Overview
The MikroTik RouterOS has the squid proxy server implementation.
Installation
Hardware Resource Usage
MikroTik Web Proxy Description
MikroTik Web Proxy Setup
Monitoring the Web Proxy
Access List
Managing the Cache
Transparent Mode
Troubleshooting
Installation
The MikroTik Web Proxy feature is included in the 'web-proxy' package. To install the web-proxy package,
upload it to the router and reboot. After a successful install of the web-proxy package it should be listed in the
/system package print output:
mikrotik.com/…/Web-proxy.html 1/6
08/05/2010 MikroTik RouterOS WEB Proxy
7 snmp 2.5.2 apr/24/2002 11:53:10 no
[MikroTik] >
It is recommended that a HDD of at least 100MB is used when running the web proxy. Do not try to run web-proxy on
a 32 or 48 MB FlashDisk!
[MikroTik] ip web-proxy> ?
HTTP proxy
clear-cache Clear http cache
access Access list
cache Cache access list
print Print current configuration and status
get Get value of configuration property
set Change proxy configuration
export Export web proxy settings
[MikroTik] ip web-proxy>
Set IP address and port on which proxy will listen for requests:
/ip web-proxy set parent-proxy=0.0.0.0:0
The web proxy automatically detects problems with the cache and tries to repair them without losing any
cache data. In case of heavy damage to the file system, however, the web proxy cannot rebuild the cache data. The
cache can be deleted and new cache directories created with the command '/ip web-proxy clear-cache'.
valid hostname value)
error-logged - the proxy is not running because of an unknown error. This error is logged as System-
Error. Please send us this error and a description of how it happened.
Access logs are sent to the Web-Proxy-Access logging facility. These logs can be disabled, logged locally or sent to
a remote address. To log locally:
Access List
The access list is implemented in the same way as MikroTik firewall rules. Rules are processed from top to bottom,
and the first matching rule decides what to do with the connection. Connections can be matched by their
source address, destination address, destination port or a substring of the requested URL. If none of these parameters is
specified, every connection matches the rule.
If a connection is matched by a rule, the action property of that rule specifies whether the connection is allowed or
not. If a connection does not match any rule, it is allowed.
For example:
Argument description:
Access list, shown above, disables access to any mp3 files for everyone.
Local gateway 10.0.0.1 has access to everything else (excluding mp3 files).
All other local network (10.0.0.0/24) users have access to servers located at 10.9.9.128/28, but the ftp protocol is
not allowed for them.
Any other request is denied.
The cache access list is implemented exactly the same way as the web proxy access list. The default action (if no
matching rule is found) is to cache the object. By default, one cache access rule is already added:
This rule defines that all runtime-generated pages (those located within cgi-bin directories or containing '?' in the
url) are not to be cached.
NOTE: Objects, which are larger than 4MB, are not cached.
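The first-match evaluation described for the access list, and reused for the cache access list, as an added example that is not part of the original MikroTik page. It models the access list the page describes in prose (deny mp3 for everyone, the gateway 10.0.0.1 allowed everything else, 10.0.0.0/24 allowed to 10.9.9.128/28 except ftp, everything else denied) and the default cache rule plus the 4MB object limit. The rule order and the use of destination port 21 to express "ftp is not allowed" are assumptions, since the page's own rule listing is not shown; all addresses and URLs in the samples are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One access-list or cache-list rule. A field left as None matches any value,
    so a rule with no matchers set matches every connection (as the page states)."""
    action: str                          # "allow" or "deny"
    src_address: Optional[str] = None    # network in CIDR form, e.g. "10.0.0.0/24"
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    url: Optional[str] = None            # substring of the requested URL


@dataclass
class Request:
    """A proxied connection as the access list sees it (constructed sample data)."""
    src: str
    dst: str
    dst_port: int
    url: str


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every matcher that is set must hold; unset matchers are ignored."""
    if rule.src_address is not None and \
            ipaddress.ip_address(req.src) not in ipaddress.ip_network(rule.src_address, strict=False):
        return False
    if rule.dst_address is not None and \
            ipaddress.ip_address(req.dst) not in ipaddress.ip_network(rule.dst_address, strict=False):
        return False
    if rule.dst_port is not None and req.dst_port != rule.dst_port:
        return False
    if rule.url is not None and rule.url not in req.url:
        return False
    return True


def first_match(rules: List[Rule], req: Request, default: str) -> str:
    """Rules are processed top to bottom; the first match decides. No match -> default."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action
    return default


# Access list reproducing the behaviour the page describes. Rule order and the
# dst_port=21 rule for "ftp is not allowed" are assumptions (page listing not shown).
ACCESS_LIST = [
    Rule("deny", url=".mp3"),                                   # no mp3 files for anyone
    Rule("allow", src_address="10.0.0.1/32"),                   # gateway: everything else
    Rule("deny", src_address="10.0.0.0/24", dst_address="10.9.9.128/28", dst_port=21),
    Rule("allow", src_address="10.0.0.0/24", dst_address="10.9.9.128/28"),
    Rule("deny"),                                               # any other request
]


def access_decision(req: Request) -> str:
    # Page: a connection that matches no rule is allowed, hence the explicit final deny.
    return first_match(ACCESS_LIST, req, default="allow")


# Cache access list: the page's default rule ("runtime generated pages, in cgi-bin
# directories or with '?' in the url, are not cached") written as two url rules.
CACHE_LIST = [
    Rule("deny", url="cgi-bin"),
    Rule("deny", url="?"),
]
MAX_CACHEABLE_BYTES = 4 * 1024 * 1024   # page: objects larger than 4MB are not cached


def cache_decision(req: Request, object_size: int) -> bool:
    """True if the object would be stored in the cache."""
    if object_size > MAX_CACHEABLE_BYTES:
        return False
    return first_match(CACHE_LIST, req, default="allow") == "allow"   # default: cache it


if __name__ == "__main__":
    samples = [
        Request("10.0.0.1", "203.0.113.10", 80, "http://example.com/song.mp3"),
        Request("10.0.0.1", "203.0.113.10", 80, "http://example.com/"),
        Request("10.0.0.5", "10.9.9.130", 80, "http://10.9.9.130/index.html"),
        Request("10.0.0.5", "10.9.9.130", 21, "ftp://10.9.9.130/pub/"),
        Request("10.0.0.5", "203.0.113.10", 80, "http://example.com/"),
    ]
    for s in samples:
        print(f"{s.src:>10} -> {s.url:<32} {access_decision(s)}")
```

The explicit final deny rule is what turns the page's "no match means allow" default into the "any other request is denied" behaviour of the example; drop it and the last sample above is allowed instead.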
Transparent Mode
To enable transparent mode, a firewall rule in destination NAT has to be added, specifying which connections (to
which ports) should be transparently redirected to the proxy. For example, we have the following web-proxy
settings:
If we want all connections coming from interface ether1 and going to port 80 to be handled transparently by the web
proxy, and our web proxy is listening on port 8080, then we add the following destination NAT rule:
Here, the router's address and port 80 (10.0.0.1/32:80) have been excluded from redirection to preserve the
winbox functionality which uses TCP port 80 on the router. More than one redirect rule can be added to redirect
more than one port.
NOTE: only HTTP traffic is supported by the web proxy transparent mode. HTTPS and FTP are not
going to work this way!
Troubleshooting
My web-proxy does not start. There are error messages in the system log, and the status of the
web-proxy is 'rebuilding cache ...'
A problem with the underscore '_' in the identity name has been fixed (starting with v2.5.2). It is a good idea to
update web-proxy if a newer version is available.
Can I use transparent proxy feature on a MikroTik router with bridged interfaces?
No. Transparent proxy requires redirection of IP packets by firewall destination NAT. The firewall is not
involved when packets are passed from one bridged interface to another, but packets have to be
translated by firewall destination NAT for the transparent web-proxy to work. So, web-proxy is not going to
work in transparent mode between bridge interfaces.
When I turned on transparent proxy and redirected TCP port 80 to it, my WinBox stopped
working.
TCP port 80 is used by WinBox when connecting to the router. You should exclude the router's
address:80 from redirection by using rule
'/ip firewall src-nat add dst-address=address/32:80 protocol=tcp action=accept'
BEFORE the redirect rule. Alternatively, you can use just one rule
'/ip firewall src-nat add dst-address=!address/32:80 protocol=tcp action=redirect to-dst-port=8080'
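The ordering point made in this answer and in the Transparent Mode section above, as an added example that is not MikroTik code: a small first-match model of the destination NAT rule list that compares the two-rule variant (accept the router's port 80 before the redirect), the single negated-address rule, and the mistaken order that breaks WinBox. The router address 10.0.0.1, interface ether1 and proxy port 8080 come from the page; the client address 203.0.113.10 and the rule/packet field names are constructed for the model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """A TCP packet arriving at the router (constructed sample data)."""
    in_interface: str
    dst_address: str
    dst_port: int


@dataclass
class NatRule:
    """Destination NAT rule as the page describes it. dst_address is a single host
    address; a leading '!' negates the match, as in the page's one-rule variant."""
    action: str                              # "accept" or "redirect"
    in_interface: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    to_dst_port: Optional[int] = None        # only meaningful for "redirect"


def _matches(rule: NatRule, pkt: Packet) -> bool:
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.dst_address is not None:
        negate = rule.dst_address.startswith("!")
        addr = rule.dst_address.lstrip("!")
        if (pkt.dst_address == addr) == negate:   # equal-and-negated or unequal-and-plain: no match
            return False
    return True


def destination_port_after_nat(rules: List[NatRule], pkt: Packet) -> int:
    """First matching rule wins: 'accept' leaves the packet untouched and stops
    processing; 'redirect' sends it to the proxy port. No match: untouched."""
    for rule in rules:
        if _matches(rule, pkt):
            return pkt.dst_port if rule.action == "accept" else rule.to_dst_port
    return pkt.dst_port


ROUTER = "10.0.0.1"      # router address the page excludes from redirection
PROXY_PORT = 8080

# Variant 1 from the page: accept the router's own port 80 BEFORE the redirect rule.
TWO_RULES = [
    NatRule("accept", dst_address=ROUTER, dst_port=80),
    NatRule("redirect", in_interface="ether1", dst_port=80, to_dst_port=PROXY_PORT),
]
# Variant 2 from the page: one rule with a negated destination address.
ONE_RULE = [
    NatRule("redirect", in_interface="ether1", dst_address="!" + ROUTER,
            dst_port=80, to_dst_port=PROXY_PORT),
]
# The mistake this troubleshooting entry describes: redirect placed before the accept.
WRONG_ORDER = list(reversed(TWO_RULES))


def winbox_reachable(rules: List[NatRule]) -> bool:
    """WinBox uses TCP port 80 on the router; it keeps working only if that port is not redirected."""
    return destination_port_after_nat(rules, Packet("ether1", ROUTER, 80)) == 80


def web_is_proxied(rules: List[NatRule]) -> bool:
    """An ordinary client request to port 80 must land on the proxy port."""
    return destination_port_after_nat(rules, Packet("ether1", "203.0.113.10", 80)) == PROXY_PORT


if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES), ("one rule", ONE_RULE), ("wrong order", WRONG_ORDER)):
        print(f"{name:<12} winbox ok: {winbox_reachable(rules)!s:<5} web proxied: {web_is_proxied(rules)}")
```

All three lists redirect ordinary web traffic; only the order of the accept rule relative to the redirect decides whether the router's own port 80 survives, which is why the page insists on "BEFORE the redirect rule".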
I use firewall to block access to the router from the Internet. My proxy does not work.
Make sure you allow established TCP connections with tcp option 'non-syn-only' to the router before
blocking everything else. In v2.5, the rule is like this:
'/ip firewall rule input add protocol=tcp tcp-options=non-syn-only connection-state=established'