Feature #1773

Proxy server

Added by Giacomo Sanchietti over 8 years ago. Updated about 8 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

Description

Add a proxy server in gateway/firewall configuration.

Candidate: SQUID - http://www.squid-cache.org/

Three modes:
  • Transparent proxy
  • Authenticated with password
  • Authenticated with kerberos
Other configurable options:
  • Time table
  • Upstream proxy
  • List of non-cachable sites
  • Bandwidth limits

Packages available here: http://www1.ngtech.co.il/rpm/centos/6/x86_64/


Related issues

Related to NethServer 6 - Feature #17: Add wpad support CLOSED
Related to NethServer 6 - Feature #1775: SSL proxy CLOSED

Associated revisions

Revision 8c1fcb52
Added by Giacomo Sanchietti about 8 years ago

First import. Refs #1773

Revision 2feaa802
Added by Giacomo Sanchietti about 8 years ago

/etc/shorewall/: add providers template. Refs #1773

Revision 3d43dad1
Added by Giacomo Sanchietti about 8 years ago

/etc/shorewall: add tcrules template. Refs #1773

Revision a930f72c
Added by Giacomo Sanchietti about 8 years ago

Add base features. Refs #1773

Revision 4bf79eb9
Added by Giacomo Sanchietti about 8 years ago

web ui: add ui for proxy configuration with plugin behaviour. Refs #1773

Revision 72c2d8ab
Added by Giacomo Sanchietti about 8 years ago

web ui: add missing translation for Squid component. Refs #1773

Revision 5fccdb02
Added by Giacomo Sanchietti about 8 years ago

createlinks: restart squid on nethserver-squid-update and nethserver-squid-save events. Refs #1773

Revision c9e6f7e7
Added by Giacomo Sanchietti about 8 years ago

pam authentication: add setuid perl helper. Refs #1773

History

#1 Updated by Giacomo Sanchietti over 8 years ago

  • Target version changed from ~FUTURE to v6.4-beta2

#2 Updated by Giacomo Sanchietti about 8 years ago

  • Description updated (diff)

#3 Updated by Giacomo Sanchietti about 8 years ago

  • Description updated (diff)

#4 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from NEW to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 0 to 30

#5 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to ON_QA
  • % Done changed from 30 to 80
Implemented modes:
  • manual: each proxy must set the proxy
  • authenticated: manual configuration with pam authentication
  • transparent: all traffic is routed through proxy, manual configuration available
  • transparent_ssl: all traffic is routed through proxy, even ssl traffic, manual configuration available #1775
Implemented features:
  • Upstream proxy
  • List of non-cachable sites

#6 Updated by Giacomo Sanchietti about 8 years ago

Needs documentation.

#7 Updated by Davide Principi about 8 years ago

  • NEEDINFO changed from No to Yes
This issue is in ON_QA state but is missing information for the QA role:
  • Test cases, from Developer
  • RPM package in nethserver-testing repository, from Packager

#8 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_QA to ON_DEV
  • % Done changed from 80 to 30

#9 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70

Implemented in nethserver-squid package.

#10 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 70 to 80
Test packages:
  • nethserver-squid-1.0.0-1
  • squid-3.3.5-1
Testing instructions:
  • Install: yum --enablerepo=nethserver-testing install nethserver-squid
  • Enable manual mode using web interface
  • Configure a client to use the proxy
  • Make sure client is accessing web via proxy (check /var/log/squid/access.log and /var/log/squid/cache.log)
  • Try all other proxy modes

#11 Updated by Giacomo Sanchietti about 8 years ago

  • NEEDINFO changed from Yes to No

#12 Updated by Alessio Fattorini about 8 years ago

  • Assignee changed from Giacomo Sanchietti to Alessio Fattorini
  • NEEDINFO changed from No to Yes

I follow this wiki too: http://dev.nethserver.org/projects/nethserver/wiki/Nethserver-squid

# rpm -qa | grep squid
nethserver-squid-1.0.0-1.ns6.noarch
squid-3.3.5-1.el6.x86_64

Squid installed and activated in manual mode using web interface

First problem
No squid loaded

[root@muflone ~]# ps ax | grep squid
30478 pts/0    S+     0:00 grep squid

Workaround
I try manual start:

service squid start

[root@muflone ~]# ps ax | grep squid
30513 ?        Ss     0:00 squid
30515 ?        S      0:00 (squid-1)
30516 ?        S      0:00 (logfile-daemon) /var/log/squid/access.log
30518 pts/0    S+     0:00 grep squid

Now works.

Logs checked

Second problem
Authentication mode shows the login form but authentication with a valid user fails

In messages I see:

Jun 29 09:29:09 localhost (basic_pam_auth): pam_ldap: ldap_search_s No such object

Should I file some bugs?
How can I test NoCache feature?

I should test transparent_mode

#13 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_QA to ON_DEV
  • Assignee changed from Alessio Fattorini to Giacomo Sanchietti
  • % Done changed from 80 to 30

#14 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70
  • NEEDINFO changed from Yes to No

First problem
No squid loaded
[...]

Squid is now restarted (and not reloaded) in nethserver-squid-save and nethserver-squid-update events.

Second problem
Authentication mode shows the login form but authentication with a valid user fails

The pam authenticator script must be executed as root.
Squid now uses a setuid perl wrapper: /usr/libexec/nethserver/squid_pam_helper

How can I test NoCache feature?

Execute:

config setprop squid NoCache www.google.com
signal-event nethserver-squid-save

Check no cache entry is created in /var/log/squid/access.log when visiting www.google.com using the proxy.

#15 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 70 to 80
New package in nethserver-testing:
  • nethserver-squid-1.0.2

Also includes part of #2072 enhancement.

#16 Updated by Davide Principi about 8 years ago

  • Assignee changed from Giacomo Sanchietti to Davide Principi

I'm testing it, together with #1775.

Manual PASSED
  • Access a cacheable resource
    curl -L -x davidep2.vboxnet0.tld:3128 http://code.nethesis.it/gitweb.css
    
    ==> /var/log/squid/access.log <==
    1374768335.169   2410 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css - HIER_DIRECT/95.138.186.87 text/css
    1374768339.028      1 192.168.8.1 TCP_MEM_HIT/200 8742 GET http://code.nethesis.it/gitweb.css - HIER_NONE/- text/css
    
Authenticated PASSED
  • If no credentials are provided => ERR_CACHE_ACCESS_DENIED
  • Passing credentials
    curl -L -x user01:XXXXXX@davidep2.vboxnet0.tld:3128 http://code.nethesis.it/gitweb.css
    
    ==> /var/log/squid/cache.log <==
    2013/07/25 16:25:25 kid1| Starting new basicauthenticator helpers...
    2013/07/25 16:25:25 kid1| helperOpenServers: Starting 1/5 'squid_pam_helper' processes
    
    ==> /var/log/squid/access.log <==
    1374769526.404    922 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css user01 HIER_DIRECT/95.138.186.87 text/css
    
  • NOTE Credentials are passed in CLEAR-TEXT (only in a base64-encoded form)
Transparent PASSED
  • Enabled server&gateway mode and set as network gateway
  • Client hosts use the transparent web proxy
  • SSL connections are not proxied

Transparent SSL

See #1775
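
The access.log checks described in comments #14 and #16, as an added example that is not part of the ticket or of nethserver-squid: it parses Squid's native access.log format and reports cache hits, authenticated users, denied requests and hits on NoCache hosts. It assumes the default log format and reads the NoCache check as "no *_HIT result code for the listed host"; the function names and the lines marked as constructed are hypothetical.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Field order of Squid's native access.log format (code/status split in two).
Entry = namedtuple("Entry", "ts ms client result status size method url user peer mime")

def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    p = line.split()
    if len(p) != 10 or "/" not in p[3]:
        return None
    result, _, status = p[3].partition("/")
    try:
        return Entry(float(p[0]), int(p[1]), p[2], result, int(status),
                     int(p[4]), p[5], p[6], p[7], p[8], p[9])
    except ValueError:
        return None

def host_of(e):
    # CONNECT requests are logged as "host:port" rather than a full URL.
    if e.method == "CONNECT":
        return e.url.rsplit(":", 1)[0].lower()
    return (urlsplit(e.url).hostname or "").lower()

def is_hit(e):
    return "HIT" in e.result  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...

def audit(lines, nocache_hosts=()):
    """Summarise what the QA steps look for in access.log."""
    entries = [e for e in map(parse_line, lines) if e]
    nocache = {h.lower() for h in nocache_hosts}
    return {
        "hits": sum(is_hit(e) for e in entries),
        "misses": sum(e.result.endswith("MISS") for e in entries),
        "users": sorted({e.user for e in entries if e.user != "-"}),
        "denied": [e.url for e in entries if e.result.endswith("DENIED")],
        "nocache_violations": [e.url for e in entries
                               if is_hit(e) and host_of(e) in nocache],
    }

# The first three lines are from the ticket; the last three are constructed.
SAMPLE = [
    "1374768335.169   2410 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css - HIER_DIRECT/95.138.186.87 text/css",
    "1374768339.028      1 192.168.8.1 TCP_MEM_HIT/200 8742 GET http://code.nethesis.it/gitweb.css - HIER_NONE/- text/css",
    "1374769526.404    922 192.168.8.1 TCP_MISS/200 8736 GET http://code.nethesis.it/gitweb.css user01 HIER_DIRECT/95.138.186.87 text/css",
    "1374769600.000      0 192.168.8.1 TCP_DENIED/407 3800 GET http://code.nethesis.it/gitweb.css - HIER_NONE/- text/html",
    "1374769700.000    120 192.168.8.1 TCP_MISS/200 5120 GET http://www.google.com/ - HIER_DIRECT/203.0.113.10 text/html",
    "truncated line without enough fields",
]
```

Calling `audit(SAMPLE, nocache_hosts=["www.google.com"])` returns a summary in which an empty `nocache_violations` list means the NoCache host was never served from cache.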

#17 Updated by Davide Principi about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

RPMs:

nethserver-smartd-1.0.0-1.ns6.noarch
postfix-2.9.6-2.ns6.x86_64
nethserver-lightsquid-1.0.2-1.ns6.noarch
nethserver-nethgui-1.2.2-1.ns6.noarch
dovecot-antispam-0.0.49-1.ns6.x86_64
nethserver-backup-config-1.0.3-1.ns6.noarch
nethserver-samba-1.3.6-1.ns6.noarch
nethserver-httpd-admin-1.0.4-1.ns6.noarch
nethserver-openssh-1.0.2-1.ns6.noarch
nethserver-shorewall-1.0.0-1.ns6.noarch
nethserver-lib-1.3.0-1.ns6.noarch
nethserver-directory-1.2.2-1.ns6.noarch
nethserver-antivirus-1.0.3-1.ns6.noarch
nethserver-mail-common-1.2.1-1.ns6.noarch
nethserver-php-1.1.0-1.ns6.noarch
nethserver-ntp-1.0.4-1.ns6.noarch
nethserver-httpd-2.2.1-1.ns6.noarch
nethserver-firewall-base-1.0.3-1.ns6.noarch
nethserver-yum-1.1.1-1.ns6.noarch
nethserver-mail-server-1.4.4-1.ns6.noarch
nethserver-hosts-1.0.4-1.ns6.noarch
nethserver-grub-1.0.1-1.ns6.noarch
nethserver-squid-1.0.2-1.ns6.noarch
nethserver-base-1.4.0-1.ns6.noarch
nethserver-mail-filter-1.1.1-1.ns6.noarch
nethserver-dnsmasq-1.0.4-1.ns6.noarch

#18 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Moved to nethserver-updates repository
