Construction of traditional use Squid proxy and transparent proxy

For an introduction to Squid and its installation and deployment process, see the post: Squid Proxy Server installation and deployment

A traditional proxy is the simplest to set up; a transparent proxy additionally needs the default route, firewall policy and so on to work together before it is complete.

Building a traditional proxy

A traditional proxy is characterized by the fact that the client programs (e.g. the IE browser, the QQ chat software) must be given the basic information of the proxy server: its address and port.

Case environment


The case implementation steps are roughly:
1. Configure the Squid server;
2. Configure the proxy settings on the client;
3. Verify the proxy server.

Case implementation

For building the Web server, refer to the post: CentOS 7 build Web sites using the Apache service
If you need to access the site by domain name, refer to the post: CentOS 7 build DNS service
Here only the Squid service is covered.

1.Squid server configuration

When configuring Squid to provide a traditional proxy service, note that you must add the http_access allow all access policy so that any client is allowed to use the proxy service.

(1) Modify the Squid service configuration file

[root@www ~]# vim /etc/squid.conf
                …………                          //some content omitted
http_access allow all                        //must be placed before http_access deny all

(2) Reload the Squid service

[root@www ~]# squid -k reconfigure
//if Squid was not added as a system service, use this method to restart the Squid service

2. Client proxy configuration

(In the experimental environment, the clients do not need to fill in the gateway or the DNS server address.)
For a Windows client (using the IE browser), you need:
The client (192.168.1.10) tests access (for simplicity, I turned off the firewall)!
Test Access Success!

For a Linux client, you need:

[root@localhost ~]# vim /etc/profile
                      ……………………                                //some content omitted
HTTP_PROXY=http://192.168.1.1:3128                    //specify the proxy to use for the HTTP protocol
HTTPS_PROXY=http://192.168.1.1:3128                   //specify the proxy to use for the HTTPS protocol
FTP_PROXY=http://192.168.1.1:3128                     //specify the proxy to use for the FTP protocol
NO_PROXY=192.168.2.,192.168.3.                        //do not use the proxy for these two LAN segments
export HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY
[root@localhost ~]# source /etc/profile

The client (192.168.1.20) tests access:

Test Access Success!

3. Verify Proxy Service

(1) View the Squid access log

[root@www ~]# tail -f /usr/local/squid/var/logs/access.log 

(2) View the new Web access log records

[root@localhost ~]# tail -f /var/log/httpd/access_log 


Traditional proxy testing is complete!

Build a transparent proxy

A transparent proxy provides the same service as a traditional proxy, but its "transparency" relies on the default route and a firewall redirect policy, which makes it more practical for giving LAN hosts Internet access without configuring each client.

Case environment


The case implementation steps are roughly:
1. Configure Squid to support transparent proxying and enable routing (IP forwarding);
2. Set the firewalld redirect policy;
3. Verify the use of the transparent proxy.

Case implementation

1. Configure Squid transparent proxy support

[root@www ~]# vim /etc/squid.conf
                   ………………                               //some content omitted
http_port 192.168.1.1:3128 transparent        //provide the service only on one of the server's IP addresses
[root@www ~]# squid -k reconfigure
//restart the Squid service
[root@www ~]# vim /etc/sysctl.conf
                ………………              //some content omitted; add the following line
net.ipv4.ip_forward = 1               //enable routing (IP forwarding)
[root@www ~]# sysctl -p            //take effect immediately
net.ipv4.ip_forward = 1
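As an added check (not part of the original post), a small POSIX shell script that validates the two squid.conf points made on this page: that `http_access allow all` comes before `http_access deny all` (the traditional-proxy rule) and that the `http_port` line carries the `transparent` option. The sample configuration is constructed inline; pass the real /etc/squid.conf as the first argument to check a live server.

```shell
#!/bin/sh
# Added example: sanity checks for the squid.conf edits described above.
# The sample configuration below is constructed for offline testing; it is
# not the page's real /etc/squid.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample squid.conf fragment
http_port 192.168.1.1:3128 transparent
http_access allow localhost
http_access allow all
http_access deny all
EOF
}

# Line number of the first uncommented "http_access <action> all" directive
# ($2 is the action: allow or deny); empty if there is none.
first_http_access_line() {
    grep -n -E "^[[:space:]]*http_access[[:space:]]+$2[[:space:]]+all([[:space:]]|\$)" "$1" \
        | head -n 1 | cut -d: -f1
}

# 0 if "http_access allow all" exists and precedes "http_access deny all".
# Squid stops at the first matching http_access rule, so the order matters.
squid_acl_order_ok() {
    allow=$(first_http_access_line "$1" allow)
    deny=$(first_http_access_line "$1" deny)
    [ -n "$allow" ] || return 1
    [ -z "$deny" ] && return 0
    [ "$allow" -lt "$deny" ]
}

# 0 if some http_port line enables interception via the transparent keyword.
squid_port_transparent() {
    grep -q -E '^[[:space:]]*http_port[[:space:]]+[^[:space:]]+.*[[:space:]]transparent([[:space:]]|$)' "$1"
}

# Stand-alone usage: check the file given as $1, or the constructed sample.
if [ -n "$1" ]; then conf="$1"; else conf=$(mktemp); write_sample_conf "$conf"; fi
squid_acl_order_ok "$conf" && echo "http_access order OK" || echo "http_access order WRONG"
squid_port_transparent "$conf" && echo "transparent http_port found" || echo "no transparent http_port"
```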
2. Set the firewalld redirect policy

Because of the nature of firewalld's external zone, this experiment treats the internal LAN side as the internal zone and the outside as the external zone.
The firewall performs port forwarding: requests that reach this machine on ports 80 and 443 are forwarded to port 3128.

[root@www ~]# systemctl start firewalld
[root@www ~]# firewall-cmd --zone=external --add-interface=ens33
//define the zone that the ens33 interface belongs to
[root@www ~]# firewall-cmd --zone=internal --add-interface=ens37
//define the zone that the ens37 interface belongs to
[root@www ~]# firewall-cmd --zone=external --add-service=http
[root@www ~]# firewall-cmd --zone=external --add-service=https
[root@www ~]# firewall-cmd --zone=external --add-service=dns
[root@www ~]# firewall-cmd --zone=external --add-port=3128/tcp
//add the services and the port
[root@www ~]# firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3128
//redirect requests to port 80 to port 3128
[root@www ~]# firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3128
//redirect requests to port 443 to port 3128
[root@www ~]# firewall-cmd --runtime-to-permanent
//make the firewall configuration permanent
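A companion check, added here and not from the original post, for the firewalld redirect rules above. It parses text in the format printed by `firewall-cmd --direct --get-all-rules` (the sample below is constructed, and the exact spacing of real output is an assumption) and reports which of ports 80 and 443 are not redirected to 3128 on the given interface.

```shell
#!/bin/sh
# Added example: verify the PREROUTING REDIRECT rules that make the proxy
# transparent. SAMPLE_RULES is constructed to mirror the two rules added above;
# on a live server feed in the output of: firewall-cmd --direct --get-all-rules
SAMPLE_RULES='ipv4 nat PREROUTING 0 -i ens33 -p tcp --dport 80 -j REDIRECT --to-ports 3128
ipv4 nat PREROUTING 0 -i ens33 -p tcp --dport 443 -j REDIRECT --to-ports 3128'

# redirect_present RULES IFACE DPORT TOPORT
# 0 if RULES contains a nat PREROUTING rule redirecting IFACE:DPORT to TOPORT.
redirect_present() {
    printf '%s\n' "$1" | grep -q -E \
        "^ipv4 nat PREROUTING [0-9]+ -i $2 -p tcp --dport $3 -j REDIRECT --to-ports $4\$"
}

# missing_redirects RULES IFACE
# Prints the ports among 80 and 443 that are NOT redirected to 3128 on IFACE
# (empty output means both redirects are in place).
missing_redirects() {
    missing=""
    for port in 80 443; do
        redirect_present "$1" "$2" "$port" 3128 || missing="$missing $port"
    done
    printf '%s' "${missing# }"
}

# Stand-alone usage against the constructed sample.
left=$(missing_redirects "$SAMPLE_RULES" ens33)
if [ -z "$left" ]; then
    echo "ens33: ports 80 and 443 are redirected to 3128"
else
    echo "ens33: not redirected to 3128: $left"
fi
```

Redirecting port 443 to a plain `http_port ... transparent` listener only covers plaintext HTTP; TLS connections cannot be proxied this way without Squid's ssl_bump, which this setup does not configure.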

Client access test (the client needs to fill in the gateway and DNS server address, and the browser keeps its default settings).
If domain names are required, the DNS zone configuration needs to be modified to the corresponding IP address.
A Linux client should use the following command to clear the proxy variables.

[root@localhost ~]# unset HTTP_PROXY HTTPS_PROXY

3. Verify the use of the transparent proxy

The transparent proxy is verified in the same way as the traditional proxy.

[root@localhost ~]# tail -f /var/log/httpd/access_log 


[root@www ~]# tail -f /usr/local/squid/var/logs/access.log 


Transparent proxy testing is complete!


Origin blog.51cto.com/14157628/2430325