Monday, October 26, 2009

Linux Security Notes 14: Squid notes 8: Cache Hierarchies & Transparent Proxy

Squid cache Hierarchies:

Parent-Child Hierarchies:


    Here we define the parent-child cache peering relationship. The cache is split across two servers: a main cache server, called the parent, and a local cache server, called the client. All local users query the client server, and the client pulls anything it does not have from the parent. Only one Squid server (the parent) is connected to the external network, and for auditing purposes all traffic from the other Squid servers is routed through that single proxy server.

Configuring the cache peering
Scenario:
The 192.168.1.0/24 local network queries the cache client client.cache.domain.com:3128, which in turn queries parent.cache.domain.com for any object not found locally. The parent cache server is the only one connected to the internet. The client uses port 3130 (ICP, a UDP protocol) to find out whether the requested object is present in the parent cache.
Note:-
    Squid supports several inter-cache protocols: CARP (Cache Array Routing Protocol), ICP, HTCP (Hypertext Caching Protocol), Cache Digests, etc. Make sure that ports 4827, 3130 and 3128 are open in the firewall if the client cache is behind one.

Configuring the cache-peer

In client.cache.domain.com
# vim squid.conf
--------------
cache_peer    parent.cache.domain.com      parent    8080    3130    default
--------------
# reload squid

    This makes client.cache.domain.com query parent.cache.domain.com as a parent, using the cache-peer (ICP) port 3130 and proxy port 8080, with default settings.
Test by setting the proxy variable on the hosts in the subnet to client.cache.domain.com. The client tries to pull the page from client.cache.domain.com; if the page is not found there, the Squid running on client.cache.domain.com contacts parent.cache.domain.com for it. Check the access.log file for the request path.

Sibling Hierarchies:

Sibling-cache Relationship
    This shares the cache among multiple Squid servers: if a server receives a request for an object that is not in its own cache, it queries the sibling proxy servers for that object before fetching it itself. Implementing this saves bandwidth and the time taken to download the page. In this case the cache is shared among the sibling servers.

Configuration:
In client.cache.domain.com

# vim squid.conf
---------
cache_peer    parent.cache.domain.com      sibling    8080    3130    default
---------
# reload squid


In parent.cache.domain.com
# vim squid.conf
-----------
cache_peer    client.cache.domain.com      sibling    8080    3130    default
-----------
# reload squid

    This makes both servers act as siblings: an object already present in either server is served from there before the internet is queried.
    Test by setting the proxy variables on the client and checking the access.log file on both servers. The queries exchanged between the sibling servers can be traced there.
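Both tests above end with "check the access.log", so here is a small auditor for that step. This is an added example, not part of the original notes: it parses Squid's native access.log format and summarises the hierarchy code of every request, so you can confirm that a child cache sends its misses to the parent (FIRST_UP_PARENT / DEFAULT_PARENT) or to a sibling (SIBLING_HIT) rather than going DIRECT to the origin, which is exactly the bypass the single-audited-egress design is meant to rule out. The log lines, the client addresses and the allowed-peer set are constructed for the example; TCP_DENIED lines (which a maxconn limit produces) are counted too.

```python
"""Audit a Squid access.log for requests that bypassed the cache hierarchy.

Added example, not from the original notes. Native Squid log line layout:
  time elapsed client code/status bytes method URL ident hierarchy/peer type
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Hierarchy codes meaning the cache fetched from the origin server itself.
BYPASS_CODES = {"DIRECT"}

# Constructed sample log (not a real capture); 203.0.113.5 is a documentation
# address standing in for an origin server the child reached directly.
SAMPLE_LOG = """\
1256543210.123    245 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/ - FIRST_UP_PARENT/parent.cache.domain.com text/html
1256543211.456      3 192.168.1.11 TCP_HIT/200 1234 GET http://example.com/ - NONE/- text/html
1256543212.789    120 192.168.1.12 TCP_MISS/200 5678 GET http://example.org/a - SIBLING_HIT/parent.cache.domain.com text/html
1256543213.000    300 192.168.1.13 TCP_MISS/200 910 GET http://example.net/ - DIRECT/203.0.113.5 text/html
1256543214.500      1 192.168.1.13 TCP_DENIED/403 1450 GET http://example.net/b - NONE/- text/html
"""

# Peers the child is allowed to talk to (assumed for the example).
ALLOWED_PEERS = {"parent.cache.domain.com"}


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, allowed_peers):
    """Summarise hierarchy codes and result codes, and collect violations.

    A violation is a request that went DIRECT, or one that was served by a
    peer not in allowed_peers. Local hits (hierarchy NONE, peer '-') are fine.
    """
    hierarchy = Counter()
    result_codes = Counter()
    violations = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            hierarchy["UNPARSED"] += 1
            continue
        hierarchy[rec["hier"]] += 1
        result_codes[rec["code"]] += 1
        if rec["hier"] in BYPASS_CODES:
            violations.append(rec)
        elif rec["hier"] != "NONE" and rec["peer"] not in allowed_peers:
            violations.append(rec)
    return {"hierarchy": hierarchy, "result_codes": result_codes,
            "violations": violations}


def main():
    report = audit(SAMPLE_LOG.splitlines(), ALLOWED_PEERS)
    for code, n in sorted(report["hierarchy"].items()):
        print("%-18s %d" % (code, n))
    for v in report["violations"]:
        print("BYPASS: %s %s via %s/%s" % (v["client"], v["url"], v["hier"], v["peer"]))


if __name__ == "__main__":
    main()
```

Run it against the real file with `audit(open("/var/log/squid/access.log"), ALLOWED_PEERS)`; on a child cache any DIRECT entry means a request left the network without passing the parent, and a non-empty violations list is the thing to alert on.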

Limiting the squid service access:
    To limit how many connections a single client may hold open to the cache:
# vim squid.conf
---------
acl all src 0.0.0.0/0.0.0.0
acl connection_limit    maxconn    10
http_access deny connection_limit    all
---------
# reload squid

    If a user attempts to open more than 10 connections to the server, Squid denies the additional connections. Test using wget.


Transparent Proxy

    Local network (no proxy settings in the browser) -> proxy/firewall (HTTP accelerator and iptables) -> Internet
Configuring the transparent proxy on the proxy/firewall box
Step 1:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    (Any packet arriving on eth1 with destination port 80 is redirected to port 3128.)
Step 2:
    Now we configure Squid as a transparent proxy by enabling the HTTP acceleration feature (only in the 2.x series; newer versions do not need these directives).

# vim squid.conf
-----------
httpd_accel_host     virtual
httpd_accel_port     80
httpd_accel_with_proxy    on
httpd_accel_uses_host_header    on
-----------
# reload squid

    With these settings the proxy runs in transparent mode.
Note:-
# squid -v

    This command shows the options Squid was compiled with. Look there for the option that lets Squid interact with iptables when running as a transparent proxy, "--enable-linux-netfilter". This option makes Squid integrate with iptables while running in transparent mode.
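The transparent-proxy setup above has three parts that all have to line up: the build option, the squid.conf directives and the iptables redirect. The following added example (not from the original notes) is an offline checker for those three: it takes the text of `squid -v`, of `iptables-save -t nat` and of squid.conf and reports what is missing. The sample inputs are constructed; the interface name eth1 and proxy port 3128 are the ones the notes use. One point worth checking that the notes only imply with `-i eth1`: the redirect must be bound to the internal interface, otherwise port-80 traffic arriving on the external side would also be pushed into the cache.

```python
"""Offline readiness check for the Squid 2.x transparent-proxy setup.

Added example, not from the original page. Nothing here touches the system;
pass it the captured output of `squid -v`, `iptables-save -t nat` and the
contents of squid.conf.
"""
import shlex

# The 2.x httpd_accel_* directives exactly as the notes set them.
REQUIRED_ACCEL = {
    "httpd_accel_host": "virtual",
    "httpd_accel_port": "80",
    "httpd_accel_with_proxy": "on",
    "httpd_accel_uses_host_header": "on",
}

# Constructed samples (not captured from a real host).
SQUID_V = """Squid Cache: Version 2.7.STABLE9
configure options:  '--prefix=/usr' '--enable-linux-netfilter' '--enable-ssl'
"""
SQUID_CONF = """# constructed fragment
httpd_accel_host     virtual
httpd_accel_port     80
httpd_accel_with_proxy    on
httpd_accel_uses_host_header    on
"""
IPTABLES_NAT_OK = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""
# Same rule without the input-interface match: redirects on every interface.
IPTABLES_NAT_BAD = IPTABLES_NAT_OK.replace("-i eth1 ", "")


def netfilter_compiled_in(squid_v_output):
    """True if the 'configure options' line of `squid -v` has --enable-linux-netfilter."""
    for line in squid_v_output.splitlines():
        if line.lower().startswith("configure options"):
            return "--enable-linux-netfilter" in line
    return False


def parse_squid_conf(text):
    """Map directive -> value for simple one-value directives; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def missing_accel_directives(conf):
    """Names of required directives that are absent or set to another value."""
    return sorted(k for k, v in REQUIRED_ACCEL.items() if conf.get(k) != v)


def redirect_rules(iptables_save_nat):
    """Extract PREROUTING REDIRECT rules as dicts (in_iface, dport, to_port)."""
    rules = []
    for line in iptables_save_nat.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        toks = shlex.split(line)
        if "REDIRECT" not in toks:
            continue
        rule = {"in_iface": None, "dport": None, "to_port": None}
        for i, tok in enumerate(toks[:-1]):
            if tok == "-i":
                rule["in_iface"] = toks[i + 1]
            elif tok == "--dport":
                rule["dport"] = toks[i + 1]
            elif tok in ("--to-ports", "--to-port"):
                rule["to_port"] = toks[i + 1]
        rules.append(rule)
    return rules


def check_redirect(rules, lan_iface="eth1", proxy_port="3128"):
    """Findings about the tcp/80 redirect: present, aimed at the proxy port, LAN-only."""
    findings = []
    matching = [r for r in rules if r["dport"] == "80" and r["to_port"] == proxy_port]
    if not matching:
        findings.append("no PREROUTING rule redirects tcp/80 to port %s" % proxy_port)
    for r in matching:
        if r["in_iface"] is None:
            findings.append("redirect rule is not limited to an input interface")
        elif r["in_iface"] != lan_iface:
            findings.append("redirect rule bound to %s, expected %s" % (r["in_iface"], lan_iface))
    return findings


def readiness(squid_v_output, iptables_save_nat, squid_conf):
    """Return the list of problems; an empty list means the three parts agree."""
    problems = []
    if not netfilter_compiled_in(squid_v_output):
        problems.append("squid built without --enable-linux-netfilter")
    for d in missing_accel_directives(parse_squid_conf(squid_conf)):
        problems.append("squid.conf: %s is missing or wrong" % d)
    problems.extend(check_redirect(redirect_rules(iptables_save_nat)))
    return problems


if __name__ == "__main__":
    print(readiness(SQUID_V, IPTABLES_NAT_OK, SQUID_CONF) or "ready")
    print(readiness(SQUID_V, IPTABLES_NAT_BAD, SQUID_CONF))
```

On a real box feed it `subprocess.check_output(["squid", "-v"])`, `iptables-save -t nat` and the conf file; the interface-binding finding is the one that turns a LAN-only transparent cache into something reachable from outside.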
