Friday, December 12

Configure SQUID Proxy Server with Examples on Linux RHEL/CentOS

                                  
A proxy server is a device that usually sits between a client and the destination the user is trying to reach. It can provide security and even protection for the client behind the proxy. Squid, a web proxy server for Red Hat, helps with this.

It sits between the client and the web server that the user is trying to connect to. These devices are often used when you want to control access to the Internet (think web filtering).

As a web proxy, it can also cache data that users request from the web and make it locally available, reducing the load on your external devices such as gateways and firewalls.

When setting up your proxy server, you need to know the following items:

/etc/sysconfig/squid      :    Startup options for the config file.
/etc/squid/squid.conf    :    Main config file for the service.
/var/spool/squid            :    cache location on the proxy server.
/var/log/squid                :    Log files for the proxy server.

Let’s look at some of the main configuration options:

http_port                     :   Specifies the port to listen on.
visible_hostname       :   Identifies the name of the squid server.
access_log                  :   Keeps track of the web pages that are downloaded.
acl                               :   Defines an access control list.
http_access                :   Defines which systems or networks have access.



Installing & Configuring the Squid Proxy Server:

Step1: Install the package with the following command

       # yum install squid*  -y

Step2: Verify that the package is installed

      # rpm -qa | grep squid

Step3: Start the squid proxy

      # service squid start

Step4: Enable squid to start at boot

     # chkconfig squid on

Step5: Verify the service will start at boot

     # chkconfig  squid  --list

Web Proxy Security:

Squid uses host-based security through the use of access control lists. These ACLs are configured in the main config file, "/etc/squid/squid.conf". In the config file, you can define an ACL for your network and give all other networks access to the proxy server.

1).Configure SQUID to Block Specific Website :

   Add the rules below to the squid configuration file to block specific websites. In this example we block www.facebook.com and www.youtube.com.

     # vim  /etc/squid/squid.conf

         acl blocksite1 dstdomain www.facebook.com
         acl blocksite2 dstdomain www.youtube.com
         http_access deny blocksite1
         http_access deny blocksite2

2). Block multiple domains with single file :

  If you have a number of websites, create a file "/etc/squid/blocksites.txt" and put the website names in this file.

    # vim /etc/squid/blocksites.txt

         www.google.com
         www.rediff.com
         www.yahoo.com
         www.gmail.com
         -------------
         -------------
         www.amazon.com

     :wq (save&quit)

  Add the above file to the Squid configuration file to block the listed domains.

   # vim   /etc/squid/squid.conf

       acl  blocksites  dstdomain "/etc/squid/blocksites.txt"
       http_access deny blocksites
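
The dstdomain entries in sections 1 and 2 name exact hosts. As an added illustration (not code from the original article or from Squid), this Python sketch models Squid's dstdomain rule, where an entry matches only that hostname unless it begins with a dot, in which case it covers the domain and every subdomain. The function names and the sample host lists are constructed for the example.

```python
# Added example: models Squid's dstdomain matching to check blocklist coverage.
# Function names and sample hostnames are constructed for illustration.

def dstdomain_match(entry: str, host: str) -> bool:
    """True if a dstdomain ACL entry covers the requested host."""
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    if entry.startswith("."):
        # ".example.com" covers example.com and every subdomain of it.
        return host == entry[1:] or host.endswith(entry)
    # Without the leading dot only the exact hostname matches.
    return host == entry


def load_entries(text: str) -> list:
    """Parse a blocksites.txt-style list: one entry per line, blanks skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def uncovered(entries: list, hosts: list) -> list:
    """Hosts that no entry matches, i.e. requests the deny rule lets through."""
    return [h for h in hosts
            if not any(dstdomain_match(e, h) for e in entries)]


# Constructed sample data: exact-host entries as in the article vs. dotted ones.
EXACT_LIST = "www.facebook.com\nwww.youtube.com\n"
DOTTED_LIST = ".facebook.com\n.youtube.com\n"
REQUESTED = ["www.facebook.com", "facebook.com", "m.facebook.com",
             "WWW.YouTube.com", "music.youtube.com"]

if __name__ == "__main__":
    print("exact entries miss :", uncovered(load_entries(EXACT_LIST), REQUESTED))
    print("dotted entries miss:", uncovered(load_entries(DOTTED_LIST), REQUESTED))
```

Running a check like this against the hostnames seen in access_log shows whether a block list covers what users actually request.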

Client side configuration :

   Open a web browser > Tools > Internet options > Network settings and set the Squid server IP address and port 3128.


3). Configure Squid to Block Specific Keyword

   Add the rules below to the squid configuration file to block specific keywords. In this example we block the "mail" and "tube" keywords.

       # vim  /etc/squid/squid.conf

         acl blockkey1 url_regex  mail
         acl blockkey2 url_regex  tube
         http_access deny blockkey1
         http_access deny blockkey2

4). Configure Squid to Block list of Keywords

    If you have a number of keywords, create a file "/etc/squid/blockkeywords.txt" and put the keywords in this file.

      # vim /etc/squid/blockkeywords.txt

           Gmail
           Tube
           Facebook
           Social
           Media

        :wq (save&quit)

  Add the above file to the Squid configuration file to block the listed keywords.

     # vim  /etc/squid/squid.conf

        # url_regex matches keywords anywhere in the URL; -i makes the match case-insensitive
        acl  blockkeywords  url_regex  -i  "/etc/squid/blockkeywords.txt"
        http_access deny blockkeywords
                                  

                   Configure Squid for MAC Address Based Rules

5). Block single site for Single MAC Address
     In this example we block the www.youtube.com site for the system with MAC address EC:A8:6B:F6:66:68.

  ACL Rule:

       acl blocksite1 dstdomain www.youtube.com
       acl sysmac1 arp  EC:A8:6B:F6:66:68
       http_access deny blocksite1 sysmac1

6). Block all sites for Single MAC Address

     In this example we block all sites for the system with MAC address EC:A8:6B:F6:66:68.

   ACL Rule:

       acl sysmac1 arp  EC:A8:6B:F6:66:68
       http_access deny  sysmac1

7). Block single site for Multiple MAC Addresses

   In this example we block the www.bsrtech.net site for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35, etc.
   Create a file "/etc/squid/mac-addrs.txt" and put the MAC addresses in this file.

    # vim  /etc/squid/mac-addrs.txt

        EC:A8:6B:F6:66:68 
        AT:B8:6D:F6:46:35
        -----------------
        -----------------   
        CT:B8:6D:F6:46:48
        SG:B8:6D:F6:46:21

   ACL Rule:

      acl blocksite1 dstdomain www.bsrtech.net
      acl sysmacs arp  "/etc/squid/mac-addrs.txt"
      http_access deny blocksite1 sysmacs

8). Block all sites for Multiple MAC Addresses

     In this example we block all websites for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35, etc.
     Create a file "/etc/squid/mac-addrs.txt" and put the MAC addresses in this file.

     # vim  /etc/squid/mac-addrs.txt

        EC:A8:6B:F6:66:68 
        AT:B8:6D:F6:46:35
        -----------------
        -----------------   
        CT:B8:6D:F6:46:48
        SG:B8:6D:F6:46:21

   ACL Rule:

       acl sysmacs arp  "/etc/squid/mac-addrs.txt"
       http_access deny  sysmacs

9). Allow Specific site for Single MAC Address

   In this example we allow the www.bsrtech.net site for the system with MAC address EC:A8:6B:F6:66:68 and deny other sites.

  ACL Rule :

      acl allowsite1 dstdomain www.bsrtech.net
      acl sysmac1 arp  EC:A8:6B:F6:66:68
      http_access allow allowsite1 sysmac1
      http_access deny sysmac1

10). Allow Multiple sites for Single MAC Address

    In this example we allow multiple sites for the system with MAC address EC:A8:6B:F6:66:68 and deny other sites.
    Create a file "/etc/squid/allowsites.txt" and put the website names in this file.

     # vim /etc/squid/allowsites.txt

         www.google.com
         www.rediff.com
         www.yahoo.com
         www.gmail.com
         -------------
         -------------
         www.amazon.com

     :wq (save&quit)

  ACL Rule :

      acl allowsites dstdomain  "/etc/squid/allowsites.txt"
      acl sysmac1 arp  EC:A8:6B:F6:66:68
      http_access allow allowsites sysmac1
      http_access deny sysmac1

11). Allow Specific site for Multiple MAC Addresses

    In this example we allow the www.bsrtech.net website for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35, etc. and deny other sites.
    Create a file "/etc/squid/mac-addrs.txt" and put the MAC addresses in this file.

      # vim  /etc/squid/mac-addrs.txt

        EC:A8:6B:F6:66:68 
        AT:B8:6D:F6:46:35
        -----------------
        -----------------   
        CT:B8:6D:F6:46:48
        SG:B8:6D:F6:46:21

   ACL Rule:

       acl allowsite1 dstdomain www.bsrtech.net
       acl sysmacs arp  "/etc/squid/mac-addrs.txt"
       http_access allow allowsite1  sysmacs
       http_access deny  sysmacs

12). Allow Multiple sites for Multiple MAC Addresses

  In this example we allow multiple websites for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35, etc. and deny other sites.
  Create a file "/etc/squid/allowsites.txt" and put the website names in this file.

    # vim /etc/squid/allowsites.txt

         www.google.com
         www.rediff.com
         www.yahoo.com
         www.gmail.com
         -------------
         -------------
         www.amazon.com

      :wq (save&quit)

  Create a file "/etc/squid/mac-addrs.txt" and put the MAC addresses in this file.

    # vim  /etc/squid/mac-addrs.txt

        EC:A8:6B:F6:66:68 
        AT:B8:6D:F6:46:35
        -----------------
        -----------------   
        CT:B8:6D:F6:46:48
        SG:B8:6D:F6:46:21

  ACL Rule:

      acl allowsites dstdomain  "/etc/squid/allowsites.txt"
      acl sysmacs arp  "/etc/squid/mac-addrs.txt"
      http_access allow allowsites  sysmacs
      http_access deny  sysmacs
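
Sections 9 to 12 depend on two Squid behaviours: ACL names on one http_access line are ANDed, and the first matching line decides the request. The Python model below is an added example (not Squid's code or the author's) that runs the section 11 rules in both orders and checks a constructed mac-addrs.txt list, since placeholder entries such as AT:B8:6D:F6:46:35 and the separator lines are not valid hexadecimal MAC addresses. The helper names, the request dictionary and the address 00:1A:2B:3C:4D:5E are assumptions.

```python
# Added example: a minimal model of how Squid evaluates http_access rules.
# It is not Squid code; the request fields and helper names are constructed.
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def load_macs(text):
    """Split a mac-addrs.txt-style list into (valid, rejected) entries."""
    valid, rejected = set(), []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if MAC_RE.match(entry):
            valid.add(entry.lower())
        else:
            rejected.append(entry)
    return valid, rejected


def evaluate(rules, acls, request):
    """First matching rule wins; every ACL named on a line must match (AND)."""
    for action, names in rules:
        if all(acls[name](request) for name in names):
            return action
    return None  # Fell through: decided by later rules in squid.conf.


# Constructed list file: two valid addresses plus the kinds of lines to catch.
MAC_FILE = ("EC:A8:6B:F6:66:68\nAT:B8:6D:F6:46:35\n"
            "-----------------\n00:1A:2B:3C:4D:5E\n")
SYSMACS, REJECTED = load_macs(MAC_FILE)

ACLS = {
    "allowsite1": lambda r: r["host"] == "www.bsrtech.net",
    "sysmacs": lambda r: r["mac"].lower() in SYSMACS,
}
# Rule order from section 11 of the article.
RULES = [("allow", ["allowsite1", "sysmacs"]), ("deny", ["sysmacs"])]
# Same rules with the order swapped, to show why order matters.
SWAPPED = list(reversed(RULES))

if __name__ == "__main__":
    req = {"host": "www.bsrtech.net", "mac": "ec:a8:6b:f6:66:68"}
    print("rejected entries:", REJECTED)
    print("article order   :", evaluate(RULES, ACLS, req))
    print("swapped order   :", evaluate(SWAPPED, ACLS, req))
```

With the order swapped, the broader deny line matches first and the allowed site is never reached, which is why the allow line has to come before the deny line for the same MAC list.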
    
       Thanks for taking the time to read this article, I hope it's helpful for all Linux Legends.

5 comments:

  1. Hello Sir,

    Thank you for good article. Is last version squid supports Java on the web not Javascript?

  2. Thank you a lot ¡¡¡ i'm learning and proving " acl arp--->http_access sysmacs"

  3. Hi,
    Article was good. Can we configure squid in ubuntu 14.04

  4. do you have any Active Directory Authenticate squid tutorials?


:: Linux - Legends ::