How to install squid proxy on centos 6 and 7

How to Install Squid (Caching / Proxy) on CentOS 7

yum clean all

yum -y update

yum -y install squid

squid -h

squid -v

systemctl start squid

systemctl enable squid

systemctl status squid

systemctl stop squid


Yum update

Update yum repositories and packages by typing the below command:

[root@naz ~]# yum update

Install Squid

Install squid package and dependencies using the below command:

[root@naz ~]# yum install squid

squid configuration file

By default, the Squid configuration file "/etc/squid/squid.conf" contains the recommended minimum configuration, and Squid's caching feature works without any changes.

Now start squid service

[root@naz ~]# service squid start

Then run the command below to start the Squid service automatically at boot.

[root@naz ~]# chkconfig --level 235 squid on

Setup your web browser to access Internet through proxy server on port 3128

IE: Tools » Internet options » Connections » LAN settings » Choose "Use a proxy server for your LAN" » Type your proxy server IP (192.168.1.11) and port number 3128

Firefox: Options / Preferences » Advanced » Network » Settings » Choose "Manual proxy configuration" » Type your proxy server IP (192.168.1.11) and port number 3128

Browse some sites and check the access log file on proxy server

[root@naz ~]# cat /var/log/squid/access.log

1343759484.331   1828 192.168.1.15 TCP_MISS/200 7005 GET http://www.krizna.com/ - DIRECT/216.172.163.231 text/html

1343759484.645    265 192.168.1.15 TCP_MISS/304 477 GET http://platform.twitter.com/widgets.js - DIRECT/23.64.79.144 application/javascript

1343759484.681    309 192.168.1.15 TCP_MISS/304 839 GET http://apis.google.com/js/plusone.js - DIRECT/173.194.36.36 -

Troubleshooting

If you are not able to browse using the proxy settings, disable the firewall (iptables) and the SELinux service on your Squid proxy server.

  1. Disable firewall ( Iptables ) »

[root@naz ~]# service iptables stop

[root@naz ~]# chkconfig iptables off

  2. Disable SELinux »

open the file /etc/selinux/config and find the line

SELINUX=enforcing

and replace with

SELINUX=disabled

now reboot the server

Configure squid proxy as web filter

You can restrict user access to particular websites or keywords using access control lists (ACLs) .

» Restricting Access to specific web sites :

For example , we can see how to block facebook.com and gmail.com .

Step 1 » create a file ( /etc/squid/blockedsites.squid ) and add the site names one per line.

[root@naz ~]# cat /etc/squid/blockedsites.squid

#blocked sites (domain names, not URLs; a leading dot also matches subdomains)

.facebook.com

.gmail.com

Step 2 » Open /etc/squid/squid.conf and create a new ACL "blocksites" of type "dstdomain" in the acl section, as shown below.

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

# ACL blocksites

acl blocksites dstdomain "/etc/squid/blockedsites.squid"

Then add the line "http_access deny blocksites" to the http_access section to deny access to the ACL "blocksites".

# Recommended minimum Access Permission configuration:

# Only allow cachemgr access from localhost

http_access allow manager localhost

# Deny access to blocksites ACL

http_access deny blocksites

Now restart squid service

[root@naz ~]# service squid restart

Try to access facebook.com in your browser, then check the log file; you will see that the Facebook request is denied.

[root@naz ~]# tail -f /var/log/squid/access.log

………………………………………………………………………

1343820985.542      1 192.168.1.15 TCP_DENIED/403 4255 GET http://www.facebook.com/ - NONE/- text/html
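To review denials without reading the log line by line, the following added example (not part of the original article) parses access.log lines in the layout shown above and counts TCP_DENIED hits per client and destination host. The sample log is constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (same field order as
# the lines shown above); clients and URLs are illustrative.
SAMPLE_LOG = """\
1343820985.542      1 192.168.1.15 TCP_DENIED/403 4255 GET http://www.facebook.com/ - NONE/- text/html
1343820990.101    265 192.168.1.15 TCP_MISS/200 7005 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html
1343820991.330      0 192.168.1.20 TCP_DENIED/403 4120 GET http://www.example.org/ - NONE/- text/html
1343820992.007      1 192.168.1.15 TCP_DENIED/403 4255 GET http://www.facebook.com/home.php - NONE/- text/html
1343820993.450      0 192.168.1.16 TCP_DENIED/403 3900 CONNECT www.gmail.com:443 - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": status, "method": f[5], "url": f[6]}

def target_host(method, url):
    """CONNECT requests log host:port; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def denied_summary(text):
    """Count TCP_DENIED hits per (client, destination host)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            hits[(rec["client"], target_host(rec["method"], rec["url"]))] += 1
    return hits

if __name__ == "__main__":
    for (client, host), n in denied_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client:15s}  {host}")
```

To run it against the real log, pass the contents of /var/log/squid/access.log to denied_summary() instead of SAMPLE_LOG.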

Restricting Access to specific keywords

Create a file ( /etc/squid/blockkeywords.squid ) and add the keywords one per line.

[root@naz ~]# cat /etc/squid/blockkeywords.squid

#blocked keywords

sex

porn

xxx

Open the /etc/squid/squid.conf and create a new acl “blockkeywords” and acl type “url_regex” in the acl section

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

# ACL blocksites

acl blocksites dstdomain "/etc/squid/blockedsites.squid"

# ACL blockkeywords

acl blockkeywords url_regex -i "/etc/squid/blockkeywords.squid"

Then add the line "http_access deny blockkeywords" to the http_access section to deny access to the ACL "blockkeywords".

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

# Deny access to blocksites ACL

http_access deny blocksites

# Deny access to blockkeywords ACL

http_access deny blockkeywords

Restricting Access to specific IP addresses

Create a file ( /etc/squid/blockip.squid ) and add the IP addresses one per line.

[root@naz ~]# cat /etc/squid/blockip.squid

#blocked ips

192.168.1.20

192.168.1.21

Open the /etc/squid/squid.conf and create a new acl “blockip” and acl type “src” in the acl section

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

# ACL blocksites

acl blocksites dstdomain "/etc/squid/blockedsites.squid"

# ACL blockkeywords

acl blockkeywords url_regex -i "/etc/squid/blockkeywords.squid"

# ACL blockip

acl blockip src "/etc/squid/blockip.squid"

Then add the line "http_access deny blockip" to the http_access section to deny access to the ACL "blockip".

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

# Deny access to blockip ACL

http_access deny blockip

# Deny access to blocksites ACL

http_access deny blocksites

# Deny access to blockkeywords ACL

http_access deny blockkeywords

Allow Full access to specific IP addresses

You can give specific IP addresses full access, without site and keyword blocking. Create a file "/etc/squid/allowip.squid", add the IP addresses one per line, and create an ACL "allowip" of type "src" in the acl section.

# ACL allowip

acl allowip src "/etc/squid/allowip.squid"

and add the “allowip” in the http_access as below

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

# Deny access to blockip ACL

http_access deny blockip

# Deny access to blocksites ACL

http_access deny blocksites !allowip

# Deny access to blockkeywords ACL

http_access deny blockkeywords !allowip
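The following added sketch (not part of the original article, and not Squid's own code) models how the http_access lines above are evaluated: top to bottom, the first matching line wins, and ACLs on one line are ANDed. The allowip address, the final allow rule for the LAN and the sample requests are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the ACL files above. The allowip address is an
# assumption; the article does not list one.
BLOCKSITES = [".facebook.com", ".gmail.com"]   # dstdomain
BLOCKKEYWORDS = ["sex", "porn", "xxx"]         # url_regex -i
BLOCKIP = ["192.168.1.20", "192.168.1.21"]     # src
ALLOWIP = ["192.168.1.50"]                     # src (hypothetical)

def dstdomain(host, entries):
    """'.example.com' matches the domain and its subdomains; 'example.com' only itself."""
    host = (host or "").lower()
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in entries)

def src(client, entries):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(e) for e in entries)

def url_regex_i(url, patterns):
    """Unanchored, case-insensitive search over the whole request URL."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

def decide(client, method, url):
    """Walk the http_access lines top to bottom; the first matching line wins."""
    # For CONNECT (HTTPS tunnels) the proxy only sees host:port, never the path.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    acl = {"blockip": src(client, BLOCKIP), "allowip": src(client, ALLOWIP),
           "blocksites": dstdomain(host, BLOCKSITES),
           "blockkeywords": url_regex_i(url, BLOCKKEYWORDS)}
    rules = [("deny", ["blockip"]),
             ("deny", ["blocksites", "!allowip"]),
             ("deny", ["blockkeywords", "!allowip"]),
             ("allow", [])]  # assumption: a later allow rule for the LAN
    for action, names in rules:
        if all((not acl[n[1:]]) if n.startswith("!") else acl[n] for n in names):
            return action, " ".join(names) or "lan allow"
    return "deny", "no rule matched"

if __name__ == "__main__":
    for req in [("192.168.1.15", "GET", "http://www.facebook.com/"),
                ("192.168.1.50", "GET", "http://www.facebook.com/"),
                ("192.168.1.15", "GET", "http://www.sussex.example/"),
                ("192.168.1.15", "CONNECT", "www.example.org:443")]:
        print(req, "->", decide(*req))
```

The sussex request shows that an unanchored keyword also matches inside unrelated hostnames, and the CONNECT case shows that url_regex cannot see the path of a request inside an HTTPS tunnel. Because the first match wins, the deny lines only take effect when they sit above the allow rule for the LAN.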

Changing squid proxy port number

You can change squid proxy port number , by default it uses 3128 port .

Just find the below line in “/etc/squid/squid.conf”

http_port 3128

and replace with

http_port 8000 # whatever port number you want

Restricting Download size

You can restrict download file size using reply_body_max_size .

Add the below line at the bottom of the http_access section

#Restrict download size

reply_body_max_size 10 MB all

or

#Restrict download size

reply_body_max_size 10 MB !allowip

Configuring Squid as Transparent Proxy

You can configure squid as transparent proxy .

Step 1 » just find the below line

# Squid normally listens to port 3128

http_port 3128

and replace with

# Squid normally listens to port 3128

http_port 3128 intercept

just run the script

[root@naz ~]# sh /root/squidfw.sh

and add the below line to “/etc/rc.local” to run the script during startup

sh /root/squidfw.sh

Step 4 (Updated) » Change default gateway ip to squid server ip on the user machines .

Now users can access Internet without setting proxy in the browser settings.

That's it. I hope this article helps you learn a little about configuring a Squid proxy on CentOS 6.

