How to Setup Squid Proxy in Ubuntu Server 14.04

Squid is a proxy server that provides caching services to clients. Client web browsers send their requests to the proxy server, which delivers the requested content and keeps a copy of it in the proxy's hard disk cache. This speeds up internet access, especially for frequently used files, and reduces internet bandwidth usage. Squid does not require intensive CPU usage. To increase efficiency, I would recommend buying faster disks or adding more memory to the Squid proxy server. This post describes the basic steps to set up a Squid proxy on Ubuntu Server 14.04.

1. Install Squid 3 :

ehowstuff@ubuntu14:~$ sudo apt-get install squid3 -y

2. Configure the common settings :

ehowstuff@ubuntu14:~$ sudo vi /etc/squid3/squid.conf

Around line 919, define the allowed LAN segment :

..
acl lan_ehowstuff src 192.168.0.0/24
..

Around line 1058, allow the defined LAN :

..
http_access allow lan_ehowstuff
..

Listen on port 3128 :

# Squid normally listens to port 3128
http_port 3128

Save the configuration.

3. Configure Squid Proxy Authentication using digest authentication scheme :

a. Install the program ‘htdigest’ :

ehowstuff@ubuntu14:~$ sudo apt-get install apache2-utils -y

b. Set up a user :

sudo htdigest -c /etc/squid3/passwords realm_name user_name

Example :

ehowstuff@ubuntu14:~$ sudo htdigest -c /etc/squid3/passwords proxy proxyuser1
Adding password for proxyuser1 in realm proxy.
New password:
Re-type new password:

c. At lines 335-337, add the Squid digest authentication configuration. Please note that the helper digest_pw_auth has been renamed to digest_file_auth in Ubuntu 14.04. By default, the digest authentication scheme is not used unless the helper program is specified.

auth_param digest program /usr/lib/squid3/digest_file_auth -c /etc/squid3/passwords
auth_param digest realm proxy
acl authenticated_ehowstuff proxy_auth REQUIRED
http_access allow authenticated_ehowstuff

4. Restart Squid for the new configuration to take effect :

ehowstuff@ubuntu14:~$ sudo initctl restart squid3
squid3 start/running, process 2185

or

ehowstuff@ubuntu14:~$ sudo service squid3 restart

5. Verify that port 3128 is listening :

ehowstuff@ubuntu14:~$ sudo netstat -plunt | grep 3128
tcp6       0      0 :::3128                 :::*                    LISTEN      2185/squid3

6. Configure the proxy settings in the client browser.

7. Every time you open the browser, a proxy authentication box will be shown.

8. Monitor the access log on the proxy server. You can see proxyuser1 as the authenticated user :

ehowstuff@ubuntu14:~$ sudo tail -f /var/log/squid3/access.log
RECT/173.194.126.55 text/html
1409354804.372   1073 192.168.0.1 TCP_MISS/200 776 GET http://xml.alexa.com/data? proxyuser1 HIER_DIRECT/23.21.109.107 text/xml
1409354842.754    963 192.168.0.1 TCP_MISS/200 2285 POST http://sd.symcd.com/ proxyuser1 HIER_DIRECT/23.51.43.27 application/ocsp-response
1409354843.234   1489 192.168.0.1 TCP_MISS/200 915 POST http://ocsp.digicert.com/ proxyuser1 HIER_DIRECT/117.18.237.29 application/ocsp-response
1409354843.454   1549 192.168.0.1 TCP_MISS/200 2285 POST http://sd.symcd.com/ proxyuser1 HIER_DIRECT/23.51.43.27 application/ocsp-response
1409354848.074   3249 192.168.0.1 TCP_MISS_ABORTED/000 0 POST http://ocsp.thawte.com/ proxyuser1 HIER_NONE/- -
1409354848.877   3248 192.168.0.1 TCP_MISS_ABORTED/000 0 POST http://ocsp.thawte.com/ proxyuser1 HIER_DIRECT/199.7.71.72 -
1409354853.997   1120 192.168.0.1 TCP_MISS/200 794 GET http://hsrd.yahoo.com/_ylt=A86.IsJVDAFUTGsAVsJUqcB_;_ylu=X3oDMTQ0aHJqM2NuBGNjb2RlA2hvbWVydW4yBGNwb3MDMARnAzAyMTMtMGExNGQ5Zjc1NWZkZGUyYTY5M2E0ZmViNzE0MDUwOTctMDAxNARpbnRsA215BHBrZ3QDNARwb3MDMgRzZWMDdGQtb2ZsLWIEc2xrA3RpdGxlBHRlc3QDNjg0BHdvZQM5MTc5OTMzMg--/RV=1/RE=1410564437/RH=aHNyZC55YWhvby5jb20-/RO=2/RU=aHR0cHM6Ly9teS5zcG9ydHMueWFob28uY29tL2ZhbnRhc3kvc29jY2VyL3ByZW1pZXItbGVhZ3Vl/RS=%5EADA7H0JFo.Ud2RQRqK4zKbm5QoTGVg- proxyuser1 HIER_DIRECT/206.190.39.139 text/html
1409354854.482    280 192.168.0.1 TCP_MISS/200 446 GET http://toolbarqueries.google.com/tbr? proxyuser1 HIER_DIRECT/58.27.61.123 text/html
1409354854.750    549 192.168.0.1 TCP_MISS/200 4214 GET http://xml.alexa.com/data? proxyuser1 HIER_DIRECT/23.21.109.107 text/xml
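
One way to check from the log that authentication is really being enforced, as an added example that is not part of the original post: the script below parses the native access.log format shown above and lists requests that were served with no username in the user field, which is what appears when an http_access allow rule (such as the LAN rule) matches before the proxy_auth rule. The first three sample lines are taken from the output above, the last two are constructed, and the function names are this example's own.

```python
"""Audit Squid native-format access.log lines (added example)."""
from collections import Counter
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    client: str
    result: str          # Squid result code, e.g. TCP_MISS
    status: int          # HTTP status returned to the client
    method: str
    url: str
    user: Optional[str]  # None when the user field is "-"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for truncated or foreign lines."""
    fields = line.split()
    if len(fields) != 10:
        return None
    result, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    user = None if fields[7] == "-" else fields[7]
    return Entry(fields[2], result, int(status), fields[5], fields[6], user)


def audit(lines):
    """Summarise who was served, who was challenged, and what slipped through."""
    by_user = Counter()          # served requests per authenticated user
    challenges = Counter()       # 407 challenges per client address
    served_without_user = []     # served although no username was logged
    skipped = 0                  # lines that could not be parsed
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        elif entry.result.startswith("TCP_DENIED"):
            if entry.status == 407:
                challenges[entry.client] += 1
        elif entry.user is None:
            served_without_user.append(entry)
        else:
            by_user[entry.user] += 1
    return {
        "by_user": by_user,
        "challenges": challenges,
        "served_without_user": served_without_user,
        "skipped": skipped,
    }


# Lines 1-3 come from the log output above (line 1 is truncated there);
# lines 4-5 are constructed for this example.
SAMPLE_LOG = """\
RECT/173.194.126.55 text/html
1409354804.372   1073 192.168.0.1 TCP_MISS/200 776 GET http://xml.alexa.com/data? proxyuser1 HIER_DIRECT/23.21.109.107 text/xml
1409354842.754    963 192.168.0.1 TCP_MISS/200 2285 POST http://sd.symcd.com/ proxyuser1 HIER_DIRECT/23.51.43.27 application/ocsp-response
1409354850.101      0 192.168.0.23 TCP_DENIED/407 3985 GET http://example.com/ - HIER_NONE/- text/html
1409354851.640    212 192.168.0.23 TCP_MISS/200 1270 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print("requests per user:", dict(report["by_user"]))
    print("407 challenges per client:", dict(report["challenges"]))
    for e in report["served_without_user"]:
        print("served without a username:", e.client, e.method, e.url, e.status)
    print("unparsed lines:", report["skipped"])
```

Any entry in the "served without a username" list means a client got content without authenticating, so the order of the http_access lines in squid.conf should be reviewed.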

I hope that the above guidelines on how to set up a Squid proxy on Ubuntu Server will help system administrators to start installing their own proxy server.

How to Setup Squid Proxy Server on Linux CentOS 6.3

This post describes the steps to set up a Squid 3 proxy server on CentOS 6.3. Squid plays two main roles. First, it acts as a caching proxy server between the user and the web. Second, it is also regularly used as a content accelerator, or reverse proxy, intercepting requests to a server and using a cached version of the page to serve the request. Follow the steps below to install and configure Squid.

1. Run yum install :

[root@centos63 ~]# yum install squid -y
Loaded plugins: fastestmirror, presto, priorities
Loading mirror speeds from cached hostfile
 * base: centos.ipserverone.com
 * extras: centos.ipserverone.com
 * updates: centos.ipserverone.com
CentOS6.3-Repository                                                         | 4.0 kB     00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i686 7:3.1.10-9.el6_3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package             Arch               Version                         Repository             Size
====================================================================================================
Installing:
 squid               i686               7:3.1.10-9.el6_3                updates               1.7 M

Transaction Summary
====================================================================================================
Install       1 Package(s)

Total download size: 1.7 M
Installed size: 5.7 M
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.7 M
squid-3.1.10-9.el6_3.i686.rpm                                                | 1.7 MB     00:14
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 7:squid-3.1.10-9.el6_3.i686                                                      1/1
  Verifying  : 7:squid-3.1.10-9.el6_3.i686                                                      1/1

Installed:
  squid.i686 7:3.1.10-9.el6_3

Complete!

2. Configure main squid configuration file. Use vi to edit :

[root@centos63 ~]# vi /etc/squid/squid.conf

3. Add your internal network to the list of IP networks from which browsing should be allowed. In this example, the internal network is named ehowstuff :

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff src 192.168.1.0/24    # Your internal network

4. Add the ehowstuff network to the access rules for the IP networks from which browsing should be allowed :

http_access allow localnet
http_access allow localhost
http_access allow ehowstuff

5. Make sure the Squid proxy port line is uncommented. You can change the proxy port to any available port here. As an example, another available port is 8080.

# Squid normally listens to port 3128
http_port 3128

6. Start squid service :

[root@centos63 ~]# service squid start
Starting squid:                                            [  OK  ]

7. Configure the proxy setting in the client’s browser.

How to Remove Squid on CentOS 6.3

Squid plays two main roles. First, it acts as a caching proxy server between the user and the web. Second, it is also regularly used as a content accelerator, or reverse proxy, intercepting requests to a server and using a cached version of the page to serve the request.

To remove the Squid service, execute the following command :

[root@centos63 ~]# yum remove squid -y

Examples :

[root@centos63 ~]# yum remove squid -y
Loaded plugins: fastestmirror, presto
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i686 7:3.1.10-1.el6_2.4 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package         Arch           Version                       Repository                       Size
====================================================================================================
Removing:
 squid           i686           7:3.1.10-1.el6_2.4            @CentOS6.3-Repository           5.7 M

Transaction Summary
====================================================================================================
Remove        1 Package(s)

Installed size: 5.7 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing    : 7:squid-3.1.10-1.el6_2.4.i686                                                    1/1
  Verifying  : 7:squid-3.1.10-1.el6_2.4.i686                                                    1/1

Removed:
  squid.i686 7:3.1.10-1.el6_2.4

Complete!

How to Install Squid on CentOS 6.3

This post covers the simple steps to install Squid on CentOS 6.3. Squid plays two main roles. First, it acts as a caching proxy server between the user and the web. Second, it is also regularly used as a content accelerator, or reverse proxy, intercepting requests to a server and using a cached version of the page to serve the request. Execute the following command to install Squid :

[root@centos63 ~]# yum install squid -y

Example :

[root@centos63 ~]# yum install squid -y
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: mirror1.ku.ac.th
 * extras: mirror.yourconnect.com
 * updates: mirror1.ku.ac.th
CentOS6.3-Repository                                                         | 4.0 kB     00:00 ...
CentOS6.3-Repository/primary_db                                              | 3.5 MB     00:00 ...
base                                                                         | 3.7 kB     00:00
base/primary_db                                                              | 3.5 MB     00:31
extras                                                                       | 3.0 kB     00:00
extras/primary_db                                                            | 6.4 kB     00:00
updates                                                                      | 3.5 kB     00:00
updates/primary_db                                                           | 2.2 MB     00:19
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i686 7:3.1.10-1.el6_2.4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package         Arch           Version                        Repository                      Size
====================================================================================================
Installing:
 squid           i686           7:3.1.10-1.el6_2.4             CentOS6.3-Repository           1.7 M

Transaction Summary
====================================================================================================
Install       1 Package(s)

Total download size: 1.7 M
Installed size: 5.7 M
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.7 M
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : 7:squid-3.1.10-1.el6_2.4.i686                                                    1/1
  Verifying  : 7:squid-3.1.10-1.el6_2.4.i686                                                    1/1

Installed:
  squid.i686 7:3.1.10-1.el6_2.4

Complete!

Start Squid :

[root@centos63 ~]# service squid start
Starting squid: .                                          [  OK  ]

Check Squid status :

[root@centos63 ~]# service squid status
squid (pid  11806) is running...

How to Install and Configure Squid Proxy Server on Fedora 16

Squid plays two main roles. First, it acts as a caching proxy server between the user and the web. Second, it is also regularly used as a content accelerator, or reverse proxy, intercepting requests to a server and using a cached version of the page to serve the request. Follow the steps below to install and configure a Squid 3.2 proxy server on Fedora 16.

1. Install the Squid proxy using the yum command.

[root@fedora16 ~]# yum install squid -y

Examples :

[root@fedora16 ~]# yum install squid -y
Fedora16-Repository                                                          | 3.7 kB     00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package squid.i686 7:3.2.0.16-1.fc16 will be installed
--> Processing Dependency: libecap.so.2 for package: 7:squid-3.2.0.16-1.fc16.i686
--> Running transaction check
---> Package libecap.i686 0:0.2.0-2.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package              Arch              Version                          Repository            Size
====================================================================================================
Installing:
 squid                i686              7:3.2.0.16-1.fc16                updates              2.3 M
Installing for dependencies:
 libecap              i686              0.2.0-2.fc16                     updates               18 k

Transaction Summary
====================================================================================================
Install       2 Packages

Total download size: 2.3 M
Installed size: 7.7 M
Downloading Packages:
(1/2): libecap-0.2.0-2.fc16.i686.rpm                                         |  18 kB     00:00
(2/2): squid-3.2.0.16-1.fc16.i686.rpm                                        | 2.3 MB     00:27
----------------------------------------------------------------------------------------------------
Total                                                                81 kB/s | 2.3 MB     00:28
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libecap-0.2.0-2.fc16.i686                                                        1/2
  Installing : 7:squid-3.2.0.16-1.fc16.i686                                                     2/2

Installed:
  squid.i686 7:3.2.0.16-1.fc16

Dependency Installed:
  libecap.i686 0:0.2.0-2.fc16

Complete!

2. Configure the server's hosts file :

[root@fedora16 ~]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.47   fedora16.ehowstuff.local

3. Configure the main Squid configuration file. Use vi to edit.

[root@fedora16 ~]# vi /etc/squid/squid.conf

3.1 Add your internal network to the list of IP networks from which browsing should be allowed. In this example, the internal network is named ehowstuff.

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

Add an acl for the ehowstuff network as below :

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff src 192.168.1.0/24        # ehowstuff network

3.2 Add the ehowstuff network to the access rules for the IP networks from which browsing should be allowed :

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

Add ehowstuff to http_access allow as below :

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow ehowstuff

3.3 Make sure the Squid proxy port line is uncommented. Squid normally listens on port 3128. You can change the proxy port to any available port. As an example, another available port is 8080.

# Squid normally listens to port 3128
http_port 3128

4. Configure the Squid service to start automatically at boot :

[root@fedora16 ~]# chkconfig squid on

5. Start and Stop Squid service :
Start Squid Service :

[root@fedora16 ~]# service squid restart
Redirecting to /bin/systemctl  restart squid.service

Stop Squid Service :

[root@fedora16 ~]# service squid stop
Redirecting to /bin/systemctl  stop squid.service

6. Allow the Squid port through the iptables firewall. Alternatively, you can disable iptables, but it is recommended to implement iptables on the server.

[root@fedora16 ~]# service iptables stop
Redirecting to /bin/systemctl  stop iptables.service
[root@fedora16 ~]# service ip6tables stop
Redirecting to /bin/systemctl  stop ip6tables.service

7. Configure the client browser to use the proxy.

Full Squid 3 Configuration :

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff src 192.168.1.0/24        # ehowstuff network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow ehowstuff

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320



How to Configure Squid Proxy for LDAP Authentication on CentOS 6.2 using squid_ldap_auth

In this post I will show how to configure the Squid proxy server to authenticate against a 389 LDAP directory on a Linux CentOS 6.2 server. The authentication uses the squid_ldap_auth module that comes with the Squid proxy. It is assumed that you have a 389 LDAP Directory Server and a Squid proxy configured. Squid acts mainly as a caching proxy server between the user and the web. 389 Directory Server is an enterprise-class open source LDAP server for Linux.

Some information about the proxy server and the LDAP server :
Proxy server : 192.168.1.44 proxy.ehowstuff.local
LDAP server : 192.168.1.48 ldap.ehowstuff.local

Prerequisites :
How to Install and Configure Squid Proxy Server on CentOS 6.2
How to Restrict Web Access By Time Using Squid Proxy Server on CentOS 6.2
How to Install 389 Directory Server on CentOS 6.2
How to Setup and Configure 389 Directory Server on CentOS 6.2

Add these lines to your squid.conf file :

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth
http_access deny all

“http_access deny all” is optional; it depends on your configuration.

Open the squid.conf file and modify it as below :

..
..
..
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24    # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#Specifies the base DN for LDAP authentication :
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth


#Add this at the bottom of the ACL Section
#
acl surfing_hours time M T W H F 17:00-24:00
acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Allow the ehowstuff.com network during surfing_hours, except for Bad_Websites; deny it otherwise
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com
..
..
..

Proxy ip : 192.168.1.44
Domain/Hostname : proxy.ehowstuff.local
Port : 3128

A browser configured with this proxy setting will show a login prompt.

Complete Squid configuration :

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24    # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


#Specifies the base DN for LDAP authentication :
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=ehowstuff,dc=local" -f "uid=%s" -h ldap.ehowstuff.local
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth


#Add this at the bottom of the ACL Section
#
acl surfing_hours time M T W H F 17:00-24:00
acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Allow the ehowstuff.com network during surfing_hours, except for Bad_Websites; deny it otherwise
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com



# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
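
Squid evaluates http_access lines top to bottom and stops at the first line that matches, so the position of each line in the complete configuration above matters. The following check is an added example (not part of the original post or of Squid): it flags allow rules placed ahead of the "deny !Safe_ports" and "deny CONNECT !SSL_ports" guards, and rules that follow a terminal "all" rule. PAGE_ORDER reproduces the http_access lines in the order they appear above; REORDERED is a suggested ordering and an assumption about the intended policy.

```python
"""Lint the order of http_access rules in a squid.conf (added example)."""
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    lineno: int
    action: str              # "allow" or "deny"
    acls: Tuple[str, ...]    # ACL names, "!" prefix means negated


# The two stock guard rules; they only protect requests that reach them.
GUARDS = {
    frozenset(["!Safe_ports"]): "Safe_ports",
    frozenset(["CONNECT", "!SSL_ports"]): "SSL_ports",
}


def parse_http_access(conf: str) -> List[Rule]:
    rules = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "http_access" and tokens[1] in ("allow", "deny"):
            rules.append(Rule(lineno, tokens[1], tuple(tokens[2:])))
    return rules


def lint(conf: str):
    """Return (line number, finding) pairs; line 0 means a file-level finding."""
    rules = parse_http_access(conf)
    findings = []
    guard_at = {}
    for index, rule in enumerate(rules):
        name = GUARDS.get(frozenset(rule.acls)) if rule.action == "deny" else None
        if name:
            guard_at.setdefault(name, index)
    for name in GUARDS.values():
        if name not in guard_at:
            findings.append((0, "missing-guard:" + name))
    terminal = None
    for index, rule in enumerate(rules):
        if terminal is not None:
            # "all" matches every request, so nothing below it is evaluated.
            findings.append((rule.lineno, "unreachable-after-all"))
        elif rule.acls == ("all",):
            terminal = rule
        elif rule.action == "allow" and "manager" not in rule.acls:
            # The stock cache-manager allow rule is narrow and is skipped here.
            for name, position in guard_at.items():
                if index < position:
                    findings.append((rule.lineno, "allow-before-guard:" + name))
    if terminal is None or terminal.action != "deny":
        findings.append((0, "no-final-deny-all"))
    return findings


# http_access lines in the order they appear in the complete configuration above.
PAGE_ORDER = """\
http_access allow ldapauth
http_access allow manager localhost
http_access deny manager
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Suggested ordering (assumption): guards first, then site list, then one
# allow rule that requires network, time window and authentication together.
REORDERED = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny Bad_Websites
http_access allow ehowstuff.com surfing_hours ldapauth
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("page order", PAGE_ORDER), ("reordered", REORDERED)):
        print(label)
        for lineno, finding in lint(conf) or [(0, "no findings")]:
            print("  line %d: %s" % (lineno, finding))
```

In the page's order, a request that authenticates against LDAP is allowed by the first line and never reaches the port guards, the time window or the Bad_Websites list.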

How to Restrict the Access to Specific Web sites Using Squid Proxy Server on CentOS 6.2

This howto covers the steps necessary to restrict access to specific web sites using the Squid proxy cache server on CentOS 6.2. Before beginning these steps, please make sure you have properly configured the Squid proxy server. If not, please follow this article to install the Squid proxy server on CentOS 6.2 (How to Install and Configure Squid Proxy Server on CentOS 6.2).

Squid can read files containing lists of web sites or domains for use in ACLs. In this example, the setup always restricts access from the ehowstuff.com network and to Bad_Websites, but allows surfing during surfing_hours only if the site is not in Bad_Websites. Follow these steps to restrict access to specific websites.

1. Open the squid.conf configuration file :

    [root@centos62 ~]# vi /etc/squid/squid.conf
    

2. Create a web folder under /etc/squid. This is to store additional files such as Bad_Websites.squid.

    [root@centos62 ~]# mkdir /etc/squid/web
    

3. Create Bad_Websites.squid and add the list of bad websites.

    [root@centos62 ~]# vi /etc/squid/web/Bad_Websites.squid
    

Example Bad website list :

    #List in /etc/squid/web/Bad_Websites.squid
    www.porn.com
    www.badwebsites.com
    

4. Define the surfing_hours group name, the surfing time and the restricted websites list file.

    #Add this at the bottom of the ACL Section
    #
    acl surfing_hours time M T W H F 08:00-17:00
    acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"
    #
    

5. Always restrict access from the ehowstuff.com network and to Bad_Websites, but allow surfing during surfing_hours only if the site is not in Bad_Websites.

    # Allow the ehowstuff.com network during surfing_hours, except for Bad_Websites; deny it otherwise
    http_access allow ehowstuff.com surfing_hours !Bad_Websites
    http_access deny Bad_Websites
    http_access deny ehowstuff.com
    

6. Restart the Squid proxy server for the changes to take effect :

    [root@centos62 ~]# service squid restart
    Stopping squid: ................                           [  OK  ]
    Starting squid: .                                          [  OK  ]
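
How the rules from steps 4 and 5 decide a given request, as an added example that is not part of the original post: a small first-match evaluator for the src, time and dstdomain ACLs used here. It is a simplified model and not Squid's own code; the client address 192.168.1.20, the test hostnames and the function names are assumptions of this example. It also shows that a dstdomain entry without a leading dot matches only that exact hostname.

```python
"""First-match model of the http_access rules from steps 4-5 (added example)."""
import ipaddress
from datetime import datetime

# Squid day letters, indexed by datetime.weekday(): H = Thursday,
# A = Saturday, S = Sunday.
DAY_LETTERS = "MTWHFAS"


def src_acl(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src"]) in network


def time_acl(days, span):
    start, stop = (int(h) * 60 + int(m)
                   for h, m in (part.split(":") for part in span.split("-")))
    allowed = {DAY_LETTERS.index(d) for d in days.replace(" ", "")}

    def match(req):
        now = req["when"]
        return now.weekday() in allowed and start <= now.hour * 60 + now.minute <= stop
    return match


def dstdomain_acl(entries):
    def match(req):
        host = req["host"].lower().rstrip(".")
        for entry in (e.lower() for e in entries):
            if entry.startswith("."):
                # ".example.com" covers example.com and every subdomain.
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                # "www.example.com" covers that one hostname only.
                return True
        return False
    return match


def evaluate(rules, acls, req):
    """Return (action, rule number) of the first rule whose ACLs all match."""
    for number, (action, names) in enumerate(rules, 1):
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, number
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


# The three rules from step 5 followed by the final "deny all".
RULES = [
    ("allow", ["ehowstuff.com", "surfing_hours", "!Bad_Websites"]),
    ("deny", ["Bad_Websites"]),
    ("deny", ["ehowstuff.com"]),
    ("deny", ["all"]),
]


def decide(host, when, bad_sites, src="192.168.1.20"):
    acls = {
        "ehowstuff.com": src_acl("192.168.1.0/24"),
        "surfing_hours": time_acl("M T W H F", "08:00-17:00"),
        "Bad_Websites": dstdomain_acl(bad_sites),
        "all": lambda req: True,
    }
    return evaluate(RULES, acls, {"src": src, "host": host, "when": when})


PAGE_LIST = ["www.badwebsites.com"]       # one entry from the example list above
DOTTED_LIST = [".badwebsites.com"]        # same site written with a leading dot
WED_10 = datetime(2014, 8, 27, 10, 0)     # Wednesday, inside surfing_hours
WED_18 = datetime(2014, 8, 27, 18, 0)     # Wednesday, outside surfing_hours
SAT_10 = datetime(2014, 8, 30, 10, 0)     # Saturday

if __name__ == "__main__":
    for host, when, sites in [
        ("example.org", WED_10, PAGE_LIST),
        ("www.badwebsites.com", WED_10, PAGE_LIST),
        ("example.org", WED_18, PAGE_LIST),
        ("badwebsites.com", WED_10, PAGE_LIST),
        ("badwebsites.com", WED_10, DOTTED_LIST),
    ]:
        print(host, when.strftime("%a %H:%M"), sites, "->", decide(host, when, sites))
```

To block a whole domain, list it with a leading dot in /etc/squid/web/Bad_Websites.squid.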
    

Full Squid cache proxy configuration :

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
    acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
    acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl ehowstuff.com src 192.168.1.0/24    # Your internal network
    
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    
    #Add this at the bottom of the ACL Section
    #
    acl surfing_hours time M T W H F 08:00-17:00
    acl Bad_Websites  dstdomain "/etc/squid/web/Bad_Websites.squid"
    
    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    
    # Allow the ehowstuff.com network during surfing_hours, except for Bad_Websites; deny it otherwise
    http_access allow ehowstuff.com surfing_hours !Bad_Websites
    http_access deny Bad_Websites
    http_access deny ehowstuff.com
    
    
    
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet
    http_access allow localhost
    
    # And finally deny all other access to this proxy
    http_access deny all
    
    # Squid normally listens to port 3128
    http_port 3128
    
    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?
    
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    

How to Restrict Web Access By Time Using Squid Proxy Server on CentOS 6.2

This howto covers the steps necessary to control internet access by time using the Squid proxy cache server on CentOS 6.2. Before beginning these steps, make sure you have properly configured the Squid proxy server. If not, follow this article to install it first: How to Install and Configure Squid Proxy Server on CentOS 6.2.

1. Open the squid.conf configuration file :

    [root@centos62 ~]# vi /etc/squid/squid.conf
    

2. In this example, clients on the ehowstuff.com network are allowed to browse only during surfing_hours; outside those hours their access is always denied. Define the ehowstuff.com network :

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl ehowstuff.com src 192.168.1.0/24    # Your ehowstuff.com internal network
    

3. Define the surfing_hours ACL with its days and time range (M T W H F is Monday to Friday) :

    #Add this at the bottom of the ACL Section
    #
    acl surfing_hours time M T W H F 08:00-17:00
    #
    

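4. Allow access from ehowstuff.com during surfing hours only, and deny it at all other times. Squid applies the first http_access line that matches, so the allow line must come before the deny line :

    # Allow ehowstuff.com clients during surfing_hours only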
    http_access allow ehowstuff.com surfing_hours
    http_access deny ehowstuff.com
    

5. Restart the Squid proxy server for the changes to take effect :

    [root@centos62 ~]# service squid restart
    Stopping squid: ................                           [  OK  ]
    Starting squid: .                                          [  OK  ]
    

Full Squid cache proxy configuration :

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
    acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
    acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl ehowstuff.com src 192.168.1.0/24    # Your ehowstuff.com internal network
    
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    
    #Add this at the bottom of the ACL Section
    #
    acl surfing_hours time M T W H F 08:00-17:00
    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    
    # Allow ehowstuff.com clients during surfing_hours only
    http_access allow ehowstuff.com surfing_hours
    http_access deny ehowstuff.com
    
    
    
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet
    http_access allow localhost
    # Never reached: "http_access deny ehowstuff.com" above matches first
    http_access allow ehowstuff.com
    
    # And finally deny all other access to this proxy
    http_access deny all
    
    # Squid normally listens to port 3128
    http_port 3128
    
    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?
    
    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
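
The full configuration above places the ehowstuff.com allow line ahead of `deny !Safe_ports` and `deny CONNECT !SSL_ports`, and Squid stops at the first http_access line whose ACLs all match. The following is an added example, not part of the original article: a small model of that first-match evaluation, where the `REORDERED` list, the `decide` and `request` helpers and the sample requests are assumptions constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # acl ehowstuff.com src
SAFE = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210), (1025, 65535),
        (280, 280), (488, 488), (591, 591), (777, 777)]    # acl Safe_ports
# One predicate per ACL name; a request is a dict with src, method, port, when.
ACLS = {
    "localhost": lambda r: ip_address(r["src"]).is_loopback,
    "ehowstuff.com": lambda r: ip_address(r["src"]) in LAN,
    # acl surfing_hours time M T W H F 08:00-17:00 (weekday() 0..4 is Mon..Fri)
    "surfing_hours": lambda r: r["when"].weekday() < 5
        and (8, 0) <= (r["when"].hour, r["when"].minute) <= (17, 0),
    "Safe_ports": lambda r: any(lo <= r["port"] <= hi for lo, hi in SAFE),
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "all": lambda r: True,
}
# Rule order from the page's full configuration (cachemgr lines omitted).
PAGE_ORDER = """
http_access allow ehowstuff.com surfing_hours
http_access deny ehowstuff.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow ehowstuff.com
http_access deny all
"""
# Assumed alternative: the same rules with the LAN lines below the port checks.
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ehowstuff.com surfing_hours
http_access deny ehowstuff.com
http_access allow localhost
http_access deny all
"""

def decide(rules, req):
    """Return (action, line_no) of the first http_access line whose ACLs all match."""
    for n, line in enumerate(rules.strip().splitlines(), 1):
        _, action, *names = line.split()
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in names):
            return action, n
    return "deny", 0   # not reached here: both lists end with "deny all"

def request(src, method, port, when):
    return dict(src=src, method=method, port=port, when=datetime.fromisoformat(when))

# Constructed sample requests (2012-03-05 is a Monday, 2012-03-10 a Saturday).
SAMPLES = [request("192.168.1.50", *a) for a in [
    ("GET", 80, "2012-03-05 10:00"), ("GET", 80, "2012-03-05 20:00"),
    ("GET", 80, "2012-03-10 10:00"), ("CONNECT", 25, "2012-03-05 10:00")]]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["method"], s["port"], s["when"], decide(PAGE_ORDER, s), decide(REORDERED, s))
```

With the page's order, the CONNECT request to port 25 during surfing hours is allowed by line 1 and the port checks are never consulted; with the LAN lines moved below them, the same request is denied by `deny !Safe_ports`. Time-based behaviour for ordinary requests is the same in both orders.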
    

How to Install and Configure Squid Proxy Server on CentOS 6.2

This howto shows the steps to install and configure a Squid 3 proxy server on CentOS 6.2. Squid plays two main roles. First, it acts as a caching proxy server between the user and the web. Second, it is regularly used as a content accelerator, or reverse proxy, intercepting requests to a server and using a cached version of the page to serve the request. Follow the steps below to install and configure Squid.

1. Install the Squid proxy using the yum command. This installation uses a local yum repository, as documented in the article How to Setup Local Yum Repository from CD-ROM/DVD-ROM image on CentOS 6.2.

    [root@centos62 ~]# yum install squid -y
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.maulvi.net
     * extras: centos.maulvi.net
     * updates: centos.maulvi.net
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package squid.i686 7:3.1.10-1.el6_2.1 will be installed
    --> Processing Dependency: perl(Getopt::Long) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(integer) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(Pod::Usage) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(DBI) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(Digest::MD5) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(vars) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: libltdl.so.7 for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(strict) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: /usr/bin/perl for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(Getopt::Std) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Processing Dependency: perl(Net::POP3) for package: 7:squid-3.1.10-1.el6_2.1.i686
    --> Running transaction check
    ---> Package libtool-ltdl.i686 0:2.2.6-15.5.el6 will be installed
    ---> Package perl.i686 4:5.10.1-119.el6_1.1 will be installed
    --> Processing Dependency: perl-libs = 4:5.10.1-119.el6_1.1 for package: 4:perl-5.10.1-119.el6_1.1.i686
    --> Processing Dependency: perl-libs for package: 4:perl-5.10.1-119.el6_1.1.i686
    --> Processing Dependency: perl(Pod::Simple) for package: 4:perl-5.10.1-119.el6_1.1.i686
    --> Processing Dependency: libperl.so for package: 4:perl-5.10.1-119.el6_1.1.i686
    --> Processing Dependency: perl(version) for package: 4:perl-5.10.1-119.el6_1.1.i686
    --> Processing Dependency: perl(Module::Pluggable) for package: 4:perl-5.10.1-119.el6_1.1.i686
    ---> Package perl-DBI.i686 0:1.609-4.el6 will be installed
    --> Running transaction check
    ---> Package perl-Module-Pluggable.i686 1:3.90-119.el6_1.1 will be installed
    ---> Package perl-Pod-Simple.i686 1:3.13-119.el6_1.1 will be installed
    --> Processing Dependency: perl(Pod::Escapes) >= 1.04 for package: 1:perl-Pod-Simple-3.13-119.el6_1.1.i686
    ---> Package perl-libs.i686 4:5.10.1-119.el6_1.1 will be installed
    ---> Package perl-version.i686 3:0.77-119.el6_1.1 will be installed
    --> Running transaction check
    ---> Package perl-Pod-Escapes.i686 1:1.04-119.el6_1.1 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ====================================================================================================
     Package                     Arch       Version                    Repository                  Size
    ====================================================================================================
    Installing:
     squid                       i686       7:3.1.10-1.el6_2.1         updates                    1.7 M
    Installing for dependencies:
     libtool-ltdl                i686       2.2.6-15.5.el6             CentOS6.2-Repository        45 k
     perl                        i686       4:5.10.1-119.el6_1.1       CentOS6.2-Repository       9.7 M
     perl-DBI                    i686       1.609-4.el6                CentOS6.2-Repository       705 k
     perl-Module-Pluggable       i686       1:3.90-119.el6_1.1         CentOS6.2-Repository        37 k
     perl-Pod-Escapes            i686       1:1.04-119.el6_1.1         CentOS6.2-Repository        30 k
     perl-Pod-Simple             i686       1:3.13-119.el6_1.1         CentOS6.2-Repository       209 k
     perl-libs                   i686       4:5.10.1-119.el6_1.1       CentOS6.2-Repository       590 k
     perl-version                i686       3:0.77-119.el6_1.1         CentOS6.2-Repository        49 k
    
    Transaction Summary
    ====================================================================================================
    Install       9 Package(s)
    
    Total download size: 13 M
    Installed size: 38 M
    Downloading Packages:
    (1/9): squid-3.1.10-1.el6_2.1.i686.rpm                                       | 1.7 MB     00:14
    ----------------------------------------------------------------------------------------------------
    Total                                                               881 kB/s |  13 MB     00:15
    warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID c105b9de: NOKEY
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    Importing GPG key 0xC105B9DE:
     Userid : CentOS-6 Key (CentOS 6 Official Signing Key) 
     Package: centos-release-6-2.el6.centos.7.i686 (@anaconda-CentOS-201112130233.i386/6.2)
     From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : 1:perl-Pod-Escapes-1.04-119.el6_1.1.i686                                         1/9
      Installing : 3:perl-version-0.77-119.el6_1.1.i686                                             2/9
      Installing : 4:perl-libs-5.10.1-119.el6_1.1.i686                                              3/9
      Installing : 1:perl-Pod-Simple-3.13-119.el6_1.1.i686                                          4/9
      Installing : 1:perl-Module-Pluggable-3.90-119.el6_1.1.i686                                    5/9
      Installing : 4:perl-5.10.1-119.el6_1.1.i686                                                   6/9
      Installing : perl-DBI-1.609-4.el6.i686                                                        7/9
      Installing : libtool-ltdl-2.2.6-15.5.el6.i686                                                 8/9
      Installing : 7:squid-3.1.10-1.el6_2.1.i686                                                    9/9
    
    Installed:
      squid.i686 7:3.1.10-1.el6_2.1
    
    Dependency Installed:
      libtool-ltdl.i686 0:2.2.6-15.5.el6             perl.i686 4:5.10.1-119.el6_1.1
      perl-DBI.i686 0:1.609-4.el6                    perl-Module-Pluggable.i686 1:3.90-119.el6_1.1
      perl-Pod-Escapes.i686 1:1.04-119.el6_1.1       perl-Pod-Simple.i686 1:3.13-119.el6_1.1
      perl-libs.i686 4:5.10.1-119.el6_1.1            perl-version.i686 3:0.77-119.el6_1.1
    
    Complete!
    

2. Configure server hosts file :

    [root@centos62 ~]# vi /etc/hosts
    
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    
    192.168.1.44 centos62.ehowstuff.com
    

3. Configure main squid configuration file. Use vi to edit.

    [root@centos62 ~]# vi /etc/squid/squid.conf
    

4. Add your internal network to the list of IP networks from which browsing should be allowed. In this example, the ACL for the internal network is named ehowstuff.com.

    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl ehowstuff.com src 192.168.1.0/24    # Your internal network
    

5. Add the ehowstuff.com ACL to the http_access rules so that browsing is allowed from that network :

    #http_access allow localnet
    http_access allow localhost
    http_access allow ehowstuff.com
    

6. Make sure the Squid proxy port line is uncommented. You can change the proxy port to any available port here; for example, 8080.

    # Squid normally listens to port 3128
    http_port 3128
    

7. Configure auto start at boot for squid service :

    [root@centos62 ~]# chkconfig squid on
    

8. Start squid service :

    [root@centos62 ~]# service squid restart
    Stopping squid: ................                           [  OK  ]
    Starting squid: .                                          [  OK  ]
    

9. Client browser configuration should be as below :

[Screenshot: client browser proxy settings]

How to Install and Configure Squid Proxy Server in CentOS 5.5

In this post, I will guide you through installing and configuring a Squid proxy server with a basic configuration. A Squid proxy server makes web browsing faster, as it reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Follow the steps below to configure your Squid proxy server.

    [root@server ~]# yum -y install squid
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * addons: centos.ipserverone.com
     * base: centos.ipserverone.com
     * epel: mirror01.idc.hinet.net
     * extras: centos.ipserverone.com
     * updates: centos.ipserverone.com
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package squid.i386 7:2.6.STABLE21-6.el5 set to be updated
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    =====================================================================================
     Package         Arch           Version                         Repository      Size
    =====================================================================================
    Installing:
     squid           i386           7:2.6.STABLE21-6.el5            base           1.3 M
    
    Transaction Summary
    =====================================================================================
    Install       1 Package(s)
    Upgrade       0 Package(s)
    
    Total download size: 1.3 M
    Downloading Packages:
    squid-2.6.STABLE21-6.el5.i386.rpm                             | 1.3 MB     00:24
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing     : squid                                                         1/1
    
    Installed:
      squid.i386 7:2.6.STABLE21-6.el5
    
    Complete!
    

1. Configure main squid configuration file. Use vi to edit.

    [root@server ~]# vi /etc/squid/squid.conf
    

2. The default port is TCP 3128. However, you can change it to 9090 or 8080. Change line 919 as below :

    http_port 8080
    

3. Add the list of internal IP networks from which browsing should be allowed. In this example, the IP network segment is named intranet_local. Add the line below at line 590 (allow only intranet_local) :

    acl intranet_local src 192.168.2.0/24
    

Add the line below at line 637 :

    http_access allow intranet_local
    
4. Configure auto start at boot for the squid service and start the squid server :

    [root@server ~]# chkconfig squid on
    [root@server ~]# /etc/init.d/squid start
    Starting squid: .                                          [  OK  ]
    

5. Configure your client browser to use the proxy server's IP address with port 8080.
6. Test from client using this URL