Squid Proxy Server- Installation & Configuration
Hello Linux-Fanatics. In this tutorial we will be discussing Squid Proxy Server, which is a widely used Open Source web proxy.But before we dig deep into it, lets discuss what is a Web proxy server & what are the benefits of using a web proxy.
Web Proxy
A proxy is an intermediary/middle-agent between computer/computers & other resources, mostly internet. It seeks requests from client & transfer them to internet.
Benefits of a Web Proxy
- It can be used to accelerate the internet as a proxy can build up a cache of frequently used websites, which makes it easier & faster to load up after,
- Can be used to block/allow websites as required,
- also can be used to bypass another web proxy . For example in many organizations Social networking websites like Facebook, Twitter , Youtube etc are not allowed. So a web proxy can be used to bypass those restrictions & provide access to restricted websites.
Squid proxy server
Its a caching proxy server which supports HTTP, HTTPS, FTP . It can be used as an accelerating server, thereby decreasing response time & reducing bandwidth. It can also be used for the purpose of Web filtering due to availability of extensive access controls.
And we will be exploring web filtering part in this tutorial.
Scenario Setup
Firstly, to test or create a squid proxy setup, we will need a squid server & a client machine.
Squid server Client’s Machine
OS : Centos/RHEL 6 or 7 OS: Centos/RHEL 6 or 7
Hostname : server.test.com Hostname: client1.test.com
IP Address :192.168.1.100 IP Address : 192.168.1.101
Important
Configuration file /etc/squid/squid.conf
Installation
In order to install, use following command
Configuration
We need to create an ACL rule (Access Control List), which is the list or rule with list of access control entries.Some acl rules are already written in configuration file by default in the configuration file,
acl localhost src 127.0.0.1/32
http_access allow localhost (some lines below the above line)
So, this is what an acl rule look like. Lets see what these means,
firstly,acl this is declaring that a new acl is starting
then,localhost is the name of acl created
src is used in case acl is for local Ipadress , srcdomain is used for declaring Localdomain, dst for public IP & dstdomain for publlic domain name
and lastly,127.0.01/32 declares the IP Address on which the acl is to be applied, in this case its localhost or 127.0.0.1
Next line i.e. http_access allow localhost, means
http_access will initiate an action based on next word
allow/deny will either allow or deny access
and,localhost again is the name of acl as declared above.
So, basically that how we create a ACL/rule in squid proxy server.
Now, lets restart our server (with default config file) & configure the client machine to see if proxy is working properly.
service squid restart
chkconfig squid on
Note Its always wise to have a backup of original configuration file when starting to make changes. So, create a backup a backup of before starting.
Configuration on Client Side
- Open Edit menu —> Preferences —> Advanced —-> Settings
- Check the box ‘ Manual proxy configuration’ & enter IP Address & Port Number of squid proxy server.
In our case its 192.168.1.100 & 3128.
& that’s all we need to configure on Client’s side.
Then we check out if its works. Open a website (example Facebook.com), if proxy server is working properly you will be greeted with an error ‘ Access Denied’. That’s because by default internet access is denied for all in server.
Now, lets check logs in server, to see if a request was received by proxy server or not,
tail -f /var/log/squid/access.log
and it should show you all the received requests from client to server.
Restricting access to websites
In order to restrict access to a website, open configuration file & then create a new acl
acl blacksite .facebook.com
and deny access to the acl
Note Also set “http_access deny all” to “http_access allow all “, otherwise we wont be able to access internet.
Now, restart your squid proxy server to apply changes or we can also use squid -k reconfigure to implement changes to server without restarting the server.
then, we will access client’s machine and open Facebook but you wont be able to access it at all. As for other websites you can access them just fine.
Now, we will proceed further & discuss how to block multiple website with single acl, creating a time based acl & also speeding up our browsing by enabling cache.
Blocking Multiple websites
Firstly, we will create a file named blacksites (or bad-domains or whatever )
and add the websites we need blocked & save the file
.facebook.com
.youtube.com
.twitter.com
Now, open main configuration file
acl blacksites dstdomain /etc/squid/blacksites
then, we deny access to the created acl
http_access deny blacksites
lastly, restart proxy server to apply changes.
