DocNsane Squid Question


Catalyst22
Elite Member
Posts: 3606
Joined: Sep 30th, 2004 at 8:21 pm

DocNsane Squid Question

Postby Catalyst22 » Apr 8th, 2005 at 1:25 am

I'm thinking about building a squid box, and you sound like the linux guru I wish I was :)

I had some basic questions that I thought you might be able to answer faster than I could find them in the documentation.

I understand that you sit your squid box between your router and the internet or between two routers. How do you secure your squid box? Does it set up as some kind of passive port 80/21/22/443 passthru? Are there any security concerns I should have running one? If it is on the far side of my router then my network is not in jeopardy, but I would rather not have to rebuild a config'd squid box that some hacker got into.

I enjoy doing linux but I sure could use someone to call on that has used it in a corporate environment. I got some Unix guys that I call on from time to time, but they aren't very versed in utilizing Unix for web serving or complex security for Linux.

Any help will be appreciated.
“When you have the facts on your side, argue the facts. When you have the law on your side, argue the law. When neither is on your side, change the subject and question the motives of the opposition.”

Burzum
Benefactor
Posts: 4291
Joined: Oct 21st, 2004 at 1:05 pm

Postby Burzum » Apr 8th, 2005 at 8:55 am

At the risk of sounding like a noob...

What is a squid box?
Do not meddle in the affairs of dragons for you are crunchy and taste good with ketchup.

Catalyst22
Elite Member
Posts: 3606
Joined: Sep 30th, 2004 at 8:21 pm

Postby Catalyst22 » Apr 8th, 2005 at 9:26 am

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process.

Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings.

Squid consists of a main server program squid, a Domain Name System lookup program dnsserver, some optional programs for rewriting requests and performing authentication, and some management and client tools. When squid starts up, it spawns a configurable number of dnsserver processes, each of which can perform a single, blocking Domain Name System (DNS) lookup. This reduces the amount of time the cache waits for DNS lookups.


My intent is to run a Squid box with Squid Guard in order to restrict access to specific resources on the interweb and track access from the computers in my pre-k classrooms.

My secondary goal is to force internet access across my DSL connections to be directed thru a proxy server in order to manage access from a central location. Currently I have each Zywall router set up for content filtering. This is a pain, so I'm trying to get more granular on my control. I am teh interweb nazi

Deleted User
*poof*
Posts: 7507
Joined: Jul 13th, 2006 at 3:41 am

Re: DocNsane Squid Question

Postby Deleted User » Apr 8th, 2005 at 2:57 pm

Catalyst22 wrote: How do you secure your squid box?

I've never set up a proxy server, but I'd assume it'd be like running any other server under linux. Do you know if you're going to need to multi-home the box (2 ethernet cards)?

You'll probably just need to set up a firewall and tweak it a bit. In which case, you'll just need to find an easy to use linux firewall script (most likely for iptables if you're using a modern kernel). SuSE linux comes with a decent script as part of the distribution (just edit a straightforward config file and it sets almost everything you need up for you), but there are plenty that come up on google (I've mostly been using SuSE for my firewalls for the last 4 years or so, though, so I'm not too familiar with the multitude of other scripts).

You'll pretty much just want to set things up so that your internal subnet has the ability to connect to the machine but the outside world should only be able to respond to established connections.

Campsalot
Senior Member
Posts: 911
Joined: Jul 20th, 2003 at 7:17 pm

Postby Campsalot » Apr 8th, 2005 at 3:00 pm

I wouldn't run your firewall on your squid box. The firewall should be its own animal, for security reasons.

Deleted User
*poof*
Posts: 7507
Joined: Jul 13th, 2006 at 3:41 am

Postby Deleted User » Apr 8th, 2005 at 3:12 pm

Campsalot wrote: I wouldn't run your firewall on your squid box. The firewall should be its own animal, for security reasons.

Technically true. If you've got a real firewall, just put the squid box behind it and its default-deny stuff should protect the squid box just fine. Or get something cheap and use it to do your firewall/masquerade.

But some people just can't afford the extra boxes/UPS/etc. and most router/firewall combos that come with DSL/etc. just plain suck, so it doesn't hurt to add a firewall to the squid box, since all it really will be is like 3 iptables statements.

Catalyst22
Elite Member
Posts: 3606
Joined: Sep 30th, 2004 at 8:21 pm

Postby Catalyst22 » Apr 8th, 2005 at 6:02 pm

Currently my network allows 0 inbound traffic. I have an external IP on the DMZ port and its own subdomain. This IP hosts my warftp server. I'm thinking what I will prob do is just drop one of my spare zywall 10II's in front of my squid box... However... I may not need any real firewall outside of my Zywall 70 since the Squid box will filter from inside my firewall? For some reason I keep thinking it has to sit between my firewall and the interweb... Actually all I have to do is set up the proxy in server 2k3 to point to my squid box, right? So my existing firewall will suffice and I need not have outside access to the squid.

Deleted User
*poof*
Posts: 7507
Joined: Jul 13th, 2006 at 3:41 am

Postby Deleted User » Apr 11th, 2005 at 5:19 pm

Once again... I've never set up a proxy box, but I can't imagine why the proxy server would require unrequested inbound traffic. So, I imagine that it could sit behind your existing firewall. It should just take internal requests (set your browser/whatever to point to the squid box); then check its cache to see if it already has it, and if not run out and get its own copy that it will forward back to the requesting client.
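The two points the posts above make, that the box only needs to accept connections from the internal subnet while the outside world may only answer connections the box itself opened, and that Squid needs no unrequested inbound traffic at all, come down to a handful of iptables rules plus a Squid access list. The script below is an added example written for this thread, not code from any poster or from the Squid project. It assumes a LAN of 192.168.1.0/24, Squid on its default port 3128, and SSH administration from the LAN only; the function and variable names are mine. Without arguments it prints the rules so they can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example, not code from this thread. Generates (and can apply) the small
# default-deny iptables policy the posts describe: the LAN may open connections
# to the proxy, the outside world may only answer connections the box itself
# started. Also writes a minimal squid.conf access list so Squid itself refuses
# clients that are not on the LAN.
# Assumptions (not from the thread): LAN is 192.168.1.0/24, Squid listens on
# its default port 3128, SSH administration comes only from the LAN.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the firewall as iptables commands, one per line.
# $1 = LAN subnet, $2 = Squid listening port.
squid_fw_rules() {
    lan="$1"
    port="$2"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -A INPUT -s $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "squidbox-drop: "
EOF
}

# Print a minimal squid.conf fragment: only the LAN may use the proxy.
# $1 = LAN subnet, $2 = Squid listening port.
squid_acl_conf() {
    lan="$1"
    port="$2"
    cat <<EOF
http_port $port
acl localnet src $lan
http_access allow localnet
http_access deny all
EOF
}

# Sanity check on a generated rule set: every rule that accepts NEW
# connections must carry a source restriction (-s), so nothing is
# reachable from the internet at large. Returns 0 when the check passes.
rules_new_only_from_source() {
    unrestricted=$(printf '%s\n' "$1" | grep 'state NEW' | grep -vc -- '-s ' || true)
    [ "$unrestricted" -eq 0 ]
}

case "${1:-print}" in
    apply)  # needs root; loads the rules on the live system
        squid_fw_rules "$LAN_NET" "$SQUID_PORT" | sh ;;
    conf)   # print the squid.conf access-list fragment
        squid_acl_conf "$LAN_NET" "$SQUID_PORT" ;;
    *)      # default: just show the iptables commands
        squid_fw_rules "$LAN_NET" "$SQUID_PORT" ;;
esac
```

Running it as `sh squidbox-fw.sh` prints the rules, `sh squidbox-fw.sh conf` prints the Squid access list, and `sh squidbox-fw.sh apply` (as root) loads the rules. The `OUTPUT ACCEPT` policy is what lets Squid fetch pages on the clients' behalf; the `ESTABLISHED,RELATED` rule is what lets those replies back in, which is exactly the "outside world should only be able to respond to established connections" behaviour from the post. The Squid `http_access deny all` line matters even behind a firewall, since a proxy that answers anyone who reaches port 3128 becomes an open relay the moment a rule is mistyped.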

Deleted User
*poof*
Posts: 7507
Joined: Jul 13th, 2006 at 3:41 am

Postby Deleted User » Apr 12th, 2005 at 2:33 pm

hehe... Set up a few of these, and squidguard sucks. :)

Use DansGuardian, http://www.dansguardian.org, it's MUCH MUCH better, and if the box has any power whatsoever, you can also have it filter out viruses and spyware. I set this up at the school system that I used to work at and it works great. Feel free to shoot me Q's in email if you would like, you know how I am a bit lax about checking in the forum all the time. :)

There are multiple ways that you can accomplish what you are wanting, and unfortunately, it's not a lot like most other services in linux - especially if you want the proxy job to be done transparently. I'm happy to help, but to be of much help I would need some more detailed information about your setup and what you want to accomplish. Just let me know.

diamond
I've been deleted!!

DocNsane
Moderator
Posts: 863
Joined: Sep 16th, 2002 at 9:20 pm

Postby DocNsane » Apr 12th, 2005 at 3:15 pm

Due to the lack of my replying, I think it's obvious I have no idea how to set up a squid box. I've never had a need to personally.

Catalyst22
Elite Member
Posts: 3606
Joined: Sep 30th, 2004 at 8:21 pm

Postby Catalyst22 » Apr 12th, 2005 at 3:16 pm

Diamond,

I have a dual P3 733 box running Redhat 9 that is a clean minimal install. It also has 512MB RAM and 3 9GB SCSI drives, RAID 1 + hot spare.

I intend to use this box, but the Squid project is on hold until I get my supermicro server up and running. Still stuck on the Hostname/Kernel patch bug. Hope to have a solution for this soon as I have pulled out all my hair and now keep it in a shoebox next to another shoebox so I can pull it out again and put it in the other shoebox.

pyrox420
Elite Member
Posts: 1147
Joined: Nov 4th, 2004 at 5:42 pm

Postby pyrox420 » Apr 12th, 2005 at 4:39 pm

Diamond wrote: Use DansGuardian, http://www.dansguardian.org, it's MUCH MUCH better, and if the box has any power whatsoever, you can also have it filter out viruses and spyware. I set this up at the school system that I used to work at and it works great. Feel free to shoot me Q's in email if you would like, you know how I am a bit lax about checking in the forum all the time. :)

Quoted for truth. I've set up 3 DansGuardian boxes and it's much better than what you plan on doing. The interface is much nicer too... :)

Catalyst22
Elite Member
Posts: 3606
Joined: Sep 30th, 2004 at 8:21 pm

Postby Catalyst22 » Apr 12th, 2005 at 5:02 pm

I'll use it then :) I just haven't researched it much yet.

Do any of you guys use SuSE? If so, do you know anything about this patch?
http://support.novell.com/cgi-bin/searc ... b9ffa.html

After I apply this security/kernel patch the system no longer sees my SATA drives /dev/sda2

SATA drives, BIOS software RAID.
