Proxy Server How To

Start by installing Arch Linux (or your chosen distribution) onto the hardware you selected. If you need a little assistance with the installation, I recommend using this wiki guide and then setting up yaourt. Once you have completed your standard Linux installation you need to ensure your network is configured properly. In the case of my transparent proxy, I plugged one network port (the WAN side) directly into my cable router and allowed it to grab an IP address via DHCP. The second adapter (the LAN side) is then given a static IP address of your choice from a private range (I chose 10.4.20.1; 192.168.x.x addresses are the other common choice).

At this point you will want to test your network configuration. Start by trying to get out to the internet from the proxy box itself. If this works, plug your secondary network adapter into whatever switch/router you have available. Take your desktop or laptop that's plugged into the same switch and assign it an IP address in your 10.4.20.x range. (For DHCP setups, see below.) You should now be able to ping your new proxy server (10.4.20.1) from your desktop/laptop. As a quick note for the users who only have a wireless cable modem, it is okay to have both interfaces of your proxy server and your desktop plugged into the same cable modem hub for this test. Be aware, though, that this puts the WAN and LAN interfaces on the same network segment: a client that picks up an address from the modem's own DHCP instead of your 10.4.20.x range will talk to the modem directly and bypass both the firewall and the proxy.

Now that we have the configuration of the network cards complete, we just need to do a quick installation and configuration of Shorewall (a front end that generates the iptables firewall and NAT rules) and Squid (the caching proxy). That may sound like a daunting task to the Linux initiate, but this is actually very simple. First go ahead and install both Squid and Shorewall. Arch has both readily available in the package repository (from a command prompt: yaourt -S shorewall squid). If you are not utilizing Arch, you can download the packages manually from www.shorewall.net and www.squid-cache.org.

Whether you installed Arch Linux or another distribution as your base OS, Shorewall has one simple command to get it set up: cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall. (This copies the base two-NIC example to your live Shorewall directory, which saves a lot of manual work; check that the interface names in /etc/shorewall/interfaces match your WAN and LAN adapters, and review /etc/shorewall/policy, which in the sample allows the loc zone out to net and drops unsolicited traffic arriving from net.) Make a quick edit to /etc/shorewall/shorewall.conf and change STARTUP_ENABLED to Yes and you now have a functioning Shorewall. The only thing you need to do for Shorewall at this point is add the following rule to the /etc/shorewall/rules file: REDIRECT loc 3128 tcp www. This silently redirects TCP port 80 (www) traffic from the LAN zone to Squid on port 3128; note that only port 80 is intercepted, so HTTPS and anything on other ports passes straight through the firewall uncached. Run shorewall check to validate the configuration, start Shorewall by typing shorewall start from the command line, and add it to your boot process by putting shorewall into the DAEMONS section of /etc/rc.conf.

Now that Shorewall is fully functional and configured, we need to configure Squid. I found a short wiki guide that will assist with the initial set up of Squid. Once you have completed the configuration in the wiki guide, you need to pay close attention to a few configuration settings located in /etc/squid/squid.conf. The cache_mem line should be set to about half of the installed RAM on your proxy server. In my case I have 512MB of total memory so I configured cache_mem 256 MB. (cache_mem only covers the in-memory object cache; Squid's own process overhead comes on top of it, so don't go higher than this on a small box.) The other setting that you need to pay attention to is maximum_object_size. This is the largest single object your proxy will retain. I set my maximum size to 2048 MB in order to retain everything up to a CD ISO. Be cautious of using 2048 if you have anything less than a 120GB drive, as your storage space could be gone in a matter of days; the total amount of disk Squid may use is set separately by the size argument on the cache_dir line, so make sure that figure fits the drive. To get the caching proxy in place and running, the most important line to add is http_port 3128 transparent. The key here is the addition of "transparent", which turns Squid into an intercepting caching proxy that won't require any additional configuration on your client PCs. (Newer Squid releases, 3.1 and later, use the keyword intercept in place of transparent.) Finally, confirm that your http_access rules only allow your own LAN range (an acl such as acl localnet src 10.4.20.0/24 followed by http_access allow localnet, with http_access deny all at the end). Squid itself will refuse anything else, and Shorewall's sample policy keeps port 3128 unreachable from the net side, so you do not end up running an open proxy.

If you followed all of the directions correctly, you're now ready to configure all the machines on your network with a 10.4.20.x IP address with the gateway set as 10.4.20.1. Don't forget to configure your DNS as well (in /etc/resolv.conf on Linux clients). Now that you have everything fired up, give your new proxy a spin around the internet. If you would like to do a good test, download a decent size file (i.e. larger than 1MB) over plain HTTP. Once the download is complete, you should be able to download it again a second time and get LAN speeds on the download. If you have multiple computers, use another machine on your network and attempt to download the same file and you should again see LAN download speeds. The corresponding entries in /var/log/squid/access.log should show TCP_MISS for the first fetch and TCP_HIT for the repeats.
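The "download it twice" test above is easier to judge from the proxy than from a progress bar. The following POSIX shell script is an added example, not code from the original article: it summarises cache hits, misses and denied requests from Squid's access.log, assuming the default native log format (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type) and the usual log path of /var/log/squid/access.log. The log lines it writes when run without an argument are constructed for illustration, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the original article: summarise cache hits and
# misses from Squid's access.log so the "download it twice" test can be
# confirmed from the proxy instead of guessed from download speed.
# Assumes the default native log format:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# Usage: sh squid-hits.sh /var/log/squid/access.log
#        (with no argument it writes and analyses a constructed sample log)

# Write a constructed sample log (illustrative lines, not real traffic):
# one client fetches an ISO twice, a second client gets it from cache,
# and a third client outside the allowed range is denied.
write_sample_log() {
    cat > "$1" <<'EOF'
1273600000.123    245 10.4.20.50 TCP_MISS/200 1048576 GET http://example.com/big.iso - DIRECT/93.184.216.34 application/octet-stream
1273600010.456     12 10.4.20.50 TCP_HIT/200 1048576 GET http://example.com/big.iso - NONE/- application/octet-stream
1273600020.789      9 10.4.20.51 TCP_HIT/200 1048576 GET http://example.com/big.iso - NONE/- application/octet-stream
1273600030.001    180 10.4.20.51 TCP_MISS/200 20480 GET http://example.org/index.html - DIRECT/93.184.216.35 text/html
1273600040.002      3 10.4.20.52 TCP_DENIED/403 3521 GET http://example.org/index.html - NONE/- text/html
EOF
}

# Entries served from cache: any result code containing HIT
# (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...). Field 4 is code/status.
cache_hits() {
    awk '$4 ~ /HIT/ { n++ } END { print n + 0 }' "$1"
}

# Entries fetched from the origin server: any code containing MISS.
cache_misses() {
    awk '$4 ~ /MISS/ { n++ } END { print n + 0 }' "$1"
}

# Requests Squid refused (TCP_DENIED). With an intercepting proxy these are
# clients your http_access rules rejected, so a sudden rise is worth a look.
denied_requests() {
    awk '$4 ~ /DENIED/ { n++ } END { print n + 0 }' "$1"
}

# Bytes that did not have to cross the cable modem (field 5 of hit entries).
bytes_from_cache() {
    awk '$4 ~ /HIT/ { b += $5 } END { print b + 0 }' "$1"
}

# Hit rate in whole percent over hits + misses (denied and other codes excluded).
hit_rate_percent() {
    awk '$4 ~ /HIT/ { h++ } $4 ~ /MISS/ { m++ }
         END { if (h + m == 0) print 0; else printf "%d\n", (100 * h) / (h + m) }' "$1"
}

# Per-client breakdown, one line per LAN address (field 3), sorted.
per_client_summary() {
    awk '{ c = $3; seen[c] = 1
           if ($4 ~ /HIT/) h[c]++; else if ($4 ~ /MISS/) m[c]++; else o[c]++ }
         END { for (c in seen)
                   printf "%s hits=%d misses=%d other=%d\n", c, h[c] + 0, m[c] + 0, o[c] + 0 }' "$1" | sort
}

LOG="${1:-}"
if [ -z "$LOG" ]; then
    LOG="${TMPDIR:-/tmp}/squid-access-sample.$$"
    write_sample_log "$LOG"
fi

echo "hits:        $(cache_hits "$LOG")"
echo "misses:      $(cache_misses "$LOG")"
echo "denied:      $(denied_requests "$LOG")"
echo "hit rate:    $(hit_rate_percent "$LOG")%"
echo "from cache:  $(bytes_from_cache "$LOG") bytes"
per_client_summary "$LOG"
```

Run it against the real log after the two downloads and you should see the second fetch counted as a hit and the file size appear under "from cache"; if every entry is a miss, the Shorewall REDIRECT rule or the transparent http_port line is not taking effect, and if your own clients show up as denied, the http_access ACLs do not cover your 10.4.20.x range.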

Proxy Server with DHCP

Although I wanted to keep this short and to the point, a common question inevitably comes up: what if you still want to use DHCP? There are a few ways to tackle this issue. If you're lucky enough to have a router/cable modem that will allow you to change what IP addresses it assigns to the network, simply change it over to your new 10.4.20.x subnet and have it hand out 10.4.20.1 as the gateway. If this is not the case, you will need to disable DHCP on your router (two DHCP servers answering on the same network will hand out competing leases) and install the DHCP server package (in Arch: pacman -S dhcp). Make sure dhcpd listens only on the LAN interface, not on the adapter facing your cable modem. The configuration can be a bit of a hassle, so here's my /etc/dhcpd.conf.

Start the DHCP service on your proxy (/etc/rc.d/dhcpd start) and test DHCP on your desktop/laptop. Assuming all goes well, add dhcpd to your DAEMONS in /etc/rc.conf. If you happen to reboot your Linux box, after a minute or so your proxy should be back up and running.


96 Comments


  • SquattingDog - Tuesday, May 11, 2010 - link

    This is a great article, and comes in a very timely fashion, as I am looking to set something like this up in our flat. We have a 20GB monthly cap, and need to distribute the per-GB costs out to each person based on their usage and possibly limit their usage if they exceed 5GB for example. Is this possible with a Linux Proxy or QoS tool? If so, what should I be looking at to do this - and are there any which are quick and easy (in relative terms) to set up? (I am a Linux noob atm)

    Second question has to do with latency for games. One of the people in our flat plays games like Bad Company 2 online a lot of the time. That, basic browsing and MSN are the only things he uses the internet for. What is the added delay with a transparent proxy in place for gaming? I know you mentioned Steam updates not working with proxy caching during the article, Jarred, but what about the gaming itself? Is there a measurable/noticeable latency increase? An increase in the order of 2 - 5ms is acceptable, and we can always get interleaving turned off on our line to mitigate this.
  • ChrisRice - Tuesday, May 11, 2010 - link

    With the setup mentioned in the article you will have no adverse effects to your gaming. I will look up your proxy quota question, I believe there are a bunch of solutions available.
  • SquattingDog - Tuesday, May 11, 2010 - link

    Thanks Chris, that would be outstanding!
  • JarredWalton - Wednesday, May 12, 2010 - link

    Yeah, I tested gaming and didn't notice any problems with the proxy. Steam works fine BTW, but it doesn't go out through the proxy so the updates aren't cached. (I tried sending the Steam update ports through the proxy but then Steam wouldn't connect... looking around online, numerous folks are saying Valve doesn't allow use of Steam through a proxy.) Bad Company 2 also works fine, as do quite a few other titles I've played.

    Squid can do a lot of things not discussed in this article, but how well it does them and how easy they are to configure is probably something for a follow-up. As something of a Linux router newbie myself, I'm not quite sure how you go about restricting access and putting download caps on the various clients, but the squid.conf file suggests all of that is possible.

    I'll leave the rest to Chris. :-)
  • SquattingDog - Wednesday, May 12, 2010 - link

    Thanks for coming back to me on this Jarred, great news for myself and my other flatmates then - I wouldn't be popular if suddenly everyone's ping went up 30 - 50ms ;)
  • mariush - Wednesday, May 12, 2010 - link

    Get a managed switch and use MRTG (http://en.wikipedia.org/wiki/Multi_Router_Traffic_... or Cacti or other solutions to log how much traffic each port does.

    With a proxy, you'd have to create a username and password for each member in your house or log traffic on the server based on MAC address or IP which is a bit more complicated than simply polling the switch with such software and logging the bytes transferred.

    See here some managed switches http://www.newegg.com/Product/ProductList.aspx?Sub...

    Though there may be cheaper unmanaged switches which have SNMP feature, the thing you need for logging traffic.
  • SquattingDog - Wednesday, May 12, 2010 - link

    That is a good solution too, however I have existing hardware lying around that I could put to use for the Linux box, and that would require me shelling out for both a new switch and a new wireless router (everyone but me connects via wireless, and it's an all-in-one Netgear DG834G ADSL Modem/Router) - and our pricing here is not as good as yours over there, unfortunately :(
  • SquattingDog - Wednesday, May 12, 2010 - link

    This DG834G is v5, so I'm SOL for enabling built-in SNMP, as it doesn't support that. The Proxy server set up would work well for us also, as I frequently have to download Windows updates on various machines which come and go, and having them locally cached will reduce internet usage substantially. :)
  • mindless1 - Tuesday, May 11, 2010 - link

    Some of you talked about cost or especially power savings. Has it occurred to you that you can run a proxy on the windows box you probably already leave running most if not all the time and expect a trivial increase in power consumption from doing so?

    Sure, you'll need to have the amount of memory you want to devote added over the amount your system would otherwise need, but in this day and age of multi-gigabyte endowed systems it isn't much to devote 1/4th of your memory to the job... if you really need that much, which many people won't.
  • JarredWalton - Wednesday, May 12, 2010 - link

    I looked around at various options, but for the free stuff it appears that you'd need to manually configure each browser to go through the Windows proxy (i.e. instead of having a transparent proxy). Anyway, my Windows machines are all even more power hungry than my test proxy, so I don't leave them running at night. But I believe squid is even available for Windows platforms:
    http://wiki.squid-cache.org/SquidFaq/BinaryPackage...
