Install and configure transparent squid proxy server : RHEL/CentOS 6.x
In this tutorial, we will learn how to install and configure a transparent Squid proxy server on RHEL/CentOS 6.x. In this practical we will install the Squid version 3.5.0 package on CentOS 6.5 / RHEL 6.5. Squid is designed to run on Unix-like operating systems. Up to version 2.7, Windows was supported; at the time of writing this post, no Windows port of Squid version 3.x has been developed.
What is Squid Server
Squid is a web cache and web filtering server. It is based upon the Harvest Cache Daemon.
Because Squid can cache, it helps improve the performance of web access. It can deliver web content that is static, dynamic or streamed, and it speeds up web browsing for its end clients.
Default port number used by the Squid service
By default, the Squid service listens on port 3128.
Squid : Transparent Web Proxy Server
Squid is widely used for web filtering and caching. It is also used as a transparent web proxy server; transparent proxying is also known as interception caching.
Interception caching is a process in which HTTP requests from clients are redirected to the cache server (Squid) without any configuration on the end-user clients. In this way, the end-user clients do not know that their traffic has been redirected to the cache server (transparent proxy).
Transparent Squid Proxy versus Ordinary Squid proxy
With an ordinary Squid proxy server, end-user client traffic is sent to the Squid proxy server, but for this we have to configure the web browser settings on each client machine. (We will also show how to do these settings in this tutorial.)
With a transparent Squid proxy, we do not have to configure the web browser on each client machine; the traffic is redirected to the Squid server by the gateway. IPTABLES NAT (Network Address Translation) plays a very crucial role in setting up the transparent Squid proxy (always remember this).
Install and Configure Squid Transparent Proxy Server
Follow the steps below to install and configure the Squid web proxy server.
Step 1: Create a yum client repo file on RHEL/CentOS. We do this to get the latest Squid version:
vi /etc/yum.repos.d/squid.repo
Paste the contents below into /etc/yum.repos.d/squid.repo:
[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
# gpgcheck=0 disables RPM signature verification for packages from this third-party repository
gpgcheck=0
Step 2: Install the EPEL repository on the system (needed for the Perl packages):
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Step 3: Install Squid and perl-Crypt-OpenSSL with yum:
yum install squid perl-Crypt-OpenSSL
For reference, the output below shows the packages that the command yum install squid perl-Crypt-OpenSSL will install:
Dependencies Resolved
=====================================================================================================
Package Arch Version Repository Size
=====================================================================================================
Installing:
squid x86_64 7:3.5.0.001-1.el6 squid 2.7 M
Installing for dependencies:
ksh x86_64 20120801-10.el6_5.3 updates 756 k
libtool-ltdl x86_64 2.2.6-15.5.el6 base 44 k
perl x86_64 4:5.10.1-136.el6 base 10 M
perl-Crypt-OpenSSL-X509 x86_64 1.800.2-1.el6 epel 37 k
perl-DBI x86_64 1.609-4.el6 base 705 k
perl-Module-Pluggable x86_64 1:3.90-136.el6 base 40 k
perl-Pod-Escapes x86_64 1:1.04-136.el6 base 32 k
perl-Pod-Simple x86_64 1:3.13-136.el6 base 212 k
perl-libs x86_64 4:5.10.1-136.el6 base 578 k
perl-version x86_64 3:0.77-136.el6 base 51 k
Transaction Summary
=====================================================================================================
Install 11 Package(s)
Total download size: 15 M
Installed size: 47 M
Is this ok [y/N]: y
Step 4: After installing the squid package, all Squid-related configuration files are located under /etc/squid. Explore these files:
[root@localhost ~]# cd /etc/squid/
[root@localhost squid]#
[root@localhost squid]# ls -l
total 48
-rw-r--r--. 1 root squid 419 Jan 27 18:19 cachemgr.conf
-rw-r--r--. 1 root root 419 Jan 27 18:19 cachemgr.conf.default
-rw-r--r--. 1 root root 1547 Jan 27 18:18 errorpage.css
-rw-r--r--. 1 root root 1547 Jan 27 18:18 errorpage.css.default
-rw-r--r--. 1 root root 11954 Jan 27 18:19 mime.conf
-rw-r--r--. 1 root root 11954 Jan 27 18:19 mime.conf.default
-rw-r-----. 1 root squid 2315 Jan 27 18:19 squid.conf
-rw-r--r--. 1 root root 2315 Jan 27 18:19 squid.conf.default
[root@localhost squid]#
Step 5: Take a backup of the squid.conf file:
cp -p /etc/squid/squid.conf /etc/squid/squid.conf.orig
Step 5 (continued): Disable SELinux. Edit /etc/sysconfig/selinux and set SELINUX=disabled:
vi /etc/sysconfig/selinux
SELINUX=disabled
Now reboot the system so that the SELinux change takes effect permanently.
IMPORTANT NOTE: If you want to keep SELinux in enforcing mode instead, read this post. (You may have to repeat the same steps more than once because of AVC denials in the SELinux policy for Squid.)
init 6
Step 6: Below is the default squid.conf configuration. (You can use the same settings for an ordinary Squid proxy server.)
NOTE: egrep -v '^#|^$' hides the lines starting with # and all blank lines.
[root@localhost ~]# egrep -v '^#|^$' /etc/squid/squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
[root@localhost ~]#
Step 7: To turn the Squid proxy server into a transparent proxy server, add "accel vhost allow-direct" to the "http_port 3128" line in /etc/squid/squid.conf:
http_port 3128 accel vhost allow-direct
As per our network, the inside LAN is 172.16.0.0/255.255.0.0, so we edit the "acl localnet src" lines in squid.conf.
Now I will add a new local network ACL line to squid.conf and comment out the ACL lines for the other private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16):
vi /etc/squid/squid.conf
## added this new line as per my network
acl localnet src 172.16.0.0/16
Below is the complete configuration for the Squid transparent proxy server:
vi /etc/squid/squid.conf
acl localnet src 172.16.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# 'blocksites' is not defined by any acl line above, and Squid refuses to start when an http_access rule
# names an undefined ACL. Define it first (e.g. acl blocksites dstdomain "/etc/squid/blocksites.txt",
# where the file path is a placeholder of your choosing), then uncomment the rule:
#http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 accel vhost allow-direct
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
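The configuration above references an ACL name (blocksites) that no acl line defines, which Squid rejects at startup. The shell script below, added here as an example and not part of the original post, lints a squid.conf for such undefined ACL references and reports the mode keyword on the http_port line, running against a constructed sample of the post's rules so it works offline.

```shell
#!/bin/sh
# Added example (not from the original post): lint a squid.conf before
# restarting Squid. Squid refuses to start when an http_access rule names
# an ACL that no "acl" line defines, so catch that before the restart.

# ACL names Squid 3.x defines internally; they never appear on an "acl" line.
BUILTIN_ACLS="all manager localhost to_localhost"

# Print, one per line, each ACL name used by http_access but never defined.
# Prints nothing when the file is clean.
undefined_acls() {
    conf="$1"
    defined=" $BUILTIN_ACLS $(awk '$1 == "acl" { print $2 }' "$conf" | tr '\n' ' ') "
    # Tokens after allow/deny are ACL names; "!" negates, "#" starts a comment.
    awk '$1 == "http_access" { for (i = 3; i <= NF; i++) {
             if ($i ~ /^#/) break; sub(/^!/, "", $i); print $i } }' "$conf" |
        sort -u | while read -r name; do
            case "$defined" in
                *" $name "*) ;;
                *) echo "$name" ;;
            esac
        done
}

# Report the mode keyword of the first http_port line: intercept, tproxy,
# accel, or "plain" for an ordinary forward-proxy port. Squid 3.x documents
# intercept for NAT-redirected traffic and accel for reverse proxying.
http_port_mode() {
    awk '$1 == "http_port" { mode = "plain"
         for (i = 3; i <= NF; i++) if ($i ~ /^(intercept|tproxy|accel)$/) mode = $i
         print mode; exit }' "$1"
}

# Constructed sample: the post's rule set, trimmed, including its reference
# to a "blocksites" ACL that no acl line defines.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
acl localnet src 172.16.0.0/16 # RFC1918 possible internal network
acl Safe_ports port 80 # http
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny blocksites
http_access allow localnet
http_access deny all
http_port 3128 accel vhost allow-direct
EOF
echo "undefined ACLs: $(undefined_acls "$SAMPLE_CONF")"   # blocksites
echo "http_port mode: $(http_port_mode "$SAMPLE_CONF")"   # accel
```

Run it as sh lint.sh after replacing the sample with the path of the real /etc/squid/squid.conf; an empty "undefined ACLs" line means every http_access rule refers to a defined ACL.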
Step 8: Restart the Squid service:
/etc/init.d/squid restart
Step 9: Create an IPTABLES script. You can modify the script as per your requirements. (Test the script on a staging machine before applying it to a live server.)
Create the bash script file:
vi /root/firewall.sh
Paste the contents below into /root/firewall.sh, then save and close the file.
#!/bin/bash
#
# Transparent Squid proxy firewall script (CentOS/RHEL 6, iptables)
#
# Ethernet device name connected to the LAN
ETHERNET_LAN="eth2"
# Ethernet device name connected to the Internet
ETHERNET_INTERNET="eth0"
# Squid server IP address (LAN side)
SQUID_SERVER_IP="172.16.15.1"
# Squid port number
SQUID_PORT="3128"
### TCP ports to accept on INPUT from any interface (comma separated)
MULTI_PORT="22,20,21"
#### Flush all rules in the filter table
iptables -F
##### Delete user-defined chains in the filter table
iptables -X
### -t selects the table ###
#### Flush NAT rules and delete user-defined NAT chains
iptables -t nat -F
iptables -t nat -X
#### Flush mangle rules and delete user-defined mangle chains (mangle: used for specific types of packet alteration) #####
iptables -t mangle -F
iptables -t mangle -X
# Load the connection-tracking modules needed for NAT (ip_conntrack is an alias of nf_conntrack on RHEL 6)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
##### Enable IPv4 forwarding so the box can route LAN traffic ####
echo 1 > /proc/sys/net/ipv4/ip_forward
## Default policies: drop inbound traffic unless a rule below accepts it; allow all outbound.
## No FORWARD policy is set here, so whatever policy was already in place (ACCEPT by kernel default) remains.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
## INPUT/OUTPUT rules for loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## From the Internet side, only replies to connections we initiated may come in
iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
## Masquerade traffic leaving through the Internet interface
iptables --table nat --append POSTROUTING --out-interface $ETHERNET_INTERNET -j MASQUERADE
## Forward traffic that arrives from the LAN
iptables --append FORWARD --in-interface $ETHERNET_LAN -j ACCEPT
## Trust the LAN interface fully
iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT
## Transparent proxy: send LAN web traffic (TCP port 80) to Squid without any browser settings
iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT
## Redirect TCP port 80 arriving on the Internet interface to the local Squid port
## (the INPUT policy above still drops new connections from that side unless a later rule accepts them)
iptables -t nat -A PREROUTING -i $ETHERNET_INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
###### Allow the TCP ports listed in MULTI_PORT on INPUT
#### To disable, put # in front of the line below
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT
## Log, then drop, everything else arriving on INPUT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Step 10: Give execute permission on /root/firewall.sh to its owner (root) only:
chmod 700 /root/firewall.sh
Step 11: Execute the firewall.sh script:
sh /root/firewall.sh
Client Side Configuration
Step 12: At the client side, you do not have to configure the web browser.
The only requirement is that the client's IP subnet is allowed in the Squid proxy server's configuration (the localnet ACL).