Overclock.net › Forums › Specialty Builds › Servers › Squid Server Setup

Squid Server Setup

post #1 of 29
Thread Starter 
Hi everyone.

So about two months ago I started a new job with an enterprise customer. That means I am on a restricted network, even though I have more access than most. I am still limited to what ports are open to this network, which means I have trouble accessing services I have running at home. Currently, I have the following (that I'm concerned with for this post):
VM1
CentOS 6.4
Internal IP x.x.1.110
Runs SubSonic on port 543

VM2
CentOS 6.4
Internal IP x.x.1.115
Runs SABnzbd on port 4910, SickBeard on 4911, and CouchPotato on 4912

VM3
Server 2012
Internal IP x.x.1.116
Runs deluge and deluge-web on port 8888

VM4
CentOS 6.4
Internal IP x.x.1.245
Runs Guacamole on port 8080

So currently I am using PAT at my firewall (Ubiquiti EdgeRouter Lite) to translate incoming port 80 to x.x.1.110:543. Since outbound port 80 is allowed here, I can access my SubSonic server from work, which is most important. Need my music, and I can keep up on my TV shows. Basically, MyDomain.com --> PATs to x.x.1.110:543 through my firewall, currently.

Since I am very limited to what ports I can run here, I don't want to readjust my network at home, all my DNAT/SNAT and firewall rules, to make things work with the network here at work. What I would like to do is stand up some appliance/server that would allow me to use virtual hosts or something like that to get to what I want, over port 80. Ideally, I would like to be able to do the following:

MyDomain.com/SubSonic
MyDomain.com/SAB
MyDomain.com/SB
MyDomain.com/CP
MyDomain.com/Guac

and have that translate to the right servers, using PAT (regular web redirects won't work, since the host will still request over the destination's port). I know that I (since these are all web based apps) could use some sort of web server (Nginx, Apache, etc) and do virtual hosts, but these are services running on different servers. Does anyone know of any appliances that would translate like I am looking for? I'm pretty sure there is nothing I could do on my firewall, or is there anything I can do with my external DNS (dynamic DNS hosted with No-IP.org, using my own domain name)?

Thanks!
post #2 of 29
Personally I would just set up a squid proxy on a VM and SSH tunnel to that on port 80. Then you should be able to forward requests anywhere inside of your network.

You could PAT 80 externally to 22 internally for SSH and then tunnel a connection from a local port to 3128 for the HTTP proxy or similar.

Am I understanding your requirement correctly?
post #3 of 29
Thread Starter 
Quote: Originally Posted by beers

Personally I would just set up a squid proxy on a VM and SSH tunnel to that on port 80. Then you should be able to forward requests anywhere inside of your network.

You could PAT 80 externally to 22 internally for SSH and then tunnel a connection from a local port to 3128 for the HTTP proxy or similar.

Am I understanding your requirement correctly?

I didn't even think about a proxy like that. I have never used Squid, but know of it. So with that I could basically have it like a VPN tunnel, but for my browser? Is that right? Would I be able to configure my computer here at work to only tunnel for certain websites? I don't want to mess with my regular web browsing which I would need for work.

How would SSH tunneling affect performance of media streaming? I have audio streaming at 320kbps and video ranging from 500kbps to 1000kbps.
Edited by tycoonbob - 10/21/13 at 12:17pm
post #4 of 29
Sounds like you have a grasp of it.

I usually use a different browser like Firefox since it has separate proxy settings from the shared IE/Chrome ones, and then you just have segregated access between networks depending on what browser you're using.

You should have a similar performance for streaming although all of your data would now be through an encrypted tunnel. I have streamed audio through SSHFS while traveling without too many issues. Not sure what kind of bandwidth you have available but the penalty shouldn't be large.

I made a diagram for what I generally do at work but you probably already have it figured out.

post #5 of 29
Thread Starter 
Quote: Originally Posted by beers

Sounds like you have a grasp of it.

I usually use a different browser like Firefox since it has separate proxy settings from the shared IE/Chrome ones, and then you just have segregated access between networks depending on what browser you're using.

You should have a similar performance for streaming although all of your data would now be through an encrypted tunnel. I have streamed audio through SSHFS while traveling without too many issues. Not sure what kind of bandwidth you have available but the penalty shouldn't be large.

I made a diagram for what I generally do at work but you probably already have it figured out.


Thanks. For my implementation, I will be cutting out the VPS.

I'm assuming the ssh command you are running from your work computer is in a shell when you are SSHed to your squid box, right?

Can you break out the command as well? I'm guessing that the outbound traffic from work is seen as SSH traffic, over port 22, or is it coming over port 80, because of the -p 80 command?
post #6 of 29
It's mainly the command at each step. The first one would be set up from PuTTY on the work PC but you would have to put the rule in within Connection -> SSH -> Tunnels

-p specifies the port the destination SSH server is listening on, so 80 in your case.
-L provides a tunnel for a particular port, localport:destinationhostname:destinationport

I use a VPS in mine since I only allow a couple of specific WAN IPs to specific ports as source addresses into my network where every other address gets denied.

Hopefully that helps to some degree.
post #7 of 29
Thread Starter 
Quote: Originally Posted by beers

It's mainly the command at each step. The first one would be set up from PuTTY on the work PC but you would have to put the rule in within Connection -> SSH -> Tunnels

-p specifies the port the destination SSH server is listening on, so 80 in your case.
-L provides a tunnel for a particular port, localport:destinationhostname:destinationport

I use a VPS in mine since I only allow a couple of specific WAN IPs to specific ports as source addresses into my network where every other address gets denied.

Hopefully that helps to some degree.

Awesome, thanks for the explanation. I'm sure I will have more questions, but not at the moment. I am spinning up a new CentOS 6.4 VM (512MB RAM, 2 vCPU, and 20GB VHD) and will install Squid on it. I will see if I can find some guides on setting this up, since I am mainly only interested in the SSH tunnel for Squid and not caching.

So -p specifies the port that Squid is listening on, which I will set to 80 since I can get out on that port here at work.
-L would be to create the tunnel on a specific port, but what ports should I use? Is this just any port to segregate that traffic?
I assume I will have to create the tunnel every day when I get into the office (I reboot my PC at the end of the day)?
I can download Firefox if need be, but what address am I setting the proxy to? Are there any Chrome extensions/apps that would do this instead? I have all my bookmarks in Chrome already, and would hate to add all those to Firefox.
Yeah, that last one's being a little nitpicky I guess.

EDIT:
I found a Chrome Extension (TunnelSwitch) that I can configure a PAC file to only proxy certain URLs (such as MyDomain.com), which would work great since all my bookmarks in Chrome point to my external DNS name (so the shortcuts work no matter if I'm on my LAN, or on a WAN somewhere), so I think that plugin would be perfect once I get the tunnel actually working.

EDIT 2:
I have Squid installed on default port, and changed the SSH port. The SSH port is configured via PAT to port 80 on my WAN side, so tomorrow from work I should be able to SSH into it and configure the tunnel. I did some reading that helped explain a lot, so I think I understand what's going on and what I need to do from my work computer. I'm anxious to try TunnelSwitch also, configured with a PAC file, so I can set up rules for just my internal stuff to go over the tunnel.
Edited by tycoonbob - 10/21/13 at 5:59pm
post #8 of 29
Thread Starter 
Alright, so back at work I am able to SSH into my Squid box at home. I've established an SSH tunnel with PuTTY, but the proxy isn't working. I have a feeling it has something to do with the ACLs, but I'm drawing a blank on this. Here is where it currently stands:
Squid.conf:
Code:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
# acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Pretty much the default, with only minor changes. My LAN is covered in 172.16.0.0/16, so what else do I need to add to the ACL for this to work?

My tunnel command in PuTTY looks like this:

L80 :3128

and I left Squid running on the default port.

What am I missing?
post #9 of 29
I wasn't able to get my tunnel working by just specifying :3128. You'd have to indicate localhost so that the tunnel would terminate on the 'localhost' of the server you SSHed into. Then 'localhost' on the browser would use the local port you defined to tie into the 'localhost' of the destination on the destination port defined.

Similar to:
post #10 of 29
Thread Starter 
Quote: Originally Posted by beers

I wasn't able to get my tunnel working by just specifying :3128. You'd have to indicate localhost so that the tunnel would terminate on the 'localhost' of the server you SSHed into. Then 'localhost' on the browser would use the local port you defined to tie into the 'localhost' of the destination on the destination port defined.

Similar to:

That's essentially what I am doing, except in PuTTY I am using the internal IP of the Squid box, instead of 'localhost'. I will change that and give it a try, but I think my issue is something to do with ACLs. What do I need to change in my ACLs?
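An added example (not posted by anyone in this thread) of the PAC file idea from post #7, tied to the tunnel form beers describes in post #9: only traffic for the home domain or the 172.16.0.0/16 LAN goes through the local end of the SSH tunnel, everything else stays direct. The domain name, the local port 3128 and the ssh command in the comments are assumptions; only plain JavaScript is used so the same file runs in a browser's PAC engine and under Node.

```javascript
// Assumed tunnel on the work PC (PuTTY or OpenSSH), with sshd PAT'd to
// WAN port 80 and Squid left on its default port 3128:
//   ssh -p 80 -N -L 3128:localhost:3128 user@MyDomain.com
// The browser then talks to 127.0.0.1:3128, which comes out on the Squid
// box's own localhost, so Squid sees it as its "acl localhost" source.

var TUNNEL_PROXY = "PROXY 127.0.0.1:3128";          // local end of the -L tunnel
var HOME_DOMAIN  = "mydomain.com";                  // placeholder for the real dyndns name
var LAN_ADDRESS  = /^172\.16\.\d{1,3}\.\d{1,3}$/;   // the thread's 172.16.0.0/16 LAN

// True for the bare home domain, any subdomain of it, or a raw LAN address.
function isHomeHost(host) {
  var h = String(host).toLowerCase();
  return h === HOME_DOMAIN ||
         h.slice(-(HOME_DOMAIN.length + 1)) === "." + HOME_DOMAIN ||
         LAN_ADDRESS.test(h);
}

// Entry point every PAC engine calls; host is already split out of url.
function FindProxyForURL(url, host) {
  if (isHomeHost(host)) {
    // Deliberately no "; DIRECT" fallback: if the tunnel is down the
    // request should fail, not be sent to whatever the work network
    // happens to have at that name or 172.16.x.x address.
    return TUNNEL_PROXY;
  }
  // Work sites and general browsing are untouched.
  return "DIRECT";
}
```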