SDB:Basic Configuration of a Proxy Server
Version: 8.0
Situation
You want to set up an Internet connection for your local network.
In addition to masquerading and routing as described e.g. in the article SDB:ISDN Gateway for Private Networks in SuSE Linux 8.0 or Higher, you can also set up a proxy server on the router.
The advantage of a proxy server is that no packet from the Internet is forwarded into the local network at all: clients open TCP connections to the proxy, the proxy opens its own connections to the Internet, and only the results are handed back to the local network. The proxy also allows a detailed configuration of access rights and logging.
The cache proxies described in this article are mainly used to access the Internet via a web browser (HTTP, and HTTPS tunnelled via CONNECT). Services like RealAudio, news, or video conferencing are not supported. If e-mail traffic is to pass through the router via SMTP, a Mail Transfer Agent must be set up as well.
Please note that a proxy server is only as secure as its configuration. You should therefore at least use the personal firewall to protect the router itself from unauthorized access from the Internet.
To do this, insert the following line in the file /etc/sysconfig/personal-firewall:
REJECT_ALL_INCOMING_CONNECTIONS=<outgoing device>
<outgoing device> is either ippp0 (ISDN) or ppp0 (DSL), depending on the type of connection.
For further information, please refer to the article: SDB:Firewall Activation
Procedure
The professional version of SuSE Linux includes the proxy servers squid and wwwoffle. The following instructions refer to the setup of squid.
Install the package squid from the package group:
Network/Server
The configuration of squid is included in the file:
/etc/squid/squid.conf
Most settings can be left at their preset values. To allow access from the clients, only the entries at acl and http_access must be changed. In addition, for security reasons, http_port should be adjusted so that squid listens only on the internal interface; otherwise the proxy is reachable from the Internet and can be abused as an open proxy.
To do this, search for the following entries in squid.conf:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
and change them to:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl allowed_hosts src 192.168.10.0/255.255.255.0
In acl allowed_hosts src 192.168.10.0/255.255.255.0, replace both the network address 192.168.10.0 and the netmask 255.255.255.0 with those of your own local network. Keep this ACL as narrow as your network; widening it (for example to 0.0.0.0/0.0.0.0) would turn squid into an open proxy.
Then change the entries at:
http_access allow localhost
http_access deny all
to:
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_hosts
http_access deny all
To allow access to the proxy server from the router itself, leave the entry http_access allow localhost in the configuration. Note that squid evaluates the http_access lines from top to bottom and the first matching line decides, so with allow localhost placed above the two deny lines the router itself is exempt from the Safe_ports and SSL_ports checks. If those checks should apply to the router as well, move allow localhost directly above allow allowed_hosts.
Finally change the entry
# http_port 3128
to
http_port <ip-to-internal>:3128
Replace <ip-to-internal> with the IP address of the network card attached to the local network, i.e. the router's address in the internal network. For the example network 192.168.10.0/255.255.255.0 used above this could be 192.168.10.1, giving:
http_port 192.168.10.1:3128
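As an added check (example code written for this page, not part of the SuSE article or of squid itself), the following Python script replays squid's http_access evaluation over the acl/http_access section built above: it parses the lines into ACLs and rules, evaluates a request from top to bottom with the first matching line deciding, and reports which line allows or denies a LAN client, an Internet host, and the router itself. It also shows what changes when allow localhost is moved below the port checks. The sample requests, the Internet address 203.0.113.7, and the helper names (parse_conf, decide, harden_rule_order) are constructed for the example.

```python
import ipaddress

# Constructed sample: the acl/http_access section of squid.conf as the
# article above builds it (the http_port line is not needed for this check).
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl allowed_hosts src 192.168.10.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_hosts
http_access deny all
"""


def parse_conf(text):
    """Return ({acl_name: [(type, values), ...]}, [(action, [terms]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            # several 'acl NAME type ...' lines with the same NAME are merged
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _port_in(values, port):
    for v in values:                       # "80" or "1025-65535"
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    """A request matches an ACL if it matches any of the ACL's value lists."""
    for kind, values in acls[name]:
        if kind == "src":
            addr = ipaddress.ip_address(req["src"])
            # ip_network accepts squid's dotted-netmask form, e.g. 192.168.10.0/255.255.255.0
            if any(addr in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "port" and _port_in(values, req["port"]):
            return True
        elif kind == "method" and req["method"].upper() in {v.upper() for v in values}:
            return True
        elif kind == "proto" and req["proto"] in values:
            return True
    return False


def http_access(acls, rules, req):
    """Squid semantics: terms on one line are ANDed, lines are tried top-down and
    the first matching line decides. If no line matches, the result is the
    opposite of the last line's action."""
    for index, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


ACLS, RULES = parse_conf(SQUID_CONF)


def decide(src, port, method="GET", proto="http", rules=RULES):
    """'allow' or 'deny' for one request (constructed helper, not a squid API)."""
    req = {"src": src, "port": port, "method": method, "proto": proto}
    return http_access(ACLS, rules, req)[0]


def harden_rule_order(rules):
    """Move 'allow localhost' below the port checks so the router itself is no
    longer exempt from the Safe_ports/SSL_ports checks."""
    rules = list(rules)
    line = rules.pop(rules.index(("allow", ["localhost"])))
    rules.insert(rules.index(("allow", ["allowed_hosts"])), line)
    return rules


HARDENED_RULES = harden_rule_order(RULES)

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an Internet host
    for src, port, method in [("192.168.10.5", 80, "GET"), ("203.0.113.7", 80, "GET"),
                              ("192.168.10.5", 22, "GET"), ("192.168.10.5", 443, "CONNECT"),
                              ("192.168.10.5", 8080, "CONNECT"), ("127.0.0.1", 22, "GET")]:
        print(f"{src:>13} {method:7} port {port:5}: article order -> {decide(src, port, method):5}"
              f"  hardened order -> {decide(src, port, method, rules=HARDENED_RULES)}")
```

Running the script shows that a LAN client is allowed for GET on port 80 and CONNECT to 443, denied for port 22 and for CONNECT to 8080, that any Internet source falls through to deny all, and that the router (127.0.0.1) is allowed to reach port 22 under the article's ordering but denied once allow localhost sits below the port checks.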
The proxy server can now be started as root with the command rcsquid start. If you want the proxy server to be launched automatically at every system startup, set the required runlevel in the YaST2 Control Center under System > Runlevel Editor.
Do not forget to configure your client's web browser for Internet access on your proxy server. To do this, enter the IP address and port from squid.conf's variable http_port in the browser's proxy settings.
Depending on the application field, it might be advisable to change additional default parameters for squid.
For example, you might not want the complete URLs of all visited HTTP pages to be logged. Bear in mind, however, that the access log is also what you would consult if the proxy is misused; a shorter retention period is often a better choice than discarding the logs entirely. To disable logging altogether, change the following entries:
cache_access_log /dev/null
cache_log /dev/null
cache_store_log none
The Chapter Proxy-Server: Squid in the Administration Manual contains a detailed parameter description.
Please note that the setup of a proxy server exceeds the scope of both the free-of-charge installation support and the Advanced Support Services.
<keyword>Proxy,squid,wwwoffle,gateway</keyword>