Pages

Saturday, 16 February 2013

Mikrotik Web Proxy

Howto to enable Mikrotik Web Proxy in Transparent Mode

Web proxy is a service that is placed between a client and the internet for HTTP web surfing. It can cache certain contents / http pages in its local cache. Mikrotik have basic PROXY package builtin called WEB PROXY. It is suitable for basic caching for small to mid size networks.
For advance caching capabilities, Use 3rd party external proxy server like SQUID.

MikroTik WEB.PROXY Recommendation

 
Always try NOT to use the same storage disk to store your your cache and your your Router OS, to ensure there is always enough space on your router OS Disk for logs, upgrade / update packages & Backups. Therefore It is highly recommended that the web-proxy cache is stored on a physically separate drive (store) other than the Router OS. Placing the cache on a separate drive ensures maximum performance and reduces problems if the disk becomes full or fails as the OS will then still be OK!
Caching Internet access will require a lot of read and writes to the disk, chose fast disk as for maximum performance / concurrent user request support.
Cache performance also largely depends on RAM size, the More RAM you have in your server, the Better performance you will get.
We will divide this article in 3 Sections.
1# Preparing Secondary Partition for Cache 
2# Configuring Web Proxy
3# Transparent Proxy
Let’s BEGIN . . .

1# Preparing Secondary Drive for CACHE

First we will Format secondary harddrive (to be used for cache ), IF YOU DON’T WANT TO USE SECONDARY HARD-DIVE, SKIP THIS STEP.
Goto SYSTEM > STORES > DISKS
Select the Secondary Hard drive and click on FORMAT DRIVE
As shown in the image below.

 


ow go to STORES tab (by navigating to  SYSTEM > STORES)
Select the WEB-Proxy package and click on COPY
It will ask you where to copy WEB-Proxy package, Select Secondary Drive in TO box.
As shown in the image below




2# Configuring Web Proxy

Now We have to Enable Mikrotik Web Proxy by navigating to 
IP > WEB PROXY

As shown in the image below.




Now Click on “Enable”
in Port, Type 8080
Max Cache Size , Select Unlimited from drop down menu, OR if you have limited Disk Space, then use your desired amount.
You have to specify space in KiloBytes for example 1024 KB = 1MB , so if you want to set 5 GB Cache, then use 5242880 , I am using5 GB in this example. The cache size is really based off of how much RAM you have in the machine
As shown in the image below . . .





Click on Apply and your Mikrotik’s Web Proxy is Ready to be used, But Every client have to set proxy address pointing to Mikrotik IP to be able to use Proxy Service.

3# Transparent Proxy

If we want that every user must be automatically redirected to Proxy transparently, then we have to create additional rule to forcefully redirect users to proxy service, which is called TRANSPARENT PROXY.
.
Goto IP > FIREWALL > NAT and create new rule
In Chain , Select dsntant,
In Protocol, Select 6 (tcp)
In Dst. Port, Type 80

As shown in the image below
 . . .







 Now goto Action Tab,
In Action, Select redirct
In To Ports, Type 8080
As shown in the image below . . .




 Now your newly created rule will look like something below image.
As shown in the image below
 . . .



OR the CLI version of above rule would be something like below.

1/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp to-ports=8080
/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp to-ports=8080








                Copy and Paste 1 by 1 In new Terminal ..

           ( 1. copy )

/ip firewall nat
add action=redirect chain=dstnat comment="Redirecionamento do Proxy" disabled=\
    no dst-port=80 protocol=tcp src-address=172.16.0.0/24 to-ports=8080
////////////////////////////////////////////////////////////////////////////////////

          ( 2. copy )

/ip proxy
set always-from-cache=yes cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=0.0.0.0
////////////////////////////////////////////////////////////////////////////////////

           ( 3. copy )

/ip firewall filter 
add chain=input action=accept dst-port=8080 protocol=tcp comment="ACEITAR \
    CONEXOES PROXY" disabled=no 
///////////////////////////////////////////////////////////////////////////////

                  ( 4. copy ) 

