
Transparent proxy

  • 13-11-2007 3:26pm
    #1
    Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Anyone here use transparent proxying?

    We're sharing a 2M line between around 30 people here, which is disastrous as you can imagine. I have a P4 3GHz with a gig of ram and an IDE hard drive available.

    Would that box hold up? I was thinking of installing, say, ubuntu server, or centos server and using 3/4 of the ram as ramdisk for the transparent proxy (or else just relying on the kernel caching) but I'm concerned that the box will go to poop with so many users (hence considering the ramdisk).


Comments

  • Registered Users, Registered Users 2 Posts: 998 ✭✭✭zekiel


    Are you going to use squid or another 3rd-party proxy?

    I have squid running on a customer's site (40-odd users) on a system of roughly the same spec. Now, it is a server-based system, so a little more stable on the hardware side of things, but with regard to performance it runs happily at around 40% CPU usage.


  • Closed Accounts Posts: 1,467 ✭✭✭bushy...


    A few bits and pieces that might help or lead you astray altogether; not an expert, so google it if it doesn't go.

    This is presuming you want to pass all traffic through it too. Need a firewall somewhere too.

    eth0=internet side
    eth1=lan side

    Get a separate small disk and mount the cache on it; it will be faster, and if it dies it will save you a reinstall.

    Install squid then edit squid.conf
    SQUID.CONF

    # at about line number 75  add "transparent" after 3128
    # (on Squid 3.1 and later the option is called "intercept" instead)

    http_port 3128 transparent

    # about line 2580 where it reads :

    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    # (http_access is first-match, so these must sit before the default "http_access deny all")

    acl our_networks src   192.168.1.0/24   #  put LAN subnet(s) here

    http_access allow our_networks
    http_access allow localhost


    make it re-read the config with
    squid -k reconfigure
    


    Stick this stuff into rc.local so it redirects webpage stuff to squid

    #( eth1 is lan , eth0 is internet side)
    # redirects webstuff to squid
    # only plain HTTP (tcp/80) arriving on eth1 is caught; https and every
    # other port pass straight through and need their own firewall/NAT rules
    iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

    #makes it forward across the box (not persistent, hence rc.local)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    


    Other useful things to install :

    Ntop http://ntop.org Loads of graphs of traffic

    iptraf http://iptraf.seul.org

    tcpdump http://www.tcpdump.org/


    bwm: apt-get install bwm will get it; quick live view of the amount of traffic

    mrtg http://oss.oetiker.ch/mrtg/
    more graphs

    All the above gizmos are apt-gettable with ubuntu/debian




    to see if squid is proxying go :
    tail -f /var/log/squid/access.log
    

    Try Debian instead of Ubuntu; I know they're much the same, but I had an hour's fun before with Ubuntu's iffy squid.

    HtH


  • Registered Users, Registered Users 2 Posts: 354 ✭✭AndrewMc


    Khannie wrote: »
    Anyone here use transparent proxying?

    We're sharing a 2M line between around 30 people here, which is disastrous as you can imagine. I have a P4 3GHz with a gig of ram and an IDE hard drive available.

    Would that box hold up?

    I'd be surprised if it didn't — with a 2Mb line, it'll still spend most of its time waiting for data, and will only write a fraction of it to the cache (dynamic pages in general aren't worth caching). With a GB of RAM, you should get reasonable read performance from the cache, too.

    If nothing else, the logs might help identify bandwidth hogs :D


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Other option is also to block port 80 outbound and force people to actively select the proxy. You can use HTTP proxy auth too if you do this.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Nice one. Thanks for the input lads.

    I was thinking squid as the proxy alright. Think I'll just give it a lash. It'll be next week. I'll report back on how I get on.

    edit: I want to avoid people having to configure their browser. It throws up other issues, like wget not working without configuration on new boxes, etc. etc.


  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    Good suggestion actually from Red Alert.
    Bear in mind you can't transparently proxy https at all.
    That's called "man in the middle".

    I prefer not to give the internal machines a default route at all.
    Prevents all sorts of things escaping.

    Take the value of maximum_object_size up as high as you dare
    depending on how much disk space you have available. Even one repeat
    hit on a 60M media or update is a huge saving for a 2M link.

    Use as much disk as you can for cache, but keep enough for logs
    to see where the bandwidth is going. Some people have had problems
    with squid and Windows Update and had to force it not to cache them.
    Real updaters like apt-get love the transparent proxy :-)

    With 30 users, you'll probably have one or two who think it's "their 2M".
    They can be throttled; the keyword is delay_pool. Works very well.
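Added example, not code from the thread: the posts above point at /var/log/squid/access.log to confirm the proxy is working, to find bandwidth hogs and to decide who goes into a delay pool, so here is a small Node.js script that summarises a Squid native-format access.log into a cache hit rate and a per-client byte count. The log lines are constructed sample data, not a real capture.

```javascript
// Added example, not from the thread: summarise a Squid native-format
// access.log to see the cache hit rate and which LAN hosts are eating the
// 2M line. Runs under Node.js. The log lines below are constructed sample
// data, not a real capture.

const SAMPLE_LOG = `
1194963180.123    245 192.168.1.17 TCP_MISS/200 61237 GET http://example.com/big.iso - DIRECT/93.184.216.34 application/octet-stream
1194963181.410     12 192.168.1.17 TCP_HIT/200 61237 GET http://example.com/big.iso - NONE/- application/octet-stream
1194963182.002    830 192.168.1.42 TCP_MISS/200 1048576 GET http://mirror.example.org/update.exe - DIRECT/203.0.113.9 application/octet-stream
1194963183.550     15 192.168.1.42 TCP_MEM_HIT/200 2210 GET http://example.com/logo.png - NONE/- image/png
1194963184.100    400 192.168.1.5 TCP_MISS/200 12000 GET http://news.example.net/ - DIRECT/198.51.100.7 text/html
1194963185.000    300 192.168.1.42 TCP_MISS/200 5242880 GET http://mirror.example.org/bigger.iso - DIRECT/203.0.113.9 application/octet-stream
1194963186.000    900 192.168.1.5 TCP_MISS/504 0 GET http://down.example.com/ - DIRECT/- text/html
this line is garbage and must be skipped
`;

// Native format fields:
//   time elapsed_ms client result/status bytes method url user hierarchy/peer type
function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 9) return null;
  const [time, elapsed, client, resultCode, bytes, method, url] = f;
  const m = /^([A-Z_]+)\/(\d{3})$/.exec(resultCode);
  if (!m || !/^\d+(\.\d+)?$/.test(time) || !/^\d+$/.test(bytes)) return null;
  return {
    time: Number(time),
    elapsedMs: Number(elapsed),
    client,
    result: m[1],          // e.g. TCP_MISS, TCP_HIT, TCP_MEM_HIT
    status: Number(m[2]),  // HTTP status code
    bytes: Number(bytes),  // bytes sent to the client, headers included
    method,
    url,
  };
}

// Squid marks everything served from cache with a *_HIT result code.
function isHit(result) {
  return result.includes('HIT');
}

function summarise(logText) {
  const perClient = new Map();
  const s = { parsed: 0, skipped: 0, hits: 0, totalBytes: 0, hitBytes: 0, perClient };
  for (const raw of logText.split('\n')) {
    if (raw.trim() === '') continue;
    const rec = parseLine(raw);
    if (!rec) { s.skipped += 1; continue; }
    s.parsed += 1;
    s.totalBytes += rec.bytes;
    const c = perClient.get(rec.client) ||
      { client: rec.client, requests: 0, bytes: 0, hitBytes: 0, slowestMs: 0 };
    c.requests += 1;
    c.bytes += rec.bytes;
    c.slowestMs = Math.max(c.slowestMs, rec.elapsedMs);
    if (isHit(rec.result)) { s.hits += 1; s.hitBytes += rec.bytes; c.hitBytes += rec.bytes; }
    perClient.set(rec.client, c);
  }
  return s;
}

// Clients sorted by bytes served, heaviest first: candidates for a delay pool.
function topClients(summary, n) {
  return Array.from(summary.perClient.values())
    .sort((a, b) => b.bytes - a.bytes)
    .slice(0, n);
}

function report(logText, n = 5) {
  const s = summarise(logText);
  const pct = s.totalBytes ? (100 * s.hitBytes / s.totalBytes).toFixed(1) : '0.0';
  const lines = [
    `${s.parsed} requests parsed, ${s.skipped} malformed lines skipped`,
    `${s.hits} cache hits; ${s.hitBytes} of ${s.totalBytes} bytes (${pct}%) served from cache`,
  ];
  for (const c of topClients(s, n)) {
    lines.push(`${c.client.padEnd(15)} ${String(c.bytes).padStart(10)} bytes ` +
      `${String(c.requests).padStart(4)} req  hit ${c.hitBytes} bytes  slowest ${c.slowestMs} ms`);
  }
  return lines.join('\n');
}

console.log(report(SAMPLE_LOG));
```

Against a real file, read it with fs.readFileSync and pass the text to report(). The byte counts are what squid sent to the client, so a client with a large miss total is pulling that much over the 2M link, and the top entries of the table are the hosts worth putting into a delay pool; the hit percentage tells you whether raising maximum_object_size is paying off.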


  • Closed Accounts Posts: 583 ✭✭✭monkey tennis


    That spec is loads for 30 users on a 2M line - I've had squid serving 30 users on a P2 450 without problems.

    If all you're using the box for is proxying, it might be worth looking at a dedicated proxy/firewall distro, e.g. Smoothwall or IPCop.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Wget can set proxies from a prefs file in the home directory, if I'm not mistaken. Personally I don't like transparent proxying; it can give rise to privacy concerns.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    If worried about the reliability of the box, use proxy.pac/wpad.dat so clients can fall back:
    http://www.novell.com/coolsolutions/feature/7949.html

    but IE is really screwy when trying to use it.

    Something like this should fail over to a worse PC and then to the direct connection:

    function FindProxyForURL(url, host)
    {
        return "PROXY P4_3GHZ:3128; PROXY doorstep:8080; DIRECT";
    }


    As an aside, if you are being killed by Windows updates, get the 6-month trial of Windows 2003 Server and stick WSUS on it.
    Actually, don't bother; 2M should be enough as long as they update at night. You could set the PCs to power on or wake-on-LAN at 2:30 for the 3am updates.
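Added example, not from the post above: the same proxy.pac/wpad.dat failover chain, extended so that plain hostnames, the internal domain and the LAN itself go DIRECT instead of through squid, which is the part a 3-line PAC usually misses. The proxy names P4_3GHZ and doorstep come from the post; the internal domain .example.lan and the 192.168.1.0/24 LAN are assumed values. Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; the versions here are stand-ins so the logic can be run under Node.js.

```javascript
// Added example, not from the thread: a proxy.pac / wpad.dat with the
// failover chain from the post above plus bypass rules for local traffic.
// P4_3GHZ and doorstep are the proxies named in the post; .example.lan and
// 192.168.1.0/24 are assumed values. The helper functions are stand-ins for
// the ones every PAC engine supplies; a browser's isInNet(host, ...) resolves
// the name via DNS (one lookup per request), this stand-in only matches
// hosts given as literal IPv4 addresses.

function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function ipToInt(ip) { return ip.split('.').reduce((n, o) => n * 256 + Number(o), 0); }
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Set to false if port 80 outbound is blocked at the firewall and you want
// both proxies being down to mean "no web" rather than a silent bypass.
const ALLOW_DIRECT_FALLBACK = true;

function proxyChain(allowDirect) {
  // Primary box first, then the fallback box; the browser tries them in order.
  const chain = 'PROXY P4_3GHZ:3128; PROXY doorstep:8080';
  return allowDirect ? chain + '; DIRECT' : chain;
}

function FindProxyForURL(url, host) {
  // Internal names and addresses: never through the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, '.example.lan') ||
      isInNet(host, '127.0.0.0', '255.0.0.0') ||
      isInNet(host, '192.168.1.0', '255.255.255.0')) {
    return 'DIRECT';
  }
  // Everything else: primary, then fallback, then (optionally) direct.
  return proxyChain(ALLOW_DIRECT_FALLBACK);
}
```

Serve the file as proxy.pac (or as wpad.dat from a host named wpad in the local DNS domain for auto-detection) and strip the stand-in helpers first; the browser will object to them being redefined in some engines and they are not needed there. Note that a trailing DIRECT means a dead proxy silently drops any policy squid was enforcing, which is why it pairs with the earlier suggestion of blocking port 80 outbound at the firewall.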

