Proxy Server How To

Start by installing Arch Linux (or your chosen distribution) onto the hardware you selected. If you are in need of a little assistance with the installation, I recommend using this wiki guide and then set up yaourt. Once you have completed your standard Linux installation you need to ensure your network is configured properly. In the case of my transparent proxy, I plugged one network port directly into my cable router and allowed it to grab and IP address via DHCP. The second adapter is then given an IP address of your choice (I chose 10.4.20.1; other common IP addresses would be 192.168.x.x).

At this point you will want to test your network configuration. Start with trying to get out to the internet. If this works, plug your secondary network adapter into whatever switch/router you have available. Take your desktop or laptop that's plugged into the same switch and assign it an IP address in your 10.4.20.x range. (For DHCP setups, see below.) You should now be able to ping your new proxy server (10.4.20.1) from your desktop/laptop. As a quick note for the users who only have a wireless cable modem, it is okay to have both interfaces of your proxy server and desktop plugged into the same cable modem hub.

Now that we have the configuration of the network cards complete, we just need to do a quick installation and configuration of Shorewall/Squid. That may sound like a daunting task to the Linux initiate, but this is actually very simple. First go ahead and install both Squid and Shorewall. Arch has both readily available in the package repository (from a command prompt: yaourt –S shorewall squid). If you are not utilizing Arch, you can download the packages manually from www.shorewall.net and www.squid-cache.org.

 

Whether you installed Arch Linux or another distribution as your base OS, Shorewall has one simple command to get it set up: cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall. (This copies the base two-NIC example to your live Shorewall directory, which saves a lot of manual work.) Make a quick edit to /etc/shorewall/shorewall.conf and change the Startup_Enabled to yes and you now have a functioning Shorewall. The only thing you need to do for Shorewall at this point is add the following rule into the /etc/shorewall/rules file: REDIRECT loc 3128 tcp www. Start Shorewall by typing: shorewall start from the command line, and add it to your boot process by putting shorewall into the DAEMONS section of /etc/rc.conf.

Now that Shorewall is fully functional and configured, we need to configure Squid. I found a short wiki guide that will assist with the initial set up of Squid. Once you have completed the configuration in the wiki guide, you need to pay close attention to a few configuration settings located in /etc/squid/squid.conf. The cache_memline should be set to half of your installed ram on your proxy server. In my case I have 512MB of total memory so I configured cache_mem to 256. The other setting that you need to pay attention to is maximum_object_size. This setting is the maximum file size your proxy will retain. I set my maximum size to 2048MB in order to retain everything up to a CD ISO. Be cautious of using 2048 if you have anything less than a 120gb drive as your storage space could be gone in the matter of a few days. To get the caching proxy in place and running, the most important line to add is http_port 3128 transparent. The key here is the addition of "transparent", which turns squid into a caching proxy that won't require any additional configuration on your client PCs.

If you followed all of the directions correctly, you're now ready to configure all the machines on your network with a 10.4.20.x IP address with the gateway set as 10.4.20.1. Don't forget to configure your DNS as well (in /etc/resolve.conf). Now that you have everything fired up give your new proxy a spin around the internet. If you would like to do a good test, download a decent size file (i.e. larger than 1MB). Once the download is complete, you should be able to download it again a second time and get LAN speeds on the download. If you have multiple computers, use another machine on your network and attempt to download the same file and you should again see LAN download speeds.

Proxy Server with DHCP

Although I wanted to keep this short and to the point, a common question inevitably comes up: what if you still want to use DHCP? There are a few ways to tackle this issue. If you're lucky enough to have a router/cable modem that will allow you to change what IP addresses it assigns to the network, simply change it over to your new 10.4.20.x subnet and have it assign the gateway of 10.4.20.1. If this is not the case, you will need to disable DHCP on your router and install the DHCP server package (in Arch: pacman –S dhcp). The configuration can be a bit of a hassle, so here's my /etc/dhcpd.conf.

Start the DHCP service on your proxy (/etc/rc.d/dhcpd start) and test DHCP on your desktop/laptop. Assuming all goes well, add dhcpd to your DAEMONS in /etc/rc.conf. If you happen to reboot your Linux box, after a minute or so your proxy should be back up and running.

Introduction to Proxy Servers Linux Neophyte Troubleshooting
Comments Locked

96 Comments

View All Comments

  • dilidolo - Tuesday, May 11, 2010 - link

    I use pfSense as my firewall and wireless AP. Just use an old PC with pci wireless card and you are set, not even a wireless router
  • JarredWalton - Tuesday, May 11, 2010 - link

    You can of course go that route. You could make the Linux box your router and DHCP source. But most people already have a wireless router so connecting to that makes sense to me. I'd have to purchase a wireless PCI card to put in a Linux box, and traditionally wireless cards have far more limited range than routers (due to the single small antenna and sub-optimal location of being behind a large computer).

