In web hosting, server administrators often face the challenge of managing network traffic efficiently. One solution to this problem is the use of a proxy server. A proxy server acts as an intermediary between clients seeking resources and the server providing those resources. This not only helps manage network traffic but also provides an additional layer of security.
One of the most popular proxy server software is Squid. Squid is a caching proxy that supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid also offers a variety of features such as LDAP authentication, which adds another layer of security by requiring users to authenticate before they can use the proxy.
In this tutorial, we will guide you through the process of setting up Squid as a caching proxy with LDAP authentication on a Red Hat Enterprise Linux server.
Step 1: Install the Squid Package
The first step in setting up Squid as a caching proxy with LDAP authentication is to install the Squid package. This can be done using the package manager of your Linux distribution.
# yum install squid
This command will install the Squid package on your server.
Step 2: Edit the Squid Configuration File
After installing Squid, the next step is to edit the Squid configuration file, which is located at /etc/squid/squid.conf.
# vi /etc/squid/squid.conf
This command will open the Squid configuration file in the vi text editor. If you prefer to use a different text editor, replace “vi” with the name of your preferred text editor.
Step 3: Configure the basic_ldap_auth Helper Utility
Squid uses helper utilities to handle authentication. For LDAP authentication, we will use the basic_ldap_auth helper utility. To configure this utility, add the following configuration entry to the top of /etc/squid/squid.conf:
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
This configuration entry tells Squid to use the basic_ldap_auth helper utility for LDAP authentication. The parameters passed to the basic_ldap_auth helper utility are explained below:
- -b "cn=users,cn=accounts,dc=example,dc=com": This sets the LDAP search base.
- -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com": This sets the distinguished name (DN) of the account Squid uses to search for the authenticating user in the directory.
- -W /etc/squid/ldap_password: This sets the path to the file that contains the password of the proxy service user. Using a password file prevents the password from being visible in the operating system's process list.
- -f "(&(objectClass=person)(uid=%s))": This specifies the LDAP search filter. Squid replaces the %s variable with the username provided by the authenticating user.
- -ZZ: This enforces a TLS-encrypted connection over the LDAP protocol using the STARTTLS command. If your LDAP server does not support encrypted connections, or if the port specified in the URL uses the LDAPS protocol, you can omit this parameter.
- -H ldap://ldap_server.example.com:389: This specifies the protocol, hostname or IP address, and port of the LDAP server in URL format.
Step 4: Configure Squid to Allow Only Authenticated Users
Next, we need to configure Squid to allow only authenticated users to use the proxy. This can be done by adding the following Access Control List (ACL) and rule to the Squid configuration file:
acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
These settings should be specified before the http_access deny all rule in the configuration file.
Step 5: Disable Bypassing of Proxy Authentication
By default, Squid allows bypassing of proxy authentication from IP ranges specified in localnet ACLs. To disable this, remove the following rule from the Squid configuration file:
http_access allow localnet
Step 6: Configure Ports for HTTPS Protocol
If users should be able to use the HTTPS protocol on ports other than 443, you need to add an ACL for each of these ports. For example, to add port 8443, you would add the following line to the Squid configuration file:
acl SSL_ports port 8443
Step 7: Configure Access to Safe Ports
Next, update the list of acl Safe_ports rules to configure which ports Squid can establish a connection to. For example, to configure that clients using the proxy can only access resources on ports 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.
Step 8: Configure the Cache
Squid uses a cache to store and quickly retrieve frequently-requested web pages. You can configure the cache type, the path to the cache directory, the cache size, and other cache-specific settings using the cache_dir parameter. For example:
cache_dir ufs /var/spool/squid 10000 16 256
With these settings:
- Squid uses the ufs cache type.
- Squid stores its cache in the /var/spool/squid/ directory.
- The cache can grow up to 10,000 MB.
- Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.
- Squid creates 256 sub-directories in each level-1 directory.
If you do not set a cache_dir directive, Squid stores the cache in memory. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter, you will need to create the cache directory and configure the appropriate permissions.
Step 9: Store the LDAP Service User Password
Next, store the password of the LDAP service user in the /etc/squid/ldap_password file and set appropriate permissions for the file:
# echo "password" > /etc/squid/ldap_password
# chown root:squid /etc/squid/ldap_password
# chmod 640 /etc/squid/ldap_password
Step 10: Open the Squid Port in the Firewall
By default, Squid listens on port 3128. You need to open this port in your firewall to allow incoming connections:
# firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
Step 11: Start and Enable the Squid Service
Finally, start the Squid service and enable it to start automatically when the system boots:
# systemctl start squid
# systemctl enable squid
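As an added example that is not part of the original tutorial, the following POSIX shell script checks a squid.conf for the authentication rules configured in Steps 3 to 5 (the basic_ldap_auth helper is declared, the ldap-auth ACL exists, http_access allow localnet is gone, and the allow rule comes before http_access deny all) and checks that the password file from Step 9 is not world-readable. The sample configuration it inspects is constructed; it deliberately has the rules in the wrong order.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Lints a squid.conf for the
# LDAP-auth rules this guide configures. Assumes POSIX sh, grep and find.

# Returns 0 when the config enforces LDAP authentication as the guide
# intends, 1 otherwise. Comment lines are ignored, so a commented-out
# "http_access allow localnet" does not count as a bypass.
check_squid_conf() {
    conf="$1"
    rc=0
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    echo "$active" | grep -q '^auth_param basic program .*basic_ldap_auth' \
        || { echo "missing: auth_param basic program ... basic_ldap_auth"; rc=1; }
    echo "$active" | grep -q '^acl ldap-auth proxy_auth REQUIRED' \
        || { echo "missing: acl ldap-auth proxy_auth REQUIRED"; rc=1; }
    if echo "$active" | grep -q '^http_access allow localnet'; then
        echo "found: http_access allow localnet (lets localnet bypass authentication)"
        rc=1
    fi
    # Squid evaluates http_access rules top to bottom and stops at the first
    # match, so the allow rule must appear before the final "deny all".
    allow_ln=$(echo "$active" | grep -n '^http_access allow ldap-auth' | head -1 | cut -d: -f1)
    deny_ln=$(echo "$active" | grep -n '^http_access deny all' | head -1 | cut -d: -f1)
    if [ -z "$allow_ln" ] || [ -z "$deny_ln" ] || [ "$allow_ln" -ge "$deny_ln" ]; then
        echo "order: 'http_access allow ldap-auth' must precede 'http_access deny all'"
        rc=1
    fi
    return $rc
}

# Returns 0 when the LDAP password file exists and "others" cannot read it
# (the guide sets mode 640). -perm -004 matches files with the o+r bit set.
check_password_file() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# Constructed sample config: localnet bypass left in, allow rule after deny all.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=example,dc=com" -H ldap://ldap_server.example.com:389
acl ldap-auth proxy_auth REQUIRED
http_access allow localnet
http_access deny all
http_access allow ldap-auth
EOF
check_squid_conf "$SAMPLE" || echo "sample config fails the check (as expected)"
rm -f "$SAMPLE"
```

Run it against /etc/squid/squid.conf and /etc/squid/ldap_password after completing the steps above; any line it prints names the rule that still needs fixing.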
- yum install squid – This command installs the Squid package on your server.
- vi /etc/squid/squid.conf – This command opens the Squid configuration file in the vi text editor.
- echo "password" > /etc/squid/ldap_password – This command stores the password of the LDAP service user in the /etc/squid/ldap_password file.
- chown root:squid /etc/squid/ldap_password – This command changes the ownership of the /etc/squid/ldap_password file to the root user and the squid group.
- chmod 640 /etc/squid/ldap_password – This command sets the permissions of the /etc/squid/ldap_password file to 640 (read and write permissions for the owner, read permissions for the group, and no permissions for others).
- firewall-cmd --permanent --add-port=3128/tcp – This command opens port 3128 in the firewall to allow incoming connections.
- firewall-cmd --reload – This command reloads the firewall configuration to apply the changes.
- systemctl start squid – This command starts the Squid service.
- systemctl enable squid – This command enables the Squid service to start automatically when the system boots.
Congratulations! You have successfully set up Squid as a caching proxy with LDAP authentication on a Red Hat Enterprise Linux server. This setup will help you manage your network traffic more efficiently and improve your server’s security.
By following this guide, you will be able to enhance your server’s performance and security. Whether you’re using dedicated hosting, VPS hosting, or cloud hosting, this guide will be beneficial for you.
I hope you found this guide helpful. If you have any questions or comments, please feel free to leave them below.
What is Squid?
Squid is a popular proxy server software. It is a caching proxy that supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid also offers a variety of features such as LDAP authentication, which adds another layer of security.
What is LDAP authentication?
LDAP (Lightweight Directory Access Protocol) authentication is a method of validating users based on their credentials stored in an LDAP server. It adds an extra layer of security by requiring users to authenticate before they can use the proxy.
Why should I use a proxy server?
A proxy server acts as an intermediary between clients seeking resources and the server providing those resources. This helps manage network traffic, provides an additional layer of security, and can improve server performance by caching frequently-requested web pages.
What types of hosting can benefit from using Squid?
Whether you’re using dedicated hosting, VPS hosting, or cloud hosting, Squid can be beneficial. It helps manage network traffic, improves server performance, and adds an extra layer of security with features like LDAP authentication.
What is the default port for Squid?
By default, Squid listens on port 3128. However, this can be changed in the Squid configuration file.