Note you can also use squid -k reconfigure to apply changes to server without actually restarting the server.
Time based acl
Sometimes, we might require access to a blocked website for a certain period of time or we might need to block certain websites for certain time. This can be achieved using a time based acl
Firstly, open configuration file
then create a new acl and allow access to the acl
acl timebased time MTW 10:30-11:30
http_access allow blacksites
lastly, restart your server to implement changes. & we now have access of blocked sites on Monday, Tuesday & Wednesday between 10:30AM to 11:30AM .
Enabling cache to speed up browsing
So, by enabling cache in our server we can speed up our browsing speed for frequently visited pages.
By adding just one line in our configuration file, we can enable cache.
To enable cache , open configuration file
and add following line to bottom of the file
cache_dir ufs /var/cache/squid 2000 16 256
where ufs is squid storage format,
/var/cache/squid is path for cache storage,
2000 is size in MB can be used for cache,
and, 16 is number of 1st level sub-directories & 256 is 2nd level sub directories in cache folder.
Some pretty useful SQUID tips & tricks
Setting up squid with a customized port
Default port number for Squid proxy server is 3128 but we can change it any other port as per our requirement. For example, if we want to change the default port from 3128 to 8080, we can do so by making any entry for same in squid configuration file i.e. ‘/etc/squid/squid.conf‘
$ sudo vim /etc/squid/squid.conf
& search for ‘http_port 3128’ & change it to
Save file & exit. Than restart the squid service to implement the changes.
$ sudo systemctl restart squid
$ sudo squid -k reconfigure
to implement changes, without restarting the squid service.
Limit download size of the files
We can also impose a download limit based on file size for squid proxy users. We need to provide ‘reply_max_body_size’ directive in squid.conf file to impose a file size limit.
$ sudo vim /etc/squid/squid.conf
& make the following entry in the bottom of the file
reply_body_max_size 5120 KB all
This will impose a limit of max 5Mb download for a single file for all the squid users. We can also impose limit based on user,
reply_body_max_size 5120 KB user1 user2
reply_body_max_size 5120 KB user1 group2
After making changes to file save it & restart or reconfigure squid to implement the changes.
Limit upload size of the files
To impose limit of size of file that can be uploaded, we use “request_body_max_size”. Make the following entry in squid.conf to impose limit on file uploads,
$ sudo vim /etc/squid/squid.conf
request_body_max_size 100kb
Save file & restart/reconfigure the squid server to implement changes. We can also impose upload limits based on users & groups, same as we imposed limits on file download.
Allow Squid proxy to cache all requests
To cache all the requests that are made in squid server, add the following directive in squid.conf file,
$ vim /etc/squid/squid.conf
Save file & reconfigure the squid server to implement the changes.
Disable caching of some websites
To disable cache only on some website, we will first create an ACL with websites & than disable the caching for that ACL. Make the following entries on squid.conf file,
$ vim /etc/squid/squid.conf
acl NOcache_websites dstdomain www.linuxtechlab.com www.msn.com
no_cache deny Nocache_websites
Save file & restart/reconfigure the squid server to implement changes.
Deny cache requests for some file extensions
To disable caching of files with certain extension, add the following lines in squid.conf file.
$ sudo vim /etc/squid/squid.conf
hierarchy_stoplsit .mp3 ?
hierarchy_stoplist .xls ?
acl ext1 urlpath_regex \.mp3 \?
acl ext2 urlpath_regex \.xls \?
Here, we have blocked caching for MP3 & XLS files. Save file & restart/reconfigure the squid server to implement changes.
Note:- To remove existing cached file, execute following command from terminal,
$ sudo rm -rf /var/spool/squid/*
Deny all cache requests
To deny all cache requests made to squid server, add the following directive in squid.conf file
$ vim /etc/squid/squid.conf
Save file & reconfigure the squid server to implement the changes.