    But as with all things Linux, there are many ways to set things up. This was a short article to introduce a useful concept that many users likely haven't thought about.
  • leexgx - Tuesday, May 11, 2010 - link

    i was going to question the same thing but then i thought last time i setup IPcop i would of done the same thing disable the DHCP server and use it as an HUB/AP

    main thing i loved with IPcop was the bandwidth throttle i could cap it 5KB under my upload limit i could set utorrent or emule to full upload speeds and i could still play games online lag free (but removed due to lack of supporting uPnP i needed it for MSN remote support and games that Required Upnp {bit lame} at all hope this review used an linux distro with an upnp server on the lan side and i had an look and it did not)
  • ninjaproxy - Monday, May 20, 2013 - link

    With a proxy site you can browse your favorite web sites anonymously and even from behind a firewall with blocked ports. Whether you are on the job, at school, a college university, a public terminal or anywhere else with a web browser.

    http://www.ninjaproxy.eu
    http://www.ninjaproxy.org.uk
    http://www.vtunnel.ca
    http://www.fbproxy.us
    http://www.ninjacloak.us
    http://www.proxyninja.us
  • Zok - Tuesday, May 11, 2010 - link

    I've always wanted to tackle something like this, but the power draw has always been the biggest turn off. If average power consumpton hovers around 100W, that's about $105/year for the American average.

    I'd love to ditch my router/AP, but, sadly, I just don't see the benefit of replacing it with something that's significantly more power hungry, unable to act as a dual-band 802.11n AP (last I checked, the drivers weren't out yet for AP mode, if ever), would cost nearly as much as a good dedicated device to outfit with 3-4 additional LAN ports, and is typically physically large and hideous - not to mention the PITA of hours of initial setup and troubleshooting, when you're not a Linux expert.

    In my dreams, I wish there would simply be a beefier all-in-one WRT54G-like device running an Atom, supported dual-band 802.11n radio(s), and SATA, allowing for full-blown Linux in a compact package that would be so win.
  • JarredWalton - Tuesday, May 11, 2010 - link

    Depends on where you live, obviously, though the national average appears to be just over $0.10 per kWh:
    http://www.eia.doe.gov/electricity/epm/table5_6_a....

    That's why I mention the attractiveness of a Mini-ITX setup, particularly with Atom or similar. Most nettops use a maximum of around 25W, so that would be 1/4 the cost of a typical system, and a nettop is about the same size as a standard router. Too bad they don't have two NICs.
  • Zok - Tuesday, May 11, 2010 - link

    I've explored such a scenario. Unfortunately, at this point, the best it seems I can do is the Mini-ITX router going to the 802.11n AP. Adding another device into the network (upfront cost + power), without removing any others seems like a poor value proposition to me, at least with FiOS speeds.

    Don't get me wrong, I like the idea. I'm just waiting for someone to come along and actually produce a fully-integrated device (x86 CPU, memory, mobo, 4-5 Ethernet ports, Linux-AP supported 802.11n radios, case - without using large expansion cards/slots) that is under $250 and isn't awkwardly large and ugly. Having the 4-5 port switch and (potentially) the radios integrated into the motherboard itself is what I am looking for, although I'd be OK with Mini-PCIe for the radios.
  • taltamir - Tuesday, May 11, 2010 - link

    Don't get me wrong, I like the idea. I'm just waiting for someone to come along and actually produce a fully-integrated device (x86 CPU, memory, mobo, 4-5 Ethernet ports, Linux-AP supported 802.11n radios, case - without using large expansion cards/slots) that is under $250 and isn't awkwardly large and ugly. Having the 4-5 port switch and (potentially) the radios integrated into the motherboard itself is what I am looking for, although I'd be OK with Mini-PCIe for the radios.

    I am pretty much in the same boat.
    at my power rate a 24/7/365 device costs me about 1$ per watt per year.
    so putting a 75 watt old computer there is another 75$ a year...

    I can't wait to ditch my router for a linux based router, but it doesn't seem to be happening.
    Actually, it doesn't even need to be an x86 CPU, any CPU will do. ARM and PowerPC are both supported by linux
  • ChrisRice - Tuesday, May 11, 2010 - link

    There are various power saving techniques you can use to keep the power down as well. If your processor supports speed stepping you can utilizing that as well as powering down actual hardware until use is needed. I wanted to keep the article short so I didn't get into those areas.
  • clarkn0va - Friday, May 14, 2010 - link

    http://www.newegg.ca/Product/Product.aspx?Item=N82...

    A little over your stated budget, but good value nonetheless. Throw a supported wireless card (try ubnt.com) into the spare slot, add your favourite distro and life is good.

Log in

Don't have an account? Sign up now