Proxy Servers

Building and Deploying

System Improvement and Protection

Elvin Smith & Jose Robles

IT 4444 Capstone Spring 2013

Outline

Topic: Proxy Server

1. Introduction

a. Technical definition of a proxy server

b. Reason for research paper
i. Build and configure a proxy server at low cost
ii. Improve network performance
iii. Improve network security
iv. Create web filtering for the work place
v. Traffic monitoring

2. Body

a. Background
i. Introducing squid
ii. History of squid
iii. Software and hardware requirements
iv. Installation
b. Configuration
i. Configure as a web filter
ii. Configure authentication and access
iii. Configure as a caching server
iv. Configure to monitor traffic
v. Configure transparent mode
c. Results
i. Test access to websites
ii. Monitor Traffic
3. Conclusion
a. Summary
Abstract network administrators secure those
networks but may not provide the level
Proxy servers act as intermediaries
they want. With the addition of a
between computing devices, to provide
secure Proxy Server, they can add an
security and to shield the hosts on an
additional level of security, improve
internal network. It is important that
network performance and monitor web
we understand the purposes and
activity that is being accessed over
processes of this technology, in order
their network.
to help protect our information,
systems and networks. This research As we attempt to increase our security
will provide us with the ability to of the network by adding a proxy
build, configure and deploy a Squid server, we must understand that Proxy
proxy server. This paper will describe servers are basically separated into two
Squid proxy servers, discuss types, Transparent and Anonymous
configuration and discuss results of Proxies. Transparent Proxies forward
authentication, performance and Web user requests to a destination without
access testing. hiding or concealing any information.
This type of proxy server is usually
Introduction
used on internal networks, where the
The uses of internet connectivity need to obscure the IP address in not
by Universities, Businesses and warranted because the computers on
Organization networks, have grown that network are safe from external
exponentially in the last twenty years. threats. Anonymous Proxies, on the
With that connectivity explosion, other hand, allow users to surf the web
comes the potential vulnerability while keeping their IP address
exploitation by attackers, malicious anonymous or hidden. Most
code and other threats being directed universities, large businesses and
toward those networks. The ability to organizations today use these proxies
secure the network and control access to act as a middle point between a user
from workstations has become a and the destination address. This
difficult task for network middle point or “Proxy” makes a
administrators. The use of Access request on behalf of a user on the
Controls, Intrusion Detection Systems, network and obscures their IP address
Firewalls and Scanners, all help from that destination site. These
proxies also improve the performance accessed the internet. (2) Increase
of the network by using a caching internet usage and complexity resulted
system to save network users recent in an increase in security incidents. In
request responses from the web to its 1995 2540 incidents were reported.
local hard drive. By caching this web Just five years later 3234 incidents
data, it eliminates the need for other were reported. From 2000 to 2003
users on the network to download that incidents reported climbed to 82,064
same information from the Web again, reports. (3) One of the first proxy
providing faster access to those sites, servers used was a windows service
images and files and saving network named Wingate. Wingate was used to
bandwidth. This anonymous type of share internet dial up connection
Proxy server will be used in the among multiple devices. The program
purposes of this paper, as we came with a security hole and people
concentrate our efforts toward the quickly learned how to connect to
building of a Squid Server. Wingate externally. External users
could then piggy back of Wingate and
Efforts in building a secure server at a
telnet to other devices obscuring their
low cost, configuring that server to
source information. (4) Modern Day
increase network performance while
network administrators have to be
aiding in network security from outside
extra careful when configuring proxy
threats and monitoring traffic on the
servers. New trends and increase in
network are key for a network
proxy server abuse are greater now
administrator’s success. We will use
than ever before. (4) Understanding
this research paper to enhance our
the different methods will help
knowledge and ability to accomplish
correctly configure our squid proxy
this in our future endeavors as IT
server. Two methods that will be
professionals.
explored are the transparent method
and the traditional method. The
Previous Work
traditional method will capture traffic
Over the last 15 years internet usage in by configuring the web proxy settings
the United States alone has increased. of network devices to point traffic to
In 1995 one out of ten adults accessed the proxy server. (5) The transparent
the internet. More than a decade later method will place the proxy server in
78% of adults and 98% of teenagers line with the gateway. The only
physical path to the gateway will be Netapp’s Netcache. The other path
through the proxy server. In resulted in the project creating Squid.
transparent mode, users will not see Initially the funding was provided by a
that the proxy server is being used. (5) grant. The grant was part of a project
Companies with heavy usage networks called IRCache which in turn created
turn to caching to cater the needs of the processes for the squid caching softare.
user. (7) There are many factors on Eventually funding for IRCache would
effectiveness of using a caching server. run out. Squid would be eventually
Incorrect configuring of a proxy server developed by donations and
can lead to more bandwidth usage as volunteers. To this day Squid is an
opposed to bandwidth conservation. open source software ran by donations
(6) Correctly configuring the squid and volunteers with some investments.
proxy server for security and [8]
performance will be a major focus in
Software and Hardware Requirements
this paper.