/ip firewall address-list
add address=69.147.95.0/24 comment="\"\"\"\"YAHOO MAIL\"\"\"\"" disabled=no \
    list=nobalance
add address=209.191.106.0/24 comment="\"\"\"\"YAHOO MAIL\"\"\"\"" disabled=no \
    list=nobalance
add address=74.6.228.0/24 comment="\"\"\"\"YAHOO MAIL\"\"\"\"" disabled=no \
    list=nobalance
add address=98.136.131.0/24 comment="\"\"\"\"YAHOO MAIL\"\"\"\"" disabled=no \
    list=nobalance
add address=200.143.37.0/24 comment="\"\"\"\"WEBMOTORS\"\"\"\"" disabled=no \
    list=nobalance
add address=65.54.0.0/16 comment=MSN1 disabled=no list=nobalance
add address=207.46.0.0/16 comment=MSN2 disabled=no list=nobalance
add address=64.4.0.0/16 comment=MSN3 disabled=no list=nobalance
add address=200.143.0.0/16 comment=Pagdigital disabled=no list=nobalance
add address=201.88.0.0/16 comment=f2b disabled=no list=nobalance
add address=200.201.0.0/16 comment="caixa economica" disabled=no list=\
    nobalance
add address=170.66.0.0/16 comment="bb do brasil" disabled=no list=nobalance
add address=200.155.0.0/16 comment=bradesco disabled=no list=nobalance
add address=200.196.0.0/16 comment=itau disabled=no list=nobalance
add address=200.208.0.0/16 comment=sudameris disabled=no list=nobalance
add address=200.220.0.0/16 comment=santander disabled=no list=nobalance
add address=201.63.0.0/16 comment="wwws bradesco" disabled=no list=nobalance
add address=65.55.0.0/16 comment=MSN4 disabled=no list=nobalance
add address=74.52.0.0/16 comment="caixa economica" disabled=no list=nobalance
add address=74.125.0.0/16 comment="caixa economica" disabled=no list=nobalance
add address=174.133.0.0/16 comment="caixa economica" disabled=no list=\
    nobalance
add address=200.219.137.0/24 comment="" disabled=no list=nobalance
add address=200.252.8.0/24 comment="" disabled=no list=nobalance
add address=201.2.207.0/24 comment="" disabled=no list=nobalance
add address=200.196.226.0/24 comment="" disabled=no list=nobalance
add address=201.24.72.0/24 comment="" disabled=no list=nobalance
add address=78.46.46.139 comment="" disabled=no list=nobalance
/////////////////////////////////////////////////////////////////////////////////

                     ( 5.copy )

/ip firewall nat
add action=accept chain=dstnat comment=\
    "\"\"\"\"\"\"SERVI\C7OS NOBRES FORA DO PROXY\"\"\"\"\"\"" disabled=no \
    dst-address-list=nobalance dst-port=80 protocol=tcp
///////////////////////////////////////////////////////////////////////////////////

           ( 6. copy )

/ip proxy cache
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\?"
add action=deny comment="" disabled=no dst-host=https: path=/
add action=allow comment="" disabled=no dst-host=http: path=\
    /www.rjnet.com.br/2velocimetro.php
add action=allow comment="" disabled=no dst-host=http: path=/www.terra.com.br
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\\\\\?"
add action=deny comment="" disabled=no dst-host=https: path=/
add action=allow comment="" disabled=no dst-host=http: path=\
    /www.rapidus.com.br/velocidade/
add action=allow comment="" disabled=no dst-host=http: path=/www.bol.com.br
add action=allow comment="" disabled=no dst-host=http: path=/www.orkut.com
add action=allow comment="" disabled=no dst-host=http: path=\
    /www.autonoma.com.br/medidor/meter.php
add action=allow comment="" disabled=no dst-host=http: path=\
    /medidor.brisanet.com.br/
add action=deny comment="" disabled=no dst-host=https: path=\
    /portal.directv.com.br
add action=deny comment="" disabled=no dst-host=http: path=\
    /chat03.terra.com.br/
add action=allow comment="" disabled=no dst-host=http*youtube*get_video*
add action=allow comment="" disabled=no dst-host=http*youtube*video*
add action=allow comment="" disabled=no dst-host=\
    "http*youtube*yva_get_video_inf o*"
add action=allow comment="" disabled=no dst-host="\":\\\\\\\\.flv\$\""
add action=allow comment="" disabled=no dst-host=http*globo*get_video*
add action=allow comment="" disabled=no dst-host=http*globo*video*
add action=allow comment="" disabled=no dst-host=http*googlevideo*get_video*
add action=allow comment="" disabled=no dst-host=http*googlevideo*video*
add action=allow comment="" disabled=no dst-host=http*video.google*get_video*
add action=allow comment="" disabled=no dst-host=http*video.google*video*
add action=allow comment="" disabled=no dst-host=http*videoplay*
add action=allow comment="" disabled=no dst-host=http*74.125.15.83*get_video*
add action=allow comment="" disabled=no dst-host=: path=:.swf*
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\?"
add action=deny comment="" disabled=no dst-host=https: path=/
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\?"
add action=deny comment="" disabled=no dst-host=start.com.br
add action=deny comment="" disabled=no dst-host=http: path=/speed
add action=deny comment="" disabled=no dst-host=https: path=/
add action=allow comment="" disabled=no dst-host=":\\.exe\$"
add action=allow comment="" disabled=no dst-host=":\\.zip\$"
add action=allow comment="" disabled=no dst-host=":\\.mpeg\$"
add action=allow comment="" disabled=no dst-host=":\\.avi\$"
add action=allow comment="" disabled=no dst-host=":\\.pdf\$"
add action=allow comment="" disabled=no dst-host=":\\.css\$"
add action=allow comment="" disabled=no dst-host=":\\.rar\$"
add action=allow comment="" disabled=no dst-host=":\\.mov\$"
add action=allow comment="" disabled=no dst-host=":\\.mpg\$"
add action=allow comment="" disabled=no dst-host=":\\.iso\$"
add action=allow comment="" disabled=no dst-host=":\\.bin\$"
add action=allow comment="" disabled=no dst-host=":\\.dat\$"
add action=allow comment="" disabled=no dst-host=www.terra.com.br
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\\\\\?"
add action=deny comment="" disabled=no dst-host=https:/
add action=allow comment="" disabled=no dst-host=http: path=\
    /www.rapidus.com.br/velocidade/
add action=allow comment="" disabled=no dst-host=http: path=/www.bol.com.br
add action=allow comment="" disabled=no dst-host=http: path=/www.orkut.com
add action=allow comment="" disabled=no dst-host=http: path=\
    /www.autonoma.com.br/medidor/meter.php
add action=allow comment="" disabled=no dst-host=http: path=\
    /medidor.brisanet.com.br/
add action=deny comment="" disabled=no dst-host=https: path=\
    /portal.directv.com.br
add action=deny comment="" disabled=no dst-host=http://chat03.terra.com.br/
add action=allow comment="" disabled=no dst-host=http*youtube*get_video*
add action=allow comment="" disabled=no dst-host=http*youtube*video*
add action=allow comment="" disabled=no dst-host=\
    "http*youtube*yva_get_video_inf o*"
add action=allow comment="" disabled=no dst-host="\":\\\\\\\\.flv\$\""
add action=allow comment="" disabled=no dst-host=http*globo*get_video*
add action=allow comment="" disabled=no dst-host=http*globo*video*
add action=allow comment="" disabled=no dst-host=http*googlevideo*get_video*
add action=allow comment="" disabled=no dst-host=http*googlevideo*video*
add action=allow comment="" disabled=no dst-host=http*video.google*get_video*
add action=allow comment="" disabled=no dst-host=http*video.google*video*
add action=allow comment="" disabled=no dst-host=http*videoplay*
add action=allow comment="" disabled=no dst-host=http*74.125.15.83*get_video*
add action=allow comment="" disabled=no dst-host=::.swf* path=""
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\?"
add action=deny comment="" disabled=no dst-host=":cgi-bin \\\?"
add action=deny comment="" disabled=no dst-host=start.com.br
add action=deny comment="" disabled=no dst-host=http://speed path=""
add action=allow comment="" disabled=no dst-host=":\\.exe\$"
add action=allow comment="" disabled=no dst-host=":\\.zip\$"
add action=allow comment="" disabled=no dst-host=":\\.mpeg\$"
add action=allow comment="" disabled=no dst-host=":\\.avi\$"
add action=allow comment="" disabled=no dst-host=":\\.pdf\$"
add action=allow comment="" disabled=no dst-host=":\\.css\$"
add action=allow comment="" disabled=no dst-host=":\\.rar\$"
add action=allow comment="" disabled=no dst-host=":\\.mov\$"
add action=allow comment="" disabled=no dst-host=":\\.mpg\$"
add action=allow comment="" disabled=no dst-host=":\\.iso\$"
add action=allow comment="" disabled=no dst-host=":\\.bin\$"
add action=allow comment="" disabled=no dst-host=":\\.dat\$"
///////////////////////////////////////////////////////////////////////////////////

