<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d14658917\x26blogName\x3dWhat+Would+You+Say+It+Is+You+Do+Here?\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttp://blog.vitriol.net/search\x26blogLocale\x3den_US\x26v\x3d2\x26homepageUrl\x3dhttp://blog.vitriol.net/\x26vt\x3d-1706885970164302789', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Thursday, February 21, 2008

OpenBSD + Squid + pf Transparent www Proxy Firewall

There is a perfectly serviceable squid package in the OpenBSD ports collection. I have found that I sometimes require a newer version of squid, or that I'm running an older version of OpenBSD, and the newer squid ports are not available. Also, the port doesn't offer a straightforward method to compile squid with more than 1024 file descriptors, which you will need on a moderately busy proxy.

This is the process for setting up squid from the source tarball.


o Compile kernel with
option MAXFILES=8192

o Edit /etc/sysctl.conf
kern.maxfiles=8192

o Download squid, extract the file and run configure as root. Set ulimit -n 8192 before running
configure or it will use the default 1024.
# ulimit -n 8192
# ./configure --sysconfdir="/etc"
--prefix="/usr/local/squid"
--datadir="/usr/local/share/squid"
--enable-removal-policies="lru heap"
--enable-ssl
--enable-pf-transparent

o Add a rule to /etc/pf.conf to redirect all port 80 traffic to squid
rdr on $int_if inet proto tcp from any to any \
port www -> 127.0.0.1 port 2005

o Create the new user & group (use vipw to add the user, any editor to modify /etc/group)
vipw:
_squid:*:515:515:daemon:0:0:Squid Account:/nonexistent:/sbin/nologin
/etc/group:
_squid:*:515

o Allow the _squid group access to /dev/pf
chgrp _squid /dev/pf
chmod g+rw /dev/pf

o In squid 2.6 and above, a single line enables the transparent proxy
http_port 2005 transparent

o /var/squid partitions, in /etc/fstab
mount options:
noatime, nodev, nosuid, softdep

o rc.local
ulimit -n 8192
/usr/local/squid/sbin/squid

o rc.shutdown
/usr/local/squid/sbin/squid -k shutdown

0 Comments:

Post a Comment

<< Home