SDB:Basic Configuration of a Proxy Server

Version: 8.0

Situation

You want to set up an Internet connection for your local network.

In addition to masquerading and routing as described e.g. in the article SDB:ISDN Gateway for Private Networks in SuSE Linux 8.0 or Higher, you can also set up a proxy server on the router.

The advantage of a proxy server is that no packet from the Internet is given direct access to the local network: TCP connections are handled by the proxy itself, and only the results are passed on to the local network. The proxy also allows a detailed configuration of access rights and logging.
The cache proxies described here are mainly used for accessing the Internet with a web browser. Services like Real Audio, news, or video conferences are not supported. If e-mail traffic is to be routed through the router via SMTP, a Mail Transfer Agent must be set up as well.

Please note that a proxy server is only as secure as its configuration. You should therefore at least use the personal firewall to protect your router from unauthorized access from the Internet.
To do this, insert the following line in the file /etc/sysconfig/personal-firewall:

	REJECT_ALL_INCOMING_CONNECTIONS=< outgoing device >

< outgoing device > is either ippp0 or ppp0t, depending on the connection (ISDN or DSL).
For further information, please refer to the article: SDB:Firewall Activation

Procedure

The professional version of SuSE Linux includes the proxy servers squid and wwwoffle. The following instructions refer to the setup of squid.

Install the package squid from the package group:

	Network/Server

The configuration of squid is included in the file:

	/etc/squid/squid.conf

Most settings can be left at their preset values. To allow access from the clients, only the acl and http_access entries need to be changed. For security reasons, the http_port setting should be adjusted as well.

To do this, search for the following entries in squid.conf:

	acl all src 0.0.0.0/0.0.0.0
	acl manager proto cache_object
	acl localhost src 127.0.0.1/255.255.255.255

and change them to:

	acl all src 0.0.0.0/0.0.0.0
	acl manager proto cache_object
	acl localhost src 127.0.0.1/255.255.255.255
	acl SSL_ports port 443 563
	acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
	acl CONNECT method CONNECT
	acl allowed_hosts src 192.168.10.0/255.255.255.0

In acl allowed_hosts src 192.168.10.0/255.255.255.0, both the network address 192.168.10.0 and the netmask 255.255.255.0 should be replaced with your own.

Then change the entries at:

	http_access allow localhost
	http_access deny all

to:

	http_access allow manager localhost
	http_access deny manager
	http_access allow localhost
	http_access deny !Safe_ports
	http_access deny CONNECT !SSL_ports
	http_access allow allowed_hosts
	http_access deny all

To keep access to the proxy server from the router itself, leave the entry http_access allow localhost in the configuration.
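To see why the order of these http_access lines matters (first match wins, every acl on a line must match, and a leading ! negates an acl), the following added example, which is not part of the original article, evaluates sample requests against the acl and http_access lines given above. The request fields (src, port, method, proto) and the check() helper are assumptions of this example, not squid options.

```python
import ipaddress
# Constructed squid.conf excerpt: the acl and http_access lines the article ends up with.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl allowed_hosts src 192.168.10.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_hosts
http_access deny all
"""

def parse(conf):
    """Collect acl definitions (name -> (type, values)) and http_access rules in file order."""
    acls, rules = {}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":   # dotted netmasks such as 255.255.255.0 are accepted by ip_network
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "port":  # single ports or ranges such as 1025-65535
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    return req[kind] in values  # method / proto acls compare the literal value

def http_access(acls, rules, req):
    """First matching line wins; every acl on the line must match and '!' negates one acl."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last line

ACLS, RULES = parse(SQUID_CONF)

def check(src, port, method="GET", proto="http"):
    return http_access(ACLS, RULES, {"src": src, "port": port, "method": method, "proto": proto})
```

For instance, check("192.168.10.5", 8080, "CONNECT") is denied by the CONNECT !SSL_ports line even though the host is in allowed_hosts, while check("10.0.0.7", 80) falls through to deny all.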

Finally change the entry

	# http_port 3128

to

	http_port < ip-to-internal >:3128

Replace < ip-to-internal > with the IP address of the network card attached to the local network. Assuming this is 192.168.0.1, the entry will look like this:

	http_port 192.168.0.1:3128

The proxy server can now be started as root with the command rcsquid start. If you want the proxy server to be launched automatically at every system startup, set the desired runlevels in the runlevel properties of the YaST2 Control Center under System > Runlevel Editor.

Do not forget to configure your client's web browser for Internet access on your proxy server. To do this, enter the IP address and port from squid.conf's variable http_port in the browser's proxy settings.

Depending on the intended use, it may be advisable to change further default parameters of squid.
For example, you may not want the complete URLs of all visited HTTP pages to be logged. To disable logging altogether, make the following changes:

	cache_access_log /dev/null
	cache_log /dev/null
	cache_store_log none

The Chapter Proxy-Server: Squid in the Administration Manual contains a detailed parameter description.

Please note that the setup of a proxy server exceeds the scope of both the free-of-charge installation support and the Advanced Support Services.