SQUID Proxy On RHEL5/CentOS - Everything That You Should Know About [Part 1]

The main feature or duty of a proxy server could be a gateway that receives HTTP requests from clients and forwards the request to the destination and relays the answer back to the requestor.

Squid is most popular open-source software that brings this to us. It also has some excellent features for doing something else such as web access controlling, bandwidth controlling, restriction policies, and content caching and filtering. Actually people install SQUID to pursuit 2 goals: first reduce the bandwidth charges by content caching and second for restricting access to particular contents.

The following guide explains advantages of using Squid and will show you how to install, configure, control, and maintain the Squid Proxy Server on RHEL5 and CentOS Linux.

*** Notice : This guide or tutorial or whatever you like to call it is based on my personal exprience and I guarantee to you 100% that it's working like a charm for me. So if you install this software and for any reason you have technical difficulties just post the comment and I'll be with you to solve that. ***

Just something that you should know:
'#' hash sign before rule line in config file will disable the rule.
If you need to use your proxy server you need to modify the browser settings on your client computer, for example: IE > Internet Option > Lan Setting > enable proxy server checkbox > set IP Address of your Squid proxy server and port (default is 3128).

Before anything: If you are not sure Squid was installed, type the following command:

# rpm -q squid

squid-2.6.STABLE6-5.el5_1.3     //this means you have squid installed on your box and do not need to install, so prepare your self for the configuration.

To install on RHEL5/CentOS type this command:

# yum install squid

And if you cannot use yum then try this way:

First download the latest version of squid from http://www.squid-cache.org/ (official Squid website) and move it to /tmp:

# cd /tmp
# rpm -ivh squid-2.6.STABLE.rpm

This will install squid configurations and binaries in their directories. After that use this command to run the program automatically when the system boots:

# chkconfig --level 35 squid on     // runlevel 3 is for running squid on text based and 5 is for running on x environments

Ok, now it's time to start the service so:

# service squid start

For the configuration you need to open the config file depending on your version of Linux, for RHEL5/CentOS do like this:

# vi /etc/squid/squid.conf
That's it, you can define most parameters in here, remember on start or restart of the service or viewing the log files you may see this error:

WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.

It means the hostname isn't correctly defined and you need to change the visible_hostname in the config file. It needs to change for identity of the cache server or troubleshooting or viewing the logs. So change it before anything else like this:

visible_hostname HowtoForge

As you can see http_port 3128, it means Squid listens for requests from HTTP clients on this port.

 

Access Control Lists (ACL)

ACLs are used to restrict usage, limit web access of host(s); each ACL line defines a particular type of activity, such as an access time or source network, after that we need to link the ACL to an http_access statement that tells Squid whether or not to deny or allow traffic that matches the ACL.

When you install Squid for the first time, you need to add some acls to allow your network to use the internet because squid by default denies web access.

The syntax of an ACL is like this:

acl aclname acltype value
aclname = rulename (it could be some desire name like mynetwork)
acltype = type of acl like : src, dst (src:source ip | dst:destination ip)
value = it could be ip address, networks, URLs ,...
This example will allow localhost to access the internet:

acl localhost src 127.0.0.1/32
http_access allow localhost

We are allowing the computer that matches the ip address range contained in the localhost ACL to access the internet. There are other ACLs and ACL-operators available for Squid, but this is good for practice.

So with this syntax, you can now tell squid how to work. Suppose you want to allow your 192.168.1 network range to access the internet, you can do this but first open the config file and find these lines:

http_access allow localhost 
http_access deny all 

Replace them with:

acl mynetwork src 192.168.1.0/24 
http_access allow localhost 
http_access allow mynetwork 
http_access deny all 

Note: Specify the rules before the line http_access deny all. After that change save your file and restart the squid service.

(If you use vi editor use this to save and quit > 1-press ESC key 2-type ':x' without quotation and hit enter.)

# service squid restart

Remember you may see an error after restarting the squid service for using "/24" in your config, if so don't panic you can easily change /24 to /255.255.255.0 and again restart the squid service, after restarting your entire network which uses the IP addresses 192.168.1.1 to 192.168.1.254 have access to the internet.

You may ask yourself about allowing internet to everyone except particular ip addresses, actually it's a good start and brings some fun :) . Ok, to do this open the config file and do like this:

acl bad_employee src 192.168.1.18
http_access deny bad_employee
acl mynetwork src 192.168.1.0/24
http access allow mynetwork

In the above example the entire network will be allowed to use the internet except the blocked person (bad_employee). Remember Squid interprets the rules from top to bottom, so you need to be careful.

You can create a restricting rule by times for your company and assign that to your created mynetwork acl like this:

acl mynetwork src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl bad_employee src 192.168.1.18
http_access deny bad_employee
http_access allow mynetwork business_hours

Day-abbrevs: S - Sunday M - Monday T – Tuesday W - Wednesday H - Thursday F - Friday A - Saturday

You can also block a particular URL like this:

acl block_site dst www.yahoo.com
http_access deny block_site

www.yahoo.com will be filtered BUT mail.yahoo.com is open because we block yahoo.com, so if you want to block a single url and its subdomains we do it like this:

acl block_domain dstdomain .yahoo.com
http_access deny block_domain

And you can do more than blocking one URL, if you want to block more than a single domain we need to create a file to hold the particular URLs and give this file read permissions like this:

# touch /etc/squid/block_list.txt
# chmod 444 /etc/squid/block_list.txt 
# vi /etc/squid/block_list.txt

Enter some URLs to block like this:

www.sxx.com
www.yahoo.com
www.hotmail.com

And then save and quit, it's time to create rules. Open the config file and put these parameters in it:

acl block_list url_regex "/etc/squid/block_list.txt"
http_access deny block_list

You can block the URLs that contain unexpected words like this:

acl blockword url_regex sxx
http_access deny blockword

(You can block case insensitive words like this : -i sxx)

You can block downloads of .exe files like this:

acl block_exe url_regex .*\.exe$
http_access deny block_exe

If you want block more extensions to download you can specify all in a file as described before (exact like some URL to block section).

You can block TLDs (.br .eu) like this:

acl block_tld dstdom_regex \.br$
http_access deny block_tld

You can configure squid to prompt for username and password from users with ncsa_auth that reads an NCSA-compliant encrypted password file, so:

# htpasswd -c /etc/squid/squid_passwd your_username

  enter pass : your_password
# chmod o+r /etc/squid/squid_passwd

Open the config file and put these lines in it and change to your own configuration:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_user proxy_auth REQUIRED
http_access allow ncsa_user

If you don't want to modify the browser for using a proxy there is a method that is called "Transparent Proxy"; to use this you need to do like this:

Prior to Squid Version 2.6:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Squid Version 2.6 to 3.0:

http_port 3128 transparent

Squid Version 3.1+ :

http_port 3128 intercept

Thanks for taking the time to read this guide, I hope it's helpful.

This guide was part 1, and in part 2 we will know about "Content Caching" , "Load Balancing", "Bandwidth Management", "Squid Logs", "Nmap" and "Monitoring [Visited URLs by Useres]" and more ...

Have fun! :)

Share this page:

16 Comment(s)