Proxy Server How To

Start by installing Arch Linux (or your chosen distribution) onto the hardware you selected. If you are in need of a little assistance with the installation, I recommend using this wiki guide and then setting up yaourt. Once you have completed your standard Linux installation you need to ensure your network is configured properly. In the case of my transparent proxy, I plugged one network port directly into my cable router and allowed it to grab an IP address via DHCP. The second adapter is then given an IP address of your choice (I chose 10.4.20.1; other common IP addresses would be 192.168.x.x).

At this point you will want to test your network configuration. Start with trying to get out to the internet. If this works, plug your secondary network adapter into whatever switch/router you have available. Take your desktop or laptop that's plugged into the same switch and assign it an IP address in your 10.4.20.x range. (For DHCP setups, see below.) You should now be able to ping your new proxy server (10.4.20.1) from your desktop/laptop. As a quick note for the users who only have a wireless cable modem, it is okay to have both interfaces of your proxy server and desktop plugged into the same cable modem hub.

Now that we have the configuration of the network cards complete, we just need to do a quick installation and configuration of Shorewall/Squid. That may sound like a daunting task to the Linux initiate, but this is actually very simple. First go ahead and install both Squid and Shorewall. Arch has both readily available in the package repository (from a command prompt: yaourt -S shorewall squid). If you are not utilizing Arch, you can download the packages manually from www.shorewall.net and www.squid-cache.org.

Whether you installed Arch Linux or another distribution as your base OS, Shorewall has one simple command to get it set up: cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall. (This copies the base two-NIC example to your live Shorewall directory, which saves a lot of manual work.) Make a quick edit to /etc/shorewall/shorewall.conf and change STARTUP_ENABLED to Yes and you now have a functioning Shorewall. The only thing you need to do for Shorewall at this point is add the following rule into the /etc/shorewall/rules file: REDIRECT loc 3128 tcp www. This redirects any TCP traffic from the local zone destined for port 80 (www) to Squid's port 3128 on the proxy itself. Start Shorewall by typing shorewall start from the command line, and add it to your boot process by putting shorewall into the DAEMONS section of /etc/rc.conf.

Now that Shorewall is fully functional and configured, we need to configure Squid. I found a short wiki guide that will assist with the initial set up of Squid. Once you have completed the configuration in the wiki guide, you need to pay close attention to a few configuration settings located in /etc/squid/squid.conf. The cache_mem line should be set to half of the installed RAM on your proxy server. In my case I have 512MB of total memory so I configured cache_mem to 256. The other setting that you need to pay attention to is maximum_object_size. This setting is the maximum file size your proxy will retain. I set my maximum size to 2048MB in order to retain everything up to a CD ISO. Be cautious of using 2048 if you have anything less than a 120GB drive, as your storage space could be gone in a matter of a few days. To get the caching proxy in place and running, the most important line to add is http_port 3128 transparent. The key here is the addition of "transparent", which turns Squid into a caching proxy that won't require any additional configuration on your client PCs.

If you followed all of the directions correctly, you're now ready to configure all the machines on your network with a 10.4.20.x IP address with the gateway set as 10.4.20.1. Don't forget to configure your DNS as well (in /etc/resolv.conf). Now that you have everything fired up, give your new proxy a spin around the internet. If you would like to do a good test, download a decent size file (e.g. larger than 1MB). Once the download is complete, you should be able to download it again a second time and get LAN speeds on the download. If you have multiple computers, use another machine on your network and attempt to download the same file and you should again see LAN download speeds.
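Besides watching download speed, the more reliable way to confirm the second fetch really came from the cache is to look at Squid's access.log, where each request is tagged TCP_MISS (fetched from the origin) or TCP_HIT (served from cache). The script below is an added example, not part of the article: it runs a few awk checks over a constructed sample of Squid's native log format (the client IPs, URL and sizes are made up) and reports hit counts, the overall hit ratio and how many bytes a given URL was served from cache. Point it at the real /var/log/squid/access.log once your proxy is up.

```shell
#!/bin/sh
# Constructed sample of Squid's native access.log format (NOT real data):
#   timestamp elapsed_ms client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG='1273588000.123    245 10.4.20.15 TCP_MISS/200 1048576 GET http://example.com/file.bin - DIRECT/203.0.113.10 application/octet-stream
1273588042.555     12 10.4.20.15 TCP_HIT/200 1048576 GET http://example.com/file.bin - NONE/- application/octet-stream
1273588100.001      9 10.4.20.16 TCP_HIT/200 1048576 GET http://example.com/file.bin - NONE/- application/octet-stream
1273588130.770    310 10.4.20.16 TCP_MISS/200 20480 GET http://example.com/index.html - DIRECT/203.0.113.10 text/html
1273588131.200     40 10.4.20.16 TCP_MISS/404 512 GET http://example.com/missing - DIRECT/203.0.113.10 text/html'

# Number of log lines whose result code begins with the given prefix
# (e.g. TCP_HIT or TCP_MISS). Log lines are read from stdin.
count_status() {
  awk -v p="$1" 'index($4, p) == 1 { n++ } END { print n + 0 }'
}

# Bytes served from cache (any *_HIT result) for one exact URL.
cached_bytes_for_url() {
  awk -v u="$1" '$7 == u && $4 ~ /_HIT\// { b += $5 } END { print b + 0 }'
}

# Overall cache hit ratio as an integer percentage of all requests.
hit_ratio_percent() {
  awk '{ t++ } $4 ~ /_HIT\// { h++ } END { if (t == 0) print 0; else printf "%d\n", (h * 100) / t }'
}

# Distinct client addresses that were served a URL from cache, one per line.
# Seeing a second machine here is the multi-PC test from the article.
cached_clients_for_url() {
  awk -v u="$1" '$7 == u && $4 ~ /_HIT\// && !seen[$3]++ { print $3 }'
}

# Stand-alone run over the constructed sample; replace SAMPLE_LOG with
# `cat /var/log/squid/access.log` on a live proxy.
if [ "${1:-}" = "report" ]; then
  printf '%s\n' "$SAMPLE_LOG" | count_status TCP_HIT  | sed 's/^/hits:   /'
  printf '%s\n' "$SAMPLE_LOG" | count_status TCP_MISS | sed 's/^/misses: /'
  printf '%s\n' "$SAMPLE_LOG" | hit_ratio_percent     | sed 's/^/hit%:   /'
  printf '%s\n' "$SAMPLE_LOG" | cached_bytes_for_url http://example.com/file.bin | sed 's/^/cached bytes (file.bin): /'
fi
```

Run it as `sh squid-cache-check.sh report` (any file name works). A first download of a large file should show up as TCP_MISS followed by TCP_HIT for every later fetch, from the same machine or another one on the 10.4.20.x network; if everything stays TCP_MISS, check that the Shorewall REDIRECT rule is active and that maximum_object_size is larger than the file you are testing with.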

Proxy Server with DHCP

Although I wanted to keep this short and to the point, a common question inevitably comes up: what if you still want to use DHCP? There are a few ways to tackle this issue. If you're lucky enough to have a router/cable modem that will allow you to change what IP addresses it assigns to the network, simply change it over to your new 10.4.20.x subnet and have it assign the gateway of 10.4.20.1. If this is not the case, you will need to disable DHCP on your router and install the DHCP server package (in Arch: pacman -S dhcp). The configuration can be a bit of a hassle, so here's my /etc/dhcpd.conf.

Start the DHCP service on your proxy (/etc/rc.d/dhcpd start) and test DHCP on your desktop/laptop. Assuming all goes well, add dhcpd to your DAEMONS in /etc/rc.conf. If you happen to reboot your Linux box, after a minute or so your proxy should be back up and running.
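The author's own dhcpd.conf is not reproduced on this page, so the following is an added example of how a minimal ISC dhcpd configuration for this setup can be generated, written as a small shell function rather than copied from the article. It assumes the article's 10.4.20.0/24 network with the proxy at 10.4.20.1 as the gateway; the lease range (10.4.20.100 to 10.4.20.200) and the DNS server address are my own choices and should be adjusted to your network (the DNS placeholder must be replaced with your ISP's or router's resolver).

```shell
#!/bin/sh
# Render a minimal ISC dhcpd.conf for the proxy's LAN side.
# Arguments: subnet netmask range_start range_end gateway dns_server
# Every value here is an assumption for the article's 10.4.20.x layout.
render_dhcpd_conf() {
  subnet="$1"; netmask="$2"; start="$3"; end="$4"; gateway="$5"; dns="$6"
  cat <<EOF
# Generated example dhcpd.conf; only this server answers on the LAN.
authoritative;
default-lease-time 86400;
max-lease-time 172800;
ddns-update-style none;

subnet $subnet netmask $netmask {
  range $start $end;
  option routers $gateway;
  option domain-name-servers $dns;
  option broadcast-address $(broadcast_for "$subnet");
}
EOF
}

# Broadcast address for a /24 given its network address (a.b.c.0 -> a.b.c.255).
broadcast_for() {
  printf '%s\n' "$1" | sed 's/\.0$/.255/'
}

# Quick sanity check on a rendered config: the gateway must be the proxy,
# and the lease range must sit inside the declared subnet's first three octets.
check_dhcpd_conf() {
  conf="$1"; gateway="$2"
  prefix="$(printf '%s' "$gateway" | sed 's/\.[0-9]*$//')"
  printf '%s\n' "$conf" | grep -q "option routers $gateway;" || return 1
  printf '%s\n' "$conf" | grep -q "^  range $prefix\.[0-9]* $prefix\.[0-9]*;" || return 1
  return 0
}

# Stand-alone usage: write the file, then review it before starting dhcpd.
if [ "${1:-}" = "write" ]; then
  # DNS_SERVER_PLACEHOLDER: replace with your real resolver (e.g. your ISP's).
  render_dhcpd_conf 10.4.20.0 255.255.255.0 10.4.20.100 10.4.20.200 10.4.20.1 "${2:-DNS_SERVER_PLACEHOLDER}" > dhcpd.conf.example
  check_dhcpd_conf "$(cat dhcpd.conf.example)" 10.4.20.1 && echo "dhcpd.conf.example looks consistent"
fi
```

Run `sh make-dhcpd.sh write 10.4.20.1` if the proxy will also run a caching resolver, or pass your ISP's DNS address instead; copy the result to /etc/dhcpd.conf, make sure dhcpd listens only on the LAN interface (not the one facing your cable modem), and only then start the service as described above.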


96 Comments


  • rahvin - Tuesday, May 11, 2010

    Jetway motherboards can be configured with daughterboards that don't use the PCI slot. One of these daughterboards contains 4 gigabit realtek network interfaces. I'm running this on my linux firewall/router and it works beautifully. The only issue that was an eye catcher was the original 10/100 ethernet on the MB got configured as eth4 after adding the daughterboard which I didn't expect.
  • Zok - Tuesday, May 11, 2010

    Wow. You're right. Jetway AD3RTLANG gives 3 x 10/100/1000. Pair that up with one of their fanless Atom boards with daughterboard support (NF92-270-LF or perhaps the dual-core version) and we might have a winner.
  • Zok - Tuesday, May 11, 2010

    My enthusiasm got the best of me... That does sound pretty slick, but I forgot my other major gripe - 802.11n AP support (dual-band/radio, if possible). Any advancements on this?
  • rahvin - Tuesday, May 11, 2010

    Use the PCI slot to add a PCI wireless card. Most of the Jetway boards come with a PCI expander that tips the PCI slot parallel to the motherboard. With the right case you just add the wireless PCI card (make sure it has FOSS drivers) and you are good to go. Or you can add a PCI card that takes a mini-PCI card and then hook up an external antenna. Or you can do what I did and buy a wireless AP extender that connects via network; they are just the radio and a network interface, so you just run DHCP and services over the network point and everything is automatic (although if you want security like WPA2 you have to run it on the firewall/server, not the AP).
  • JarredWalton - Tuesday, May 11, 2010

    So I've ordered a USB to Ethernet adapter, and when it arrives I'm going to try setting this up on a laptop. The 100Mbit USB-Ethernet will connect to the Internet (since my broadband caps out at under 20Mbit) while the onboard 100/1000Mbit (depending on laptop) will serve the home network. I'll then give this sort of setup a shot using both an Atom netbook and a CULV laptop to see if there's a noticeable performance difference (other than the netbook being limited to 100Mbit).

    As a side note, I plugged my current box into a Kill-A-Watt device this morning to see how much power it's using. The final tally: 125W! Ouch. What's really odd is that using the acpi-cpufreq package didn't help power at all. The initial setup was for performance, with the CPU at 2.40GHz all the time. Changing to the ondemand governor dropped the CPU speed to 1.6GHz, but power draw remained essentially unchanged. (It may have dropped one or two watts on average, but nothing significant.)

    All of that points to the reason I included the comment on the end about old hardware and electricity costs. I thought the box would be closer to 100W, but obviously not. A CULV or Atom netbook on the other hand will get me down to ~10W I think. :-)
  • Zok - Tuesday, May 11, 2010

    I can do that now, with my current router/AP. The downside - I'm not removing any current hardware from my setup, which is my goal.

    In regards to my previous post, I was more concerned with Linux software support for 802.11n in AP mode. Last I checked, it only supported client mode. I'll do some research tonight and see if there have been any advances. It's hard to give up 300 Mbps (MIMO) for 54 Mbps 802.11g or even 130 Mbps ("Plain Jane N").
  • rahvin - Thursday, May 13, 2010

    Is the goal to simply eliminate devices, or are you concerned about power use and flexibility? A mini-ITX platform with 2.5" drives and a wireless card is going to be far more flexible than a router, and it's going to use far less power than both combined. See, the beauty of the home server/firewall on Linux is that you can run so many services that you can't on a router: caching DNS, caching transparent proxy, Samba, email and web filtering and AV scanning, etc. I couldn't use just a router anymore because I would pull my hair out with the limited functionality.
  • dezza - Tuesday, May 11, 2010

    I know you told us you're relatively new to Linux, but I would like you to consider this:

    * A rolling release brings the newest exploits
    * Configs are not specialized for the distribution and configured to work in conjunction (Like Debian)
    * ArchLinux is primarily not a server operating system. I use it as a great workstation and the happiest I've had for years .. (earlier running Debian, Gentoo, etc.), but I've never had any great experiences with it as a server. Most of the server packages do not work out of the box like on Debian.

    I would choose FreeBSD/Debian for a simple proxy.

    Also I would agree that anyone who is tempted to learn Linux starts with discovering ArchLinux and its wiki http://wiki.archlinux.org; there is everything you need to know, and with a good friend by your side or a friendly IRC channel you will be up and running quickly and will not encounter the same problems as people trying out Ubuntu, because you've already learned the hard steps by configuring it yourself. On Ubuntu people always stall on simple small problems and start bumping threads in the forums, simply because they're stuck with a default system looping around in driver problems and Xorg configuration lines.

    Ubuntu ends up in the same place as all other easy distributions. So you can just as well use your time to read a simple step-by-step installation guide like those supplied by Gentoo and ArchLinux and learn much more in a shorter time than you will spend writing on the Ubuntu forums about common problems.
  • JarredWalton - Tuesday, May 11, 2010

    Chris is hardly new to Linux... I'm not even "new" per se -- I used Linux (Red Hat and SuSE, plus the HP boxes at the labs) back in college in the 90s. Chris is a senior Linux engineer/admin/whatever for a major company, so he deals with configuring and running large corporate systems on a daily basis. And he likes Arch. You don't have to update regularly with a rolling release, but it allows you to do so painlessly at any time. I think the bigger reason he likes it is that you can get an Arch install lean and mean. You only install what you feel is necessary and nothing else.
  • dezza - Tuesday, May 11, 2010

    No you don't have to update it, but that will leave exploits open ..

    If you update you have a new risk of newly forged exploits with the rolling release.

    There is a good reason why FreeBSD and Debian devs keep packages for a while .. I would not categorize ArchLinux as suited for servers.
