Proxy server features:
[MikroTik] > system package print
Flags: I - invalid
  # NAME        VERSION  BUILD-TIME            UNINSTALL
  0 system      2.5.2    apr/24/2002 11:52:28  no
  1 routing     2.5.2    apr/24/2002 12:04:34  no
  2 web-proxy   2.5.2    apr/24/2002 12:02:52  no
  3 ppp         2.5.2    apr/24/2002 11:57:03  no
  4 pptp        2.5.2    apr/24/2002 11:57:43  no
  5 pppoe       2.5.2    apr/24/2002 11:58:46  no
  6 ssh         2.5.2    apr/24/2002 11:54:52  no
  7 snmp        2.5.2    apr/24/2002 11:53:10  no
[MikroTik] >
It is recommended that a hard disk of at least 100MB is used when running the web proxy. Do not try to run web-proxy on a 32 or 48 MB FlashDisk!
[MikroTik] ip web-proxy> ?
HTTP proxy
clear-cache   Clear http cache
access        Access list
cache         Cache access list
print         Print current configuration and status
get           Get value of configuration property
set           Change proxy configuration
export        Export web proxy settings
[MikroTik] ip web-proxy>
For web proxy setup, do the following:
Specify the DNS server (the proxy will not start without one; see the dns-missing status below):
/ip dns set primary-dns=192.168.1.1
Set the address and port the proxy listens on:
/ip web-proxy set address=0.0.0.0:8080
If requests should be forwarded through a parent proxy, specify it:
/ip web-proxy set parent-proxy=192.168.1.1:8080
otherwise disable it:
/ip web-proxy set parent-proxy=0.0.0.0:0
Set the cache administrator's e-mail address and the proxy hostname (both must be valid, otherwise the proxy will not start):
/ip web-proxy set cache-administrator=support@mt.lv
/ip web-proxy set hostname=proxy.mt.lv
Enable the proxy:
/ip web-proxy set enabled=yes
Now it is possible to use this proxy by setting it as the proxy server in IE or Netscape. Note that with address=0.0.0.0:8080 the proxy accepts connections on every interface of the router, and while the access list is empty every request is allowed (see the access list section below), so restrict who may use it (access list rules matching src-address, or a firewall rule for port 8080) before the router is reachable from the Internet; otherwise it is an open proxy.
The web proxy will automatically detect problems with the cache and try to repair them without losing any cached data. In case of heavy damage to the file system, however, the web proxy cannot rebuild the cache data. The cache can be deleted and new cache directories created with the command '/ip web-proxy clear-cache'.
[MikroTik] ip web-proxy> print
               enabled: yes
               address: 0.0.0.0:8080
      transparent-mode: no
          parent-proxy: 0.0.0.0:0
   cache-administrator: support@mt.lv
              hostname: proxy.mt.lv
                status: running
    reserved-for-cache: 6782 MB
[MikroTik] ip web-proxy>
Description of the status parameter values:
stopped - proxy is disabled and is not running
rebuilding-cache - proxy is enabled and running, the existing cache is being verified
running - proxy is enabled and running
stopping - proxy is shutting down (max 10s)
clearing-cache - proxy is stopped, cache files are being removed
creating-cache - proxy is stopped, cache directory structure is being created
dns-missing - proxy is enabled, but not running because the DNS server is unknown (please specify it under /ip dns)
invalid-address - proxy is enabled, but not running because of an invalid address (please change the address or port)
invalid-cache-administrator - proxy is enabled, but not running because of an invalid cache-administrator e-mail address
invalid-hostname - proxy is enabled, but not running because of an invalid hostname (please set a valid hostname value)
error-logged - proxy is not running because of an unknown error. This error is logged as System-Error. Please send us this error and a description of how it happened.
Access logs are sent to the Web-Proxy-Access logging facility. These logs can be disabled, logged locally, or sent to a remote address. To log locally:
/system logging facility set Web-Proxy-Access logging=local
Logs can then be viewed using the /log print command.
The access list is implemented in the same way as MikroTik firewall rules. Rules are processed from top to bottom, and the first matching rule decides what is done with the connection. Connections can be matched by their source address, destination address, destination port, or the requested URL (see the url argument below). If none of these parameters is specified, every connection matches the rule.
If a connection is matched by a rule, the action property of that rule specifies whether the connection is allowed or denied. If a connection does not match any rule, it is allowed, so a list that should deny everything not explicitly permitted must end with a catch-all deny rule, as in the example below.
For example:
[MikroTik] ip web-proxy access> print
Flags: X - disabled
  # SRC-ADDRESS    DST-ADDRESS     DST-PORT URL      ACTION
  0 0.0.0.0/0      0.0.0.0/0       0-65535  .mp3     deny
  1 10.0.0.1/32    0.0.0.0/0       0-65535           allow
  2 0.0.0.0/0      0.0.0.0/0       0-65535  ftp://   deny
  3 10.0.0.0/24    10.9.9.128/28   0-65535           allow
  4 0.0.0.0/0      0.0.0.0/0       0-65535           deny
[MikroTik] ip web-proxy access>
Argument description:
src-address - source address of the request
dst-address - destination address of the request
dst-port - destination port of the request
url - the URL of the request. Can be a regular expression.
action - (allow / deny) action to take.
The access list shown above denies access to any mp3 files for everyone (rule 0 is first, so it takes precedence over the allow rules that follow).
The local gateway 10.0.0.1 has access to everything else (excluding mp3 files).
All other local network (10.0.0.0/24) users have access to the servers located at 10.9.9.128/28, but the ftp protocol is not allowed for them.
Any other request is denied.
The cache access list specifies which requests (domains, servers, pages) have to be cached locally by the web proxy, and which not. The web proxy cache access list is located under the /ip web-proxy cache submenu.
This list is implemented exactly the same way as the web proxy access list. The default action is to cache the object (if no matching rule is found). By default, one cache access rule is already added:
[MikroTik] ip web-proxy cache> print
Flags: X - disabled
  # SRC-ADDRESS    DST-ADDRESS     DST-PORT URL          ACTION
  0 0.0.0.0/0      0.0.0.0/0       0-65535  cgi-bin \?   deny
[MikroTik] ip web-proxy cache>
This rule defines that all runtime-generated pages (those located within cgi-bin directories or containing '?' in the URL) are not to be cached.
NOTE: Objects larger than 4MB are not cached.
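The following Python program is an added example, not RouterOS code, that models the rule evaluation the two preceding sections describe for both the access list and the cache access list: rules are checked top to bottom, the first match decides, an unset field matches anything, and a configurable default applies when nothing matches (allow for the access list, cache for the cache list). It loads the exact rules printed above and runs constructed requests through them, so the four outcomes stated for the access list example can be checked. Two things are assumptions rather than documented behaviour: the url column is treated as a whitespace-separated list of regular expressions of which any one may match (the reading that makes the default 'cgi-bin \?' rule deny both cgi-bin paths and '?' URLs), and a port spec is a single port or a lo-hi range.

```python
"""Model of MikroTik web-proxy access and cache access list evaluation.

Added example, not RouterOS code.  Assumptions (not from the manual):
  - the url column is a whitespace-separated list of regexes, any of which
    may match (re.search semantics);
  - dst-port is either "N" or "LO-HI".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_address: str    # e.g. "10.0.0.0/24"; "0.0.0.0/0" matches any source
    dst_address: str
    dst_port: str       # "0-65535", or a single port such as "80"
    url: str            # regex list; "" (empty column) matches every URL
    action: str         # "allow" or "deny"


def _port_in_range(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, src: str, dst: str, port: int, url: str) -> bool:
    """True when every field that is set on the rule matches the request."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src_address):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst_address):
        return False
    if not _port_in_range(rule.dst_port, port):
        return False
    patterns = rule.url.split()          # empty url column -> no constraint
    if patterns and not any(re.search(p, url) for p in patterns):
        return False
    return True


def evaluate(rules: List[Rule], default: str, src: str, dst: str,
             port: int, url: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of deciding rule).

    The index is None when no rule matched and the default was applied."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, src, dst, port, url):
            return rule.action, idx
    return default, None


# The access list from the manual example, in print order (default: allow).
ACCESS_RULES = [
    Rule("0.0.0.0/0",   "0.0.0.0/0",     "0-65535", ".mp3",   "deny"),
    Rule("10.0.0.1/32", "0.0.0.0/0",     "0-65535", "",       "allow"),
    Rule("0.0.0.0/0",   "0.0.0.0/0",     "0-65535", "ftp://", "deny"),
    Rule("10.0.0.0/24", "10.9.9.128/28", "0-65535", "",       "allow"),
    Rule("0.0.0.0/0",   "0.0.0.0/0",     "0-65535", "",       "deny"),
]

# The default cache access rule (default: allow, i.e. cache the object).
CACHE_RULES = [
    Rule("0.0.0.0/0", "0.0.0.0/0", "0-65535", r"cgi-bin \?", "deny"),
]


def access_decision(src: str, dst: str, port: int, url: str):
    return evaluate(ACCESS_RULES, "allow", src, dst, port, url)


def cache_decision(src: str, dst: str, port: int, url: str):
    return evaluate(CACHE_RULES, "allow", src, dst, port, url)


if __name__ == "__main__":
    # Constructed requests, one per rule of the access list, plus a URL that
    # shows '.' in ".mp3" is a regex wildcard (it also matches "/xmp3.html").
    for req in [
        ("10.0.0.1", "10.9.9.130",   80, "http://10.9.9.130/song.mp3"),
        ("10.0.0.1", "198.51.100.7", 80, "http://198.51.100.7/index.html"),
        ("10.0.0.5", "10.9.9.130",   21, "ftp://10.9.9.130/pub/"),
        ("10.0.0.5", "10.9.9.130",   80, "http://10.9.9.130/"),
        ("10.0.0.5", "198.51.100.7", 80, "http://198.51.100.7/"),
        ("10.0.0.1", "198.51.100.7", 80, "http://198.51.100.7/xmp3.html"),
    ]:
        print(req[3], "->", access_decision(*req))
    for url in ["http://example.com/cgi-bin/search",
                "http://example.com/page?x=1",
                "http://example.com/logo.png"]:
        print(url, "->", cache_decision("10.0.0.5", "198.51.100.7", 80, url))
```

The last request illustrates a caveat worth keeping in mind when the url column is a regular expression: '.' matches any character, so ".mp3" also matches URLs such as /xmp3.html or /mp3/; to match the literal extension, write "\.mp3". The evaluate() function takes the default as a parameter precisely because the two lists differ only in it: allow for the access list, cache for the cache list.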
[MikroTik] ip web-proxy> print
               enabled: yes
               address: 0.0.0.0:8080
      transparent-mode: yes
          parent-proxy: 0.0.0.0:0
   cache-administrator: support@mt.lv
              hostname: proxy.mt.lv
                status: running
    reserved-for-cache: 3398 MB
[MikroTik] ip web-proxy>
If we want all connections coming in on interface ether1 to TCP port 80 to be handled transparently by the web proxy, and our web proxy is listening on port 8080, we add the following destination NAT rule:
[MikroTik] ip firewall dst-nat> add in-interface=ether1 protocol=tcp \
    dst-address=!10.0.0.1/32:80 action=redirect to-dst-port=8080
[MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid
  0 ;;; Transparent proxy
      src-address=0.0.0.0/0:0-65535 in-interface=ether1
      dst-address=!10.0.0.1/32:80 protocol=tcp icmp-options=any:any flow=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=redirect to-dst-address=0.0.0.0 to-dst-port=8080
      bytes=118949 packets=2260
[MikroTik] ip firewall dst-nat>
Here, the router's own address and port 80 (10.0.0.1/32:80) have been excluded from redirection to preserve winbox functionality, which uses TCP port 80 on the router. More than one redirect rule can be added to redirect more than one port. Note that the redirect rule only selects traffic; the proxy access list is still applied to the redirected requests.
NOTE: only HTTP traffic is supported by the web proxy in transparent mode. HTTPS and FTP are not going to work this way!