SQUID Proxy On RHEL5/CentOS - Everything That You Should Know About [Part 1]
The main feature or duty of a proxy server could be a gateway that receives HTTP requests from clients and forwards the request to the destination and relays the answer back to the requestor.
Squid is most popular open-source software that brings this to us. It also has some excellent features for doing something else such as web access controlling, bandwidth controlling, restriction policies, and content caching and filtering. Actually people install SQUID to pursuit 2 goals: first reduce the bandwidth charges by content caching and second for restricting access to particular contents.
The following guide explains advantages of using Squid and will show you how to install, configure, control, and maintain the Squid Proxy Server on RHEL5 and CentOS Linux.
*** Notice : This guide or tutorial or whatever you like to call it is based on my personal exprience and I guarantee to you 100% that it's working like a charm for me. So if you install this software and for any reason you have technical difficulties just post the comment and I'll be with you to solve that. ***
Just something that you should know:
'#' hash sign before rule line in config file will disable the rule.
If you need to use your proxy server you need to modify the browser settings on your client computer, for example: IE > Internet Option > Lan Setting > enable proxy server checkbox > set IP Address of your Squid proxy server and port (default is 3128).
Before anything: If you are not sure Squid was installed, type the following command:
# rpm -q squid
squid-2.6.STABLE6-5.el5_1.3 //this means you have squid installed on your box and do not need to install, so prepare your self for the configuration.
To install on RHEL5/CentOS type this command:
# yum install squid
And if you cannot use yum then try this way:
First download the latest version of squid from http://www.squid-cache.org/ (official Squid website) and move it to /tmp:
# cd /tmp
# rpm -ivh squid-2.6.STABLE.rpm
This will install squid configurations and binaries in their directories. After that use this command to run the program automatically when the system boots:
# chkconfig --level 35 squid on // runlevel 3 is for running squid on text based and 5 is for running on x environments
Ok, now it's time to start the service so:
# service squid start
For the configuration you need to open the config file depending on your version of Linux, for RHEL5/CentOS do like this:
# vi /etc/squid/squid.confThat's it, you can define most parameters in here, remember on start or restart of the service or viewing the log files you may see this error:
WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.It means the hostname isn't correctly defined and you need to change the visible_hostname in the config file. It needs to change for identity of the cache server or troubleshooting or viewing the logs. So change it before anything else like this:
As you can see http_port 3128, it means Squid listens for requests from HTTP clients on this port.
Access Control Lists (ACL)
ACLs are used to restrict usage, limit web access of host(s); each ACL line defines a particular type of activity, such as an access time or source network, after that we need to link the ACL to an http_access statement that tells Squid whether or not to deny or allow traffic that matches the ACL.
When you install Squid for the first time, you need to add some acls to allow your network to use the internet because squid by default denies web access.
The syntax of an ACL is like this:
acl aclname acltype valueThis example will allow localhost to access the internet:
aclname = rulename (it could be some desire name like mynetwork)
acltype = type of acl like : src, dst (src:source ip | dst:destination ip)
value = it could be ip address, networks, URLs ,...
acl localhost src 127.0.0.1/32
http_access allow localhost
We are allowing the computer that matches the ip address range contained in the localhost ACL to access the internet. There are other ACLs and ACL-operators available for Squid, but this is good for practice.
So with this syntax, you can now tell squid how to work. Suppose you want to allow your 192.168.1 network range to access the internet, you can do this but first open the config file and find these lines:
http_access allow localhost http_access deny all
Replace them with:
acl mynetwork src 192.168.1.0/24 http_access allow localhost http_access allow mynetwork http_access deny all
Note: Specify the rules before the line http_access deny all. After that change save your file and restart the squid service.
(If you use vi editor use this to save and quit > 1-press ESC key 2-type ':x' without quotation and hit enter.)
# service squid restart
Remember you may see an error after restarting the squid service for using "/24" in your config, if so don't panic you can easily change /24 to /255.255.255.0 and again restart the squid service, after restarting your entire network which uses the IP addresses 192.168.1.1 to 192.168.1.254 have access to the internet.
You may ask yourself about allowing internet to everyone except particular ip addresses, actually it's a good start and brings some fun :) . Ok, to do this open the config file and do like this:
acl bad_employee src 192.168.1.18 http_access deny bad_employee acl mynetwork src 192.168.1.0/24 http access allow mynetwork
In the above example the entire network will be allowed to use the internet except the blocked person (bad_employee). Remember Squid interprets the rules from top to bottom, so you need to be careful.
You can create a restricting rule by times for your company and assign that to your created mynetwork acl like this:
acl mynetwork src 192.168.1.0/24 acl business_hours time M T W H F 9:00-17:00 acl bad_employee src 192.168.1.18 http_access deny bad_employee http_access allow mynetwork business_hours
Day-abbrevs: S - Sunday M - Monday T – Tuesday W - Wednesday H - Thursday F - Friday A - Saturday
You can also block a particular URL like this:
acl block_site dst www.yahoo.com http_access deny block_site
www.yahoo.com will be filtered BUT mail.yahoo.com is open because we block yahoo.com, so if you want to block a single url and its subdomains we do it like this:
acl block_domain dstdomain .yahoo.com http_access deny block_domain
And you can do more than blocking one URL, if you want to block more than a single domain we need to create a file to hold the particular URLs and give this file read permissions like this:
# touch /etc/squid/block_list.txt
# chmod 444 /etc/squid/block_list.txt
# vi /etc/squid/block_list.txt
Enter some URLs to block like this:
www.sxx.com www.yahoo.com www.hotmail.com
And then save and quit, it's time to create rules. Open the config file and put these parameters in it:
acl block_list url_regex "/etc/squid/block_list.txt" http_access deny block_list
You can block the URLs that contain unexpected words like this:
acl blockword url_regex sxx http_access deny blockword
(You can block case insensitive words like this : -i sxx)
You can block downloads of .exe files like this:
acl block_exe url_regex .*\.exe$ http_access deny block_exe
If you want block more extensions to download you can specify all in a file as described before (exact like some URL to block section).
You can block TLDs (.br .eu) like this:
acl block_tld dstdom_regex \.br$ http_access deny block_tld
You can configure squid to prompt for username and password from users with ncsa_auth that reads an NCSA-compliant encrypted password file, so:
# htpasswd -c /etc/squid/squid_passwd your_username
enter pass : your_password
# chmod o+r /etc/squid/squid_passwd
Open the config file and put these lines in it and change to your own configuration:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd acl ncsa_user proxy_auth REQUIRED http_access allow ncsa_user
If you don't want to modify the browser for using a proxy there is a method that is called "Transparent Proxy"; to use this you need to do like this:
Prior to Squid Version 2.6:
httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
Squid Version 2.6 to 3.0:
http_port 3128 transparent
Squid Version 3.1+ :
http_port 3128 intercept
Thanks for taking the time to read this guide, I hope it's helpful.
This guide was part 1, and in part 2 we will know about "Content Caching" , "Load Balancing", "Bandwidth Management", "Squid Logs", "Nmap" and "Monitoring [Visited URLs by Useres]" and more ...
Have fun! :)