I have seen some messages on the list about setting up a web proxy server. I am ICT Coordinator in a Leicestershire High School and we are about to take delivery of a new RM PC which I would like to set up as a proxy server. I understand I would use squid. I have never set up anything like this before - I can install and configure Linux on an internet connected workstation standing on my head, but I still view networking as something of a black art!

We currently run an RM 2.3 Connect network - 1 Windows NT server and around 40 Windows 95 workstations, most are Pentium 100 with 16 MB RAM (and don't we know it!!). As I understand it, I need two network cards on the new machine, one connected directly to our ISDN router, the other to our current network. I configure the new machine to talk to the router and all other machines on the network to talk to the new machine, hence all requests pass through the proxy server rather than directly to our ISP. I assume non-web traffic would pass through transparently.

Excuse me if this is a little simplistic - I will have the use of a technician from another school for a few hours, although he knows very little about Linux. He is more knowledgeable about networking generally though.

I would appreciate it if anyone could let me know of any useful web sites on this topic - I am sure some members of the list set up a help page for this sort of thing.

Many thanks indeed for any help list members are able to offer.

--
Phillip Deackes
Gartree High School, Oadby
Leicester
Hi, (left lots of the original email in for clarity)

On Sun, 24 Sep 2000, Phillip Deackes wrote:
I have seen some messages on the list about setting up a web proxy server. I am ICT Coordinator in a Leicestershire High School and we are about to take delivery of a new RM PC which I would like to set up as a proxy server. I understand I would use squid. I have never set up anything like this before - I can install and configure Linux on an internet connected workstation standing on my head, but I still view networking as something of a black art!
I've been doing networking for over five years, and trust me, it *is* a Black Art, have the goat entrails handy.
We currently run an RM 2.3 Connect network - 1 Windows NT server and around 40 Windows 95 workstations, most are Pentium 100 with 16 MB RAM (and don't we know it!!). As I understand it, I need two network cards on the new machine, one connected directly to our ISDN router, the other to our current network. I configure the new machine to talk to the router and all other machines on the network to talk to the new machine, hence all requests pass through the proxy server rather than directly to our ISP.
To make this work you'll have to set up your new Linux box as a router, which means it will need two different address ranges on the end of each NIC. I *suspect* you don't have an extra range of addresses to use, and using part of your existing allocation (a Class C? 255.255.255.0 subnet mask?) to make up the network between the Linux box and the ISDN router would mean reconfiguring the networking on your existing 41 Windows hosts. Actually, regardless of the IP ranges used, the setup you specify will mean reconfiguring the networking somewhere - I would expect this is best left alone. (Any URLs for the networking used for RM connections appreciated.)

What make is the ISDN router? Do you administer it or have any control over it? I'm thinking that you could:

- Leave the network routing configuration as it is.
- Add in the Web Proxy with a single ethernet card.
- Configure all hosts to use the WebProxy for http requests.
- Configure the ISDN router to block all Web requests for the Internet that don't come from the WebProxy, so stopping any of those imaginative students disabling the proxy server settings and getting to "unsuitable" websites.

Note that "block all web requests" isn't as easy as I make it sound above: not all websites sit on port 80, so to do this properly you'd really need to implement an "everything not expressly permitted is denied" policy on the router, which depending on what traffic you send to the Internet can be a non-trivial exercise.

I presume you don't have a range of "legal" Internet IP addresses for use on your network and some kind of Network Address Translation occurs either at your ISDN router or at your ISP before your traffic reaches the Internet?
I assume non-web traffic would pass through transparently.
Only if you configure the Linux box to act as a router. I *gather* this isn't that hard, but I've never done it myself. Also I'd expect the box would get hammered, so considering whether you have control over the ISDN router or not you may not want to put that much load on the new Linux box.
Excuse me if this is a little simplistic - I will have the use of a technician from another school for a few hours, although he knows very little about Linux. He is more knowledgeable about networking generally though.
Best to pick his brains first I think, and anyone else available, and then use those valuable few hours just implementing the decided network setup and troubleshooting.... and catching the goats.

<snip>

--
Nick Drage, helping fill up the internet since 1993.
"There is no such thing as a bug in the Linux 2.1.x kernels. Consider it as a request from the enlightened for you to brush up on your C programming and help improve the kernel."
Nick Drage wrote:
Hi, Nick. I always think of you as Swiss Nick!!! Thanks for the help.
What make is the ISDN router? Do you administer it or have any control over it? I'm thinking that you could:
It is an Ascend, I believe. I am not at school so cannot check at the moment. We have full control over our network - the router sits next to the server and we can do with it what we wish. We connect to the Internet using IFL (an RM company). The router is a standard 2x64K ISDN 2e affair.
I presume you don't have a range of "legal" Internet IP addresses for use on your network and some kind of Network Address Translation occurs either at your ISDN router or at your ISP before your traffic reaches the Internet?
Actually we do, if I read you correctly. We have a range of IP addresses we can use. Each machine on the network has its own IP address and can be pinged from outside. We run our own mail server too, using NT Mail (although mail is collected globally from the ISP using POP3) so we have quite a nice little system.

Does this make things easier?

Cheers.

--
Phillip Deackes
Using Storm Linux
Phillip,

If all the stations on your network have public IP addresses and you have one free for the new proxy server then you only need to set up one NIC. Use the router IP address as the default gateway.

Since you get the IFL filtered service you will need to configure Squid to use the IFL cache farm as a parent. Here's the config fragment:

    cache_peer icpcache-1.rmplc.co.uk parent 8080 3130 no-digest
    cache_peer icpcache-2.rmplc.co.uk parent 8080 3130 no-digest
    cache_peer icpcache-3.rmplc.co.uk parent 8080 3130 no-digest
    cache_peer icpcache-4.rmplc.co.uk parent 8080 3130 no-digest

    # define the local network
    acl local-network dst 212.132.119.128/255.255.255.192
    acl all src 0.0.0.0/0.0.0.0

    # force all requests for local resources to go direct
    always_direct allow local-network

    # force all requests for non-local resources to go via a parent
    never_direct allow all

You will need to reconfigure the browsers on all your stations to use your new proxy. By default Squid will listen on port 3128 whereas the IFL proxies listen on port 8080. If you want to keep your local proxy consistent then add this to the Squid config:

    http_port 8080

You might also want to increase the cache hit ratio by tweaking the refresh pattern:

    refresh_pattern ^ftp:    1440 80% 10080
    refresh_pattern ^gopher: 1440  0%  1440
    refresh_pattern .        1440 80%  4320 reload-into-ims

Also, Squid by default denies all clients so you need to add this line at the end of the http_access section:

    http_access allow all

Regards,
Simon.
Hi,

On Sun, 24 Sep 2000, Phillip Deackes wrote:

Nick Drage wrote:

Hi, Nick. I always think of you as Swiss Nick!!!

<grin>
What make is the ISDN router? Do you administer it or have any control over it? I'm thinking that you could:
It is an Ascend, I believe. I am not at school so cannot check at the moment. We have full control over our network - the router sits next to the server and we can do with it what we wish. We connect to the Internet using IFL (an RM company). The router is a standard 2x64K ISDN 2e affair.
I've only ever used the Ascend Pipeline, and if I remember correctly that can do Packet Filtering. Depending on the firewalling or not from IFL you may want to have a crack at learning this or get IFL to put some filters in place. Presumably they've some filters in place anyway to force students to use their Proxy Servers? So you could request that these are modified so that only the IP address of your Proxy Server can access their proxy servers. As before, any URLs detailing the standard RM set ups appreciated.
I presume you don't have a range of "legal" Internet IP addresses for <snip>
Actually we do, if I read you correctly. We have a range of IP addresses we can use. Each machine on the network has its own IP address and can be pinged from outside. We run our own mail server too, using NT Mail (although mail is collected globally from the ISP using POP3) so we have quite a nice little system.
I'm a little worried about being able to ping your desktops from the Internet, especially as they're Windows. (No OS religious arguments intended; IMHO Windows doesn't deal well with the kind of zany packets script kiddies are fond of throwing around the Net.)
Does this make things easier?
Sort of, depends on the solution you decide on.

--
Nick Drage, helping fill up the internet since 1993.
"Napoleon couldn't take Moscow, Ronald McDonald just danced in." - Ben Elton
On Sun, 24 Sep 2000, Phillip Deackes wrote:

<snip>
What make is the ISDN router? Do you administer it or have any control over it? I'm thinking that you could:
It is an Ascend, I believe. I am not at school so cannot check at the moment. We have full control over our network - the router sits next to the server and we can do with it what we wish. We connect to the Internet using IFL (an RM company). The router is a standard 2x64K ISDN 2e affair.
I presume you don't have a range of "legal" Internet IP addresses for use on your network and some kind of Network Address Translation occurs either at your ISDN router or at your ISP before your traffic reaches the Internet?
Actually we do, if I read you correctly. We have a range of IP addresses we can use. Each machine on the network has its own IP address and can be pinged from outside. We run our own mail server too, using NT Mail (although mail is collected globally from the ISP using POP3) so we have quite a nice little system.
I have read the other messages on this topic but I thought I would add my thoughts - they might help. I have set up the scenario you are discussing in several schools in Carmarthenshire.

If your setup matches what RM use everywhere here, then you will be using a range of private IP addresses (usually 192.168.0.0/22) with NAT in the router. If yours is like this then the simplest setup is to use a single ethernet in the proxy connected straight on to the LAN - as Matt Johnson suggested. Some of our schools do use a two-ethernet setup as they have a second LAN for the admin staff and so they can use the proxy for both - they leave routing disabled to keep the networks independent.

Which distro are you intending to use? They all do the same job but vary in the tools used to set them up and the packages included. We used SuSE 6.3 for most of ours and squid comes as a package ready to install - all it needs is the access control lists editing.

You haven't said whether you want your proxy to be used for access control or is it just to speed up the Internet? Our schools don't connect to IFL (that is what we are here to provide) but I believe that they do implement some form of content filtering. If you do need the access control function then you can use the facilities of RM Connect to disable access to the proxy settings in IE to stop anyone bypassing the proxy. If you need proxy settings for IFL then you will need to point squid at their filter as a parent cache.

Hope this is useful

____________________________________
Giles Nunn - Network Manager
Carms Schools ICT Development Centre
Tel: +44 01239 710662  Fax: 710985
____________________________________
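A complete squid.conf access section that draws Simon's parent-cache fragment and Giles's point about the proxy doing access control together. This is an added example, not configuration posted by either of them or shipped by RM or IFL. Simon's fragment ends in "http_access allow all"; Squid evaluates http_access lines top to bottom and acts on the first match, so on a machine with a public address (as Phillip's are) that single line lets any host on the Internet relay web requests through the school's proxy and on through the IFL filter. The version below allows only the school's own stations. It assumes the stations sit in the same public /26 Simon used for local resources (212.132.119.128/255.255.255.192); a NAT'd RM site of the kind Giles describes would substitute 192.168.0.0/255.255.252.0. The peer names, ports and refresh patterns are the ones from Simon's message; the Safe_ports, SSL_ports and manager ACLs are the stock ones Squid 2.x ships in its default squid.conf.

```squid
# Added example, not the config from this thread.
# Assumption: client stations are in 212.132.119.128/26 (the range Simon
# defined as local); use 192.168.0.0/255.255.252.0 on a NAT'd RM site.

http_port 8080

# IFL cache farm as parents (from Simon's message); never fetch
# non-local objects ourselves, so the IFL filtering always applies
cache_peer icpcache-1.rmplc.co.uk parent 8080 3130 no-digest
cache_peer icpcache-2.rmplc.co.uk parent 8080 3130 no-digest
cache_peer icpcache-3.rmplc.co.uk parent 8080 3130 no-digest
cache_peer icpcache-4.rmplc.co.uk parent 8080 3130 no-digest

refresh_pattern ^ftp:    1440 80% 10080
refresh_pattern ^gopher: 1440  0%  1440
refresh_pattern .        1440 80%  4320 reload-into-ims

acl all        src   0.0.0.0/0.0.0.0
acl localhost  src   127.0.0.1/255.255.255.255
# who may use the proxy (assumed client range)
acl localnet   src   212.132.119.128/255.255.255.192
# what counts as a local destination (Simon's local-network acl)
acl localdst   dst   212.132.119.128/255.255.255.192
acl manager    proto cache_object
acl SSL_ports  port  443 563
acl Safe_ports port  80 21 443 563 70 210 1025-65535
acl CONNECT    method CONNECT

always_direct allow localdst
never_direct  allow all

# First match wins. The cachemgr interface is reachable only from the
# box itself; odd ports and CONNECT-to-anything are refused; then only
# the school's own stations are allowed, and everyone else is denied.
# Simon's "http_access allow all" in this position would open the proxy
# to the whole Internet.
http_access allow manager localhost
http_access deny  manager
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow localnet
http_access deny  all

# Likewise refuse ICP queries from outside the school
icp_access allow localnet
icp_access deny  all
```

Check the file with "squid -k parse" before restarting, then, from a host outside the /26, ask the proxy for an external URL: it should answer with a 403 rather than the page. From a station inside the range the same request should succeed and appear in access.log with the parent as the source. Note that restricting http_access controls who can use the proxy; it does nothing about a station that has had its browser proxy settings cleared, which is the case Nick's router filter and Giles's RM Connect lockdown address.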
participants (4): Giles Nunn, Nick Drage, Phillip Deackes, Simon Rainey