WEB Proxy

Document revision 22-Oct-2002
This document applies to the MikroTik RouterOS V2.6

Overview

The MikroTik RouterOS has the squid proxy server implementation.

Proxy server features:

Regular http proxy.
Transparent proxy. Can be transparent and regular at the same time.
Access list by source, destination, and URL.
Cache access list.

Contents of the Manual

The following topics are covered in this manual:

Installation

Software License

Hardware Resource Usage
MikroTik Web Proxy Description
MikroTik Web Proxy Setup
Monitoring the Web Proxy
Access List
Direct Access List
Managing the Cache
Transparent Mode
Setup Example
Troubleshooting

Installation

The MikroTik Web Proxy feature is included in the web-proxy package. To install the web-proxy package, upload it to the router and reboot. After successful install of the web-proxy package it should be listed under the /system package print list.

Software License

The web-proxy does not require any additional Software License. It works with the Basic License. Note that web-proxy does not work with Demo License.

Hardware Resource Usage

The proxy cache can use as much disk space as there is allocated for it. When the system allocates the space for the proxy cache, 1/7th of the total partition (disk) size is reserved for the system, but not less than 50MB. The rest is left for the proxy cache. The system RAM size is considered as well when allocating the cache size. The cache size is limited so, that there are at least 11.2MB of RAM per 1GB of cache plus 32MB of RAM is reserves for the system.

Note that it may be useful to have Web proxy running even with no cache when you want to use it as something like HTTP and FTP firewall (for example, denying access to mp3 files) or to redirect requests to external proxy transparently

MikroTik Web Proxy Description

The web proxy can be used as transparent and normal web proxy at the same time. In transparent mode it is possible to use it as standard web proxy, too. However, in this case, proxy users may have trouble to reach web pages which are accessed transparently.

When setting up Web proxy, make sure it serves only your clients, and is not misused as relay. Please read the security notice in the Access List Section!

MikroTik Web Proxy Setup

The Web Proxy management can be accessed under the /ip web-proxy submenu:

[admin@MikroTik] > ip web-proxy
HTTP proxy
  clear-cache  Clear http cache
       access  Access list
	cache  Cache access list
       direct  Direct access list
      monitor  Monitor proxy status and usage
	print  Print current configuration and status
	  get  Get value of configuration property
	  set  Change proxy configuration
       export  Export web proxy settings
[admin@MikroTik] > ip web-proxy

Web proxy will automatically detect any problems with cache and will try to solve them without loosing any cache data. But in case of a heavy damage to the file system, the web proxy can't rebuild cache data. Cache can be deleted and new cache directories created by the command /ip web-proxy clear-cache.

Monitoring the Web Proxy

Use the command /ip web-proxy print to see the current web proxy status:

[admin@MikroTik] ip web-proxy> print
		enabled: yes
		address: 0.0.0.0:3128
	       hostname: "proxy.mt.lv"
      transparent-proxy: yes
	   parent-proxy: 10.5.5.1:8080
    cache-administrator: "support@mt.lv"
	max-object-size: 10000 kB
		 status: running
     reserved-for-cache: 2633728 kB
[admin@MikroTik] ip web-proxy>

Description of the parameters:

enabled - whether web-proxy is enabled or not
address - IP address (0.0.0.0 for any) and port (mandatory) on which proxy will listen for requests
hostname - hostname (DNS or IP address) of the web proxy
transparent-proxy - use transparent mode
parent-proxy - upper-level proxy. Use 0.0.0.0:0 to disable parent-proxy
max-object-size - objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4096. If you wish to get a high bytes hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10KB hits). If you wish to increase speed more than your want to save bandwidth you should leave this low
status - displays status of the proxy server. Can be one of the following:

stopped - proxy is disabled and is not running
rebuilding-cache - proxy is enabled and running, existing cache is being verified
running - proxy is enabled and running
stopping - proxy is shutting down (max 10s)
clearing-cache - proxy is stopped, cache files are being removed
creating-cache - proxy is stopped, cache directory structure is being created
dns-missing - proxy is enabled, but not running because of unknown DNS server (you should specify it under /ip dns)
invalid-address - proxy is enabled, but not running because of invalid address (you should change address or port)
invalid-cache-administrator - proxy is enabled, but not running because of invalid cache-administrator's e-mail address
invalid-hostname - proxy is enabled, but not running because of invalid hostname (you should set a valid hostname value)
error-logged - proxy is not running because of unknown error. This error is logged as System-Error. Please, send us this error and some description, how it happened.

