
Web Proxy

The web proxy in ClearOS is a high-performance proxy caching server for web clients, supporting HTTP, FTP and some lesser known protocols. The software not only saves bandwidth and speeds up access time, but also gives administrators the ability to track web usage via web-based reports.

If you are new to ClearOS and/or setting up a proxy server, you may want to refer to the Guide to Setting up Web Proxy, Content Filter and Access Control Guide.

Please note that the Proxy/Content Filter and Gateway Management apps are mutually exclusive. If you have the Proxy/Content Filter running, you should not use Gateway Management, and vice versa.

Installation

If your system does not have this app available, you can install it via the Marketplace.

You can find this feature in the menu system at the following location:

Gateway|Content Filter and Proxy|Web Proxy

Configuration

Settings

User Authentication

If you would like to require a username/password for web access, you can enable user authentication.

User authentication cannot be used in conjunction with transparent mode. If you require user authentication, then non-transparent mode is required. This is not a limitation of the software, but a limitation of the way the web protocol was designed!

Transparent Mode

In transparent mode, all web requests from the local network automatically pass through the proxy. The advantage: no configuration changes are required on the workstations. The disadvantage: secure web sites (HTTPS) cannot flow through the proxy.

Since network traffic needs to be intercepted before going out to the Internet, this mode is only available when ClearOS is configured as a gateway.

These days, the proxy in Transparent Mode is becoming less and less effective as the internet increasingly uses HTTPS. Google now prefers to return https links rather than http links. The transparent proxy can only intercept HTTP traffic, not HTTPS traffic. It is now recommended to use only one of the Non-Transparent modes.

Performance Level

The Performance Level indicates the size of network that your system can support. The Community Edition is designed for home/small networks and is already optimized for 10 users or less. The Professional Edition does automatic optimization based on available system resources.

Cache Settings

Maximum Cache Size

The maximum size on your hard disk to use for the proxy server cache.

Maximum Object Size

Any file (image, web page, PDF, etc.) above the maximum object size will still go through the proxy but will not be cached. Large files (for instance, a movie file) can take up a lot of space in your proxy cache. If you have a cache size of 2 Gb and two people happen to download 1 Gb files at the same time, then these two files would replace everything else in your cache. You can limit the maximum object size to prevent this kind of scenario.

Maximum Download File Size

If you want to limit downloads of large files (for instance, movies) you can set a maximum size. Any file above this size limit will get blocked.

If your internet connection is fast you will need a very fast disk to keep up or you will need to run the Proxy cacheless. See the Optimizing Performance for Proxy and Content filter guide.

Web Site Bypass

In some circumstances, you may need to by-pass the proxy server. Typically, this is required for web sites that are not proxy-friendly. Some notable examples:

  • Older Microsoft IIS web servers send invalid web server responses
  • Microsoft IIS web servers can be configured with non-standard authentication
  • Tivo personal video recorders (PVRs) are unable to connect via a proxy server. Adding Tivo's network 204.176.0.0/14 to the proxy by-pass list solves the issue.

You can use the following format for the bypass:

  • Web site name (destination)
  • IP address (destination or source)
  • Network Notation (recommended)

Bypassing the proxy for a particular web site name may not be a good idea. As an example, google.com resolves to lots of different IP addresses. If you bypass “google.com”, it will look up the IP it maps to and bypass that single IP. Next time, if Google resolves to a different IP, it will not be bypassed. For google.com you would need to bypass a whole list of subnets.
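The following Python sketch is an added example, not ClearOS code. It models the behaviour described above (a site name is looked up once and pinned to that single IP) and shows which later destinations a bypass list actually covers. The site name, DNS answers and the `resolve` callback are constructed for illustration; only the Tivo network comes from this page.

```python
import ipaddress

# Constructed sample data: one lookup at configuration time, then the
# addresses the same site name returns on later lookups.
CONFIG_TIME_DNS = {"video.example.test": "198.51.100.10"}
LATER_ANSWERS = ["198.51.100.10", "198.51.100.77", "203.0.113.5"]


def compile_bypass(entries, resolve):
    """Build the effective bypass set from site names, IPs and networks.

    A site name is resolved once and pinned to that single address,
    which is the behaviour the page describes (modelled, not measured).
    """
    nets = []
    for entry in entries:
        try:
            # IP address or network notation; strict=True rejects a
            # network written with host bits set (e.g. 204.176.0.5/14).
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            if "/" in entry:
                raise  # malformed network: surface it, do not resolve it
            nets.append(ipaddress.ip_network(resolve(entry)))
    return nets


def is_bypassed(dest_ip, nets):
    """True if traffic to dest_ip would skip the proxy."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in nets)


def coverage(entries, dest_ips, resolve=CONFIG_TIME_DNS.__getitem__):
    """Map each destination IP to whether the bypass list covers it."""
    nets = compile_bypass(entries, resolve)
    return {ip: is_bypassed(ip, nets) for ip in dest_ips}


if __name__ == "__main__":
    for bypass_list in (["video.example.test"],
                        ["198.51.100.0/24"],
                        ["198.51.100.0/24", "203.0.113.0/24"]):
        print(bypass_list, coverage(bypass_list, LATER_ANSWERS))
```

Every address inside a bypassed network leaves without passing through the proxy or content filter, so list only the subnets the site actually needs.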

If you are running the proxy in non-transparent mode, then you also have to adjust your web browser's proxy server settings. The web site or IP address that you add to the ClearOS web proxy bypass list should also be added to your browser's proxy exception list. See the Non-Transparent Proxy and Content Filter Bypass guide.

Authentication Exception Sites

Some sites, especially those with logins, do not play well with the proxy and need to be exempted. You may be able to spot these by using the guide here to look for DENIED messages. Then try whitelisting the resulting FQDN.

Never whitelist a domain and subdomain of the same domain at the same time or the proxy will refuse to start, e.g. do not have subdomain.example.com and sub-subdomain.example.com in the whitelist at the same time. Having subdomain1.example.com and subdomain2.example.com at the same time is OK.
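A pre-flight check for the rule above, as an added example that is not part of ClearOS. It assumes "domain and subdomain" means one whitelist entry is a parent of another at a label boundary (for instance portal.example.com together with sso.portal.example.com); the entries are constructed samples.

```python
def normalize(entry):
    """Lower-case an entry and drop surrounding whitespace and dots."""
    return entry.strip().lower().strip(".")


def find_overlaps(whitelist):
    """Return (parent, child) pairs where child is a subdomain of parent.

    Matching is done on whole labels, so notportal.example.com is not
    treated as a subdomain of portal.example.com.
    """
    names = {normalize(e) for e in whitelist}
    names.discard("")
    # A parent always has fewer labels than its child, so after sorting
    # by label count only later entries need to be compared.
    ordered = sorted(names, key=lambda n: (n.count("."), n))
    overlaps = []
    for i, parent in enumerate(ordered):
        for child in ordered[i + 1:]:
            if child.endswith("." + parent):
                overlaps.append((parent, child))
    return overlaps


# Constructed sample whitelist (assumption: one FQDN per entry).
SAMPLE_WHITELIST = [
    "portal.example.com",
    "sso.portal.example.com",   # conflicts with portal.example.com
    "notportal.example.com",    # sibling: similar suffix, different label
    "mail.example.com",         # sibling: fine
    "cdn.example.net",
]

if __name__ == "__main__":
    conflicts = find_overlaps(SAMPLE_WHITELIST)
    for parent, child in conflicts:
        print(f"conflict: {child} is a subdomain of {parent}")
    raise SystemExit(1 if conflicts else 0)
```

Run it against the whitelist before applying a change, so an overlapping entry is caught before the proxy is restarted.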

Web Browser Configuration

In non-transparent mode, you must change the settings on all the web browsers running on your local network. The following describes the steps for configuring Internet Explorer, but other browsers have similar procedures. In Internet Explorer:

  • Click on in the menu bar
  • Select Internet Options
  • Click on the tab
  • Click on the button

In the Proxy Server settings box, specify your ClearOS IP address and the proxy port (see next section). You may not be able to access websites on your system or local network unless you select bypass proxy server for local addresses.

Which Port Should I Use?

So which port should be configured in your web browser's proxy settings?

  • Are you using transparent mode? If yes, then no web browser changes are required! If not, continue.
  • Are you using the content filter? If yes, use port 8080. If no, use port 3128.

FTP Proxy

From the Squid Web Proxy FAQ:

Question: Can I make my regular FTP clients use a Squid cache?

Answer: It's not possible. Squid only accepts HTTP requests.

Troubleshooting

Requested web page or file is too large

If you see the message Requested web page or file is too large in your web browser, change the Maximum Download File Size parameter described above.

content/en_us/7_ug_web_proxy.txt · Last modified: 2019/01/14 02:30 by NickH
