Copyright, 24 Oct 2000 Arron Cusimano.
Revised 21/5/2001.
These are my personal notes on setting up and maintaining a proxy server.
Commands are in dark red, 10 point courier.
File names are in dark green, 10 point courier.
I have used RedHat 6.0 and RedHat 7.0 Linux for this task successfully; this document is focused on RH7, though most of it should be applicable to RH6+ and Mandrake 7.2+.
Upon install of Red Hat,
choose the Server option.
Choose web server.
Choose customize packages installed.
You will need to install squid.
Also install caching-nameserver & linuxconf.
As well as the daemons below you will need Calamaris, which is on the RedHat 7 Power Tools CD, or from http://freshmeat.net/
Make sure you remove any RPC-related daemons, preferably with "rpm -e"; they are a MAJOR security flaw on a gateway-style machine.

| Daemons used | Why... |
|---|---|
| squid | Good file cache for internet browsers; saves download bandwidth and cost, increases apparent download speed |
| httpd (Apache) | Easy status checking of the server; also provides a small private intranet web site |
| ntp (ntpdate) | Keeps the server's clock correct, so there is no need to worry about CMOS clock batteries etc.; keeps cron and log timing correct |
| named (bind) | Caches DNS requests; the cache makes things go faster and saves money |
| sshd | Ability to remotely access and maintain the server securely; only telnet in if absolutely necessary. telnet is a huge security risk; get rid of it with rpm -ev telnet-server . |
| crond | Auto-rotates logs so they don't get too big and fill disk space; auto-generates cache reports using calamaris |
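An added check of my own, not from these notes, to go with the daemon table above: it reads netstat -ln output and reports every listening socket that is not one of the daemons the table expects on this gateway. The netstat output embedded below is constructed; it shows a portmapper (RPC, port 111) and a telnet server (port 23) still listening, which are exactly the services the notes say to remove.

```shell
#!/bin/sh
# Expected listeners on the gateway, built from the daemon table above
# (squid on 3128/8080, httpd on 80, sshd on 22, named on 53; ntpdate does
# not listen).  Adjust if you change the ports in squid.conf.
ALLOWED_PORTS="tcp/22 tcp/80 tcp/3128 tcp/8080 tcp/53 udp/53"

# Reads `netstat -ln`-style lines on stdin and prints "proto/port listening
# on addr" for every listening socket not in ALLOWED_PORTS.  Returns 1 if
# any were found, 0 if the box only listens where it should.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
        port = $4; sub(/.*:/, "", port)        # strip "addr:" from "addr:port"
        key = $1 "/" port
        if (!(key in ok)) { print key " listening on " $4; found++ }
    }
    END { if (found) exit 1; exit 0 }'
}

# Constructed sample of `netstat -ln` output (not captured from a real host):
# portmap (111/tcp+udp) and telnet (23/tcp) should not be there.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners || echo "remove the daemons above (rpm -e)"
```

On the gateway itself run netstat -ln | unexpected_listeners (as root, after the install and again after every package update); an empty result with exit status 0 is what you want.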
Use /etc/rc.d/init.d/squid start to start, /etc/rc.d/init.d/squid stop to stop, and /etc/rc.d/init.d/squid stop ; /etc/rc.d/init.d/squid start to restart; I find /etc/rc.d/init.d/squid restart does not work with any version of RedHat.
After choosing your cache_dir (see the sample squid.conf below) run squid -z to create the cache directory tree. Make sure you set file permissions, and especially chown the directory to squid, e.g. chown squid:squid cache .
To speed up file system access I use the noatime option in /etc/fstab like so:

```
LABEL=/        /            ext2     defaults,noatime   1 1
LABEL=/boot    /boot        ext2     defaults,noatime   1 2
LABEL=/home    /home        ext2     defaults,noatime   1 2
/dev/cdrom     /mnt/cdrom   iso9660  noauto,owner,ro    0 0
/dev/fd0       /mnt/floppy  auto     noauto,owner       0 0
LABEL=/usr     /usr         ext2     defaults,noatime   1 2
LABEL=/var     /var         ext2     defaults,noatime   1 2
none           /proc        proc     defaults           0 0
none           /dev/pts     devpts   gid=5,mode=620     0 0
/dev/sda9      swap         swap     defaults           0 0
/dev/hdc1      /mnt/hdc     ext2     defaults,noatime   1 1
```
/etc/squid/squid.conf

```
#
# You may specify multiple socket addresses on multiple lines.
http_port 3128
http_port 8080

# ISP's cache
cache_peer melbourne.cache.telstra.net parent 3128 3130

# I run this on a 128M RAM machine. In reality squid WILL use 3x this amount
# at minimum. (With 8Meg cache_mem and an 8Gig disk cache, squid has a 102Meg
# Virtual Image Size [mem size] on my server; it gets a LOT of usage tho.)
cache_mem 8 MB

# make sure those MPEGs get cached
maximum_object_size 16000 KB

# Because of limited space on /var, I used to use a custom dir on the /usr
# partition as well as the /home partition, but now I have a dedicated drive
# for the cache.
# Earlier versions of squid don't have the "ufs" entry...
#
#cache_dir ufs /home/squid/cache 800 16 256
#cache_dir ufs /usr/local/squid/cache 800 16 256
cache_dir ufs /mnt/hdc/squid/cache 7000 32 256

#cache_access_log /var/log/squid/access.log
# only log the essentials
#cache_log /var/log/squid/cache.log
cache_log /dev/null     # not /dev/nul: that would just create an ordinary file called /dev/nul
#cache_store_log /var/log/squid/store.log
cache_store_log none

#Default:
refresh_pattern ^ftp:     1440  20%  10080
refresh_pattern ^gopher:  1440   0%   1440
refresh_pattern .            0  20%   4320

# now the hard stuff, access control, for security.
#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Arron's... I have an IPMasq'ed Class C network accessing this server.
# No-one else gets access!
acl localnet src 192.168.0.0/255.255.255.0

#Default configuration:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Arron's ...
http_access allow lo
```
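The access-control part is where a proxy on a gateway goes wrong, so here is an added check of my own (not part of these notes, nor a squid tool) that audits a squid.conf before it goes in front of the LAN. It flags an http_access line that refers to an ACL that was never defined (a mistyped name silently breaks the rule), a rule list that does not end in deny all, an allow all, an http_port with no bound address (squid then listens on the external interface too), and a cache_log pointing somewhere that is neither a log file nor /dev/null. Both embedded configs are constructed samples: the first contains those mistakes, the second is the corrected form, ending with allow localnet followed by deny all, which is the tail I assume the notes' own file has.

```shell
#!/bin/sh
# Audit the access-control section of a squid.conf (added example, not part
# of squid).  Reads the config on stdin, prints one FAIL line per finding,
# and returns 1 if there was any finding.
audit_squid_conf() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }          # drop comments and blank lines
    $1 == "acl" { acls[$2] = 1 }                           # remember every defined ACL name
    $1 == "http_port" && $2 !~ /:/ {
        bad["http_port " $2 " listens on every interface; bind the LAN address, e.g. 192.168.0.1:" $2] = 1
    }
    $1 == "cache_log" && $2 !~ /^(\/var\/log\/|\/dev\/null$|none$)/ {
        bad["cache_log " $2 " is not a log path, /dev/null or none (typo?)"] = 1
    }
    $1 == "http_access" {
        last = $2 " " $3
        if ($2 == "allow" && $3 == "all") bad["http_access allow all opens the cache to everyone"] = 1
        for (i = 3; i <= NF; i++) {                        # every ACL used must exist
            name = $i; sub(/^!/, "", name)
            if (!(name in acls)) bad["http_access uses undefined acl " name] = 1
        }
    }
    END {
        if (last != "deny all") bad["last http_access is \"" last "\", not \"deny all\""] = 1
        for (k in bad) { print "FAIL: " k; n++ }
        if (n) exit 1
    }'
}

# Constructed sample 1: the mistakes the audit is meant to catch.
WEAK_SQUID_CONF='
http_port 3128
cache_log /dev/nul
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.0.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access allow lo
http_access allow all
'

# Constructed sample 2: the corrected form (bound ports, real log target,
# LAN allowed, everything else denied last).
GOOD_SQUID_CONF='
http_port 192.168.0.1:3128
http_port 127.0.0.1:3128
cache_log /dev/null
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
'

echo "== weak sample ==";      printf '%s\n' "$WEAK_SQUID_CONF" | audit_squid_conf || true
echo "== corrected sample =="; printf '%s\n' "$GOOD_SQUID_CONF" | audit_squid_conf && echo "OK"
```

To run it against the live file: audit_squid_conf < /etc/squid/squid.conf. Squid evaluates http_access lines top to bottom and stops at the first match, which is why the audit insists on deny all being last rather than merely present.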
I do not use ntpd because I don't need its accuracy (or its bandwidth hogging; when you pay per meg, less traffic is better) for science projects; I just want to keep my clock reasonably accurate for logging and cron jobs. So ntpdate once a day is fine for me.
Don’t use my example servers. Try http://www.eecis.udel.edu/~mills/ntp/clock2.htm (I found this on http://www.google.com/) for a good listing and use a stratum 2 server geographically near you. Don’t use stratum 1 servers unless you plan to be a stratum 2 server to others, otherwise the stratum 1 servers will get overburdened and shut down.
Set your time zone with the setup utility.
Create a file for stuff to be done daily in /etc/cron.daily/ (and likewise hourly in /etc/cron.hourly/); it must be executable:

```
# ls -lh /etc/cron.hourly/arrons-stuff
-rwxr-xr-x    1 root     root          176 Oct 24 12:57 /etc/cron.hourly/arrons-stuff
```

/etc/cron.hourly/arrons-stuff

```
#!/bin/sh
cd /root/setiathome-3.0.i686-pc-linux-gnu-gnulibc2.1
./setiathome -nice 19 > /dev/null 2> /dev/null
ntpdate -vs time.ntp.com ntp.mars.edu ntp.pluto.net
```
This is very easy to set up if you only need to upload files.
Listed below are just the options I needed to change and their values; it is NOT a complete config file.
/etc/httpd/conf/httpd.conf

```
MinSpareServers 20
MaxSpareServers 30
StartServers 20

#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName 1.1.1.1

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

HostnameLookups Off
```
/etc/cron.daily/arrons-stuff

```
#!/bin/sh
squid -k rotate
cat /var/log/squid/access.log.[0-9] | /usr/bin/calamaris -d 20 -P 60 -r -1 -s -t 20 -p new -w -l "<p>Dendy server squid report</p>" > /var/www/html/index.html
```
/etc/cron.hourly/arrons-stuff

```
#!/bin/sh
cd /root/setiathome-3.0.i686-pc-linux-gnu-gnulibc2.1
./setiathome -nice 19 > /dev/null 2> /dev/null
ntpdate -vs time.esec.com.au ntp.adelaide.edu.au ntp.saard.net
```
Having 2 net cards and acting as a bridge, I need some kind of firewall/router/masq type script. This script was bastardized from somewhere... (this is not meant to be secure, just to enable IP Masq, although I think it's reasonably secure with the private address range, but I'm no expert in security).
Most people will not need to alias their eth1 interface... in fact *I* don't need to... but I find it useful and I have the IP addresses...
Call this from your /etc/rc.d/rc.local script.
/etc/rc.d/rc.firewall

```
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
#               using IPCHAINS
#

echo "Alias eth1 to 192.168.0.1/255.255.255.0"
/sbin/ifconfig eth1:0 192.168.0.1

echo "Flush everything, start from scratch"
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

echo "Load all required IP MASQ modules"
#
# NOTE: Only load the IP MASQ modules you need.  All current IP MASQ modules
#       are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This module is
#       for multiple users behind the Linux MASQ server.  If you are going to
#       play Quake I, II, and III, use the second example.
#
#       NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#       -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
/sbin/modprobe ip_masq_vdolive

echo "CRITICAL: Enable IP forwarding since it is disabled by default"
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "CRITICAL: Enable automatic IP defragmenting since it is disabled by default in 2.2.x kernels"
#
# This used to be a compile-time option but the behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

echo "Dynamic IP users:"
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making life
#       with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you have set it up to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning
#  vulnerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

echo "MASQ timeouts"
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# DHCP:  For people who receive their external IP address from either DHCP or BOOTP
#        such as ADSL or Cablemodem users, it is necessary to use the following
#        before the deny command.  The "bootp_client_net_if_name" should be replaced
#        with the name of the link that the DHCP/BOOTP server will put an address on to.
#        This will be something like "eth0", "eth1", etc.
#
#        This example is currently commented out.
#
#
#/sbin/ipchains -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp

echo "Enable simple IP forwarding and Masquerading"
#
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
#       network with a 255.255.255.0 or a "24" bit subnet mask.
#
#       Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

echo "Done."
sleep 3
```
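The script above enables masquerading but, as the notes say, is not meant to be secure: forwarding is switched on before the DENY policy is set, the MASQ rule is not tied to the external interface, and nothing stops a packet arriving from the outside with a 192.168.0.x source. The following is an added example of my own (not the notes' script and not from the IP Masquerade HOWTO) of the masquerading part rewritten to fix those three points. It assumes, as in the script above, that eth0 is the external link and eth1 (aliased to 192.168.0.1) faces the LAN, and that ipchains lives in /sbin. With DRYRUN=1 it prints the ipchains commands instead of loading them, which is how it can be reviewed or tested on a machine without ipchains.

```shell
#!/bin/sh
# Hardened masquerading rules for a two-NIC 2.2-kernel gateway (added example).
# Assumptions (not from the notes): eth0 = external link, eth1 = LAN side
# aliased to 192.168.0.1, LAN = 192.168.0.0/24, ipchains in /sbin.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.0.0/24}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
DRYRUN=${DRYRUN:-0}

# Every ipchains call and every /proc write goes through these two helpers,
# so DRYRUN=1 prints what would be done instead of touching the kernel.
rule() {
    if [ "$DRYRUN" = 1 ]; then echo "ipchains $*"; else "$IPCHAINS" "$@"; fi
}
kset() {
    if [ "$DRYRUN" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

firewall_rules() {
    rule -F input
    rule -F forward
    rule -F output

    # Kernel-side anti-spoofing: drop packets whose source address would not
    # be routed back out of the interface they arrived on.
    kset /proc/sys/net/ipv4/conf/all/rp_filter 1

    # Default-deny forwarding BEFORE any forward rule is added, so there is no
    # window during which arbitrary traffic is routed between the two cards.
    rule -P forward DENY

    # Masquerade only LAN-sourced packets, and only as they leave on the
    # external link (on the forward chain -i names the outgoing interface).
    rule -A forward -i "$EXT_IF" -s "$LAN" -j MASQ

    # Anti-spoofing on input: nothing arriving from the internet may claim a
    # LAN source, and nothing from the internet may address the LAN directly.
    # -l logs each hit so the attempts show up in /var/log/messages.
    rule -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    rule -A input -i "$EXT_IF" -d "$LAN" -j DENY -l

    # Turn forwarding on only after the policy and rules are in place.
    kset /proc/sys/net/ipv4/ip_forward 1
}

# Prints the command list without applying it (for review and testing).
dry_run_rules() { ( DRYRUN=1; firewall_rules ); }

# Returns 0 when the dry-run output sets the DENY policy before any MASQ rule
# and masquerades only the LAN range; a cheap sanity check before loading.
check_rule_order() {
    dry_run_rules | awk -v lan="$LAN" '
        /-P forward DENY/ { policy = NR }
        /-j MASQ/ { masq = NR; if ($0 !~ ("-s " lan " ")) bad = 1 }
        END { if (bad || !policy || !masq || policy > masq) exit 1 }'
}

# "apply" loads the rules (run as root from rc.local); anything else dry-runs.
if [ "${1:-}" = "apply" ]; then firewall_rules; else dry_run_rules; fi
```

Keep the module loading, the MASQ timeouts and the ip_dynaddr/ip_always_defrag settings from the original script in front of firewall_rules; this example only replaces its forwarding and masquerading part. Run the script with no argument first and read the printed command list before calling it with apply from /etc/rc.d/rc.local.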
Install with rpm -iv caching-nameserver* from the CD if you missed it during install.
Edit your /etc/resolv.conf file and include yourself (127.0.0.1) before your external nameservers.
Warning: several security problems have been found in the bind 8.2.2 series. See: http://www.redhat.com/support/errata/RHSA-2001-007.html
/etc/resolv.conf

```
search mydomain.com.au
```