Linux Squid Proxy server – Installation and configuration – Internet access control

By peter, August 21, 2009

A proxy server serves web pages to your users, connecting to the Internet on their behalf. Users therefore don’t connect to the Internet directly. Many companies would like to monitor and/or control users’ access to the Internet. Linux uses Squid as a proxy server.


Install squid from your installation CD or download from the internet.

Initial setup

For a very basic configuration, proceed as follows:
1. Open the file /etc/squid/squid.conf in vi
2. If this file is empty install squid first
3. Remove the # in front of the following lines
a. http_port 3128
b. cache_mem 8 MB
c. cache_swap_low 90
d. cache_swap_high 95
e. cache_dir ufs
f. cache_access_log
g. cache_log
4. Go down to “access control” and change (default is “deny all”)
5. If you want squid to always start at boot, type the command “chkconfig squid on”
6. Start the squid server with the command “service squid start” or if you use SuSE “rcsquid start”


The next thing you need to do is create an “access rule”. The squid.conf file has two basic sections: the ACL section, where you define your rule, and the ACCESS section, where you define how the rule is applied.

Access only from LAN

For a simple rule that allows access to the Internet from your LAN continue as follows:
1. Find the “ACL” section of the “squid.conf” file. Scroll down to “recommended minimum configuration” and add the line (or whatever your LAN address should be):
acl lan_local src 192.168.1.0/24
2. Now scroll down to the “http_access” section of the “squid.conf” file and find “http_access allow manager localhost”. Put a space between it and the one below and insert the following:
http_access allow lan_local
Notice that “lan_local” is the name of the rule you set up in point 1.

Allowing access certain times of the day:

The following is an example of how to restrict access to lunch time:
Add this to the bottom of the ACL section of squid.conf
acl lunchtime time 12:00-13:00
Add this at the top of the http_access section of squid.conf

http_access allow lunchtime

Access controlled by password:

The following is an example of how to restrict access by password using NCSA Password Authentication:
Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd2 program that comes installed with Apache2 to create your passwords.
Create the password file. The name of the password file could be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable. To do this type the following at the command prompt:
touch /etc/squid/squid_passwd
chmod o+r /etc/squid/squid_passwd

Use the “htpasswd2” program to add users to the password file. You can add users at any time without having to restart Squid. In this example, I create a user called “fred”. To do this, type the following at the command prompt:
htpasswd2 /etc/squid/squid_passwd fred
You will then be asked to enter and confirm the password.
Next you need to find the location of your “ncsa_auth” file using the rpm command. Type the following at the command prompt:
rpm -ql squid | grep ncsa
Take note of the path to that file.
Now edit “squid.conf” to define “ncsa_auth” as the authentication program.
Next, create an “ACL” named “ncsa_users” with the “REQUIRED” keyword that forces Squid to use the “NCSA auth_param”. Finally, create an “http_access” entry that allows traffic that matches the “ncsa_users ACL” entry.
Here is how to do it:
Add the following to the “auth_param” section of the “squid.conf” file.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
Replace /usr/lib/squid/ncsa_auth with the path to the ncsa_auth file that you took note of earlier.
Now add the following to the bottom of the “ACL” section of the “squid.conf” file.
acl ncsa_users proxy_auth REQUIRED
Then add the following to the top of the “http_access” section of the “squid.conf” file.
http_access allow ncsa_users
Squid will now ask users for a password.
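An added check for the password file created above (example code, not part of the original post). It flags permissions and hash schemes in an NCSA-style file; the sample entries are constructed placeholders, and the assumption is that the helper only needs the file readable by the account Squid runs under.

```python
import os
import stat
import tempfile

def classify_hash(h):
    """Name the scheme of one htpasswd hash field from its prefix or length."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if h.startswith("{SHA}"):
        return "sha1-unsalted"
    if len(h) == 13:
        return "des-crypt"  # traditional crypt(): only 8 password chars count
    return "unknown"

def audit_passwd_file(path):
    """Return a list of findings for an NCSA-style user:hash file."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append("hashes readable by every local account")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file writable by group or other")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            user, sep, h = line.partition(":")
            if not (user and sep and h):
                findings.append(f"line {lineno}: malformed entry")
            elif classify_hash(h) in ("des-crypt", "sha1-unsalted", "unknown"):
                findings.append(f"line {lineno}: {user} uses {classify_hash(h)}")
    return findings

def demo():
    """Audit a constructed file (hash strings below are made-up placeholders)."""
    sample = "fred:abCONSTRUCTED\nanna:$apr1$constrct$notARealHashValue00000\nbroken\n"
    with tempfile.NamedTemporaryFile("w", suffix="_passwd", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)  # other-readable, as after the post's "chmod o+r"
    try:
        return audit_passwd_file(tmp.name)
    finally:
        os.unlink(tmp.name)
```

Run `audit_passwd_file("/etc/squid/squid_passwd")` on the proxy host to check the real file.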

Require a user password during work hours but not during lunch:
Combine the time control with password control as follows:
Under “http_access”, put the “hours” access above the “password” access.
http_access allow lunchtime
http_access allow ncsa_users
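Why the order of these two lines matters, as an added example (a simplified model written for this page, not Squid's own code). It evaluates http_access rules top to bottom with first match winning, and assumes a supplied user name stands for credentials the helper accepted; the SWAPPED and LAN_ONLY rule sets are hypothetical variants for comparison.

```python
import ipaddress
from datetime import time

# ACLs copied from the post; the evaluator itself is a simplified model, not Squid code.
ACLS = {
    "lan_local": ("src", ipaddress.ip_network("192.168.1.0/24")),
    "lunchtime": ("time", (time(12, 0), time(13, 0))),
    "ncsa_users": ("proxy_auth", "REQUIRED"),
}

def acl_matches(name, req):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in value
    if kind == "time":
        return value[0] <= req["now"] <= value[1]
    # proxy_auth REQUIRED: without credentials the client must be challenged (HTTP 407).
    return True if req.get("user") else "challenge"

def http_access(rules, req):
    """First rule whose ACLs all match decides; ACLs on one line are ANDed."""
    for action, names in rules:
        result = True
        for name in names:
            result = acl_matches(name, req)
            if result is not True:
                break
        if result == "challenge":
            return "407"
        if result:
            return action
    return "deny"  # models the default config's final "http_access deny all"

PAGE_ORDER = [("allow", ["lunchtime"]), ("allow", ["ncsa_users"])]
SWAPPED = [("allow", ["ncsa_users"]), ("allow", ["lunchtime"])]
# Assumed tightening: require the LAN source on every allow line.
LAN_ONLY = [("allow", ["lan_local", "lunchtime"]), ("allow", ["lan_local", "ncsa_users"])]

def request(src, hh, mm, user=None):
    return {"src": src, "now": time(hh, mm), "user": user}

if __name__ == "__main__":
    for label, rules in (("page", PAGE_ORDER), ("swapped", SWAPPED), ("lan-only", LAN_ONLY)):
        for req in (request("192.168.1.20", 12, 30), request("192.168.1.20", 14, 0),
                    request("192.168.1.20", 14, 0, "fred"), request("10.9.9.9", 12, 30)):
            print(label, req["src"], req["now"], req["user"], "->", http_access(rules, req))
```

With the page's order, a lunchtime request is allowed from any source address that can reach the proxy port, because the time rule carries no src ACL; the LAN_ONLY variant closes that.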

Setting up Virtual hosts – Apache web server

By peter, August 19, 2009

You can host more than one website on a server by using virtual hosts. These web sites all share the same IP address.


Suppose you wanted a website called peter.co.za and a website called dna.co.za to run off the same web server on the same port (80).

1. Create two folders under the directory “/srv/www/”, one called “peter” and the other called “dna”, and copy an index.html page to each folder.

2. Make sure the file and folder permissions are correct on each, for example:

chown wwwrun /srv/www/dna

chown wwwrun /srv/www/dna/index.html

3. Now browse to the folder “/etc/apache2/vhosts.d/”, copy the template found there and paste it as peter.conf and dna.conf, as shown below:

cp  vhost.template  peter.conf


4. Open each file in vi and change the following:

<VirtualHost peter.co.za:80>
    # Name this virtual host answers to and where its pages live
    ServerName peter.co.za
    DocumentRoot /srv/www/peter
    # Per-site logs
    ErrorLog /var/log/apache2/peter.co.za-error_log
    CustomLog /var/log/apache2/peter.co.za-access_log combined
    UseCanonicalName On
    # Trailing slash on both sides so /cgi-bin/x maps to /srv/www/cgi-bin/x
    ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
    <Directory "/srv/www/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/srv/www/peter/">
        AllowOverride None
        Options Indexes FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

5. Now do the same for the other Virtual hosts

6. Next browse to the folder “/etc/apache2/” and edit the file “listen.conf” and add the following line for each of your virtual hosts. In this example I have added the line for the two sites peter.co.za and dna.co.za

7. You can now test your config by typing the following at the command prompt

apache2ctl configtest

8. Reload Apache by typing “apache2 restart” at the command prompt

9. Test by browsing to http://peter.co.za and http://dna.co.za

TIP

For testing virtual hosts you will need to create a host name to IP address mapping in your hosts file. The hosts file is found in the “/etc” folder (/etc/hosts).

Installation, setup and configuration of Linux Apache2 web server

By peter, August 19, 2009

Getting Apache started


Apache is the Linux web server. Make sure you install apache2 from the installation CD. You can also download it from the Internet.

Getting Apache running

Start Apache at the command prompt by typing the command

rcapache2 start

To make sure that it starts at boot type the command

chkconfig apache2 on

If you have installed the demo web pages you will get a web page to confirm that it works.

Configuring Apache

With SuSE, web pages are stored in the /srv/www/htdocs/ folder. Other distros could store default web pages in other locations. (In older versions, web pages were stored in the directory /usr/local/httpd/htdocs/.)
Copy your own web site to this location (by default the home page is index.html). If you want to use another name you need to do the following:

edit the /etc/apache2/httpd.conf file

Open the file /etc/apache2/httpd.conf in vi and find the line “DirectoryIndex index.html”. Add to the same line, after “index.html”, any other page name you want to use. (Apache searches in the order of the page names you specify and serves the first one it comes across.)