The platform chosen for the

Background
installation of Squid is CentOS Linux
Introducing Squid operating system. There are many
advantages fo a company to use
Squid is a software that provides the
CentOS. To understand the
ability to implement access controls,
advantages of CentOS we will
traffic optimization, authorization, and
introduce Red Hat Linux. Red Hat
logging. Squid provides full features
Linux has built a reputation for being
for the http/1.0 proxy. [8]
dependable, supported, and resourceful
operating system in a serve
History
environgment. [15] The advantage of
The history of squid can be traced back using CentOS over Red Hat Linux is
to the early 1990’s. It is a branch off the lower cost. Red hHat Linux must
of a caching project with the name of be purchased with warranties and
Harvest project. During the technical support. CentOS can be
completion of Harvest the project obtained freely with no cost, making it
broke off into two different paths. One the cheaper alternative to Red Hat
path become a project known as Linux. CentOS is one hundred percent
compatible with Red Hat Linux. [15] mounted server with an Asus PMR15
Both Red Hat Linux and CentOS are mother board. The server has three
open source software. The consumer 1Gig Ethernet ports. Two sticks of
is free to manipulate code to suit their ddr2 ram at two Gigbytes per stick. A
needs. For the purpose of this paper 64 bit processor with a 500 Gigabyte
CentOS 6 will be used over Red Hat hard drive.
Linux to keep costs to a minimal. The
Installation
disadvantage of using CentOS 6 over
Red Hat Linux is the loss of technical
The version of Squid that will be
support and warranties. Although
installed is version 3.3.1. When
CentOS lacks tech support, solutions to
downloading squid the user will find
problems with the operating system
that there are multiple methods to
can be researched through the CentOS
choose from. The easiest method for
community. CentOS community
CentOS is to use the command “yum
provides forums for users to share their
install squid”. CentOS will
solutions and problems with the
automatically download and install the
internet community. As long as the
necessary packages for running Squid.
server is not responsible for critical
Another method can be achieved by
tasks that require minimal downtime
browsing the Squid website and
CentOS can be used as a cheap
downloading preconfigured binaries.
alternative to Red Hat. [15] The
For this paper we will use the method
CentOS operating system will be
of downloading the source code and
installed on a clean desk environment.
compiling it. Downloading the source
To install the operating system users
code and compiling it gives the user
must download CentOS from the
more control of configuration and
CentOS website
location of the directories. The source
http://www.centos.org. Instructions on
packages can be found at the Squid
installing and updating can also be
website. In this case the latest stable
found on the support section of the
version was downloaded (Version 3.3).
website. Recommended requirements
The source code will be a compressed
for hardware include 10 MB of RAM
file available in a tar.gz format. After
per GB of the total of all cache_dirs
downloading the source code the
plus an additional 20 MB. [17] The
compressed file has to be extracted into
hardware used in this research is a rack
 a directory. In this case the --enable-cache-digests
compressed file was extracted to the --with-large-files
directory named squid-3.3.1. After the
directory is created the “./configure” Fig.1

command is executed to configure the

Configuration
source code and choose the directory.
Within the configure command, Configure as a web filter
features can be enabled or disabled
depending on what features the user To be able to configure services on a

needs. Features enabled during squid server a user must locate and edit

configuration and what value they are the file named squid.con. This

set to can be found in figure 1. configuration file will contain most of

Completion of the configure command the configuration options available in

will create files that are executable. sqid. The location of the squid.conf

These file are called make files in the for the server used in this paper can be

linux world. Final step of installation found by changing to the directory in

can be made by executing the this path

command “make install”. This will “/usr/local/squid/etc/squid.conf”.

