Author contact: matt@haught.org
Transparent Squid
Introduction
Squid is an advanced, high-performance web proxy cache that is also open source. I have been running it for a long time on my local network, but one thing that always bothered me was having to set the proxy in Mozilla or any other browser. After a bit of research, I found that transparent proxying can be set up so that nothing has to be configured on the client. Here is a quick howto on getting everything working on a FreeBSD 5 server with pf.
Installation
Installing from the FreeBSD ports is simple, and since the port has a knob for pf it is even easier. To have squid work with pf, one setting is needed in /etc/make.conf:
WITH_SQUID_PF="YES"
This setting compiles squid with the options required for transparent proxying. After adding this line to /etc/make.conf, run make install clean from /usr/ports/www/squid. There are more options I set for performance, such as the store type, but those are beyond the scope of this document.
Squid Config
Squid is configured through the /usr/local/etc/squid/squid.conf file. It is a very well documented configuration file with many knobs to play with. Squid should first be set up to run non-transparently, so you know it is working properly. Once it is running properly, these settings will need to be changed:
http_port 127.0.0.1:8080
icp_port 0
visible_hostname proxy.yourdomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
With these settings changed or uncommented, squid will listen on localhost port 8080 and be ready to work transparently. Again, there are many more options for performance, logging, and ACLs, but they are not directly related to transparent proxying and have been omitted.
Pf Config
The firewall, pf, now needs to redirect any attempt to reach port 80 to the proxy server instead. This takes one line in /etc/pf.conf:
rdr on $int_if inet proto tcp from $int_if:network to !$int_if:network port www -> 127.0.0.1 port 8080
This line needs your inside interface set in the int_if variable. It redirects any TCP connection from the inside subnet to port 80 on a host outside that subnet to the proxy running on 127.0.0.1 port 8080. The proxy then takes over and serves the files from its cache or fetches them from the internet.
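As an added sanity check that is not part of the original howto, the script below parses squid.conf and pf.conf text in the form shown above and reports deviations from these settings, including an http_port that is not bound to loopback (which would make the proxy reachable directly rather than only through the pf redirect) and a mismatch between the rdr target port and the port squid listens on. The sample file contents and the fxp1 interface name are constructed for the example.

```python
import re
# Directive values the howto sets for Squid 2.5 transparent mode.
REQUIRED_SQUID = {"icp_port": "0", "httpd_accel_host": "virtual",
                  "httpd_accel_port": "80", "httpd_accel_with_proxy": "on",
                  "httpd_accel_uses_host_header": "on"}
# Interface, source and destination are matched loosely: they are site-specific.
RDR_RE = re.compile(r"^rdr\s+on\s+\S+\s+inet\s+proto\s+tcp\s+from\s+\S+\s+to\s+"
                    r"\S+\s+port\s+(?:www|80)\s+->\s+127\.0\.0\.1\s+port\s+(\d+)$")

def logical_lines(text):
    """Config lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.split("#", 1)[0].strip()
        if line.endswith("\\"):                # pf.conf continuation line
            buf = line[:-1].rstrip() + " "
            continue
        buf = ""
        if line:
            yield line

def check_squid(text):
    """Return (problems, listen port) for squid.conf text; no problems means OK."""
    d = {}
    for line in logical_lines(text):
        name, _, value = line.partition(" ")
        d.setdefault(name, []).append(value.strip())
    problems = [f"{k} should be {v}, found {d.get(k)}"
                for k, v in REQUIRED_SQUID.items() if v not in d.get(k, [])]
    ports = d.get("http_port", [])
    port = ports[0] if len(ports) == 1 else ""
    # A bare "8080" or "0.0.0.0:8080" binds every interface, exposing the proxy directly.
    if not port.startswith("127.0.0.1:"):
        problems.append(f"http_port must be a single loopback listener, found {ports}")
    return problems, port.rpartition(":")[2]

def check_pf(text, squid_port):
    """Return problems with the pf.conf rdr rule; empty list means OK."""
    hits = [m for m in map(RDR_RE.match, logical_lines(text)) if m]
    if not hits:
        return ["no rdr rule sending tcp port www to 127.0.0.1"]
    return [f"rdr targets port {m.group(1)} but squid listens on {squid_port}"
            for m in hits if m.group(1) != squid_port]

# Constructed sample inputs reproducing the howto's settings (not real files).
SAMPLE_SQUID = ("http_port 127.0.0.1:8080\nicp_port 0\nhttpd_accel_host virtual\n"
                "httpd_accel_port 80\nhttpd_accel_with_proxy on\nhttpd_accel_uses_host_header on\n")
SAMPLE_PF = ('int_if = "fxp1"\nrdr on $int_if inet proto tcp from $int_if:network \\\n'
             "    to !$int_if:network port www -> 127.0.0.1 port 8080\n")
```

Running check_squid(SAMPLE_SQUID) and check_pf(SAMPLE_PF, port) on real files read from /usr/local/etc/squid/squid.conf and /etc/pf.conf gives an empty problem list when both match the howto.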
