Squid transparent proxy
Posted May 5, 2003

To set up squid as a transparent (intercepting) proxy on a FreeBSD gateway...

Install FreeBSD, set up NAT if you need it, and make this machine the default gateway for the clients whose web traffic you want to intercept. The ipfw rule at the end only sees packets that actually pass through this box, so clients with some other route to the Internet will bypass the proxy.

Log in as root.

Install squid from ports.

cd /usr/ports/www/squid && make install

Move the cache directory to /tmp. The cache is disposable, but note that if clear_tmp_enable is set in /etc/rc.conf, /tmp is wiped at boot and squid will not start until you re-run "squid -z" to recreate the directories.

mkdir /tmp/squid
mv /usr/local/squid/cache /tmp/squid/cache
ln -s /tmp/squid/cache /usr/local/squid/

Set up a "squid" user account. The account gets no home directory and a non-interactive shell, and owns only the cache and the logs; squid drops from root to this user after binding its port, so a compromise of the proxy process does not get root on the gateway.

pw useradd squid -d /nonexistent -s /usr/bin/true
chown -R squid:squid /tmp/squid/cache /usr/local/squid/logs

Edit /usr/local/etc/squid/squid.conf. The changes relative to the file shipped with the port, as diff output, are below. The ones that matter for security: "acl our_networks" must list your own address ranges (replace the two ranges shown with yours), because the only "http_access allow" is for that ACL and the default file ends its http_access list with "deny all", so anyone else who can reach port 3128 is refused; "cache_effective_user/group" drop privileges to the squid account created above; the two "header_access" lines stop squid from adding Via and X-Forwarded-For, so origin servers learn neither that a proxy is involved nor the internal client address. The "httpd_accel_*" lines are what makes this Squid 2.5 accept intercepted requests (in Squid 2.6 and later the transparent mode and the header directives have different names, so do not copy these into a newer version unchanged).

# diff squid.conf.default squid.conf
474a475
> cache_mem 48 MB
524a526
> maximum_object_size_in_memory 128 KB
670a673
> cache_dir ufs /usr/local/squid/cache 200 64 128
982a986
> #redirect_program /usr/local/libexec/adzap
1311a1316
> request_body_max_size 4 MB
1753c1758,1759
< #http_access allow our_networks
---
> acl our_networks src 10.129.0.0/16 199.60.150.0/24
> http_access allow our_networks
1937a1944
> cache_mgr YOUR@EMAIL.ADDRESS.HERE
1953a1961,1962
> cache_effective_user squid
> cache_effective_group squid
1963a1973
> visible_hostname YOUR.HOST.NAME.HERE
2051a2062,2063
> httpd_accel_host virtual
> httpd_accel_port 0
2080a2093
> httpd_accel_with_proxy on
2100a2114
> httpd_accel_uses_host_header on
2540a2555,2556
> header_access Via deny all
> header_access X-Forwarded-For deny all

Create the cache directories.

squid -z

Start squid.

/usr/local/etc/rc.d/squid.sh start

Build a kernel with ipfw and the "fwd" action (IPFIREWALL_FORWARD). IPFIREWALL_DEFAULT_TO_ACCEPT makes the implicit last rule "allow" instead of "deny", so the box keeps passing traffic, and you keep your remote login, even if the rule file fails to load at boot; it also means ipfw does no filtering here beyond the fwd rule. Leave that option out only if you intend to write a full deny-by-default ruleset and have console access while you do it. Example using FreeBSD 4:

cd /usr/src/sys/i386/conf
cp -i GENERIC MYKERNEL
cat <<EOF >>MYKERNEL
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT # if you intend to use NAT
EOF
config MYKERNEL
cd ../../compile/MYKERNEL
make depend && make && make install && reboot

Make sure squid is listening on port 3128. netstat shows "*.3128", meaning squid is bound on every address, including the public side of the gateway; the "deny all" http_access rule is what keeps outsiders from using it. If you would rather not expose the port at all, set http_port to the inside address and port (address:3128 form) and use that same address in the firewall rule below.

ps axw | grep squid
netstat -a -n | grep -w 3128

Redirect all HTTP traffic passing through the machine to squid. rc.firewall runs only when firewall_enable is set, and a firewall_type that names a file is passed to ipfw, which applies each line of the file as a subcommand, so the rule line has to start with "add". YOUR.IP.ADDR.HERE is the address squid listens on, normally the gateway's inside address. "from not me" is essential: without it squid's own outbound fetches to port 80 would be forwarded straight back into squid. If you also run natd, keep this rule ahead of the divert rule so the clients' packets reach squid before NAT rewrites them.

echo firewall_enable=YES >>/etc/rc.conf
echo firewall_type=/etc/firewall.local >>/etc/rc.conf
cat <<EOF >>/etc/firewall.local
add fwd YOUR.IP.ADDR.HERE,3128 tcp from not me to any 80
EOF
sh /etc/rc.firewall
ipfw show

Watch the log file as you load web pages.

tail -f /usr/local/squid/logs/access.log
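The procedure above depends on two hand-edited files getting a handful of details right: squid.conf must drop privileges, end its http_access list with "deny all" and suppress the Via and X-Forwarded-For headers, and the ipfw rule file must contain a valid "add fwd ..." line that excludes the proxy host itself. The script below is an added example, not code from tomclegg.net, that audits both files for exactly those points. The squid.conf excerpts and rule files it contains are constructed samples (one hardened as on this page, one weakened), and 10.129.0.1 is a hypothetical inside address for the proxy.

```shell
#!/bin/sh
# Added example, not part of tomclegg.net: a small audit of the two files
# this procedure depends on, a squid.conf and an ipfw rule file. The sample
# inputs below are constructed; the address 10.129.0.1 is a hypothetical
# inside address for the proxy.

# Constructed squid.conf excerpt: the page's settings followed by the
# "deny all" that the shipped squid.conf.default ends its http_access list with.
SAMPLE_CONF='cache_effective_user squid
cache_effective_group squid
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 10.129.0.0/16 199.60.150.0/24
http_access allow our_networks
http_access deny all
header_access Via deny all
header_access X-Forwarded-For deny all
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_with_proxy on
httpd_accel_uses_host_header on'

# Constructed weak variant: worker runs as root, a trailing allow-all,
# and no header suppression.
SAMPLE_CONF_WEAK='cache_effective_user root
acl our_networks src 10.129.0.0/16
http_access allow our_networks
http_access allow all'

# Constructed ipfw rule files in the format ipfw(8) reads line by line.
SAMPLE_RULES='# intercept client HTTP, but not the proxy host itself
add fwd 10.129.0.1,3128 tcp from not me to any 80'
SAMPLE_RULES_WEAK='fwd 10.129.0.1,3128 tcp from any to any 80'

# Print the value of the first active (uncommented) occurrence of a directive.
conf_value() {            # conf_value "<squid.conf text>" <directive>
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# squid must drop privileges: cache_effective_user set and not root.
check_effective_user() {
    u=$(conf_value "$1" cache_effective_user)
    [ -n "$u" ] && [ "$u" != root ]
}

# http_access is evaluated top-down; the last line must be "deny all" so
# anything the ACLs do not explicitly allow (including outsiders who can
# reach port 3128) is refused.
check_deny_all_last() {
    last=$(printf '%s\n' "$1" | awk '$1 == "http_access" { l = $2 " " $3 } END { print l }')
    [ "$last" = "deny all" ]
}

# Both headers must be suppressed, or origin servers learn the internal
# client address (X-Forwarded-For) and the proxy's presence (Via).
check_headers_stripped() {
    for h in Via X-Forwarded-For; do
        printf '%s\n' "$1" |
            grep -q "^header_access[[:space:]][[:space:]]*$h[[:space:]][[:space:]]*deny[[:space:]][[:space:]]*all" ||
            return 1
    done
}

# ipfw applies each line of a rule file as a subcommand, so every rule line
# must start with "add"; a bare "fwd ..." line is a usage error and the
# interception rule is simply absent after boot.
check_ipfw_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        $1 != "add"    { bad++ }
        END { exit bad ? 1 : 0 }'
}

# The interception rule must exclude the proxy host ("from not me"), or
# squid's own outbound port-80 fetches are forwarded straight back into squid.
check_fwd_excludes_self() {
    printf '%s\n' "$1" | awk '
        $1 == "add" && $2 == "fwd" && $3 ~ /,3128$/ && / from not me / { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run every check, print one PASS/FAIL line each, return the failure count.
audit() {                 # audit "<squid.conf text>" "<ipfw rule file text>"
    fails=0
    for c in check_effective_user check_deny_all_last check_headers_stripped; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    for c in check_ipfw_rules check_fwd_excludes_self; do
        if "$c" "$2"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

echo "== hardened sample"; audit "$SAMPLE_CONF" "$SAMPLE_RULES" && echo "clean"
echo "== weak sample";     audit "$SAMPLE_CONF_WEAK" "$SAMPLE_RULES_WEAK" || echo "failures: $?"
```

To run it against the real files on the gateway, pass their contents instead of the samples, for example audit "$(cat /usr/local/etc/squid/squid.conf)" "$(cat /etc/firewall.local)"; the exit status is the number of failed checks, so it can gate a deployment script. The checks are deliberately syntactic: they confirm the directives are present and ordered correctly, not that squid parsed them, so "squid -k parse" (or simply watching cache.log on start) remains the final word.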