to-ports 8080 | -j REDIRECT --to-ports 8080 | ||
</ | </ | ||
+ | |||
+ | ===== Starting the programs ===== | ||
+ | |||
+ | If you configured your firewall rules in the file ''/ | ||
+ | if [ -x / | ||
+ | / | ||
+ | fi | ||
+ | </ | ||
+ | if [ -x / | ||
+ | / | ||
+ | fi | ||
+ | |||
+ | # Start dansguardian | ||
+ | if [ -x / | ||
+ | / | ||
+ | fi | ||
+ | </ | ||
+ | Both programs log their actions; to respectively ''/ | ||
+ | |||
+ | That is all there is to it! Now, test your rig by booting a client computer in your LAN and trying out a couple of URLs. I will leave it to your own imagination as to what URLs will be considered // | ||
+ | |||
+ | To stop these programs if you need to, you run < | ||
+ | / | ||
+ | killall -TERM tinyproxy | ||
+ | </ | ||
+ | |||
+ | ===== Adding virus scanning ===== | ||
+ | |||
+ | |||
+ | **FIXME** UNDER CONSTRUCTION **FIXME** | ||
===== Pitfalls ===== | ===== Pitfalls ===== | ||
There might be cases where you don't want transparent proxying. For instance, some applications will not correctly connect through a transparent proxy. The (client side) user agent does not know it passes a proxy, so it possibly will not send correct HTTP headers to the remote server. Most modern browsers are standards-compliant however and will work fine. If your users need Internet Explorer, it must be newer than 5.5_SP1. For those cases where transparent proxying is impossible, you must configure your browsers explicitly to use the proxy. How to do this in a semi-centralized way is described in [[# | There might be cases where you don't want transparent proxying. For instance, some applications will not correctly connect through a transparent proxy. The (client side) user agent does not know it passes a proxy, so it possibly will not send correct HTTP headers to the remote server. Most modern browsers are standards-compliant however and will work fine. If your users need Internet Explorer, it must be newer than 5.5_SP1. For those cases where transparent proxying is impossible, you must configure your browsers explicitly to use the proxy. How to do this in a semi-centralized way is described in [[# | ||
- | |||
===== Manual proxy configuration ===== | ===== Manual proxy configuration ===== | ||
A handy way of browser configuration is the //Proxy Auto-Configuration// | A handy way of browser configuration is the //Proxy Auto-Configuration// | ||
- | You can read more about PAC on the [[http:// | + | You can read more about PAC on the [[http:// |
To give an example, create a file on your Gateway server' | To give an example, create a file on your Gateway server' | ||
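Review bot: the start order in rc.local is correct for the dependency chain (tinyproxy first, then dansguardian, which connects to `proxyip = 127.0.0.1` / `proxyport = 3128`), but the `REDIRECT --to-ports 8080` rule is loaded by the firewall script earlier in the boot sequence, so until dansguardian is listening on `filterip = 192.168.2.1` / `filterport = 8080` redirected client connections are refused rather than passed through. The same holds whenever dansguardian is stopped with the commands at the end of this section: web access from the LAN fails closed instead of falling back to unfiltered access. Stating this explicitly, and perhaps loading the REDIRECT rule only after both daemons are up, would save readers some debugging.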
Line 265: | Line 298: | ||
===== Example configuration files ===== | ===== Example configuration files ===== | ||
+ | |||
+ | ''/ | ||
+ | < | ||
+ | User nobody | ||
+ | Group nogroup | ||
+ | Port 3128 | ||
+ | Listen 127.0.0.1 | ||
+ | Bind 10.111.111.1 | ||
+ | Timeout 600 | ||
+ | DefaultErrorFile "/ | ||
+ | StatFile "/ | ||
+ | Logfile "/ | ||
+ | LogLevel Info | ||
+ | PidFile "/ | ||
+ | XTinyproxy my.net | ||
+ | MaxClients 100 | ||
+ | MinSpareServers 5 | ||
+ | MaxSpareServers 20 | ||
+ | StartServers 10 | ||
+ | MaxRequestsPerChild 0 | ||
+ | Allow 127.0.0.1 | ||
+ | Allow 192.168.2.0/ | ||
+ | ViaProxyName " | ||
+ | ConnectPort 443 | ||
+ | ConnectPort 563 | ||
+ | </ | ||
+ | |||
+ | ''/ | ||
+ | < | ||
+ | reportinglevel = 3 | ||
+ | languagedir = '/ | ||
+ | language = ' | ||
+ | loglevel = 2 | ||
+ | logexceptionhits = on | ||
+ | logfileformat = 1 | ||
+ | anonymizelogs = off | ||
+ | filterip = 192.168.2.1 | ||
+ | filterport = 8080 | ||
+ | proxyip = 127.0.0.1 | ||
+ | proxyport = 3128 | ||
+ | accessdeniedaddress = ' | ||
+ | nonstandarddelimiter = on | ||
+ | usecustombannedimage = 1 | ||
+ | custombannedimagefile = '/ | ||
+ | filtergroups = 1 | ||
+ | filtergroupslist = '/ | ||
+ | bannediplist = '/ | ||
+ | exceptioniplist = '/ | ||
+ | showweightedfound = on | ||
+ | weightedphrasemode = 2 | ||
+ | urlcachenumber = 1000 | ||
+ | urlcacheage = 900 | ||
+ | scancleancache = on | ||
+ | phrasefiltermode = 2 | ||
+ | preservecase = 0 | ||
+ | hexdecodecontent = 0 | ||
+ | forcequicksearch = 0 | ||
+ | reverseaddresslookups = off | ||
+ | reverseclientiplookups = off | ||
+ | logclienthostnames = off | ||
+ | createlistcachefiles = on | ||
+ | maxuploadsize = -1 | ||
+ | maxcontentfiltersize = 256 | ||
+ | maxcontentramcachescansize = 2000 | ||
+ | maxcontentfilecachescansize = 20000 | ||
+ | filecachedir = '/ | ||
+ | deletedownloadedtempfiles = on | ||
+ | initialtrickledelay = 20 | ||
+ | trickledelay = 10 | ||
+ | downloadmanager = '/ | ||
+ | downloadmanager = '/ | ||
+ | contentscannertimeout = 60 | ||
+ | contentscanexceptions = off | ||
+ | recheckreplacedurls = off | ||
+ | forwardedfor = off | ||
+ | usexforwardedfor = off | ||
+ | logconnectionhandlingerrors = on | ||
+ | logchildprocesshandling = off | ||
+ | maxchildren = 120 | ||
+ | minchildren = 8 | ||
+ | minsparechildren = 4 | ||
+ | preforkchildren = 6 | ||
+ | maxsparechildren = 32 | ||
+ | maxagechildren = 500 | ||
+ | maxips = 0 | ||
+ | ipcfilename = '/ | ||
+ | urlipcfilename = '/ | ||
+ | ipipcfilename = '/ | ||
+ | nodaemon = off | ||
+ | nologger = off | ||
+ | logadblocks = off | ||
+ | softrestart = off | ||
+ | mailer = '/ | ||
+ | </ | ||
''/ | ''/ |
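Review bot: in the two example files, dansguardian's `maxchildren = 120` exceeds tinyproxy's `MaxClients 100`; each dansguardian child serving a request opens its own connection to tinyproxy, so under load up to 20 client requests could be refused by tinyproxy while dansguardian still accepts them. Either raise `MaxClients` to at least `maxchildren` or lower `maxchildren`, and mention the relationship in the text. Also, `downloadmanager =` appears twice in dansguardian.conf; the two lines should be checked to reference two different plugin configuration files rather than being an accidental duplicate.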