Feature #1773
Proxy server
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squid | | |
| Target version: | v6.4-beta2 | | |
| Resolution: | | NEEDINFO: | No |
Description
Add a proxy server in gateway/firewall configuration.
Candidate: SQUID - http://www.squid-cache.org/
Three modes:
- Transparent proxy
- Authenticated with password
- Authenticated with kerberos
- Time table
- Upstream proxy
- List of non-cachable sites
- Bandwidth limits
Packages available here: http://www1.ngtech.co.il/rpm/centos/6/x86_64/
Related issues
Associated revisions
First import. Refs #1773
/etc/shorewall/: add providers template. Refs #1773
/etc/shorewall: add tcrules template. Refs #1773
Add base features. Refs #1773
web ui: add ui for proxy configuration with plugin behaviour. Refs #1773
web ui: add missing translation for Squid component. Refs #1773
createlinks: restart squid on nethserver-squid-update and nethserver-squid-save events. Refs #1773
pam authentication: add setuid perl helper. Refs #1773
History
#1
Updated by Giacomo Sanchietti over 8 years ago
- Target version changed from ~FUTURE to v6.4-beta2
#2
Updated by Giacomo Sanchietti about 8 years ago
- Description updated
#3
Updated by Giacomo Sanchietti about 8 years ago
- Description updated
#4
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from NEW to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 0 to 30
#5
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_DEV to ON_QA
- % Done changed from 30 to 80

- manual: each proxy must set the proxy
- authenticated: manual configuration with pam authentication
- transparent: all traffic is routed through proxy, manual configuration available
- transparent_ssl: all traffic is routed through proxy, even ssl traffic, manual configuration available #1775
- Upstream proxy
- List of non-cachable sites
#7
Updated by Davide Principi about 8 years ago
- NEEDINFO changed from No to Yes

ON_QA state but is missing information for QA role:
- Test cases, from Developer
- RPM package in nethserver-testing repository, from Packager
#8
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_QA to ON_DEV
- % Done changed from 80 to 30
#9
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 70
Implemented in nethserver-squid package.
#10
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 70 to 80
- nethserver-squid-1.0.0-1
- squid-3.3.5-1
- Install: yum --enablerepo=nethserver-testing install nethserver-squid
- Enable manual mode using web interface
- Configure a client to use the proxy
- Make sure client is accessing web via proxy (check /var/log/squid/access.log and /var/log/squid/cache.log)
- Try all other proxy modes
#11
Updated by Giacomo Sanchietti about 8 years ago
- NEEDINFO changed from Yes to No
#12
Updated by Alessio Fattorini about 8 years ago
- Assignee changed from Giacomo Sanchietti to Alessio Fattorini
- NEEDINFO changed from No to Yes
I follow this wiki too: http://dev.nethserver.org/projects/nethserver/wiki/Nethserver-squid
```
# rpm -qa | grep squid
nethserver-squid-1.0.0-1.ns6.noarch
squid-3.3.5-1.el6.x86_64
```
Squid installed and activated in manual mode using web interface
First problem
No squid loaded
```
[root@muflone ~]# ps ax | grep squid
30478 pts/0 S+ 0:00 grep squid
```
Workaround
I try manual start:
```
service squid start
[root@muflone ~]# ps ax | grep squid
30513 ? Ss 0:00 squid
30515 ? S 0:00 (squid-1)
30516 ? S 0:00 (logfile-daemon) /var/log/squid/access.log
30518 pts/0 S+ 0:00 grep squid
```
Now works.
Logs checked
Second problem
Authentication mode shows login form but authentication with valid user fails
On messages I see:
Jun 29 09:29:09 localhost (basic_pam_auth): pam_ldap: ldap_search_s No such object
Should I file some bugs?
How can I test NoCache feature?
I should test transparent_mode
#13
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_QA to ON_DEV
- Assignee changed from Alessio Fattorini to Giacomo Sanchietti
- % Done changed from 80 to 30
#14
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 70
- NEEDINFO changed from Yes to No

> First problem
> No squid loaded
> [...]

Squid is now restarted (and not reloaded) in nethserver-squid-save and nethserver-squid-update events.

> Second problem
> Authentication mode shows login form but authentication with valid user fails

The pam authenticator script must be executed as root.
Squid now uses a setuid perl wrapper: /usr/libexec/nethserver/squid_pam_helper

> How can I test NoCache feature?

Execute:
```
config setprop squid NoCache www.google.com
signal-event nethserver-squid-save
```
Check no cache entry is created in /var/log/squid/access.log when visiting www.google.com using the proxy.
#15
Updated by Giacomo Sanchietti about 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 70 to 80
- nethserver-squid-1.0.2
Also includes part of #2072 enhancement.
#16
Updated by Davide Principi about 8 years ago
- Assignee changed from Giacomo Sanchietti to Davide Principi
I'm testing it, together with #1775.
Manual PASSED
- Access a cacheable resource
```
curl -L -x davidep2.vboxnet0.tld:3128 http://code.nethesis.it/gitweb.css

==> /var/log/squid/access.log <==
1374768335.169 2410 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css - HIER_DIRECT/95.138.186.87 text/css
1374768339.028 1 192.168.8.1 TCP_MEM_HIT/200 8742 GET http://code.nethesis.it/gitweb.css - HIER_NONE/- text/css
```
- If no credentials are provided => ERR_CACHE_ACCESS_DENIED
- Passing credentials
```
curl -L -x user01:XXXXXX@davidep2.vboxnet0.tld:3128 http://code.nethesis.it/gitweb.css

==> /var/log/squid/cache.log <==
2013/07/25 16:25:25 kid1| Starting new basicauthenticator helpers...
2013/07/25 16:25:25 kid1| helperOpenServers: Starting 1/5 'squid_pam_helper' processes

==> /var/log/squid/access.log <==
1374769526.404 922 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css user01 HIER_DIRECT/95.138.186.87 text/css
```
- NOTE Credentials are passed in CLEAR-TEXT (only in a base64-encoded form)
- Enabled server&gateway mode and set as network gateway
- Client hosts use the transparent web proxy
- SSL connections are not proxied
Transparent SSL
See #1775
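
The access.log checks that comments #14 and #16 make by eye (MISS then HIT for a cacheable resource, the username field in authenticated mode, no cache hit for a NoCache host) can be scripted. The following Python is an added example, not code from this ticket or from nethserver-squid; it assumes Squid's default native log format, the function names are hypothetical, and the fourth sample line is constructed.

```python
from urllib.parse import urlsplit

# Lines 1-3 are the access.log entries quoted in comment #16; line 4 is
# constructed to show what a NoCache violation would look like.
SAMPLE_LOG = """\
1374768335.169 2410 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css - HIER_DIRECT/95.138.186.87 text/css
1374768339.028 1 192.168.8.1 TCP_MEM_HIT/200 8742 GET http://code.nethesis.it/gitweb.css - HIER_NONE/- text/css
1374769526.404 922 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css user01 HIER_DIRECT/95.138.186.87 text/css
1374769600.000 3 192.168.8.1 TCP_MEM_HIT/200 512 GET http://www.google.com/ - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into named fields."""
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated line or a different logformat
    result, _, status = parts[3].partition("/")
    url = parts[6]
    # CONNECT requests are logged as "host:port", not as a URL
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    # Approximation: any result tag containing HIT counts as served from cache
    return {"time": float(parts[0]), "client": parts[2], "result": result,
            "status": status, "method": parts[5], "url": url, "host": host,
            "user": None if parts[7] == "-" else parts[7],
            "served_from_cache": "HIT" in result}

def audit(log_text, nocache_hosts=(), require_auth=False):
    """Return (entries, findings); findings are (line_number, message)."""
    entries, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        if e is None:
            if line.strip():
                findings.append((n, "unparsed line"))
            continue
        entries.append(e)
        if e["served_from_cache"] and e["host"] in nocache_hosts:
            findings.append((n, "cache hit for NoCache host " + e["host"]))
        if require_auth and e["user"] is None and e["status"] != "407":
            findings.append((n, "request served without a username"))
    return entries, findings

if __name__ == "__main__":
    entries, findings = audit(SAMPLE_LOG, nocache_hosts={"www.google.com"})
    for e in entries:
        print(e["result"], e["user"], e["url"])
    for n, msg in findings:
        print("line", n, msg)
```
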
#17
Updated by Davide Principi about 8 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
RPMs:
```
nethserver-smartd-1.0.0-1.ns6.noarch
postfix-2.9.6-2.ns6.x86_64
nethserver-lightsquid-1.0.2-1.ns6.noarch
nethserver-nethgui-1.2.2-1.ns6.noarch
dovecot-antispam-0.0.49-1.ns6.x86_64
nethserver-backup-config-1.0.3-1.ns6.noarch
nethserver-samba-1.3.6-1.ns6.noarch
nethserver-httpd-admin-1.0.4-1.ns6.noarch
nethserver-openssh-1.0.2-1.ns6.noarch
nethserver-shorewall-1.0.0-1.ns6.noarch
nethserver-lib-1.3.0-1.ns6.noarch
nethserver-directory-1.2.2-1.ns6.noarch
nethserver-antivirus-1.0.3-1.ns6.noarch
nethserver-mail-common-1.2.1-1.ns6.noarch
nethserver-php-1.1.0-1.ns6.noarch
nethserver-ntp-1.0.4-1.ns6.noarch
nethserver-httpd-2.2.1-1.ns6.noarch
nethserver-firewall-base-1.0.3-1.ns6.noarch
nethserver-yum-1.1.1-1.ns6.noarch
nethserver-mail-server-1.4.4-1.ns6.noarch
nethserver-hosts-1.0.4-1.ns6.noarch
nethserver-grub-1.0.1-1.ns6.noarch
nethserver-squid-1.0.2-1.ns6.noarch
nethserver-base-1.4.0-1.ns6.noarch
nethserver-mail-filter-1.1.1-1.ns6.noarch
nethserver-dnsmasq-1.0.4-1.ns6.noarch
```
#18
Updated by Davide Principi about 8 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Moved to nethserver-updates repository