
Sep 05 2016

How to Configure SQUID proxy on Linux

In this post we will see how to configure SQUID Proxy server on CentOS.

Operating system – CentOS 6.7

Do the minimal installation of CentOS.

Install the squid package:

#yum install squid

If this system has no internet access, you can install the squid rpm from the installation DVD/ISO.

Once the squid installation completes, edit the squid.conf file.

LAN Subnet – 192.168.1.0/23

LAN Ethernet – eth0

WAN Ethernet – eth1

Edit the squid.conf file and add the lines below.

You can define ACLs and allow/deny access from LAN computers to websites as per your requirements.

Below is my working squid.conf file; adjust the configuration as per your requirements.

#####################
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

#Configure ACL in SQUID
#My Access List

#ACL for FTP Protocol
acl FTP proto FTP

#ACL for my LOCAL Subnet
acl localnet src 192.168.1.0/24

#ACL for managers who need full access. This ACL uses MAC addresses.
acl master1 arp "/etc/squid/acl/master-arp.lst"

#ACL for specific Computers.
acl searchpc arp "/etc/squid/acl/search-arp.lst"

#ACL for Support Team's PCs
acl supportpc src "/etc/squid/acl/support-ip.lst"

#ACL for specific IP
acl masterip src 192.168.1.9

#ACL to allow internet access based on time.
acl evening time 16:00-18:00

#ACL to block websites.
acl badsites dstdomain "/etc/squid/acl/badsites.lst"

#ACL to allow specific sites for Support Users.
acl supportsites dstdomain "/etc/squid/acl/supportsites.lst"

#ACL to allow specific sites to ALL LAN users.
acl opentoall dstdomain "/etc/squid/acl/open-to-all.lst"

acl all1 src all
no_cache deny all1
icp_port 0
htcp_port 0
icp_access deny all1
htcp_access deny all1

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 20  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost

always_direct allow FTP

#Allow or deny configured ACL in squid
#Allow/deny Access List
#
#Allow FULL Access to PC/Systems added to the master1 ACL
http_access allow master1

#Block 'badsites' for all
http_access deny badsites

#Allow Full internet access to 'searchPC' during evening 4 PM to 6 PM.
http_access allow evening searchpc

#Allow Specific SupportSites to Support PC.
http_access allow supportsites supportpc

#Allow Specific sites to all LAN, all the time.
http_access allow opentoall localnet

#Deny everything to LAN systems
http_access deny localnet
http_access deny all

# Change default squid port to 8080
http_port 8080

cache_mem 512 MB
maximum_object_size_in_memory 56 MB
logfile_rotate 20
cache_mgr SystemAdmin@vprh.org
visible_hostname proxyrouter.vprh.blogspot.com

#Add your DNS servers here.
dns_nameservers 8.8.8.8 8.8.4.4 192.168.1.100

#Download restriction based on ACL
#Allow download up to 10GB to masterip
reply_body_max_size 10240 MB masterip
#Limit download to 20 MB for all other LAN PCs
reply_body_max_size 20 MB

#cache size
cache_dir aufs /var/spool/squid 4000 16 256
coredump_dir /var/spool/squid
cache_swap_low 90
cache_swap_high 95

#Limit file upload
request_body_max_size 10240 MB masterip
request_body_max_size 20 MB localnet

# And finally deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .  0 20% 4320
#####################
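Squid walks the http_access lines top to bottom, a line matches only when every ACL on it matches, a leading ! negates an ACL, and the first matching line decides. The following Python model of the author's own rules is an added example, not code from the original post: the recommended-minimum lines (manager, Safe_ports, CONNECT, localhost) are left out, the list contents mirror the .lst files created later in the post, and the Request fields are a constructed stand-in for a real client request.

```python
"""Added example: replay Squid's first-match http_access logic over the author's rules."""
import ipaddress
from collections import namedtuple

# Fields a squid ACL can test on a request; a constructed stand-in, not real traffic.
Request = namedtuple("Request", "src mac host hour")

# Contents of the .lst files created later in the post (placeholder MACs kept as-is).
MASTER_MACS = {"ee:xx:rr:44:55:cc"}
SEARCH_MACS = {"ee:xx:rr:44:55:cd"}
SUPPORT_IPS = {"192.168.1.100"}
BADSITES = {".youtube.com", ".video.com", ".xyz.com"}
SUPPORTSITES = {".teamviewer.com", ".showmypc.com"}   # dstdomain is case-insensitive
OPENTOALL = {".google.com", ".example.com"}
LOCALNET = ipaddress.ip_network("192.168.1.0/24")

def dstdomain(patterns, host):
    """A leading dot in a dstdomain entry matches the domain itself and every subdomain."""
    host = host.lower()
    return any(host == p[1:] or host.endswith(p) for p in patterns)

ACLS = {
    "localnet":     lambda r: ipaddress.ip_address(r.src) in LOCALNET,
    "master1":      lambda r: r.mac in MASTER_MACS,      # arp ACL
    "searchpc":     lambda r: r.mac in SEARCH_MACS,      # arp ACL
    "supportpc":    lambda r: r.src in SUPPORT_IPS,
    "evening":      lambda r: 16 <= r.hour < 18,         # time 16:00-18:00
    "badsites":     lambda r: dstdomain(BADSITES, r.host),
    "supportsites": lambda r: dstdomain(SUPPORTSITES, r.host),
    "opentoall":    lambda r: dstdomain(OPENTOALL, r.host),
    "all":          lambda r: True,
}

# The author's http_access lines, in squid.conf order.
HTTP_ACCESS = [
    ("allow", "master1"),
    ("deny",  "badsites"),
    ("allow", "evening searchpc"),
    ("allow", "supportsites supportpc"),
    ("allow", "opentoall localnet"),
    ("deny",  "localnet"),
    ("deny",  "all"),
]

def http_access(req):
    """Return (action, line) for the first line whose ACLs all match; '!' negates an ACL."""
    for action, acls in HTTP_ACCESS:
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls.split()):
            return action, f"http_access {action} {acls}"
    return "deny", "implicit default"   # never reached: the last line matches everything
```

Because the badsites deny sits above the evening allow, even the searchPC cannot reach youtube.com at 17:00, while a master1 MAC bypasses badsites entirely because its allow comes first.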

Save the squid configuration file after adding/updating the ACLs as per your network requirements.

Create the ACL list files referenced in squid.conf:

#mkdir /etc/squid/acl

#cd /etc/squid/acl

In this file, add the Ethernet MAC addresses (physical address of the LAN card) of the systems which need full Internet access.

#vi master-arp.lst

ee:xx:rr:44:55:cc    #mac of manager PC

Add the MAC of the searchPC, which needs full access during the evening, 4 – 6 PM.

#vi search-arp.lst

ee:xx:rr:44:55:cd     #mac of search user pc

Add the list of support sites accessed by the Support Team.

#vi supportsites.lst

.teamviewer.com

.ShowMyPC.com

Add the IP addresses of the support users' systems.

#vi support-ip.lst

192.168.1.100

Add websites which are allowed to everyone and all the time.

#vi open-to-all.lst

.google.com

.example.com

Add the sites which you want to block all the time.

#vi badsites.lst

.youtube.com

.video.com

.xyz.com

Start the squid service:

#service squid start

Later on, if you make any changes to the squid configuration or any of the squid ACL files, you have to restart the squid service for the new configuration to take effect.

#service squid restart

If the squid service does not start with an OK status, review the error message, or undo your last changes and restart the squid service.
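Most restart failures with this layout come from a quoted list file that is missing, empty, or filled with entries of the wrong shape for its ACL type. The following pre-restart check is an added example, not part of the original post: it pulls the quoted paths and ACL types out of squid.conf, validates the list files (arp lists must hold MAC addresses, src lists IPs or CIDRs), and runs `squid -k parse` when the binary is present; the `root` parameter and the list-file format it assumes (first token per line, `#` lines ignored) are this example's own conventions. Note that the placeholder MACs from the post (ee:xx:rr:44:55:cc) are flagged until replaced with real addresses.

```python
"""Added pre-restart check for this post's squid.conf: every quoted list file must
exist, be non-empty, and hold entries that fit its ACL type (arp -> MAC, src -> IP)."""
import ipaddress
import os, re, shutil, subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def referenced_lists(conf_text):
    """Yield (acl_type, path) for each acl line that quotes a list file."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl":
            for m in re.finditer(r'"([^"]+)"', line):
                yield parts[2], m.group(1)

def entries(path):
    """First token of each non-blank, non-comment line (list format assumed here)."""
    with open(path) as fh:
        return [l.split()[0] for l in fh if l.strip() and not l.lstrip().startswith("#")]

def is_valid(acl_type, entry):
    """arp entries must be MAC addresses, src entries IPs or CIDRs; others are free-form."""
    if acl_type == "arp":
        return bool(MAC_RE.match(entry))
    if acl_type == "src":
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return True

def check_lists(conf_text, root="/"):
    """Map each referenced list file to its problems ([] means OK); root = staging copy."""
    problems = {}
    for acl_type, path in referenced_lists(conf_text):
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(real):
            problems[path] = ["missing"]
            continue
        ents = entries(real)
        problems[path] = ["empty"] if not ents else [
            f"bad {acl_type} entry: {e}" for e in ents if not is_valid(acl_type, e)]
    return problems

def squid_parse(conf_path):
    """True/False from `squid -k parse -f conf`; None when squid is not installed."""
    return (None if shutil.which("squid") is None else
            subprocess.run(["squid", "-k", "parse", "-f", conf_path]).returncode == 0)
```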

IPTABLES configuration for squid.

#Accept Connections on squid port 8080

iptables -I INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

#Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Read my post on IPTABLES to configure iptables firewall rules for squid and for the systems behind the proxy/Linux firewall.
