Configuring Proxy, help! (a.k.a: Am I doing this right?)

Hi all,

I’m trying to configure a transparent web proxy, and am not sure if I’m doing everything correctly, so if some of you can take a gander and tell me if I’m doing this right or wrong, that would be great. I’m not a network tech, so please reply in layman terms. ^^

OK, here goes:

//ip firewall filter
chain=input action=drop src-address=0.0.0.0/0 in-interface=LOCAL dst-port=8080 protocol=tcp

QUESTION: I was supposed to secure the proxy so it won’t be used as a relay, right? And to my understanding, this is where I do it. Am I doing it right? I’m kinda confused as to whether I should put ‘LOCAL’ or ‘PUBLIC’ in the in-interface…

//ip firewall nat
chain=dstnat action=redirect to-ports=8080 in-interface=LOCAL dst-port=80 protocol=tcp

QUESTION: Do those two lines (filter and NAT) have to be the first ones in the filter and NAT sections? I mean, the rules are processed from the top one first, no?

//ip proxy access> pr
Flags: X - disabled
 #   DST-PORT  DST-HOST              PATH  METHOD  ACTION  HITS
 0   ;;; block telnet & spam e-mail relaying
     23-25                                         deny    0
 1 X ;;; Test blocking website
               http://www.yahoo.com                deny    0

QUESTION: The mikrotik proxy help page said that “It is strongly recommended to deny all IP addresses except those behind the router as the proxy still may be used to access your internal-use-only (intranet) web servers.” So should I put something like “src-address=0.0.0.0 action=deny” line in there?

//ip proxy> pr
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "myadmin"
max-cache-size: 100000KiB
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 2w
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4

OK, that’s what ‘print’ gave me. So let’s see: filter, check. NAT, check. Access list, check. Anything else I’m missing?

Any input, anything at all, on this issue will be greatly and deeply appreciated.

Anyone? Help, please? :frowning:

//ip firewall filter
chain=input action=drop src-address=0.0.0.0/0 in-interface=LOCAL dst-port=8080 protocol=tcp

Change LOCAL to PUBLIC

and give it a try.
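For readers following the thread, here is the whole setup written out as RouterOS commands with the fix above applied and the access-list advice from the MikroTik help page included. This is an added example, not config posted by anyone in the thread: it assumes the interface names LOCAL (LAN side) and PUBLIC (WAN side) used above, and the LAN subnet 192.168.88.0/24 is a placeholder to replace with your own.

```routeros
# Added example (not from the thread). Assumes the LAN-side interface is named
# LOCAL, the WAN-side interface is PUBLIC, the proxy listens on 8080 as in the
# thread, and the LAN is 192.168.88.0/24 (placeholder; use your own subnet).

/ip firewall filter
# Drop connections to the proxy port that arrive on the WAN interface. This is
# what stops the router being an open relay; matching on LOCAL instead would
# block your own LAN clients. Filter rules are evaluated top to bottom, so keep
# this above any broad "accept" rules in the input chain.
add chain=input protocol=tcp dst-port=8080 in-interface=PUBLIC action=drop \
    comment="block outside access to web proxy"

/ip firewall nat
# Transparent redirect: only LAN traffic to port 80 is sent to the proxy.
add chain=dstnat protocol=tcp dst-port=80 in-interface=LOCAL action=redirect \
    to-ports=8080 comment="transparent proxy"

/ip proxy access
# The access list is also evaluated top to bottom, first match wins, so the
# port block must come before the LAN "allow" or LAN clients would skip it.
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying"
# Allow the LAN, then deny every other source, as the MikroTik help text advises
# (a rule with no src-address matches all sources).
add src-address=192.168.88.0/24 action=allow comment="LAN clients"
add action=deny comment="deny all other sources"
```

With this in place, a connection to port 8080 from the WAN is dropped by the firewall before it reaches the proxy, and even a request that somehow reaches the proxy from a non-LAN source is refused by the access list.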

So the way I’m doing it now (using LOCAL) actually opens up the proxy to the public? ack…

Will try it. Thanks.

Uh, changed LOCAL to PUBLIC, didn’t see anything different… I’m keeping it at PUBLIC at the moment, hope I’m doing it right. Do correct me if I’m wrong…

Anyway, I have some more questions, hope you guys can lend me a hand one more time…

  1. Well, I see a ton of 0kb files in the cache, mainly avatar images from forums, buttons from websites, stuff like that… I have no problem using my bandwidth for these items, but they are just taking up cache space… Is there any way to set the MINIMUM size limit for files to be cached? Say, anything less than 1kb should not be cached. I thought I saw something like that in 2.9, but it’s gone in 3.9… Any ideas?

  2. If I printed “/ip proxy cache-content”, I get a list of EVERYTHING in the cache. What command should I type to display only things that are, oh, say, more than 10kb, or more than 3 days old?

  3. What does “serialize connection” mean?

  4. And if I set “Always from cache” to “yes”, does that mean that the router will always read from the cache and never load new sites? That would be odd, now wouldn’t it? Oh well…

Thanks a bunch you guys.

uhh… Anyone can help? Please? :frowning:

You’re missing the point of caching. It’s all these little, seldom changing files that you WANT to cache.

Try this:
/ip proxy cache-contents print value-list where file-size
and/or
/ip proxy cache-contents print value-list where last-accessed

From the manual:

serialize-connections (yes | no; default: no) - Do not make multiple connections to server for multiple client connections, if possible (i.e. server supports persistent HTTP connections). Clients will be served on FIFO principle; next client is processed when response transfer to the previous one is completed. If a client is idle for too long (max 5 seconds by default), it will give up waiting and open another connection to the server.

Again, from the manual:

always-from-cache (yes | no; default: no) - ignore client refresh requests if the content is considered fresh

thermant, your //ip firewall filter in-interface will always be PUBLIC, because if you want to secure your proxy from outside access you have to put in-interface=public, since you don’t want anyone to access your proxy from outside (WEB).

Dear Hilton, can you please explain what Max fresh time does? Because I can’t have cache objects older than 7 days. For example, if I download any file which is 15 MB, the first time I get my simple queue bandwidth limit; after that, if I download it again, I get my full LAN speed from the cache. It’s all OK for the time being, but after 7 or 8 days, if I download the same file again, I get my simple queue bandwidth again, not LAN bandwidth from my cache. Please explain what is wrong here!

Thanks a lot

I don’t think anything is wrong. The time limit for any file is set by the originating server so it will time out eventually and you don’t have any control over that. What you can do is force it to time out quicker but that’s not what you want to do.

Perhaps you should look at hosting a simple sharepoint server to serve up large files that don’t change that often?