Proxy Server solution




Silas1066
Jul 8, 2011, 10:53 AM
I am looking to implement proxy servers at several locations in my company, and I wanted to get some advice from you guys.

A mac mini OSX server (I suppose it would be Lion at this point): it is inexpensive, doesn't require user licenses, and is easy to administer.

However, what proxy software would work with this? Squid is one possibility, but I am not sure how good it is, or how difficult it is to get to work with OSX.

Another option would be a Linux box, but I'm not sure what proxy software would work best here either.

Power and ease of administration are more important than cost.



bluetick
Jul 11, 2011, 02:45 PM
I am looking to implement proxy servers at several locations in my company, and I wanted to get some advice from you guys.

A mac mini OSX server (I suppose it would be Lion at this point): it is inexpensive, doesn't require user licenses, and is easy to administer.

However, what proxy software would work with this? Squid is one possibility, but I am not sure how good it is, or how difficult it is to get to work with OSX.

Another option would be a Linux box, but I'm not sure what proxy software would work best here either.

Power and ease of administration are more important than cost.

Squid on Linux is the same Squid, as on OS X.

edjrwinnt
Jul 11, 2011, 06:24 PM
I got the built-in proxy server in Snow Leopard Server kind of working. I can set up the HTTP part with port 80 set up on the clients but for whatever reason HTTPS with port 443 set up will not work.

If I could get past this then I would recommend the proxy server built into Snow Leopard Server.

IscariotJ
Jul 12, 2011, 02:00 PM
I got the built-in proxy server in Snow Leopard Server kind of working. I can set up the HTTP part with port 80 set up on the clients but for whatever reason HTTPS with port 443 set up will not work.

If I could get past this then I would recommend the proxy server built into Snow Leopard Server.

I haven't had much luck using the admin tools, ended up editing httpd.conf manually. I'll get around to posting the changes.

Apache vs Squid really depends on your requirements. Squid is relatively easy to configure for http/https proxying but can be configured to provide more advanced options such as throttling; it will even talk direct to certain Cisco switches so that traffic is automatically routed through Squid. However, depending on the size of user base and the functionality being provided it can be a resource hog (some of the cached objects reside in memory).

Apache is quite lightweight (I've even got it configured as a proxy on my MBP for when I'm tethered...), but is worth considering if basic proxy/caching is all you're after.

edjrwinnt
Jul 12, 2011, 11:17 PM
I actually got my Snow Leopard Proxy to work by setting the HTTPS proxy on the clients to use port 80 instead of port 443. Now everything works fine except Microsoft Outlook will not connect to my Exchange Server at work that is using SSL to connect to a static IP Address.

hwojtek
Jul 19, 2011, 11:27 AM
Squid all the way. And proper routing set up on the router in order to tunnel all port 80 requests through the Squid machine. I am running Squid (Fink (http://www.finkproject.org/)) on my Leopard server and it works beautifully. I wanted to use Apache and drop my previous linuxbox altogether, but I've had problems with Apache and routing in order to tunnel the traffic. While the Apache worked with the proxy set up in Network Preferences, it didn't work transparently when I tried my usual routing:

PROXY_IP=192.168.0.12
PROXY_PORT=3128
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

in DDWRT. Since my linuxbox worked with no problems, I just installed the Squid on OS X, copied my previous squid.conf, adjusted the paths and pronto.

belvdr
Jul 19, 2011, 06:06 PM
I ran squid for a month or so, and didn't find it to be caching much. This is due to many URLs appearing to be dynamic to the proxy engine. Overall I cached maybe 1 GB for a family of four. It wasn't worth the effort.

smitty97
Jul 21, 2011, 10:43 AM
Squid no longer runs under 10.7 Lion. Any alternatives?

hwojtek
Jul 21, 2011, 11:38 AM
Build it from source maybe?

piccolodiavolo
Jul 21, 2011, 01:10 PM
Hi,


Why not use a Microsoft Forefront Threat Management Gateway Appliance from the company SecureGuard?

http://www.secureguard.at/Products/Small.aspx

Price is 999€ per unit (fully licensed). We have 13 of these and 4 of the 1000 series running in a mixed OS (windows, mac, linux, bsd) environment.

Working like a charm!!! Really worth going for such an appliance. You can create nice weekly, monthly web proxy reports, etc.


Greeeeeetz,


Stefan

hwojtek
Jul 23, 2011, 09:52 AM
Yeah, absolutely. At 1k Euro/unit this is a goddamn bargain.

smitty97
Jul 24, 2011, 03:40 PM
Build it from source maybe?

ok, that worked. had to tinker with the conf file a bit, but it's running.

bentoms
Aug 9, 2011, 03:34 PM
ok, that worked. had to tinker with the conf file a bit, but it's running.

Please can you give steps on what you did?

gkedge
Feb 17, 2013, 08:59 PM
I got the built-in proxy server in Snow Leopard Server kind of working. I can set up the HTTP part with port 80 set up on the clients but for whatever reason HTTPS with port 443 set up will not work.

If I could get past this then I would recommend the proxy server built into Snow Leopard Server.

I got this working by adding the proxy_connect_module to the Apache's server mix. OS X Snow Leopard Server Admin: Web>Settings>Modules check Enable for proxy_connect_module.

Based on Apache's description, I don't understand why it wasn't on by default if the Web service was going to attempt forward proxy caching:
Apache Module mod_proxy_connect (http://httpd.apache.org/docs/2.2/mod/mod_proxy_connect.html)

Note: I have to make sure that any machine using the proxy bypasses my example.com local domain, otherwise remote Server Admin (and other interesting internal stuff) isn't going to work:
*.local, *.example.com
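
Added example, not part of the original posts and not the configuration Server Admin generates: an Apache 2.2 forward proxy along the lines described in this thread, with mod_proxy_connect loaded so that HTTPS (which reaches a proxy as a CONNECT request) works, the proxy limited to LAN clients, and CONNECT limited to port 443. The module paths, the 192.168.0.0/24 client subnet and the log path are assumptions.

```apache
# Added example; Apache 2.2 access-control syntax (Order/Deny/Allow).
# Assumed values: module paths, client subnet, log path.

LoadModule proxy_module         libexec/apache2/mod_proxy.so
LoadModule proxy_http_module    libexec/apache2/mod_proxy_http.so
# Implements the CONNECT method. Without it, HTTP proxying works but
# HTTPS requests sent through the proxy fail.
LoadModule proxy_connect_module libexec/apache2/mod_proxy_connect.so

# Clients point BOTH their HTTP and HTTPS proxy settings at this
# listener's port. The destination port (443) travels inside the
# CONNECT request; it is not the port the proxy itself listens on.
<VirtualHost *:80>
    # Turn on forward proxying for this listener only.
    ProxyRequests On
    ProxyVia On

    # Only allow tunnels to the standard HTTPS port, so CONNECT cannot
    # be used to reach arbitrary services (SMTP, SSH, ...) via the proxy.
    AllowCONNECT 443

    # Restrict who may use the proxy. An unrestricted forward proxy is
    # an open relay for anyone who can reach this port.
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.0.0/24
    </Proxy>

    # Separate log so proxied requests and CONNECT tunnels can be
    # reviewed apart from normal web traffic.
    LogFormat "%h %l %u %t \"%r\" %>s %b" proxylog
    CustomLog /var/log/apache2/proxy_access.log proxylog
</VirtualHost>
```

Requests from outside the allowed subnet are answered with 403 and still appear in the proxy log, which makes attempts to use the proxy from elsewhere easy to spot.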