[SLE] DOCUMENTATION: Junkbuster & Squid2 working together :-)


For those interested, I just successfully set up a combination of www proxies
on my firewall/dialout box for my internal network machines to use. One
does this when one is still singing the "low speed internet blues".

Anyway, since it was reasonably interesting to configure, and since I could
swear I saw someone ask about this exact pairing in the past few days,
I thought I'd spend some time documenting how I did it.

This was for a SuSE 6.3 box running SuSEfirewall 2.5.

All machines, including the dialout/firewall are in:
192.168.1.0/255.255.255.0 or if you like: 192.168.1.0/24

The dialout/firewall is 192.168.1.1
Workstations are 192.168.1.101, .102, .103 and so on.

Ok, enough background. First thing I did was ensure that the Squid2
proxy was installed by YAST1.

In /etc/rc.config I changed START_SQUID=no to START_SQUID=yes

Then I edited the /etc/squid.conf file and made the following changes, right
after the main ACL (access control list) section:

= = = cut here = = =
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl allowed_hosts src 192.168.1.0/255.255.255.0
http_access deny manager all
http_access allow allowed_hosts
http_access deny all

icp_access allow allowed_hosts
icp_access deny all
= = = cut here = = =

Those changes, other than the local 192.168.1.0/255.255.255.0 address
definition, were taken directly from /usr/doc/packages/squid2/QUICKSTART,
for anyone wanting to go read more documentation.
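To see what those four http_access lines actually decide for a given client, here is an added example (not from this post, from the Squid project, or from the QUICKSTART it quotes) that replays Squid's first-match evaluation in plain sh. It only knows "src" ACLs and the built-in "all"; "manager" is a proto ACL that never matches an ordinary page request, which is why the first deny line is skipped for normal traffic and the allow/deny pair below it does the real work. The config text is a constructed copy of the block above.

```shell
#!/bin/sh
# Added example: replay squid's http_access evaluation for one client address.
# Rules are scanned top to bottom; the first line whose ACLs ALL match decides.
# Constructed sample, mirroring the post's squid.conf fragment.
SQUID_CONF_SAMPLE='acl allowed_hosts src 192.168.1.0/255.255.255.0
http_access deny manager all
http_access allow allowed_hosts
http_access deny all'

# Dotted quad -> 32-bit integer (no IFS games, pure parameter expansion).
ip_to_int() {
    _r=$1
    _a=${_r%%.*}; _r=${_r#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    echo $(( ($_a << 24) | ($_b << 16) | ($_c << 8) | $_d ))
}

# Netmask given as a prefix length ("24") or a dotted quad ("255.255.255.0").
mask_to_int() {
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# ip_in_net IP NET: NET is a.b.c.d/24, a.b.c.d/255.255.255.0 or a bare host.
ip_in_net() {
    case $2 in
        */*) _net=${2%/*}; _mask=$(mask_to_int "${2#*/}") ;;
        *)   _net=$2;      _mask=4294967295 ;;
    esac
    [ $(( $(ip_to_int "$1") & $_mask )) -eq $(( $(ip_to_int "$_net") & $_mask )) ]
}

# acl_matches NAME IP CONF: does the named src ACL (or "all") match the client?
# Other ACL types (manager, proto, url_regex, ...) are treated as non-matching.
acl_matches() {
    [ "$1" = all ] && return 0
    while read -r _kw _name _type _nets; do
        [ "$_kw" = acl ] && [ "$_name" = "$1" ] && [ "$_type" = src ] || continue
        for _n in $_nets; do
            ip_in_net "$2" "$_n" && return 0
        done
    done <<EOF
$3
EOF
    return 1
}

# squid_decide CONF IP: prints "allow" or "deny" the way squid would.
squid_decide() {
    _last=""
    while read -r _kw _action _acls; do
        [ "$_kw" = http_access ] || continue
        _last=$_action
        _hit=1
        for _a in $_acls; do        # every ACL on the line must match (AND)
            case $_a in
                '!'*) acl_matches "${_a#!}" "$2" "$1" && { _hit=0; break; } ;;
                *)    acl_matches "$_a" "$2" "$1"     || { _hit=0; break; } ;;
            esac
        done
        [ $_hit -eq 1 ] && { echo "$_action"; return 0; }
    done <<EOF
$1
EOF
    # Nothing matched: squid applies the opposite of the last rule's action,
    # and denies outright when there are no rules at all.
    case $_last in
        allow) echo deny ;;
        deny)  echo allow ;;
        *)     echo deny ;;
    esac
}

echo "192.168.1.101 -> $(squid_decide "$SQUID_CONF_SAMPLE" 192.168.1.101)"
echo "10.0.0.5      -> $(squid_decide "$SQUID_CONF_SAMPLE" 10.0.0.5)"
```

Running it prints allow for a workstation and deny for anything outside 192.168.1.0/24. The reason the trailing "deny all" matters is the fallback rule: without it, a client that matches nothing would get the opposite of the last line, which would be an allow.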

Then I executed the following commands:
/sbin/init.d/squid start
/sbin/init.d/squid stop
/sbin/init.d/squid start

(The manual has you stopping it and starting it again the first time to
 allow it to properly set things up like the caching directories).

So, squid's up and running, and presumably listening on port 3128 (the
default).

So I configured a Windows box's Internet Explorer to use a proxy of
192.168.1.1 port 3128.

Lo and behold, I'm up and running with Squid.

Time for Junkbuster... (This gets more fun because we have to layer a
proxy on top of a proxy).

Some might ask why I'd want to cache advertising banners only to deny
them to workstations with junkbuster. Well, to me it seemed as if
Squid2 had a much more option-rich configuration file, so I
thought it prudent to put it closer to the internet. That way, if
I didn't like junkbuster, I could remove it and reconfigure the
browsers and still have a decent caching proxy.

Junkbuster isn't part of the SuSE distribution in 6.3 (at least not as far
as I could find). I went out to www.junkbuster.com and downloaded their
latest .Z package.

http://www.junkbuster.com/ijb20.tar.Z

I then saved it in /root/junkbuster
uncompress ijb20.tar.Z
tar -xvf ijb20.tar
cd ijb20
vi README (what, you don't all do this?) ;-)
make
cp junkbuster /usr/sbin/junkbuster
chmod 755 /usr/sbin/junkbuster

Ok, that gets the executable good to go, now for the configuration files.
I like to put configuration files in /etc, or a subdirectory of same.

So:

mkdir /etc/junkbuster
mkdir /etc/junkbuster/samples

cp *.ini /etc/junkbuster/samples (nice to keep samples around)
cp *.ini /etc/junkbuster

cd /etc/junkbuster

(I didn't like the naming conventions of the configuration files.
 .ini? Windowsish; yuck.)

mv junkbusr.ini junkbuster.conf
mv saclfile.ini aclfile.conf
mv sblock.ini block.conf
mv scookie.ini cookie.conf
mv sforward.ini forward.conf
mv strust.ini trust.conf

Ok, time to edit the main configuration file, /etc/junkbuster/junkbuster.conf:

vi /etc/junkbuster/junkbuster.conf

Change the following lines so that pathnames are explicitly mentioned.
(Those beginning with # are commented out, but I figured it was safer
 to make the changes now in case I wanted to activate those files
 in future).

blockfile /etc/junkbuster/block.conf
cookiefile /etc/junkbuster/cookie.conf
logfile /var/junkbuster/log
jarfile /var/junkbuster/jarfile
forwardfile /etc/junkbuster/forward.conf
#trustfile /etc/junkbuster/trust.conf
#aclfile /etc/junkbuster/aclfile.conf

And then change the listen address so it defines the actual machine
address we're listening on for the internal network:

listen-address 192.168.1.1:8000

I also have it mess with the From: header a browser provides:

from [email protected]

Ok, enough changes there.

Before we go any further, make a directory to hold the logfiles and
jarfiles we just configured in junkbuster.conf:

mkdir /var/junkbuster

Now to tweak the other three active configuration files (block.conf,
cookie.conf and forward.conf).

block.conf I downloaded from http://www.waldherr.org/blocklist,
then saved/renamed it as /etc/junkbuster/block.conf
and ensured it has the right permissions: chmod 644 block.conf

Next, let's edit the cookie.conf file:
vi cookie.conf

I only add one line to this so I can sign into egroups to manage a couple
of mailing lists I have there:

egroups.com

Lastly, forward.conf. This is critical to working properly with squid!

vi forward.conf

I add these lines to the end of that file:

* 192.168.1.1:3128 . .
192.168.1.10 . . .

What that means is that anything requested will be routed through
192.168.1.1:3128, which is the squid proxy.

The second line says that I don't want to cache anything off my file
server machine at 192.168.1.10 if I contact its web server. It's
a 100 Mb/s internal network with 5 machines, why would I want to
clog the firewall's cache with that?
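Two settings decide whether this chain is safe as well as working: the listen-address, and the catch-all forward line. If the listen host were left empty or set to 0.0.0.0, junkbuster would bind the dialout interface too, and since it then hands every request to squid from 192.168.1.1 (an address allowed_hosts permits), the firewall would be an open proxy for the outside world. Below is an added example, not code from this post or from the Junkbuster project, that audits both from the config text. The snippets are constructed copies of the values above; its reading of forward.conf (later lines override earlier ones, which the two-line file above relies on; patterns treated as shell-style globs; a target of "." meaning connect directly) is an assumption that covers the two line shapes shown here.

```shell
#!/bin/sh
# Added example: sanity-check the junkbuster -> squid chain from config text.
# Constructed snippets mirroring the post's settings (the real files live
# under /etc/junkbuster); JB_CONF_BAD shows the exposure case.
JB_CONF_OK='listen-address 192.168.1.1:8000
forwardfile /etc/junkbuster/forward.conf'
JB_CONF_BAD='listen-address 0.0.0.0:8000'
FWD_CONF='* 192.168.1.1:3128 . .
192.168.1.10 . . .'

# jb_directive CONF NAME: value of the first uncommented NAME line, or nothing.
jb_directive() {
    printf '%s\n' "$1" | while read -r _k _v _rest; do
        [ "$_k" = "$2" ] && { printf '%s\n' "$_v"; break; }
    done
}

# RFC 1918 address? A string test is enough here; no subnet arithmetic needed.
is_private_ipv4() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# forward_target FWD_CONF HOST: where junkbuster would send a request for HOST.
# Assumed semantics: later matching lines override earlier ones, patterns are
# shell-style globs, and a target of "." means "connect directly".
forward_target() {
    _target=.
    while read -r _pat _to _rest; do
        case $_pat in ''|'#'*) continue ;; esac
        case $2 in $_pat) _target=$_to ;; esac
    done <<EOF
$1
EOF
    printf '%s\n' "$_target"
}

# audit_proxy_chain JB_CONF FWD_CONF SQUID_PORT: prints one line per finding
# and returns the number of findings (0 means the chain looks right).
audit_proxy_chain() {
    _findings=0
    _listen=$(jb_directive "$1" listen-address)
    _lhost=${_listen%%:*}
    # An empty host or 0.0.0.0 binds every interface, including the dialout
    # side, so junkbuster (and squid behind it) would serve the Internet too.
    if [ -z "$_lhost" ] || [ "$_lhost" = 0.0.0.0 ] || ! is_private_ipv4 "$_lhost"; then
        echo "listen-address '$_listen': junkbuster is not bound to a private LAN address"
        _findings=$((_findings + 1))
    fi
    # The catch-all forward must hand ordinary requests to squid's port.
    _squid=$(forward_target "$2" www.example.com)
    case $_squid in
        *:"$3") ;;
        *) echo "catch-all forward '$_squid' does not go to squid on port $3"
           _findings=$((_findings + 1)) ;;
    esac
    return $_findings
}

audit_proxy_chain "$JB_CONF_OK" "$FWD_CONF" 3128 && echo "proxy chain OK"
```

Feed it the real files with something like audit_proxy_chain "$(cat /etc/junkbuster/junkbuster.conf)" "$(cat /etc/junkbuster/forward.conf)" 3128; the file-server line is deliberately not a finding, since a "." target for 192.168.1.10 is exactly the direct-connect bypass the post wants.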

Well, with that done, it's time to go make an /sbin/init.d/junkbuster
init script. (Are we having fun yet?)

Here's mine:

= = = begin /sbin/init.d/junkbuster = = =
#! /bin/sh
# Copyright (c) 1996-99 SuSE Gmbh Nuernberg, Germany. All rights reserved.
#
# Author: Florian La Roche
#
# /sbin/init.d/junkbuster
#

. /etc/rc.config

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test $link = $base && START_JUNKBUSTER=yes
test "$START_JUNKBUSTER" = yes || exit 0

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done
case "$1" in
    start)
        echo -n "Starting WWW-proxy junkbuster:"
        startproc /usr/sbin/junkbuster /etc/junkbuster/junkbuster.conf || return=$rc_failed
        echo -e "$return"
        ;;
    stop)
        echo -n "Shutting down WWW-proxy junkbuster:"
        killproc -TERM /usr/sbin/junkbuster || return=$rc_failed
        echo -e "$return"
        ;;
    status)
        echo -n "Checking for WWW-proxy junkbuster: "
        checkproc /usr/sbin/junkbuster && echo OK || echo No process
        ;;
    restart)
        $0 stop && $0 start || return=$rc_failed
        ;;
    reload)
        echo -n "Reloading WWW-proxy junkbuster:"
        $0 stop && $0 start || return=$rc_failed
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|reload}"
        exit 1
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0
= = = end /sbin/init.d/junkbuster = = =

I'd suggest copying /sbin/init.d/squid to /sbin/init.d/junkbuster and
making changes as I've shown above. That'll help you avoid the whole
line-wrap problem you might get by using it straight out of my email.
There are things in squid's init script that don't belong in junkbuster's
as well.

Ensure the proper permissions:
chmod 744 /sbin/init.d/junkbuster

Make the automatic start and stop links for runlevels 2 & 3:

ln -s /sbin/init.d/junkbuster /sbin/init.d/rc2.d/S20junkbuster
ln -s /sbin/init.d/junkbuster /sbin/init.d/rc2.d/K20junkbuster
ln -s /sbin/init.d/junkbuster /sbin/init.d/rc3.d/S20junkbuster
ln -s /sbin/init.d/junkbuster /sbin/init.d/rc3.d/K20junkbuster

Now we need to add the following to /etc/rc.config so the automatic scripts
will know to start junkbuster up on boot:

START_JUNKBUSTER="yes"

If you're running SuSEfirewall (I run version 2.5), you might want
to edit /etc/rc.firewall and change the FW_REDIRECT_TCP and UDP options.
I *was* trying to get all requests to port 80 from any of my desktop
machines to automatically redirect to 192.168.1.1:8000 so all requests
would automatically start at the junkbuster proxy, which would call
the squid proxy, which would cough up the information you wanted.

I haven't been very successful with this, and I still have to configure
the browsers at the workstations to manually use 192.168.1.1:8000 as their
proxy server.

Anyway, here's the lines. Maybe someone else will have more luck at
making the proxy-pair truly transparent:

FW_REDIRECT_TCP="192.168.1.0/24,0/0,80,8000"
FW_REDIRECT_UDP=""

If you made changes to /etc/rc.firewall, do a:
/sbin/init.d/firewall restart

Start junkbuster up:

/sbin/init.d/junkbuster start

Pray for:
Starting WWW-proxy junkbuster: done

Ok, go to a browser on a workstation, and configure it to use
a proxy address of 192.168.1.1 port 8000. Keep your fingers crossed.

That should cover it. There's the possibility I made a few errors in this
email: I was documenting after the fact, and removed any trial & error
mistakes I made during the discovery process.

Hopefully someone will find it useful though.

Argentium