How To Install And Config Squid On Rhel/ Centos

Shubham NimkarShubham Nimkar
6 min read

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

Requirements:

Three Virtual Machines
VMs of Centos 7.9: Two
VMs of Windows Server 2016: One

Configuration:

One master and two client nodes

Let's see the network settings for our master and clients.

Master: You should have two network adapters NAT and HOST-ONLY
You can view in network settings in created, here you can see two adapters

ENS 37

ENS 33

Client machines will be in HOST-ONLY mode.

CLIENT1: CENTOS 7.9 VM

CLIENT2: WINDOWS SERVER 2016:

PROXY SETTINGS (TO BE DONE ON ALL CLIENT'S BROWSERS)

ON CENTOS MACHINE

ON WINDOWS MACHINE

Commands to be followed on master:

To install Squid :

yum install squid

Now changes are to be made in the "squid.conf" file

we can find squid.conf in the path below:

cd /etc/lib/squid/squid.conf

Make sufficient changes in the file:

1. Find the line given below and uncomment it. Mostly it can be found on line number 62

cache_dir ufs /var/spool/squid 128 16 256

Legends:

128 = Cache Size

16 = means 16 sub-directories will be created in /spool/squid

256 = means 256 sub-directories will be created in the upper 16 subdirectories

2. To customize the name of the machine to be seen on the error page insert a line below the cache_dir line

visible_hostname proxy. panda.demo

3. Now to create swap directories

squid -z

The squid.conf file will look something like this;

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl hpcsalab src 10.10.10.0/24
acl microsoft dstdomain .microsoft.com
http_access deny microsoft hpcsalab
http_access allow hpcsalab
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 2048 16 256
visible_hostname proxy.panda.demo
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

Let's see a few ways, how we can use SQUID

To Block On Entire Network:

  1. Create a file in the squid folder or any folder just mention the proper folder address and write the domains you want to block over the network

     vim /etc/squid/blocked_sites.txt

 And wrote these websites which I wanted to block

 .microsoft.com
 .esakal.com
 .redhat.com

  2. Edit squid.conf (Add acls and http_access)

    1. ACL = Access control list

      Syntax = acl <"name you want to give"> src <(source)> Network_IP

       vim squid.conf

 Add acls and http_access under this line which you want to include
      - Enter your network ip here in place of "10.10.10.0/24"

 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #
 acl hpcsalab src 10.10.10.0/24
 acl blocked_sites dstdomain "/etc/squid/blocked-sites.txt"
 http_access deny blocked_sites hpcsalab
 http_access allow hpcsalab

    2. Restart squid service

       systemctl restart squid

BLOCKED FOR A PARTICULAR CLIENT

  1. Create a file in the squid folder or any folder just mention the proper folder address
    and write the domains you want to block over the network here I've created centos7-blocked.txt
    vim /etc/squid/centos7-blocked.txt

    .microsoft.com
    .redhat.com
    .facebook.com

  1. Edit squid.conf (Add acls and http_access)

     #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #
 acl hpcsalab src 10.10.10.0/24
 acl blocked_sites dstdomain "/etc/squid/blocked-sites.txt"
 http_access deny blocked_sites hpcsalab
 http_access allow hpcsalab

 #http_access allow localnet
 http_access allow localhost

  1. Restart squid service

     systemctl restart squid

FOR A TIME PERIOD OR DAY

  1. We can block or can allow any websites for any time slot or day. Time will be in 24 HR format

    Days have specific alphabets assigned:

    Monday: M

    Tuesday: T

    Wednesday: W

    Thursday: H

    Friday: F

    Saturday: A

    Sunday: S

    so acl format will be: acl dstdomain this can be done to a bunch of websites too as we have done above

    Here I've taken bookmyshow.com for example to block on Saturday between evening 6 PM - 8 PM

  2. Edit squid.conf (Add acls and http_access)

      #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #
 acl my-time time A 18:00-20:00
 acl cdac dstdomain .bookmyshow.com
 http_access deny my-time

 #http_access allow localnet
 http_access allow localhost

  3. Restart squid service

     systemctl restart squid

FOR ANY WORDS WE WANT TO BLOCK:

  1. Make a file with all words you want to ban one by one in the lines below in one file

     vim /etc/squid/badwords.txt

 torrent
 cricket
 ipl
 football
 movies
 bookmyshow

  2. Edit squid.conf (Add acls and http_access)

     #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #
 acl hpcsalab src 10.10.10.0/24
 acl badwords url_regex -i "/etc/squid/badwords.txt"
 http_access deny badwords hpcsalab
 http_access allow hpcsalab

 #http_access allow localnet
 http_access allow localhost

  3. Restart squid service

     systemctl restart squid

Squid Authentication

  1. Add this in squid.conf file

     auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid-users

 auth_param basic children 5
     Children means number of users you want to create

 auth_param basic realm Squid Basic Authentication

 auth_param basic credentialsttl 2 hours
     Credentialssttl : facilitates admin to set password time for users

  2. Edit squid.conf (Add acls and http_access)

    Define ACL :

    Syntax of ACL: acl (name of the user) proxy_auth (name of the user)

     #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #

 auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid-users
 auth_param basic children 5
 auth_param basic realm Squid Basic Authentication
 auth_param basic credentialsttl 2 hours
 acl acts_users proxy_auth REQUIRED

 acl user1 proxy_auth user1
 acl user1-access dstdomain "/etc/squid/user1.txt"
 acl all_web dstdomain .

 acl panda proxy_auth panda
 acl panda-access dstdomain "/etc/squid/panda.txt"

 http_access allow !user1-access user1
 http_access allow !panda-access panda

 http_access allow all_web acts_users
 http_access allow localhost

 # And finally deny all other access to this proxy
 http_access deny all

  3. Restart squid service

     systemctl restart squid

Learn, apply and execute....

Hope it helps you in your endevours ..

1
Subscribe to my newsletter

Read articles from Shubham Nimkar directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Linuxsecurity systemsquidproxy

Written by

Shubham Nimkar
Shubham Nimkar

A passionate DevOps & High Performance Computing enthusiast from India