A proxy server is a device that sits between a client and the destination the client is trying to reach. It can provide security and protection for the clients behind it. On Red Hat systems the usual choice of web proxy is Squid.
Squid sits between the client and the web server the user wants to connect to; these devices are commonly deployed when you want to control access to the Internet (think web filtering).
As a web proxy it can also cache data that users request from the web and serve it locally, reducing the load on your external devices such as gateways and firewalls.
When setting up your proxy server, you need to know the following items:
/etc/sysconfig/squid : Startup options for the squid service (variables such as SQUID_OPTS read by the init script).
/etc/squid/squid.conf : Main config file for the service.
/var/spool/squid : Cache directory on the proxy server.
/var/log/squid : Log files for the proxy server (access.log and cache.log).
Let’s look at some of the main configuration options:
http_port : The port Squid listens on (default 3128).
visible_hostname : The name the Squid server reports in error pages and headers.
access_log : Where every client request is recorded (by default /var/log/squid/access.log).
acl : Defines a named access control list.
http_access : Allows or denies requests that match the named ACLs; the rules are evaluated top to bottom and the first match wins.
Installing & Configuring the Squid Proxy Server:
Step 1: Install the package with the following command
# yum install squid -y
Step 2: Verify that the package is installed
# rpm -qa | grep squid
Step 3: Start the squid proxy
# service squid start
Step 4: Enable squid to start at boot
# chkconfig squid on
Step 5: Verify the service will start at boot
# chkconfig squid --list
(These are the SysV commands for RHEL/CentOS 6; on RHEL/CentOS 7 and later use systemctl start squid, systemctl enable squid and systemctl is-enabled squid instead.)
Web Proxy Security:
Squid uses host-based security through access control lists. These ACLs are configured in the main config file, "/etc/squid/squid.conf". In that file you define an ACL for your own network, allow it, and deny everything else; the stock squid.conf already ships with this pattern (acl localnet src ..., http_access allow localnet, http_access deny all). Because http_access rules are evaluated top to bottom and the first match wins, every deny rule in the examples below must be placed above the http_access allow localnet line. A deny rule added after it is never reached.
1). Configure Squid to block a specific website:
Add the rules below to the squid configuration file to block specific websites. In this example we block www.facebook.com and www.youtube.com. Note that dstdomain www.facebook.com matches only that exact host; write .facebook.com (with a leading dot) to cover the domain and all of its subdomains. Because the hostname is also present in the CONNECT request, dstdomain rules apply to HTTPS sites as well.
# vim /etc/squid/squid.conf
acl blocksite1 dstdomain www.facebook.com
acl blocksite2 dstdomain www.youtube.com
http_access deny blocksite1
http_access deny blocksite2
2). Block multiple domains with a single file:
If you have a number of websites, create a file "/etc/squid/blocksites.txt" and put one hostname per line in it (hostnames only, no http:// prefix or path).
# vim /etc/squid/blocksites.txt
www.google.com
www.rediff.com
www.yahoo.com
www.gmail.com
-------------
-------------
www.amazon.com
:wq (save&quit)
Reference that file in the squid configuration file to block the listed domains:
# vim /etc/squid/squid.conf
acl blocksites dstdomain "/etc/squid/blocksites.txt"
http_access deny blocksites
Client side configuration:
Point the browser at the proxy: open its proxy/network settings (for example Tools > Internet Options > Connections > LAN settings in Internet Explorer) and enter the Squid server's IP address with port 3128, Squid's default http_port.
3). Configure Squid to block a specific keyword
Add the rules below to block any URL containing a keyword. In this example we block the keywords "mail" and "tube". url_regex is matched against the whole request URL and is case-sensitive unless you add -i (acl blockkey1 url_regex -i mail). For HTTPS the only URL Squid sees is the host:port from the CONNECT request, so keywords in paths or query strings cannot be matched for encrypted sites.
# vim /etc/squid/squid.conf
acl blockkey1 url_regex mail
acl blockkey2 url_regex tube
http_access deny blockkey1
http_access deny blockkey2
4). Configure Squid to block a list of keywords
If you have a number of keywords, create a file "/etc/squid/blockkeywords.txt" and put one keyword per line. Each line is a regular expression, and the capitalised entries below will only match lowercase URLs if the ACL is declared with -i.
# vim /etc/squid/blockkeywords.txt
Gmail
Tube
Social
Media
:wq (save&quit)
Reference that file in the squid configuration file to block the listed keywords. The ACL type must be url_regex (not dstdomain), because the entries are patterns rather than hostnames, and the path must not contain stray spaces:
# vim /etc/squid/squid.conf
acl blockkeywords url_regex -i "/etc/squid/blockkeywords.txt"
http_access deny blockkeywords
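To see why rule placement and ACL semantics matter, here is a small model of Squid's http_access evaluation written for this article as an added example (it is not Squid's code). It implements only the dstdomain, url_regex and src ACL types used in steps 1 to 4, with the constructed client addresses 192.168.1.10 and 192.168.1.11 standing in for localnet, and shows three things: deny rules appended after the stock http_access allow localnet line never fire for LAN clients, dstdomain www.facebook.com does not cover m.facebook.com while .facebook.com does, and url_regex is case-sensitive unless declared with -i. The ACL names, hosts and URLs are all constructed for the demo.

```python
import re

# Added illustration of Squid's http_access evaluation; not Squid's own code.
# Modelled ACL types: src (exact IP, a simplification), dstdomain, url_regex, all.
# Client IPs, URLs and ACL names below are constructed for the demo.


def dstdomain_match(pattern, host):
    """dstdomain: a leading dot matches the domain and every subdomain;
    without it the match is exact, so www.facebook.com misses m.facebook.com."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def url_regex_match(pattern, url, ignore_case=False):
    """url_regex: regex searched anywhere in the request URL, case-sensitive
    unless the ACL carries -i. For CONNECT (HTTPS) the URL is just host:port,
    so path keywords never match encrypted traffic."""
    return re.search(pattern, url, re.IGNORECASE if ignore_case else 0) is not None


def acl_matches(acl, request):
    kind = acl["type"]
    if kind == "all":
        return True
    if kind == "src":
        return request["src"] in acl["values"]
    if kind == "dstdomain":
        return any(dstdomain_match(v, request["host"]) for v in acl["values"])
    if kind == "url_regex":
        ci = "-i" in acl.get("opts", ())
        return any(url_regex_match(v, request["url"], ci) for v in acl["values"])
    raise ValueError("unsupported acl type: " + kind)


def evaluate(acls, http_access, request):
    """First http_access line whose ACLs all match decides. If nothing matches,
    Squid applies the opposite of the last line's action, which is why every
    config should end with 'http_access deny all'."""
    for action, names in http_access:
        if all(acl_matches(acls[n], request) for n in names):
            return action
    return "deny" if http_access[-1][0] == "allow" else "allow"


def make_request(src, method, url):
    """Build the request view Squid works with: full URL for GET, host:port for CONNECT."""
    host = url.split(":")[0] if method == "CONNECT" else re.match(r"^\w+://([^/:]+)", url).group(1)
    return {"src": src, "method": method, "url": url, "host": host}


ACLS = {
    "localnet":   {"type": "src", "values": {"192.168.1.10", "192.168.1.11"}},
    "blocksite1": {"type": "dstdomain", "values": ["www.facebook.com"]},   # exact host only
    "blockfb":    {"type": "dstdomain", "values": [".facebook.com"]},      # whole domain
    "blockkey1":  {"type": "url_regex", "values": ["Tube"]},               # case-sensitive
    "blockkeyi":  {"type": "url_regex", "values": ["Tube"], "opts": ("-i",)},
    "all":        {"type": "all"},
}

# Deny rules appended below the stock 'allow localnet' line: never reached for LAN clients.
WRONG_ORDER = [("allow", ["localnet"]), ("deny", ["blockfb"]), ("deny", ["blockkeyi"]), ("deny", ["all"])]
# Deny rules placed above the allow line: evaluated first, as intended.
RIGHT_ORDER = [("deny", ["blockfb"]), ("deny", ["blockkeyi"]), ("allow", ["localnet"]), ("deny", ["all"])]


def demo():
    fb = make_request("192.168.1.10", "GET", "http://m.facebook.com/home")
    yt = make_request("192.168.1.10", "CONNECT", "www.youtube.com:443")
    outsider = make_request("10.0.0.5", "GET", "http://www.example.com/")
    return {
        "wrong_order_facebook": evaluate(ACLS, WRONG_ORDER, fb),   # allow: deny never reached
        "right_order_facebook": evaluate(ACLS, RIGHT_ORDER, fb),   # deny
        "right_order_youtube": evaluate(ACLS, RIGHT_ORDER, yt),    # deny via -i keyword on host:443
        "outsider": evaluate(ACLS, RIGHT_ORDER, outsider),         # deny all
        "exact_host_misses_subdomain": acl_matches(ACLS["blocksite1"], fb),  # False
        "case_sensitive_keyword": acl_matches(ACLS["blockkey1"], yt),        # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model is deliberately narrow (no src subnets, no time or proto ACLs), but the ordering rule it encodes is exactly what decides whether the deny lines in this article work. After editing the real squid.conf, run squid -k parse to check the syntax and squid -k reconfigure to apply it.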
Configure Squid for MAC address based access control
The arp ACL matches on the client's hardware (MAC) address. Two caveats before relying on it: Squid can only see the MAC of clients on the same layer-2 network as the proxy (anything behind a router arrives with the router's address), and a MAC address is trivially changed by the user, so treat these rules as convenience filtering rather than a security boundary. The ACL type also requires a Squid build with ARP/EUI ACL support (the --enable-eui, formerly --enable-arp-acl, build option).
5). Block a single site for a single MAC address
In this example we block www.youtube.com for the system with MAC address EC:A8:6B:F6:66:68
ACL Rule:
acl blocksite1 dstdomain www.youtube.com
acl sysmac1 arp EC:A8:6B:F6:66:68
http_access deny blocksite1 sysmac1
6). Block all sites for a single MAC address
In this example we block every site for the system with MAC address EC:A8:6B:F6:66:68
ACL Rule:
acl sysmac1 arp EC:A8:6B:F6:66:68
http_access deny sysmac1
7). Block a single site for multiple MAC addresses
In this example we block www.bsrtech.net for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on.
Create a file "/etc/squid/mac-addrs.txt" and put one MAC address per line. Each address must be six hexadecimal octets (0-9, A-F); the non-hex entries in the listing below are placeholders and must be replaced with real addresses, since Squid logs an error for any entry it cannot decode.
# vim /etc/squid/mac-addrs.txt
EC:A8:6B:F6:66:68
AT:B8:6D:F6:46:35
-----------------
-----------------
CT:B8:6D:F6:46:48
SG:B8:6D:F6:46:21
ACL Rule:
acl blocksite1 dstdomain www.bsrtech.net
acl sysmacs arp "/etc/squid/mac-addrs.txt"
http_access deny blocksite1 sysmacs
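Because a malformed entry in an ACL list file is at best ignored with an error and at worst stops the configuration from loading, it pays to check the list files before pointing squid.conf at them. The script below is an added pre-flight check written for this article (it is not part of Squid): it validates a MAC list like the one above (non-hex placeholders such as the AT:... entry are reported, duplicates are collapsed, and entries are normalised to upper-case colon form) and a dstdomain list like /etc/squid/blocksites.txt (full URLs or paths are reported, because dstdomain expects bare hostnames, and www.-only entries get a warning that they do not cover the rest of the domain). The sample file contents are constructed; Squid's own loader skips blank lines and lines starting with #, which the checker mirrors.

```python
import re

# Added pre-flight lint for Squid ACL list files; not part of Squid.
# Like Squid's loader, blank lines and lines starting with '#' are skipped.

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(r"^\.?" + LABEL + r"(?:\." + LABEL + r")*$")

# Constructed samples standing in for /etc/squid/mac-addrs.txt and blocksites.txt
SAMPLE_MACS = """\
EC:A8:6B:F6:66:68
AT:B8:6D:F6:46:35
ec:a8:6b:f6:66:68
# lab printer
00:11:22:33:44
"""
SAMPLE_DOMAINS = """\
www.facebook.com
http://www.youtube.com/
.rediff.com
www.yahoo.com/mail
www.facebook.com
"""


def _entries(text):
    """Yield (line_no, entry) for non-blank, non-comment lines, as Squid reads them."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def check_mac_list(text):
    """Return (valid_macs, problems). MACs are normalised to upper-case colon form;
    problems are (line_no, entry, reason). Malformed entries are the ones Squid
    cannot decode; duplicates are harmless but worth removing."""
    valid, seen, problems = [], set(), []
    for n, entry in _entries(text):
        if not MAC_RE.match(entry):
            problems.append((n, entry, "not six hex octets separated by ':'"))
            continue
        mac = entry.upper()
        if mac in seen:
            problems.append((n, entry, "duplicate entry"))
            continue
        seen.add(mac)
        valid.append(mac)
    return valid, problems


def check_domain_list(text):
    """Return (valid_hosts, problems, warnings) for a dstdomain list. A leading dot
    is valid and covers subdomains; a scheme or path makes the entry useless."""
    valid, seen, problems, warnings = [], set(), [], []
    for n, entry in _entries(text):
        if "://" in entry or "/" in entry:
            problems.append((n, entry, "dstdomain takes hostnames, not URLs or paths"))
            continue
        if not HOST_RE.match(entry):
            problems.append((n, entry, "not a valid hostname"))
            continue
        host = entry.lower()
        if host in seen:
            problems.append((n, entry, "duplicate entry"))
            continue
        if host.startswith("www."):
            warnings.append((n, entry, "matches only this host; use ." + host[4:] + " for the whole domain"))
        seen.add(host)
        valid.append(host)
    return valid, problems, warnings


if __name__ == "__main__":
    for name, result in (("mac-addrs.txt", check_mac_list(SAMPLE_MACS)),
                         ("blocksites.txt", check_domain_list(SAMPLE_DOMAINS))):
        print(name, "ok:", result[0])
        for problem in result[1]:
            print(name, "line %d: %r -> %s" % problem)
```

Run it against the real files before squid -k parse; a clean result from both checks and a clean parse is the point at which squid -k reconfigure is safe to issue.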
8). Block all sites for multiple MAC addresses
In this example we block all websites for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on.
Reuse the "/etc/squid/mac-addrs.txt" file created in step 7.
ACL Rule:
acl sysmacs arp "/etc/squid/mac-addrs.txt"
http_access deny sysmacs
9). Allow a specific site for a single MAC address
In this example we allow www.bsrtech.net for the system with MAC address EC:A8:6B:F6:66:68 and deny all other sites.
ACL Rule :
acl allowsite1 dstdomain www.bsrtech.net
acl sysmac1 arp EC:A8:6B:F6:66:68
http_access allow allowsite1 sysmac1
http_access deny sysmac1
10). Allow multiple sites for a single MAC address
In this example we allow multiple sites for the system with MAC address EC:A8:6B:F6:66:68 and deny all other sites.
Create a file "/etc/squid/allowsites.txt" and put one hostname per line.
# vim /etc/squid/allowsites.txt
www.google.com
www.rediff.com
www.yahoo.com
www.gmail.com
-------------
-------------
www.amazon.com
:wq (save&quit)
ACL Rule :
acl allowsites dstdomain "/etc/squid/allowsites.txt"
acl sysmac1 arp EC:A8:6B:F6:66:68
http_access allow allowsites sysmac1
http_access deny sysmac1
11). Allow a specific site for multiple MAC addresses
In this example we allow www.bsrtech.net for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on, and deny all other sites.
Reuse the "/etc/squid/mac-addrs.txt" file created in step 7.
ACL Rule:
acl allowsite1 dstdomain www.bsrtech.net
acl sysmacs arp "/etc/squid/mac-addrs.txt"
http_access allow allowsite1 sysmacs
http_access deny sysmacs
12). Allow multiple sites for multiple MAC addresses
In this example we allow multiple websites for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on, and deny all other sites.
Reuse the "/etc/squid/allowsites.txt" file created in step 10 and the "/etc/squid/mac-addrs.txt" file created in step 7.
ACL Rule:
acl allowsites dstdomain "/etc/squid/allowsites.txt"
acl sysmacs arp "/etc/squid/mac-addrs.txt"
http_access allow allowsites sysmacs
http_access deny sysmacs
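Whatever combination of the rules above you deploy, the access_log listed at the top of the article is where you confirm that they actually bite: a blocked request is recorded with the result code TCP_DENIED and HTTP status 403. The script below is an added example written for this article (not a Squid tool) that parses lines in Squid's default native log format (timestamp, elapsed ms, client IP, result code/status, bytes, method, URL, user, hierarchy/peer, MIME type), counts denied requests per client and per destination host, and flags clients that repeatedly hit blocked sites. The log lines, the 192.168.1.x clients and the hostnames are constructed for the demo.

```python
import sys
from collections import Counter
from urllib.parse import urlsplit

# Added example: summarise denied requests from Squid's native access.log format.
# Not a Squid tool. The log lines below are constructed for the demo.

SAMPLE_LOG = """\
1445420281.123     45 192.168.1.10 TCP_DENIED/403 3906 GET http://www.facebook.com/ - HIER_NONE/- text/html
1445420282.004      0 192.168.1.10 TCP_DENIED/403 3500 CONNECT www.youtube.com:443 - HIER_NONE/- text/html
1445420290.500    120 192.168.1.11 TCP_MISS/200 15234 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1445420291.010      0 192.168.1.10 TCP_DENIED/403 3906 GET http://m.facebook.com/home - HIER_NONE/- text/html
1445420295.777     88 192.168.1.11 TCP_DENIED/403 3500 CONNECT mail.example.net:443 - HIER_NONE/- text/html
garbage line that does not parse
"""


def parse_line(line):
    """Split one native-format line into a dict; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, code_status, size, method, url, user, hierarchy, mime = parts[:10]
    if "/" not in code_status:
        return None
    code, status = code_status.split("/", 1)
    # CONNECT requests are logged as host:port; everything else as a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)
    return {"ts": float(ts), "elapsed_ms": int(elapsed), "client": client, "code": code,
            "status": status, "bytes": int(size), "method": method, "url": url, "host": host}


def denied_summary(log_text, threshold=2):
    """Count TCP_DENIED entries per client and per destination host, and list the
    clients with at least `threshold` denied requests (repeat offenders worth a look)."""
    per_client, per_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED":
            continue
        per_client[rec["client"]] += 1
        per_host[rec["host"]] += 1
    offenders = sorted(c for c, n in per_client.items() if n >= threshold)
    return {"per_client": dict(per_client), "per_host": dict(per_host), "offenders": offenders}


if __name__ == "__main__":
    # Pipe a real log in (python3 denied.py < /var/log/squid/access.log) or run the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = denied_summary(text)
    print("denied per client:", summary["per_client"])
    print("denied per host:  ", summary["per_host"])
    print("repeat offenders: ", summary["offenders"])
```

If a request you expected to be blocked shows up as TCP_MISS/200 instead of TCP_DENIED/403, the usual cause is the deny rule sitting below http_access allow localnet in squid.conf. Note that the parser assumes the default native format; if logformat has been customised, the field positions change.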
Thanks for taking the time to read this article; I hope it's helpful for all Linux Legends.
Hello Sir,
Thank you for the good article. Does the latest version of squid support Java on the web, not Javascript?
Thank you a lot!!! I'm learning and proving "acl arp ---> http_access sysmacs"
Hi,
The article was good. Can we configure squid on Ubuntu 14.04?
Good post.
Do you have any Active Directory authentication squid tutorials?
Great blog. All posts have something to learn. Your work is very good and I appreciate you and am hoping for some more informative posts. proxy service
The quicker the info can be requested and conveyed, the less the requirement for an extensive stock. prywatnoscwsieci.pl
That's awesome! I was pleased to read the entirety of the post on the proxy. It is really impressive to learn something new about a proxy, which is great for me. I just loved it. I am going to share it on my social media pages for my friends and followers to see. Anyway, I got a list. Is it okay to choose one from that list?