A web proxy server is a program that makes requests for web pages on behalf of all the other machines on your intranet. The proxy server will cache the pages it retrieves from the web so that if 3 machines request the same page only one transfer from the Internet is required. If your organization has a number of commonly used web sites this can save on Internet accesses.
Normally you must configure the web browsers used on your network to use the proxy server for Internet access. You should set the name/address of the proxy to that of the IPCop machine and the port to the one you have entered into the box, default 8080. This configuration allows browsers to bypass the proxy if they wish. It is also possible to run the proxy in “transparent” mode. In this case the browsers need no special configuration and the firewall automatically redirects all traffic on port 80, the standard HTTP port, to the proxy server.
The first line in the Settings box indicates if the proxy server is stopped or running.
You can choose if you want to proxy requests from your Green (private) network and/or your Blue (wireless) network (if fitted). Just tick the relevant boxes.
Enabled on... Tick the appropriate checkbox to enable the Proxy Server to listen for requests on the selected interface (Green or Blue). If the proxy service is disabled, all client requests will be forwarded directly to the destination address bypassing the proxy service.
Transparent on... If “transparent mode” is enabled, all requests for the destination port 80 will be forwarded to the Proxy server without the need to specially configure your clients.
Proxy Port. This is the port on which the Proxy server will listen for client requests. The default is 8080. In transparent mode, all client requests for port 80 will automatically be redirected to this port.
Visible hostname - optional. If you want to display a different hostname in Proxy server error messages to clients, or for upstream proxy servers, then specify it here. If you leave it blank, your IPCop's real hostname will be used.
Cache administrator email - optional. You can specify an email address that appears in Proxy server error messages to clients. If you leave it blank, “webmaster” will be used instead.
Error messages language. You can select the language in which any Proxy Server error messages will be shown to clients.
Error messages design. You can select the design style in which Proxy Server error messages are shown to clients. You can choose between “IPCop” and “Standard”.
The IPCop design includes a nice graphic banner, while the Standard design is the usual one shipped with Squid.
If you define a Visible hostname (see above), the Standard design will always be used.
Suppress version information. Tick this checkbox to prevent the display of the version of Squid Cache in Squid's error messages to clients.
Squid Cache version. This indicates the version of Squid Cache installed.
These settings may be required for chained proxy environments.
If your ISP requires you to use their cache for web access, then you should specify its hostname and port in the text box. If your ISP's proxy requires a username and password, then enter them in the corresponding boxes.
Proxy address forwarding. This enables the HTTP VIA header field. If enabled, this information will be added to the HTTP header:
1.0 ipcop.localdomain:8080 (Squid/2.7.STABLE7)
If the last proxy in the chain doesn't strip this field, it will be forwarded to the destination host!
This field will be suppressed by default.
Client IP address forwarding. This enables the HTTP X-FORWARDED-FOR header field. If enabled, the internal client IP address will be added to the HTTP header, e.g.:
192.168.1.30
This can be useful for source based ACLs or logging on remote proxy servers.
If the last proxy in the chain doesn't strip this field, it will be forwarded to the destination host!
Instead of forwarding “unknown”, this field will be completely suppressed by default.
Username forwarding. If any type of authentication is activated, this enables the forwarding of the login name.
This can be useful for user based ACLs or logging on remote proxy servers.
This is for ACL or logging purposes only, and doesn't work if the upstream proxy requires a real login.
This forwarding is limited to the username. The password will not be forwarded.
No connection oriented authentication forwarding. This disables the forwarding of Microsoft connection oriented authentication (NTLM and Kerberos).
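As an added example (not IPCop's or Squid's own code), the following Python script parses a request as the destination server receives it and reports which proxy-chain fields are present: the hops recorded in Via and the client addresses in X-Forwarded-For, with private (RFC 1918) addresses singled out as internal client IPs that have left the intranet. This is the check to run against a test server outside your network to confirm whether an upstream proxy strips these fields. The hostname cache.isp.example and the sample request are constructed for this example; the username-forwarding field is not covered because its header name is not given on this page.

```python
"""
Inspect the headers of a request as it arrives at the destination web
server and report which upstream-proxy information fields are present.

Added example, not IPCop's or Squid's code. It assumes the header names
described on the page (Via, X-Forwarded-For) and treats RFC 1918
addresses as "internal". The sample request is constructed.
"""
import ipaddress


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP/1.x request into a {lowercase-name: value} dict.
    Repeated header fields are joined with ', ' as RFC 7230 allows."""
    headers = {}
    lines = raw_request.split("\r\n")
    for line in lines[1:]:          # lines[0] is the request line
        if not line:                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def _is_internal(addr: str) -> bool:
    """True for RFC 1918 / private addresses; False for 'unknown' or hostnames."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private


def forwarded_info(raw_request: str) -> dict:
    """Return what a destination server learns about the proxy chain.

    'via_hops' lists every proxy that added itself to Via (hostname:port and
    product string), 'forwarded_for' lists the client addresses found in
    X-Forwarded-For, and 'internal_addresses' is the subset of those that
    are private addresses, i.e. internal client IPs that left the intranet.
    """
    h = parse_headers(raw_request)
    via_hops = [hop.strip() for hop in h.get("via", "").split(",") if hop.strip()]
    forwarded = [a.strip() for a in h.get("x-forwarded-for", "").split(",") if a.strip()]
    return {
        "via_hops": via_hops,
        "forwarded_for": forwarded,
        "internal_addresses": [a for a in forwarded if _is_internal(a)],
    }


# Constructed sample: a request that passed through an IPCop proxy with both
# forwarding options enabled, then through an ISP proxy (cache.isp.example,
# a made-up name) that did not strip the fields.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Via: 1.0 ipcop.localdomain:8080 (Squid/2.7.STABLE7), "
    "1.1 cache.isp.example:3128\r\n"
    "X-Forwarded-For: 192.168.1.30\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(forwarded_info(SAMPLE_REQUEST))
```

If the report shows a non-empty `internal_addresses` list, the X-Forwarded-For field reached the destination; with the page's defaults (both fields suppressed) both lists should be empty.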
Log enabled. If you choose to enable the proxy, then you can also log web accesses by ticking the checkbox.
Accesses made through the proxy can be seen by visiting the Proxy Logs webpage.
Logging also has to be enabled for the Proxy Graphs to work.
Log query terms. The part of the URL containing dynamic queries will be stripped by default before logging. Enabling the option “Log query terms” will turn this off and the complete URL will be logged.
Log useragents. Enabling “Log useragents” writes the useragent string to the log file /var/log/squid/user_agent.log. This option should only be enabled for debugging purposes, and the results are not shown with the GUI based log viewer.
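To show what the proxy log records and what “Log query terms” changes, here is an added Python example (not IPCop's or Squid's code) that parses lines in Squid's native access.log field order and strips the query part of each URL unless query logging is turned on. The log lines are constructed for this example; keeping a trailing “?” on a stripped URL is this example's own marker for "something was removed", not a statement about Squid's exact output.

```python
"""
Parse Squid native access.log lines and apply the query-term stripping
described above. Added example, not IPCop's or Squid's code. The field
order is Squid's native access.log layout:
  timestamp elapsed client result/status bytes method URL user hierarchy/peer type
The sample lines are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_MISS, TCP_HIT
    status: int      # HTTP status code
    size: int        # bytes sent to the client
    method: str
    url: str
    user: str        # '-' when no authentication is in use
    hierarchy: str   # e.g. DIRECT/93.184.216.34
    mime_type: str


def strip_query_terms(url: str) -> str:
    """Drop the dynamic query part of a URL so that search terms, session
    ids and credentials passed in the URL do not end up in the log. The '?'
    is kept as a marker that something was removed (this example's choice)."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) + "?"


def parse_access_line(line: str, log_query_terms: bool = False) -> AccessEntry:
    """Parse one native-format line. With log_query_terms=False (the page's
    default) the query is stripped before the entry is stored."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    result, _, status = fields[3].partition("/")
    url = fields[6] if log_query_terms else strip_query_terms(fields[6])
    return AccessEntry(
        timestamp=float(fields[0]), elapsed_ms=int(fields[1]), client=fields[2],
        result=result, status=int(status), size=int(fields[4]), method=fields[5],
        url=url, user=fields[7], hierarchy=fields[8], mime_type=fields[9],
    )


def bytes_per_client(lines, log_query_terms: bool = False) -> dict:
    """Sum transferred bytes per client address, a simple stand-in for the
    per-host statistics the Proxy Graphs page draws from the same log."""
    totals = {}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_access_line(line, log_query_terms)
        totals[entry.client] = totals.get(entry.client, 0) + entry.size
    return totals


# Constructed sample log lines (native format, one request each).
SAMPLE_LOG = [
    "1265213921.132    125 192.168.1.30 TCP_MISS/200 4321 GET "
    "http://www.example.com/search?q=payroll+2010&sid=abc123 - DIRECT/93.184.216.34 text/html",
    "1265213922.401     12 192.168.1.30 TCP_HIT/200 15830 GET "
    "http://www.example.com/logo.png - NONE/- image/png",
    "1265213930.007    980 192.168.1.44 TCP_MISS/403 512 GET "
    "http://files.example.net/setup.exe - DIRECT/203.0.113.9 application/octet-stream",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(parse_access_line(raw).url)
    print(bytes_per_client(SAMPLE_LOG))
```

Running it shows the first URL logged as `http://www.example.com/search?` with the search term and session id gone; pass `log_query_terms=True` to see the complete URL that “Log query terms” would record.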
You can choose how much disk space should be used for caching web pages in the Cache Management section. You can also set the size of the smallest object to be cached, normally 0, and the largest, 4096KB.
For privacy reasons, the proxy will not cache pages received via https, or other pages where a username and password are submitted via the URL.
Caching can take up a lot of space on your hard drive. If you use a large cache, then the minimum size hard drive listed in the IPCop documentation will not be large enough.
The larger the cache you choose, the more memory is required by the proxy server to manage the cache. If you are running IPCop on a machine with low memory do not choose a large cache.
Allowed standard ports (one per line). Content to be written...
Allowed SSL ports (one per line). Content to be written...
Allowed subnets (one per line). Content to be written...
Disable internal proxy access. Check this box to disable internal proxy access.
Disable internal proxy access to Green from other subnets. Check this box to disable internal proxy access to Green from other subnets.
Disable internal proxy access from Blue to other subnets. Check this box to disable internal proxy access from Blue to other subnets.
Unrestricted IP addresses (one per line) (optional). Content to be written...
Unrestricted MAC addresses (one per line) (optional). Content to be written...
Banned IP addresses (one per line) (optional). Content to be written...
Banned MAC addresses (one per line) (optional). Content to be written...
This section defines when the web proxy is active. The default position is to allow access 24 hours a day, 7 days a week.
The Access option “allow” permits web access, and the “deny” option blocks web access within the selected timeframe. The choice of “allow” or “deny” will depend on the time rules you want to apply.
Time Restrictions will not affect these clients:
Unrestricted IP addresses
Unrestricted MAC addresses
This section allows you to enter limits for the size of each download and/or upload request. The values are given in Kilobytes (KB). You can use this to prevent your users from downloading large files and slowing Internet access for everyone else.
Set the Max download size and Max upload size fields to 0, the default, to remove all restrictions.
Download limits will not affect these clients:
Unrestricted IP addresses
Unrestricted MAC addresses
The download bandwidth can be unlimited, or limited per interface, and/or per host, or based on the type of content.
Throttling will not affect these clients:
Unrestricted IP addresses
Unrestricted MAC addresses
Bandwidth limits can be defined per interface as an overall limit, and per host. The bandwidth used by all hosts together will be limited by the overall limit.
By default, throttling affects all kinds of traffic, but throttling can be limited to certain types of content. However, this disables throttling for other types of content.
Content based throttling can be applied to:
Binary files: bz2, bin, dmg, exe, sea, tar, tgz, zip etc.
CD images: ccd, cdi, img, iso, raw, tib etc.
Multimedia files: aiff, avi, divx, mov, mp3, mp4, mpeg, qt etc.
The MIME type filter can be configured to block content depending on its MIME type.
Enabled. If enabled, the filter checks all incoming headers for their MIME type.
Block these MIME types (optional). If the requested MIME type is listed to be blocked, access to it will be denied. This way you can block content, no matter what type of file name extension is used.
For example, add this MIME type on one line if you want to block the download of Word files:
application/msword
Or, add these MIME types, each type on a separate line, if you want to block the download of MPEG and QuickTime video files:
video/mpeg
video/quicktime
Do not filter these destinations (optional). Use this list to avoid MIME type filtering particular destinations. This should be a list, each one on a separate line, of Domains or Subdomains, Hostnames, IP Addresses, or URLs.
Some examples might be:
*.stuckfast.net
www.stuckfast.net
123.45.67.89
www.stuckfast.net/downloads
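An added Python example (not IPCop's or Squid's code) of the decision this filter makes for one response: the MIME type is compared against the block list unless the destination is covered by one of the exception entry forms shown above. It assumes that a “*.stuckfast.net” entry matches subdomains only (not stuckfast.net itself) and that a URL entry matches everything below that path; the block list and exception list are constructed for this example from the page's values, and Content-Type parameters such as “; charset=...” are ignored when comparing.

```python
"""
Decision logic of a MIME type filter with a "do not filter these
destinations" list, as described above. Added example, not IPCop's or
Squid's code. Assumptions: '*.domain' matches subdomains only, and a
'host/path' entry matches every URL at or below that path. Lists are
constructed from the page's example values.
"""
from urllib.parse import urlsplit

BLOCKED_MIME_TYPES = {"application/msword", "video/mpeg", "video/quicktime"}

# Exception entries, one per line, in the forms the page lists.
DO_NOT_FILTER = [
    "*.stuckfast.net",                 # any subdomain of stuckfast.net
    "www.stuckfast.net",               # one hostname
    "123.45.67.89",                    # one IP address
    "www.stuckfast.net/downloads",     # every URL under this path
]


def destination_matches(url: str, entry: str) -> bool:
    """Return True if the request URL is covered by one exception entry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    entry = entry.lower()
    if entry.startswith("*."):
        # Wildcard domain: hosts ending in ".stuckfast.net" (assumption:
        # the bare domain itself is not matched).
        return host.endswith(entry[1:])
    if "/" in entry:
        # URL prefix: compare host and path, boundary-aware so that
        # "/downloads" does not also cover "/downloads-old".
        ehost, _, epath = entry.partition("/")
        path = parts.path or "/"
        prefix = "/" + epath
        return host == ehost and (path == prefix or path.startswith(prefix.rstrip("/") + "/"))
    # Plain hostname or IP address.
    return host == entry


def mime_allowed(url: str, content_type: str, enabled: bool = True) -> bool:
    """Apply the filter to one response and return whether it may pass.

    content_type is the raw Content-Type header value; parameters such as
    '; charset=...' are ignored, and the comparison is case-insensitive.
    """
    if not enabled:
        return True
    if any(destination_matches(url, e) for e in DO_NOT_FILTER):
        return True
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime not in BLOCKED_MIME_TYPES


if __name__ == "__main__":
    # A Word file from an unlisted site is blocked, the same file from a
    # stuckfast.net subdomain is let through.
    print(mime_allowed("http://www.example.com/report.doc", "application/msword"))
    print(mime_allowed("http://ftp.stuckfast.net/report.doc", "application/msword"))
```

Note that the filter decides on the MIME type the server declares, not on the file extension in the URL, which is exactly why the page says it blocks content "no matter what type of file name extension is used".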
Enable browser check. Check this box if you want to enable browser checking.
Allowed clients for web access. Check the appropriate box(es) for permitted clients.
Fake useragent submitted to external sites (optional). Content to be written...
Fake referer submitted to external sites (optional). Content to be written...
None (default). Content to be written...
Local. Content to be written...
identd. Content to be written...
LDAP. Content to be written...
Windows. Content to be written...
RADIUS. Content to be written...