Building a Squid Proxy on OpenVZ

Posted by mweber on Sep 4, 2008 2:05 PM EDT
BeginLinux.com; By Mike Weber

The advantage of using OpenVZ to virtualize a Squid proxy is that it makes better use of your hardware, since you can set up other servers on the same box. It also provides a very easy way to back up the proxy and create redundancy.

There are four points of control in this solution.
1. Browser on Workstation
In the web browser on each client, set the browser to connect to the Squid Proxy at 216.15.226.130 on port 3128. The gateway setting on the client(A) will send the packets to the gateway(B) at 192.168.0.1, where they will be NATed and changed to the IP Address 12.32.34.32(C).
2. Gateway Doing NAT
The gateway must have iptables settings to drop all network connections from the internal network except on port 3128. Otherwise users could adjust their browser to avoid the proxy server. Be sure to create the rules in the order represented below, as you must accept on port 3128 and then drop everything else.
3. OpenVZ Server
The OpenVZ server does not accept any connections on the INPUT chain from the gateway; it will only FORWARD(D) traffic to the Squid Proxy(E). However, this still allows you to completely control all traffic from the Gateway(C) by managing the FORWARD chain. Note that each rule should be written on one line, without a line break.
4. Squid Server
At the Squid Server(E) you will also have a firewall that controls connections from the IP Addresses you will accept and the ports you will accept connections on.
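
The rule ordering from point 2, as an added example that is not from the original article: a script that prints a gateway ruleset in iptables-restore format and checks that the ACCEPT for port 3128 precedes the DROP. The LAN subnet and the interface names are assumptions; the proxy address, port and NAT address are the ones given above.

```shell
#!/bin/sh
# Added example: gateway ruleset in iptables-restore format.
LAN_NET="192.168.0.0/24"   # assumed: the article gives only the gateway, 192.168.0.1
LAN_IF="eth1"              # assumed internal interface
WAN_IF="eth0"              # assumed external interface
NAT_IP="12.32.34.32"       # from the article: address the gateway NATs to
PROXY_IP="216.15.226.130"  # from the article
PROXY_PORT="3128"          # from the article

# Print the ruleset. Rules are evaluated top to bottom and the first match
# wins, so the ACCEPT for the proxy port must come before the LAN-wide DROP.
# Limiting the ACCEPT to the proxy's address is stricter than port-only.
gateway_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $NAT_IP
COMMIT
EOF
}

# Succeed only if the proxy ACCEPT appears before the LAN-wide DROP.
order_ok() {
    accept_line=$(printf '%s\n' "$1" | grep -nF -- "--dport $PROXY_PORT -j ACCEPT" | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$1" | grep -nF -- "-s $LAN_NET -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

rules=$(gateway_rules)
if order_ok "$rules"; then
    printf '%s\n' "$rules"
else
    echo "rule order is wrong: DROP precedes ACCEPT" >&2
fi
```

Pipe the output to `iptables-restore --test` as root to parse it without committing; a real load replaces the current contents of the filter and nat tables.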