complete the installation of Squid. Locations of files and directories will

After installation, the “squid” be different depending on initial

command is executed to start the configurations during installation. A

services provided by squid. snippet of the configuration file can be

found in fig.3. Filtering can be
--prefix /local/usr/squid accomplished by configuring access
--with-logdir /var/log/squid control lists. The configuration of
--with-pidfile /var/run/squid/pid access control lists are configured be
--enable-store Ufs,aufs editing the squid.conf file. The syntax
--enable-removal- Lru,heap of the access control list start with the
policies name of the access control list or (acl).
--enable-icmp Followed by a directive that will
--enable-useragent-log control the action of the will happen
--enable-referer-log once a match is made with the (acl).
For an example, to block yahoo you
will create an acl named block_yahoo.
This acl can be anything the user access. Squid can also deny access to
wishes to name it. The following line a specific mac address. This can be
will be entered into the squid.conf file: done by adding the line “acl bad_mac
“acl bad_yahoo destdomain arp “(mac address goes here)”. More
.yahoo.com”. This acl will match up options using acl can be found in
any request that has yahoo.com in the chapter 2 of Squid Proxy Server 3.1.
domain. After naming the acl we have [12]
to define what we want to do with the
# Recommended minimum
request. The directive http_access
configuration:
deny will deny http accesss to the acl.
We can deny a user connected to the
#
proxy by adding the line http_access
deny bad_yahoo. Squid will now
match requests containing yahoo.com
and deny access to this request. It is # Example rule allowing access from

important to add http_deny all to the your local networks.

bottom of the directives in the file.

# Adapt to list your (internal) IP
Squid will work from top to bottom
networks from where browsing
matching acl’s and deny access to
anyone else. For this example we add # should be allowed
the lines to allow access to squid from
clients on the 192.168.0.0/24 network. acl localnet src 10.0.0.0/8 #

The following lines were added to the RFC1918 possible internal network

squid.conf file: “acl safe_network src

cl localnet src 172.16.0.0/12 #
192.168.0.0/24” “http_access allow
RFC1918 possible internal network
safe_network.” This will allow any
machine with the source ip address in acl localnet src 192.168.0.0/16
the 192.168.0.0/24 network http
access. Multiple websites can be acl localnet src fc00::/7 # RFC

denied In one acl by using the 4193 local private network range

following syntax: “ acl all_bad_sites

acl localnet src fe80::/10 # RFC
dstdomain .youtube.com .google.com
4291 link-local (directly plugged)
.ytimg.com .yahoo.com .woopra.com”.
Then add the line bad_sites http_deny
machines [12] Basic authentication on squid is
the easiest to configure and used the
acl notworkreg dstdomain
most simple encryption. It is also the
www.youtube.com .googlevideo.com
most insecure of the squid
.ytimg.com .yahoo.com .cnn.com
authentication methods. Basic
.theblaze.com .facebook.com
configuration transmits in a Base64-
.nbcnews.com .abcnews.go.com
code string format. This format is
.twitter.com .foxnews.com
easily decoded by an observer using a
.newsok.com .kswo.com .abc.go.com
sniffer on the network. For the private
.aol.com .tds.net .woopra.com
environment in this test lab, basic
authentication can be used without
acl my_machine src 192.168.0.254
concern of intrusion. Authentication
acl SSL_ports port 443 can be implemented by using the
auth_param directive in the squid
acl Safe_ports port 80 # http configuration file. The auth_param
directive comes with many options,
acl Safe_ports port 21 # ftp
one option is the “auth_param basic
acl Safe_ports port 443 # https program” option. This option will
specify what directory to send
acl Safe_ports port 70 # gopher authentication requests to check
credentials. The directory in this Squid
acl Saf
configuration can be found in
Fig. 3 “/usr/local/squid/libexec/”. An acl also
has to be created to configure
Configure authentication and access authentication. Figure 4 will give an
example of basic authentication code
Basic authentication
in the squid configuration file.