          ( 7. copy )

/ip proxy access
add action=allow comment="Portas Para MSN" disabled=no dst-port=1025-65535
add action=deny comment="" disabled=no path=*ADSAdClient31.dll* redirect-to=\
    www.flinformatica.com/0800/edu/msn.htm
add action=deny comment=\
    "allow CONNECT only to SSL ports 443 [https] and 563 [snews]" disabled=no \
    dst-port=!443,563 method=CONNECT
add action=deny comment="" disabled=no path=*ork.user* redirect-to=\
    www.flinformatica.com/0800/edu/orkut.htm
add action=deny comment="block telnet & spam e-mail relaying" disabled=no \
    dst-port=23-25
////////////////////////////////////////////////////////////////////////////////////

            ( 8. copy )

/ip firewall mangle
add action=mark-connection chain=output comment="2-PROXY FULL" disabled=no \
    dscp=4 new-connection-mark=proxyfull passthrough=yes protocol=tcp src-port=\
    8080
add action=mark-packet chain=output comment="" connection-mark=proxyfull \
    disabled=no new-packet-mark=proxyfull passthrough=yes
add action=return chain=output comment="" connection-mark=proxyfull disabled=no
/////////////////////////////////////////////////////////////////////////////////////

            ( 9. copy )

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=5M \
    max-limit=5M name="2 - CACHE-FULL" packet-mark=proxyfull parent=\
    global-out priority=1 queue=default
//////////////////////////////////////////////////////////////////////////////////

Powered By : $@ADVANCED Wi-Fi@

1 comment:

  1. Do you need to increase your credit score?
    Do you intend to upgrade your school grade?
    Do you want to hack your cheating spouse Email, whatsapp, Facebook, instagram or any social network?
    Do you need any information concerning any database.
    Do you need to retrieve deleted files?
    Do you need to clear your criminal records or DMV?
    Do you want to remove any site or link from any blog?
    you should contact this hacker, he is reliable and good at the hack jobs..
    contact : cybergoldenhacker at gmail dot com

    ReplyDelete

 

Sample text

Sample Text