
Using ClearOS as an Internet Proxy

The proxy services in ClearOS are configured by default to allow only hosts on the local trusted network to use the proxy. For servers in Gateway mode, this is the LAN segment of the network. For servers in Standalone mode, this is the External subnet only. All other networks are prohibited from accessing the proxy.

To allow users who are not on the local network to use the proxy, you will need to modify the proxy's Access Control Lists so that their requests are permitted. This is useful if you run a proxy in the cloud or if you are allowing access to the proxy from a separate network such as a HotLAN or DMZ.

Access Control

Access control for the proxy is handled by the ClearOS API, which periodically updates the squid ACL file with information about the LAN. After we update the file, we will need to prevent the ClearOS API from overwriting our changes.

A typical layout of the squid_lans.conf file will look like this:

# Created automatically based on network configuration
acl webconfig_lan src 192.168.1.0/24  192.168.2.0/24
acl webconfig_to_lan dst 192.168.1.0/24  192.168.2.0/24

To add systems that are not on the local subnet, you will need to add them to the 'webconfig_lan' line. You can add individual addresses or whole subnets in CIDR format (e.g. 172.31.25.128/25). Separate each network address with whitespace; if you have a duplicate or overlapping IP address, the squid process will tell you about it when you start it up.

In the end, your configuration may look something like this:

# Created automatically based on network configuration
acl webconfig_lan src 192.168.1.0/24  192.168.2.0/24 172.31.25.128/25 8.8.4.4 4.2.2.0/30
acl webconfig_to_lan dst 192.168.1.0/24  192.168.2.0/24

Making your subnet too broad will result in other people finding and USING your proxy server for Internet access. Make sure to use narrow and specific addresses.

Once you make these changes, you will need to make your file immutable and then restart the service. If you restart the service without protecting the file, ClearOS will overwrite it, so make sure that you have a good backup first:

cp /etc/squid/squid_lans.conf /etc/squid/squid_lans.conf~

Locking and unlocking your Squid LAN ACL file

To lock your squid_lans.conf file run the following command after you have written your changes and before you restart the squid service:

chattr +i /etc/squid/squid_lans.conf

This will make your squid_lans.conf file immutable, so neither the ClearOS API nor anything else on the system can change it. If you ever need to edit the file again, run the following command to make it writable:

chattr -i /etc/squid/squid_lans.conf

Restarting squid

Once the configuration file is in place, you can restart or reload squid.

service squid restart

-or-

service squid reload
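The whole sequence above (unlock, back up, edit the 'webconfig_lan' line, lock, reload) as an added shell example; this is not ClearOS code. It assumes a /16 as the widest network you are willing to admit (MIN_PREFIX, adjustable), uses squid's own `squid -k parse` to check the configuration before reloading, and apply_and_lock must run as root on the ClearOS server.

```bash
#!/bin/sh
# Added example (not ClearOS code): append off-network clients to the
# webconfig_lan ACL in squid_lans.conf, refusing malformed or overly broad
# entries, then lock the file and reload squid as the article describes.
MIN_PREFIX=${MIN_PREFIX:-16}   # refuse anything wider than a /16 (assumed threshold)

# valid_acl_entry ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/N with MIN_PREFIX <= N <= 32
valid_acl_entry() {
  ip=${1%%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32                   # bare host address
  case $prefix in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] && [ "$prefix" -ge "$MIN_PREFIX" ] || return 1
  case $ip in ''|*[!0-9.]*) return 1;; esac            # digits and dots only
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs           # split into octets
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# add_proxy_clients FILE ADDR... -> append each new ADDR to FILE's
# 'acl webconfig_lan src' line; FILE is left untouched if any ADDR is bad
add_proxy_clients() {
  file=$1; shift
  line=$(grep '^acl webconfig_lan src ' "$file" | head -n 1)
  [ -n "$line" ] || return 1
  for a in "$@"; do
    valid_acl_entry "$a" || { echo "rejected: $a" >&2; return 1; }
    case " $line " in *" $a "*) ;; *) line="$line $a";; esac   # skip duplicates
  done
  tmp=$(mktemp) || return 1
  awk -v new="$line" '/^acl webconfig_lan src /{print new; next} {print}' "$file" >"$tmp" ||
    { rm -f "$tmp"; return 1; }
  cat "$tmp" >"$file"; status=$?; rm -f "$tmp"; return $status
}

# apply_and_lock ADDR... -> the article's full sequence; run as root on ClearOS
apply_and_lock() {
  f=/etc/squid/squid_lans.conf
  chattr -i "$f" && cp "$f" "$f~" || return 1        # unlock, keep a backup
  add_proxy_clients "$f" "$@" || return 1
  squid -k parse || return 1                          # syntax check before reload
  chattr +i "$f" && service squid reload              # relock so the API cannot overwrite it
}
```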

Troubleshooting

If this server itself is configured with proxy settings, you will need to exempt the server in the proxy settings or in WPAD so that it doesn't go through the proxy to reach proxy-related error messages or block pages. A misconfiguration can result in a 400 error within the content filter, DansGuardian.

content/en_us/kb_o_using_clearos_as_an_internet_proxy.txt · Last modified: 2015/08/13 18:36 (external edit)