reserver-for-cache - maximal cache size, that is accessible to web-proxy

Access logs are sent to Web-Proxy-Access logging facility. These logs can be disabled, logged locally or sent to remote address. To log locally:

/system logging facility set Web-Proxy-Access logging=local

In this case logs can be viewed using /log print command.

Some more statistics details can be monitored with /ip web-proxy monitor command:

[admin@MikroTik] > ip web-proxy monitor
		   status: running
		   uptime: 4d19h8m14s
		  clients: 9
		 requests: 10242
		     hits: 3839
	       cache-size: 328672 kB
    received-from-servers: 58108 kB
	  sent-to-clients: 65454 kB
     hits-sent-to-clients: 7552 kB

[admin@MikroTik] >

Printout description:

status - the same as for /ip web-proxy print
uptime - uptime of the proxy server
clients - number of present and past proxy clients (in current uptime)
requests - total number of requests to the proxy (in current uptime)
hits - number of requests satisfied with proxy's cache (in current uptime)
cache-size - current cache size in kilobytes
received-from-servers - how many kilobytes did proxy receive from remote servers (in current uptime)
sent-to-clients - how many kilobytes did proxy send to the clients to resolve their requests (in current uptime)
hits-sent-to-clients - how many kilobytes of sent traffic were taken from the cache (in current uptime)

Access List

Access list is implemented in the same way as MikroTik firewall rules. Rules are processed from the top to the bottom. First matching rule specifies decision of what to do with this connection. Connections can be matched by its source address, destination address, destination port or substring of requested url. If none of these parameters is specified, every connection will match this rule.

If connection is matched by a rule, action property of this rule specifies whether connection will be allowed or not. If connection does not match any rule, it will be allowed.

[admin@MikroTik] ip web-proxy access> print
Flags: X - disabled
  #   SRC-ADDRESS	  DST-ADDRESS	      DST-PORT	   URL		 ACTION
  0   0.0.0.0/0 	  0.0.0.0/0	      0-65535      .mp3          deny
  1   10.0.0.1/32	  0.0.0.0/0	      0-65535                    allow
  2   0.0.0.0/0 	  0.0.0.0/0	      0-65535      ftp://        deny
  3   10.0.0.0/24	  10.9.9.128/28       0-65535                    allow
  4   0.0.0.0/0 	  0.0.0.0/0	      0-65535                    deny
[admin@MikroTik] ip web-proxy access>

Argument description:

src-address - source address of the request
dst-address - destination address of the request
dst-port - destination port of the request
url - the URL of the request. Can be regular expression
action - action to take (allow, deny)

Access list, shown above, disables access to any mp3 files for everyone.
Local gateway 10.0.0.1 has access to everything else (excluding mp3 files).
All other local network (10.0.0.0/24) users have access to servers located at 10.9.9.128/28, but, ftp protocol is not allowed for them.
Any other request is denied.

Details about regular expressions used in url field can be found here: http://www.cs.utah.edu/dept/old/texinfo/regex/regex_toc.html

Security Notice
If you have web-proxy running, someone is probably using you as a relay. You have to use access rules in the web-proxy setting denying all IP addresses except those behind the router. Also, consult examples in Firewall Manual on how to protect your router.

Direct Access List

If parent-proxy is specified, it is possible to tell proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly. Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument.

Description of the action argument values:

allow - always resolve matching requests directly, not through parent proxy
deny - resolve matching requests through parent proxy if there is one. If there in no parent proxy, action will be the same as with allow.

Default action (if no rules specified or request did not match any) is deny.

Managing the Cache

Cache access list specifies, which requests (domains, servers, pages) have to be cached locally by web proxy, and which not. The Web Proxy cache access list is located under the /ip web-proxy cache submenu.

