How to Install Squid (Caching / Proxy) on CentOS 7

Original Post: http://broexperts.com/2014/08/squid-rpm-based-installation-using-yum/  and http://www.liquidweb.com/kb/how-to-install-squid-caching-proxy-on-centos-7/

Squid is a caching and forwarding web proxy. It is most often used in conjunction with a traditional LAMP stack (Linux, Apache, MySQL, PHP), and can be used to filter traffic on HTTP, FTP, and HTTPS, and increase the speed (thus lower the response time) for a web server via caching.

Pre-Flight Check
  • These instructions are intended specifically for installing Squid on a single CentOS 7 node.
  • I’ll be working from a Liquid Web Core Managed CentOS 7 server, and I’ll be logged in as root.
Step #1: Install Squid

First, clean up yum:

yum clean all

As a matter of best practice we’ll update our packages:

yum -y update

Installing Squid and related packages is now as simple as running just one command:

yum -y install squid

Step #2: Verify the Installation and Check the Squid Version

Squid should start immediately after the installation. Use the following command to view usage information for the squid command:

squid -h

Use the following command to check the version number of Squid and the configuration options it was started with:

squid -v

Your results should appear similar to:

Squid Cache: Version 3.3.8
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Step #3: Configure Squid to Start on Boot

First, start Squid:

systemctl start squid

Be sure that Squid starts at boot:

systemctl enable squid

To check the status of Squid:

systemctl status squid

To stop Squid:

systemctl stop squid


After installing Squid from source code, I will now install the Squid RPM using yum. yum is a well-known package manager for RPM-based operating systems such as Fedora, CentOS and Red Hat.

Step 1:

Install the Squid RPM and its dependencies using the yum command:

yum install squid -y

Sample Output:

Installed:
squid.x86_64 7:3.3.8-11.el7

Dependency Installed:
libecap.x86_64 0:0.2.0-8.el7
perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7
perl-DBI.x86_64 0:1.627-4.el7
perl-Data-Dumper.x86_64 0:2.145-3.el7
perl-Digest.noarch 0:1.17-245.el7
perl-Digest-MD5.x86_64 0:2.52-3.el7
perl-IO-Compress.noarch 0:2.061-2.el7
perl-Net-Daemon.noarch 0:0.48-5.el7
perl-PlRPC.noarch 0:0.2020-14.el7

Squid is now installed successfully from the RPM. By default, Squid places its configuration file under the /etc/squid directory.

Step 2:

Let’s perform the basic configuration steps:

  • Allow our network in an ACL.
  • Add a visible hostname.

Edit the squid.conf file, which is located at /etc/squid/squid.conf.
It’s recommended to create a backup of the default configuration file to be on the safe side.

cp /etc/squid/squid.conf /etc/squid/squid.conf.org.back

Now open the config file in the vi text editor.

vi /etc/squid/squid.conf

Add the 192.168.2.0/24 network as follows:

acl broexperts_network src 192.168.2.0/24
http_access allow broexperts_network

Uncomment and adjust the following to add a cache directory:

cache_dir ufs /var/spool/squid 100 16 256

Finally, at the end of the config file, add the visible hostname:

visible_hostname pxy.broexperts.com

My recommended minimum squid.conf file is shown below:

# Recommended minimum configuration:
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl broexperts_network src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# from where browsing should be allowed
http_access allow localhost
http_access allow broexperts_network

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname pxy.broexperts.com

Now save and exit.
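Squid evaluates http_access lines top to bottom and the first match decides, so the order of the rules in the file above is what keeps the proxy closed to clients outside 192.168.2.0/24. The script below is an added example, not part of the original post: it audits a squid.conf read from stdin, and the function name, the finding messages and both sample configurations are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): audit http_access ordering.
# Squid checks http_access rules top to bottom and the first match wins. If no
# rule matches, the default is the opposite of the last rule in the list.

# Reads a squid.conf on stdin; prints findings, returns 1 if there are any.
audit_http_access() {
    awk '
        function bad(msg) { n++; print "FINDING: " msg }
        { sub(/#.*/, "") }                       # strip comments
        $1 != "http_access" { next }
        {
            rule = $2
            for (i = 3; i <= NF; i++) rule = rule " " $i
            if (rule == "deny !Safe_ports") ports_checked = 1
            if ($2 == "allow" && !ports_checked)
                bad("line " NR ": allow before \"deny !Safe_ports\": " rule)
            if (rule == "allow all")
                bad("line " NR ": open proxy, any client may relay: " rule)
            last = rule
        }
        END {
            if (last != "deny all")
                bad("final rule is \"" last "\", expected \"deny all\"")
            exit (n > 0)
        }'
}

# Constructed sample, modelled on the recommended configuration above.
GOOD_CONF='acl broexperts_network src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 443     # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow broexperts_network
http_access deny all'

# Constructed variant: the same file with the closing rule flipped to allow.
OPEN_CONF=$(printf '%s\n' "$GOOD_CONF" | sed 's/^http_access deny all$/http_access allow all/')

echo "== recommended layout =="
printf '%s\n' "$GOOD_CONF" | audit_http_access && echo "no findings"
echo "== closing rule changed to allow all =="
printf '%s\n' "$OPEN_CONF" | audit_http_access || true
```

On the server, run it as audit_http_access < /etc/squid/squid.conf; squid -k parse checks the file's syntax before the service is restarted.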

 

Step 3:

Start the Squid service and enable it at startup:

service squid start
chkconfig squid on

 

Step 4:

Add a firewall rule to allow Squid’s port 3128:

firewall-cmd --zone=public --add-port=3128/tcp --permanent

Save the rules and reload the firewall service:

firewall-cmd --reload

The configuration part is done. Now it is time to test browsing by pointing the client browser at the Squid IP and default port.

 

Step 5:

Open the Firefox browser and go to Tools > Options > Advanced tab > Network > Settings, select the manual proxy settings radio button, provide the Squid server IP 192.168.1.100 and port 3128, check “use this proxy server for all protocols”, and then click OK.

Browse broexperts.com and watch the Squid access.log file:

tail -f /var/log/squid/access.log

Sample output:

1407790956.166 558 192.168.2.10 TCP_MISS/200 4360 GET http://www.broexperts.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css? - HIER_DIRECT/216.172.181.206 text/css
1407790956.195 587 192.168.2.10 TCP_MISS/200 773 GET http://www.broexperts.com/wp-content/plugins/crayon-syntax-highlighter/fonts/monaco.css? - HIER_DIRECT/216.172.181.206 text/css
1407790956.195 294 192.168.2.10 TCP_MISS/200 3556 GET http://www.broexperts.com/wp-content/plugins/jetpack/modules/sharedaddy/sharing.css? - HIER_DIRECT/216.172.181.206 text/css
1407790956.298 686 192.168.2.10 TCP_MISS/200 2018 GET http://www.broexperts.com/wp-content/themes/BroExperts2/style.responsive.css? - HIER_DIRECT/216.172.181.206 text/css
1407790956.311 704 192.168.2.10 TCP_MISS/200 664 GET http://www.broexperts.com/wp-content/plugins/jetpack/modules/subscriptions/subscriptions.css? - HIER_DIRECT/216.172.181.206 text/css
1407790956.322 713 192.168.2.10 TCP_MISS/200 1297 GET http://www.broexperts.com/wp-content/plugins/crayon-syntax-highlighter/themes/classic/classic.css? - HIER_DIRECT/216.172.181.206 text/css

 

Perfect! Our log file is receiving information, which means Squid is working smoothly.
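To go beyond watching the log scroll, the native access.log format shown above can be summarised per client. This added example (not from the original post) counts requests, cache hits, TCP_DENIED responses and bytes for each client address; the function name and the sample log lines are constructed.

```bash
#!/bin/sh
# Added example: summarise Squid's native access.log per client address.
# Fields: time elapsed client code/status bytes method URL ident peer type

# Reads access.log lines on stdin; prints one sorted summary line per client.
summarize_access_log() {
    awk '
        NF < 10 { next }                         # skip truncated lines
        {
            split($4, cs, "/")                   # e.g. TCP_MISS/200
            client = $3
            reqs[client]++
            bytes[client] += $5
            if (cs[1] ~ /HIT/)    hits[client]++     # served from cache
            if (cs[1] ~ /DENIED/) denied[client]++   # rejected by http_access
        }
        END {
            for (c in reqs)
                printf "%s requests=%d hits=%d denied=%d bytes=%d\n",
                       c, reqs[c], hits[c], denied[c], bytes[c]
        }' | LC_ALL=C sort
}

# Constructed sample lines in the same format as the output above. The client
# 10.9.8.7 is outside 192.168.2.0/24, so the ACL answers it with TCP_DENIED.
SAMPLE_LOG='1407790956.166 558 192.168.2.10 TCP_MISS/200 4360 GET http://www.example.com/style.css - HIER_DIRECT/203.0.113.10 text/css
1407790957.201 3 192.168.2.10 TCP_MEM_HIT/200 4360 GET http://www.example.com/style.css - HIER_NONE/- text/css
1407790958.010 0 10.9.8.7 TCP_DENIED/403 3900 GET http://www.example.com/ - HIER_NONE/- text/html
1407790959.400 120 192.168.2.11 TCP_MISS/200 1500 GET http://www.example.com/a.js - HIER_DIRECT/203.0.113.10 application/javascript'

printf '%s\n' "$SAMPLE_LOG" | summarize_access_log
```

A non-zero denied count for an address outside the allowed network confirms that the closing http_access deny all rule is doing its job.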

 


6 thoughts on “How to Install Squid (Caching / Proxy) on CentOS 7”

  1. I have a problem with squid. When I try to start the service (CentOS 6.7) it fails. The PID file cannot be created in /var/run/. (/var/run/squid.pid: (13) Permission denied)
    My workaround is to switch SELinux from enforcing to permissive; the PID file will be created and the service will start.
    What can I do?
    Thank you!

    1. 1. Please put the command as root user
      2. Please see the log file from squid.log
      3. squid3 runs as the user proxy, so you set the owner user (and group) as proxy and then set permissions accordingly.
      You can do the following to change recursively the owner and owner group of all files under /var/cache/squid3 to user proxy and group proxy respectively:
      sudo chown -R proxy:proxy /var/cache/squid3
      Also make sure the owner has the right permission, the permission you currently have i.e. 0755 will do.
      In your case, as you can see the directory /var/cache/squid3 is only writable by root, hence you were getting the permission denied error.

      1. Hi Nazimcsekut,
        First of all, thank you for your support. I solved the problem, but another one seems to have appeared and I can’t find a way to solve it.
        When I put http_port 3128 in my squid.conf it works like a charm, inside the network and outside, but if I change it to http_port 3128 intercept or transparent I get access denied in the browser. I tried many solutions and none seems to solve my issue.

        My .conf looks like this:
        # Recommended minimum configuration:
        #

        # Example rule allowing access from your local networks.
        # Adapt to list your (internal) IP networks from where browsing
        # should be allowed
        acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
        acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
        acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
        acl localnet src fc00::/7 # RFC 4193 local private network range
        acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

        acl SSL_ports port 443
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http
        acl CONNECT method CONNECT

        #
        # Recommended minimum Access Permission configuration:
        #
        # Deny requests to certain unsafe ports
        http_access deny !Safe_ports

        # Deny CONNECT to other than secure SSL ports
        http_access deny CONNECT !SSL_ports

        # Only allow cachemgr access from localhost
        http_access allow localhost manager
        http_access deny manager

        # We strongly recommend the following be uncommented to protect innocent
        # web applications running on the proxy server who think the only
        # one who can access services on “localhost” is a local user
        #http_access deny to_localhost

        #
        # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
        #

        # Example rule allowing access from your local networks.
        # Adapt localnet in the ACL section to list your (internal) IP networks
        # from where browsing should be allowed
        http_access allow localnet
        http_access allow localhost

        # And finally deny all other access to this proxy
        http_access allow all
        visible_hostname clickers.go.ro

        # Squid normally listens to port 3128
        http_port 3128

        # Uncomment and adjust the following to add a disk cache directory.
        cache_dir ufs /var/spool/squid 100 16 256

        # Leave coredumps in the first cache dir
        coredump_dir /var/spool/squid

        #
        # Add any of your own refresh_pattern entries above these.
        #
        refresh_pattern ^ftp: 1440 20% 10080
        refresh_pattern ^gopher: 1440 0% 1440
        refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
        refresh_pattern . 0 20% 4320

  2. I do trust all of the concepts you’ve offered in your post. They are really convincing and can definitely work. Still, the posts are very short for starters. May you please extend them a little from next time? Thank you for the post.