There are many options for configuring

auth_param basic program
authentication and access for the squid
/usr/local/squid/libexec/basic_pam_aut
server. For this paper basic
h
configuration will be discussed. For
the complete list of options refer to acl authenticated proxy_auth
chapter 7 in Squid Proxy Server 3.1.
 REQUIRED The error log file logs errors in the squid
server. To monitor traffic check both of
http_access allow authenticated
these files for information. The access log
is in a format that is hard to read by
http_access deny all
humans. A Pearl script can be used to
Fig. 4 decipher the logs. Adding the “tail –f”
command to the beginning of the script
Configure as a caching server will let a user see the access attempts in
real time without having to refresh.
Creating cache directories

Cache manager
When configuring squid for a caching
server the cache directives can be used. Squid also has a gui interface that can be
To create a directory for caching web accessed by a web server. In this example
documents, the rule in “cache_dir aufs Apache is installed on the centos machine.
/squid_cache/ 51200 32 512” is placed in A pearl script is added to the Apache
the squid.conf file. This directive creates a configuration file that will point clients to
directory named squid_cache with 50 GB the cgi file in the Squid directory. The cgi
of free space. Squid organizes files into file in squid is named cachemgr.cgi and is
hierarchical levels. The previous rule an executable file. The location of the file
created the first level with 32 directories, in the directory is “/usr/local/
and the second level with 512 directories. squid/libexec/”. Accessing the cache
This is the minimal configuration for the manager allows you to monitor a wealth of
server to start caching objects. There are useful information. Some examples of
many more options for the cache directive information on the cache manager are
that can be found in chapter 2 of Squid 3.1. general runtime information, IP cache stats
[12] and contents, http header statistics, traffic
resource counters, and request forwarding
Monitoring traffic
statistics. These are just a few statistics
Access and error log that can be monitored by the network. A
complete list of options with the Squid
Squid has two very useful log files. One cache manager can be found on chapter 6
log is the access log, this log file will log of Squid Proxy Server 3.1. [12]
all connections to the squid proxy server.
Transparent mode
Intercept For the first test my PC will be pointed to
the Squid server by configuring my
To configure Squid in transparent mode
browser to use proxy setting with IP
we have to use a router to forward the
address 192.168.0.181. To test the access
traffic to the server. In the router
control list I pointed the address to
forwarding rules, all traffic using port 80
www.google.com:897 to verify the squid
needs to be directed to the IP address of
access denied page. I also accessed the url
the Squid server. The router also has to
www.yahoo.com, and confirmed the same
redirect traffic to the port Squid server is
result. The additional four pcs were
listening to. In this case traffic is
pointed to the squid server and access
redirected to 192.168.0.181 and port 3128.
denied pages were verified for the domains
On the Squid server machine IP tables is
that were inserted in the squid.conf file.
used to handle incoming traffic to the
Squid server. In the squid.conf file we Testing monitoring
need to add the directive “http_port 3128
To test the monitoring the following
intercept”. Configure these three steps and
command was executed: “tail –f
clients will not be able to see evidence of a
/var/log/squid/access.log | ccze –CA”.
proxy server being used.
This will convert the time stamps to a
Results readable format and also log the access
attempts in real time. Monitoring the log
Test Lab
allowed me to observe repeated connection
from www.woopra.com. A google search
The test environment includes a lan on the
showed this website to be a tracking
192.168.0./24 network. The Squid server
software recording what website clients
shares the network with five PC’s with
were visiting on the network. The site was
windows 7 installed. There will be five
blocked using Squid’s access control lists.
machines including my PC that will be
connecting to the squid proxy server.
Refer to figure 5 for the diagram of the
network topology.

Testing web Filtering

 parent server is placed in line with the
network gateway. Child servers can be set
behind this parent server. Child servers
can also be parents of other child servers.
Specific content can be handled by a child
server to optimize performance on the
network.

Reverse Proxy Mode

Squid also provides a function to cache

Fig 5. static data for websites. The Squid
configuration is called accelerator mode or
Future Works
reverse proxy mode. It will do the busy

Authentication work of providing static data to clients

reducing the client requests to the server.
Squid Proxy Server has a lot of When dealing with large amounts of
functionality. Some of the function clients on the internet, this reduction can
provided by Squid Proxy Server is out of increase the performance of the web
the scope of this paper. For example when servers.
implementing authentication there are
several methods for encrypting user name Conclusion

and passwords sent by the client. There

Summary
are different methods for storing the user
name and passwords. Squid can use data Squid Proxy Server provides protection on
base software such as MySql for storing two fronts. It protects the client from
usernames and passwords. Radius servers accessing harmful data, and protects the
can also be implemented to handle network from incoming intrusion using
authentication requests. access control lists. Performance is
increased by using cache directories and
Peer Caching
fronting data to the clients. Performance
and security can be monitored by access
Squid has the ability to coordinate between
other proxy servers. Multiple server can logs and Squids graphical interface cache
manager.
be set up in a hierarchical pattern. The
Bibliography
[1] Lambert, P. (December, 2012 05). The basics of using a proxy server for privacy and security.
Retrieved from http://www.techrepublic.com/blog/security/the-basics-of-using-a-proxy-server-for-
privacy-and-security/8762

