Proxy Server How To
Start by installing Arch Linux (or your chosen distribution) onto the hardware you selected. If you are in need of a little assistance with the installation, I recommend using this wiki guide and then setting up yaourt. Once you have completed your standard Linux installation you need to ensure your network is configured properly. In the case of my transparent proxy, I plugged one network port directly into my cable router and allowed it to grab an IP address via DHCP. The second adapter is then given an IP address of your choice (I chose 10.4.20.1; other common IP addresses would be 192.168.x.x).
At this point you will want to test your network configuration. Start with trying to get out to the internet. If this works, plug your secondary network adapter into whatever switch/router you have available. Take your desktop or laptop that's plugged into the same switch and assign it an IP address in your 10.4.20.x range. (For DHCP setups, see below.) You should now be able to ping your new proxy server (10.4.20.1) from your desktop/laptop. As a quick note for the users who only have a wireless cable modem, it is okay to have both interfaces of your proxy server and desktop plugged into the same cable modem hub.
Now that we have the configuration of the network cards complete, we just need to do a quick installation and configuration of Shorewall/Squid. That may sound like a daunting task to the Linux initiate, but this is actually very simple. First go ahead and install both Squid and Shorewall. Arch has both readily available in the package repository (from a command prompt: yaourt -S shorewall squid). If you are not utilizing Arch, you can download the packages manually from www.shorewall.net and www.squid-cache.org.
Whether you installed Arch Linux or another distribution as your base OS, Shorewall has one simple command to get it set up: cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall. (This copies the base two-NIC example to your live Shorewall directory, which saves a lot of manual work.) Make a quick edit to /etc/shorewall/shorewall.conf and change STARTUP_ENABLED to Yes and you now have a functioning Shorewall. The only thing you need to do for Shorewall at this point is add the following rule into the /etc/shorewall/rules file: REDIRECT loc 3128 tcp www. (This sends web traffic, TCP port 80, arriving from the loc zone, i.e. your LAN, to port 3128 on the proxy itself, where Squid will be listening.) Start Shorewall by typing shorewall start from the command line, and add it to your boot process by putting shorewall into the DAEMONS section of /etc/rc.conf.
Now that Shorewall is fully functional and configured, we need to configure Squid. I found a short wiki guide that will assist with the initial set up of Squid. Once you have completed the configuration in the wiki guide, you need to pay close attention to a few configuration settings located in /etc/squid/squid.conf. The cache_mem line should be set to half of the installed RAM on your proxy server. In my case I have 512MB of total memory so I configured cache_mem to 256 MB. The other setting that you need to pay attention to is maximum_object_size. This setting is the maximum file size your proxy will retain. I set my maximum size to 2048 MB in order to retain everything up to a CD ISO. Be cautious of using 2048 if you have anything less than a 120GB drive, as your storage space could be gone in the matter of a few days. To get the caching proxy in place and running, the most important line to add is http_port 3128 transparent. The key here is the addition of "transparent", which turns Squid into a caching proxy that won't require any additional configuration on your client PCs.
If you followed all of the directions correctly, you're now ready to configure all the machines on your network with a 10.4.20.x IP address with the gateway set as 10.4.20.1. Don't forget to configure your DNS as well (in /etc/resolv.conf). Now that you have everything fired up, give your new proxy a spin around the internet. If you would like to do a good test, download a decent size file (e.g. larger than 1MB). Once the download is complete, you should be able to download it again a second time and get LAN speeds on the download. If you have multiple computers, use another machine on your network and attempt to download the same file and you should again see LAN download speeds.
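To confirm that the repeat download really came out of the cache (and not just from a fast origin), you can read Squid's access.log instead of eyeballing transfer speeds. The following is an added Python example, not code from the original article; the log lines, the mirror.example/news.example URLs and the 198.51.100.7 client are constructed sample data, and the 10.4.20.0/24 subnet is the one used in this guide.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in Squid's default "native" access.log layout (not real traffic):
#   timestamp elapsed_ms client action/status bytes method URL ident hier/from type
# The 1 MiB file is fetched once from the origin, then served twice from cache,
# mirroring the repeat-download test described in the article.
SAMPLE_LOG = """\
1273600001.100   8123 10.4.20.15 TCP_MISS/200 1048576 GET http://mirror.example/test.bin - DIRECT/203.0.113.10 application/octet-stream
1273600020.200     95 10.4.20.15 TCP_HIT/200 1048576 GET http://mirror.example/test.bin - NONE/- application/octet-stream
1273600035.300    110 10.4.20.16 TCP_MEM_HIT/200 1048576 GET http://mirror.example/test.bin - NONE/- application/octet-stream
1273600040.400    430 10.4.20.16 TCP_MISS/200 20480 GET http://news.example/index.html - DIRECT/203.0.113.20 text/html
1273600050.500    250 198.51.100.7 TCP_MISS/200 20480 GET http://news.example/index.html - DIRECT/203.0.113.20 text/html
"""

LAN = ipaddress.ip_network("10.4.20.0/24")  # the LAN (Shorewall "loc" zone) from the article

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)\s+\S+$"
)

def parse_line(line):
    """Parse one native-format line; return None for lines in another logformat."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"], rec["bytes"] = int(rec["ms"]), int(rec["bytes"])
    return rec

def summarise(log_text):
    """Hit ratio, bytes kept off the WAN link, first vs. fastest repeat fetch time
    per URL, and any clients outside the LAN (should be empty for a loc-only proxy)."""
    counts, saved, timings, foreign = Counter(), 0, defaultdict(list), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = "HIT" in rec["action"]  # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
        counts["hit" if hit else "miss"] += 1
        saved += rec["bytes"] if hit else 0
        timings[rec["url"]].append(rec["ms"])
        if ipaddress.ip_address(rec["client"]) not in LAN:
            foreign.add(rec["client"])  # traffic the REDIRECT rule should never deliver
    total = counts["hit"] + counts["miss"]
    return {
        "hit_ratio": counts["hit"] / total if total else 0.0,
        "bytes_saved": saved,
        "repeat_speedup": {u: (t[0], min(t[1:])) for u, t in timings.items() if len(t) > 1},
        "foreign_clients": sorted(foreign),
    }
```

Run `summarise(open("/var/log/squid/access.log").read())` on the proxy; a non-empty `foreign_clients` list means port 3128 is reachable from somewhere other than your LAN and the firewall rules deserve a second look.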
Proxy Server with DHCP
Although I wanted to keep this short and to the point, a common question inevitably comes up: what if you still want to use DHCP? There are a few ways to tackle this issue. If you're lucky enough to have a router/cable modem that will allow you to change what IP addresses it assigns to the network, simply change it over to your new 10.4.20.x subnet and have it assign the gateway of 10.4.20.1. If this is not the case, you will need to disable DHCP on your router and install the DHCP server package (in Arch: pacman -S dhcp). The configuration can be a bit of a hassle, so here's my /etc/dhcpd.conf.
Start the DHCP service on your proxy (/etc/rc.d/dhcpd start) and test DHCP on your desktop/laptop. Assuming all goes well, add dhcpd to your DAEMONS in /etc/rc.conf. If you happen to reboot your Linux box, after a minute or so your proxy should be back up and running.
96 Comments
mindless1 - Tuesday, May 11, 2010 - link
What's the "ethernet wall outlet" supposed to be? If you mean plug your switch straight into a modem of some sort, you're better off having the extra layer of security afforded by the NAT feature on a router. That is especially true with Windows based PCs, never mind that for many people use of a router also gives them wifi capability.
Dravic - Tuesday, May 11, 2010 - link
As a previous poster mentioned, you should look at Smoothwall Express 3.0. My current incarnation is running on an old Duron KT266 platform with 1GB of RAM and that is complete overkill for something like this. I would also look at the benefits vs the performance loss. With as few as 4 or 5 PCs you are probably getting reduced web browsing performance for the benefit of reduced broadband usage on a small amount of large files. Is it worth having a slower internet 99% of the time in order to increase download time for 1% of the time? Remember for every image you hit you now have to query this proxy to see if the image is stored locally and possibly if an updated copy of the image exists at the original source. Configuration of the proxy will be key. How much you store, and how long you cache items before expiration, can have a massive effect on regular browsing.
Proxies are really meant for networks with a significant number of users hitting the same content repeatedly. Caching the web objects of the most frequently viewed websites of 100 people provides real savings in bandwidth and increased browsing speed. For a small group of people the bandwidth savings are usually mild, but now you have increased browsing times across the board.
I think you would be better served using a QoS solution (also in Smoothwall 3.0) over a Squid proxy. On my FiOS 20/5 Mb line QoS overhead eats ~1 Mb of total capacity.
In my home network (6 PCs and a few Internet appliances) neither QoS nor a proxy was beneficial with FiOS (I know not everyone has 20/5 internet, but this held true even when FiOS was 10/2). When I was on dial-up the proxy was great for hitting multimedia-heavy sites like ESPN.
Either way I do recommend anyone with the know-how build their own firewall appliance if they can stand the energy cost. The consumer grade firewall/gateways really are poor and, while getting better, really don't offer the range of services something like Smoothwall (m0n0wall, IPCop, pfSense, etc.) does.
Other than my philosophical difference on the benefits, good article. A follow-up with the most widely used pre-built solutions with some kind of browsing benchmarking would be nice.
dezza - Tuesday, May 11, 2010 - link
I totally agree. Actually the thing that brought me to this site was that a friend once told me that I would not benefit anything from having a "family" proxy, and I would think that these comments support that conclusion.
I would say if you're about to do this, do it 100% with QoS and DHCP, etc.; there is no point in having a server consuming 300-400W running JUST for a proxy that maybe even slows down browsing in the end and brings more maintenance to your home network.
ChrisRice - Tuesday, May 11, 2010 - link
For the two above posts I need to get some data/graphs together to add to the article. Much of what is being said above is simply not true. I'll try to work on this over the next day or two.
bob4432 - Tuesday, May 11, 2010 - link
I am not running what this article is about software-wise, but my home server is a skt939 3000, 1GB RAM, 60GB main drive, 500GB image holding HDD and a 120GB misc HDD running an old PCI GPU and I think 3-4 80mm fans on an Antec EarthWatts 380W PSU. My simple network setup is an Asus WL520g (I think that is the model number) w/ Tomato 1.27 in addition to an 8-port GbE switch. The reason for explaining all this is that combined it all pulls 60W from my UPS, which was verified by a Kill-A-Watt.
imaheadcase - Tuesday, May 11, 2010 - link
I remember using WinProxy way back in the day (early 90s) for dialup. It worked EXCELLENT. But why "save" bandwidth with something like this when you have broadband? It's not going to save much at all.
ChrisRice - Tuesday, May 11, 2010 - link
As the article refers to "Family Proxy" you could easily run out of bandwidth with broadband. For example, if you have a few bandwidth hog roommates or have a wife and kids, the savings are very much there. This is also the most simple setup of a proxy, which could be expanded on to work with FTP and other ports. I wanted to keep it pretty simple but maybe there is interest in a more advanced setup?
micksh - Tuesday, May 11, 2010 - link
How does the proxy affect browsing experience? I assume there will be additional latency. Did you compare web page loading times with and without proxy? And how much (in seconds or minutes) does it help when you download a large file a second time? Does it make things faster if other PCs are doing something else on the web?
I actually tried a similar setup hoping to make web browsing faster. I had SafeSquid on Ubuntu on a relatively fast Core 2 Duo PC using 6 Mbs AT&T DSL. It didn't help. Most web servers give content using the "post" method so pages could not be cached. I enabled pre-fetching but I guess I could not configure priorities correctly. Pre-fetching made the current page load slower. Without prefetching things still seemed a bit slower because of the latency that the additional box gives.
Since I moved to 18 Mbs U-Verse, things are good without a proxy.
spazmedia - Tuesday, May 11, 2010 - link
It's nice to see an article on AnandTech about Linux. Once you get the hang of it, most Linux distros are FAR simpler to configure than Windows, as the config does not change much from distro to distro and from version to version. Also, as others have pointed out, Smoothwall is quite easy to configure. Another useful tool for configuring all aspects of a Linux box remotely through HTTPS is Webmin (http://www.webmin.com/). I've tried it with Fedora and Debian/Ubuntu and it probably is a bit more functional with Debian. For ease of use nothing beats SUSE though (from Novell).
spazmedia - Tuesday, May 11, 2010 - link
BTW for those looking for power savings, it's a bit more expensive but a great idea for this application to use an Atom or low power Celeron processor... Or the best is an old laptop (probably need to buy an extra PCMCIA NIC though). Plus you get battery backup if it's not too old and the battery not worn out. Having said that, setting up Linux on most laptops is not trivial given the custom hardware most manufacturers implement.