Squid forward HTTP web proxy

Squid can be used as a central internet proxy that gives controlled internet access to servers and services.

Server installation:

docker run -it --name squid-forward-proxy --hostname proxy.provlima.com --restart=always --entrypoint /root/startupScript.sh --network=host squid-forward-proxy-img

# attach to the running container
docker exec -ti squid-forward-proxy /bin/bash

Main configuration file:

vim /etc/squid/squid.conf

 #
 # Recommended minimum configuration:
 #

 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
 acl localnet src 192.168.2.0/24
 acl localnet src 172.16.1.0/24

 acl SSL_ports port 443
 acl Safe_ports port 80          # http
 acl Safe_ports port 21          # ftp
 acl Safe_ports port 443         # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 acl CONNECT method CONNECT

 #
 # Recommended minimum Access Permission configuration:
 #
 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports

 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports

 # Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager

 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
 http_access deny to_localhost

 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #

 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 http_access allow localnet
 http_access allow localhost

 # And finally deny all other access to this proxy
 http_access deny all

 # Squid normally listens on port 3128; this instance listens on 10.10.10.10:9400 instead
 http_port 10.10.10.10:9400

 # Uncomment and adjust the following to add a disk cache directory.
 cache_dir ufs /var/spool/squid 100 16 256

 # Leave coredumps in the first cache dir
 coredump_dir /var/spool/squid

 #
 # Add any of your own refresh_pattern entries above these.
 #
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
 refresh_pattern .               0       20%     4320

* To use the proxy from any host or program, configure http://<proxy server ip>:9400 as the HTTP proxy.
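To see how the http_access rules above are actually evaluated, here is an added Python evaluator (not part of the original post, and not Squid's own code) that parses a constructed subset of this squid.conf and applies Squid's first-match logic to a request. The request fields (src, dst, method, port) are an assumed shape; it covers src, port and method ACLs plus the built-in all, localhost and to_localhost, and leaves the manager ACL out.

```python
import ipaddress

# Constructed subset of the page's squid.conf (comments and manager lines dropped) so this runs offline.
SQUID_CONF = """
acl localnet src 192.168.2.0/24
acl localnet src 172.16.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []  # acl name -> [(type, values)]; http_access lines kept in file order
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(name, acls, req):
    # Built-in ACLs: all, localhost (client is loopback), to_localhost (destination is loopback).
    if name == "all":
        return True
    if name in ("localhost", "to_localhost"):
        return ipaddress.ip_address(req["src" if name == "localhost" else "dst"]).is_loopback
    for kind, values in acls[name]:  # several acl lines sharing one name are OR-ed together
        if kind == "src" and any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values):
            return True
        if kind == "port" and any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values):
            return True  # port specs look like "443" or "1025-65535"
        if kind == "method" and req["method"] in values:
            return True
    return False

def decide(req, conf=SQUID_CONF):
    # First http_access line whose terms all match decides ('!' negates a term); no match -> opposite of last action.
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), acls, req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Note that `http_access deny to_localhost` is what stops an internal client from reaching services bound to the proxy host's loopback, which is why the stock comment recommends it.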