[2] Smith, A., & Zichuhr, K. (2012, April 13). Internet adoption over time. Retrieved from
http://pewinternet.org/Reports/2012/Digital-differences/Main-Report/Internet-adoption-over-
time.aspx

[3] Dixit, S., & Kumar Jha, P. (2008, April 01). Network security: It is a process, not a product.
Retrieved from http://www.scribd.com/doc/20364810/Network-Security-Research-Paper

[4] Exposing the underground: Adventures of an open proxy server. (n.d.). Retrieved from
http://www.secureworks.com/resources/articles/other_articles/proxies/

[5] DOI: Guide to Web Filtering Deployments Why Pass-By Filtering is Passé

[6] Felmann, A., Caceres, R., Douglis, F., Glass, G., & Rabinovich, M. (1999). Performance of web
proxy caching in heterogeneous bandwidth environments. Retrieved from
http://www.kiskeya.net/ramon/work/pubs/infocom99.proxy.pdf

[7] Mao, Z., & Herley, C. (2011). A robust link-translating proxy server mirroring the whole web. ACM SIGAPP
Applied Computing Review, 11(2), 30-42.

[8] Squid. (10, 12 20). Retrieved from http://www.squid-cache.org/Intro/

[9] Grance, T., Stevens, M., & Myers, M. (2003, October). Special Publication 800-36: Guide to
Selecting Information Technology Security Products. Retrieved from National Institute of
Standards and Technology: Publications: http://csrc.nist.gov/publications/PubsFL.html

[10] Radack, S. (2009, October). PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED
GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES. Retrieved from National Institute
of Standards and Technology: Publications, ITL Security Buletins:
http://csrc.nist.gov/publications/index.html.

[11]Roberts, H., Zuckerman, E., Faris, R., & Palfrey, J. (2010, October 14). 2010 Circumvention Tool
Usage Report. Retrieved from Berkman Center for Internet & Society at Harvard University:
http://cyber.law.harvard.edu/publications

[12] Saini, K. (2011). Squid Proxy Server 3.1: Beginner's Guide. Birmingham - Mumbai: PACKT
Publishing.

[13] Scarfone, K., & Hoffman, P. (2009, September). Special Publication 800-41 r1: Guidelines on
Firewalls and Firewall Policy. Retrieved from National Institute of Standards and Technology:
Publications: http://csrc.nist.gov/publications/PubsFL.html

[14] Scarfone, K., & Mell, P. (2012, July). Special Publication 800-94 r1(Draft): Guide to Intrusion
Detection and Prevention Systems(IDPS)(Draft). Retrieved from National Institute of
Standards and Technology: Publications: http://csrc.nist.gov/publications/index.html
[15] Smyth, N. (2012). CentOS 6 Essentials. Retrieved from Techotopia: http://www.techotopia.com

[16] Tracy, M., Jansen, W., Scarfone, K., & Winograd, T. (2007, September). Special Publication 800-
44 ver2: Guidelines on Securing Public Web Servers. Retrieved from National Institute of
Standards and Technology: Publications: http://csrc.nist.gov/publications/index.html

[17] (n.d.). Retrieved from http://wiki.squid-cache.org/SquidFaq/SquidMemory

Plan of Work

Dates Week Work Done

Jan 09 -11 1 Integration of teams.
Jan 12-24 2 Write abstract, bibliography, and outline.
Jan 25 3 Present abstract, bibliography, and outline.
Jan 26-feb 1 4 Write introduction, submit outline, bibliography, abstract, and plan of
work.
Feb 02-08 5 Present introduction and Plan of Work.
Feb 09-15 6 Submit introduction.
Feb 16-22 7 Work on research installing linux CentOS and Squid.
Feb 23-march 1 8 Work on research to configure squid as a caching server.
March 2-08 9 Work on research to configure squid to filter web content.
March 25-29 10 Work on research to configure squid to monitor traffic.
March 30-april 11 Run tests on network performance, filtering, and monitoring.
5
Apr6-12 12 Finish conclusion, finalize research paper and present research.