► Postfix, from Sams Publishing. An excellent book that covers the Postfix MTA.
► Running Qmail, from Sams Publishing. This is similar to the Postfix book from Sams Publishing except that it covers the Qmail MTA.
CHAPTER 22
Setting Up a Proxy Server
There are two things in this world that you can never have enough of: time and bandwidth. Fedora comes with a proxy server — Squid — that enables you to cache web traffic on your server so that websites load faster and users consume less bandwidth.
What Is a Proxy Server?
A proxy server lies between client machines — the desktops in your company — and the Internet. As clients request websites, they do not connect directly to the web and send the HTTP request. Instead, they connect to the local proxy server. The proxy then forwards their requests on to the web, retrieves the result, and hands it back to the client. At its simplest, a proxy server really is just an extra layer between client and server, so why bother?
The three main reasons for deploying a proxy server are
► Content control — You want to stop people whiling away their work hours reading the news or downloading MP3s.
► Speed — You want to cache common sites to make the most of your bandwidth.
► Security — You want to monitor what people are doing.
Squid is capable of achieving all of these goals and more.
Installing Squid
Squid installation is handled through the Add/Remove Applications dialog under the System Settings menu. The Squid package is confusingly located under the Web Server group; this has the downside of installing Apache alongside Squid whether you like it or not. That said, you can (and should) deselect other autoinstall packages that you do not need from the Web Server category.
After Squid is installed, switch to the console and use su to get to the root account. You should run the command chkconfig --level 345 squid on to run Squid at runlevels 3, 4, and 5, like this:
[root@susannah ~]# chkconfig --list squid
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@susannah ~]# chkconfig --level 345 squid on
[root@susannah ~]# chkconfig --list squid
squid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
That runs Squid the next time the system switches to runlevel 3, 4, or 5, but it will not run it just yet.
Configuring Clients
Before you configure your new Squid server, you should set up the local web browser to use Squid for its web access. This allows you to test your rules as you are working with the configuration file.
To configure Firefox, select Preferences from the Edit menu. From the dialog that appears, click the Connection Settings button (near the bottom on the General tab) and select the option Manual Proxy Configuration. Check the box beneath it, Use the Same Proxy for All Protocols; then enter 127.0.0.1 as the IP address and 3128 as the port number. See Figure 22.1 for how this should look. If you are configuring a remote client, specify the IP address of the Squid server instead of 127.0.0.1.
FIGURE 22.1 Setting up Firefox to use 127.0.0.1 routes all its web requests through Squid.
For Konqueror, go to the Settings menu and select Configure Konqueror. From the left tab, scroll down to Proxy, select Manually Specify the Proxy Settings, and then click Setup. Enter 127.0.0.1 as the proxy IP address and 3128 as the port. As with Firefox, if you are configuring a remote client, specify the IP address of the Squid server instead of 127.0.0.1.
Internet Explorer's proxy settings are in Tools/Internet Options. From the Connections tab, click the LAN Settings button and enable the Use a Proxy Server for Your LAN option. Enter the address as the IP of your Squid machine, and then specify 3128 as the port.
Access Control Lists
The main Squid configuration file is /etc/squid/squid.conf, and the default Fedora configuration file is full of comments to help guide you. The default configuration file allows full access to the local machine but denies the rest of your network. This is a secure place to start; we recommend you try all the rules on yourself (localhost) before rolling them out to other machines.
Before you start, open two terminal windows as root. In the first, change to the directory /var/log/squid and run this command:
tail -f access.log cache.log
That command reads the last few lines from both files and (thanks to the -f flag) follows them so that new lines appear as soon as they are written. This allows you to watch what Squid is doing as people access it. We will refer to this window as the log window, so keep it open. In the other window (as root, remember), bring up the file /etc/squid/squid.conf in your favorite editor. This window will be referred to as the config editor, and you should keep it open also.
To get started, search for the string acl all — this brings you to the access control section, which is where most of the work needs to be done. There is a lot you can configure elsewhere, but unless you have unusual requirements, you can leave the defaults in place.
The default port for Squid is 3128, but you can change that by editing the http_port line. Alternatively, you can have Squid listen on multiple ports by having multiple http_port lines: 80, 8000, and 8080 are all popular ports for proxy servers.
The acl lines make up your access control lists. The first 16 or so lines define the minimum recommended configuration for setting up which ports to listen to, and other fairly standard configuration settings that you can safely ignore. If you scroll down farther (past another short block of comments), you come to the http_access lines, which are combined with the acl lines to dictate who can do what. You can (and should) mix and match acl and http_access lines to keep your configuration file easy to read.
Just below the first block of http_access lines is a comment like # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS. This is just what we are going to do. First, though, scroll just a few lines farther and you should see these two lines:
http_access allow localhost
http_access deny all
Taken together, these say, "allow HTTP access to the local computer, but deny everyone else." This is the default rule, as mentioned earlier. Leave that in place for now, and run service squid start to start the server with the default settings. If you have not yet configured the local web browser to use your Squid server, do so now so you can test the default rules.
In your web browser (Firefox is assumed from here on, but it makes little difference), go to the URL http://fedora.redhat.com. You should see it appear as normal in the browser, but in the log window you should see a lot of messages scroll by as Squid downloads the site for you and stores it in its cache. This is all allowed because the default configuration allows access to the localhost.
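To see why the order of the http_access lines matters, here is an added Python model of Squid's first-match evaluation (this is illustrative code written for this chapter, not Squid's own code or the book's). The squid.conf fragment embedded in it is constructed: the default allow localhost / deny all pair plus an assumed LAN ACL named localnet, once placed above deny all and once below it.

```python
import ipaddress

# Constructed squid.conf fragment (an assumption, not the book's file): the
# default rule pair from the chapter plus one LAN ACL added above "deny all".
GOOD_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.1.0/24
http_access allow localhost
http_access allow localnet
http_access deny all
"""

# Same ACLs, but "deny all" placed before the LAN rule: a common misordering.
BAD_CONF = GOOD_CONF.replace("allow localnet\nhttp_access deny all",
                             "deny all\nhttp_access allow localnet")

def parse_conf(text):
    """Collect src ACLs as {name: [networks]} and http_access lines as (action, names)."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments and blank lines
        if len(parts) > 3 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) > 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, client):
    """A src ACL matches when the client address is inside any of its networks."""
    return any(client in net for net in acls[name])

def http_access(conf_text, client_ip):
    """Squid's first-match evaluation: the first http_access line whose ACLs all
    match (a leading '!' negates one) decides; with no match, the result is the
    opposite of the last line's action, and an empty rule set denies."""
    acls, rules = parse_conf(conf_text)
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), client) != n.startswith("!")
               for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for conf, label in ((GOOD_CONF, "good order"), (BAD_CONF, "bad order")):
        for ip in ("127.0.0.1", "192.168.1.20", "10.0.0.5"):
            print(f"{label}: {ip} -> {http_access(conf, ip)}")
```

With the LAN rule above deny all, 192.168.1.20 is allowed; with deny all first, the same client is refused, which is exactly what you would see as a denied entry scrolling past in the log window.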