Access list is implemented exactly the same way as web proxy access list. Default action is to cache object (if no matching rule is found). By default, one cache access rule is already added:

[admin@MikroTik] ip web-proxy cache> print
Flags: X - disabled
  #   SRC-ADDRESS	  DST-ADDRESS	      DST-PORT	   URL		 ACTION
  0   0.0.0.0/0 	  0.0.0.0/0	      0-65535	   cgi-bin \?	 deny
[admin@MikroTik] ip web-proxy cache>

This rule defines, that all runtime generated pages (which are located within cgi-bin directories or contain '?' in url) has not to be cached.

Note: Objects, which are larger than max-object-size, are not cached.

Transparent Mode

To enable the transparent mode, firewall rule in destination nat has to be added, specifying which connections (to which ports) should be transparently redirected to the proxy. For example, we have the following web-proxy settings:

[admin@MikroTik] ip web-proxy> print
		enabled: yes
		address: 0.0.0.0:3128
	       hostname: "proxy.mt.lv"
      transparent-proxy: yes
	   parent-proxy: 10.5.5.1:8080
    cache-administrator: "support@mt.lv"
	max-object-size: 10000 kB
		 status: running
     reserved-for-cache: 2633728 kB
[admin@MikroTik] ip web-proxy>

If we want all connections coming from interface ether1 and going to port 80 to handle with web proxy transparently, and if our web proxy is listening on port 8080, then we add following destination nat rule:

[admin@MikroTik] ip firewall dst-nat> add in-interface=ether1 protocol=tcp \
dst-address=!10.0.0.1/32:80 action=redirect to-dst-port=8080
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=ether1
      dst-address=!10.0.0.1/32:80 protocol=tcp icmp-options=any:any flow=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=redirect to-dst-address=0.0.0.0 to-dst-port=8080

[admin@MikroTik] ip firewall dst-nat>

Here, the router's address and port 80 (10.0.0.1/32:80) have been excluded from redirection to preserve the winbox functionality which uses TCP port 80 on the router. More than one redirect rule can be added to redirect more than one port.

Note: only HTTP traffic is supported by web proxy transparent mode. HTTPS and FTP are not going to work this way!

Setup Example

For web proxy setup, do the following:

Specify at least one dns server for the router:
```
/ip dns set primary-dns=159.148.60.2
```
Set IP address and port on which proxy will listen for requests:
```
/ip web-proxy set address=0.0.0.0:8080
```

If this proxy has to use another proxy, specify it:

/ip web-proxy set parent-proxy=192.168.1.1:8080

otherwise disable it:

/ip web-proxy set parent-proxy=0.0.0.0:0

Specify cache administrator's e-mail address:

/ip web-proxy set cache-administrator=support@mt.lv

Specify hostname (DNS or IP address) of the web proxy:
```
/ip web-proxy set hostname=proxy.mt.lv
```
Enable the proxy service:
```
/ip web-proxy set enabled=yes
```

Now it is possible to use this proxy, by setting it as proxy for IE, Netscape, Opera, etc.

Troubleshooting

Can I use transparent proxy feature on a MikroTik router with bridged interfaces?
No. Transparent proxy requires redirection of IP packets by firewall destination NAT. NAT is not involved when packets are passed from one bridged interface to another. But packets have to be translated by firewall destination NAT for transparent web-proxy to work. So, web-proxy is not going to work in transparent mode between bridge interfaces.
When I turned on transparent proxy and redirected TCP port 80 to it, my WinBox stopped working.
TCP port 80 is used by WinBox when connecting to the router. You should exclude the router's address:80 from redirection by using rule
/ip firewall src-nat add dst-address=address/32:80 protocol=tcp action=accept
BEFORE the redirect rule. Alternatively, you can use just one rule
/ip firewall src-nat add dst-address=!address/32:80 protocol=tcp action=redirect to-dst-port=8080
I use firewall to block access to the router from the Internet. My proxy does not work.
Make sure you allow established TCP connections with tcp option non-syn-only to the router before blocking everything else. The rule is like this:
/ip firewall rule input add protocol=tcp tcp-options=non-syn-only connection-state=established