Sunday, 9 June 2013

Squid Configuration on Linux (RHEL)

What is Squid Proxy Server?
  • Squid is used to share one Internet connection among many clients.
  • Squid is a high-performance HTTP and FTP caching proxy server. It is also known as a web proxy cache.
  • Squid is popular open source web proxy server and web cache software.
  • It can make your network connections more efficient.
  • Squid is a caching proxy server: it saves bandwidth and improves response time by caching recently requested web pages.
  • Nowadays many servers around the world are configured with Squid in order to provide high delivery speeds to clients.
Squid proxy can be configured as:

1- non-transparent proxy (each client browser is pointed at the proxy IP and port).

2- transparent proxy (the router redirects client traffic to Squid with iptables).


  • When Squid is configured in transparent mode, no special configuration is required on the client side.
  • All requests originating from clients and going to the Internet on port 80 are automatically redirected to the proxy. Only plain HTTP on port 80 is intercepted this way; HTTPS (port 443) bypasses the proxy, so the site blocks described below apply to HTTPS only when the browser is explicitly configured to use the proxy.
Service Profile-
  1.  Package-                squid
  2.  Port number-            3128 (default)
  3.  Configuration file-     /etc/squid/squid.conf
  4.  Service / daemon-       squid
  5.  Log files-              /var/log/squid/cache.log
                              /var/log/squid/access.log


How does Squid work?
Setup:
i) System: HP dual Xeon CPU system with 8 GB RAM (good for Squid).
ii) eth0: IP 192.168.1.1
iii) eth1: IP 192.168.0.254 (192.168.0.0/24 network, around 150 Windows XP systems and Linux machines)
iv) OS: Red Hat Enterprise Linux 4, 5, 6 (the following instructions should also work on Debian and other Linux distributions, although package names, file paths and service commands differ there)
eth0 is connected to the Internet and eth1 to the local LAN, i.e. the system acts as a router.



Basic SQUID Configuration:---



Step-1

The squid rpm is required to configure the Squid web proxy server. Check whether it is installed, and install it if it is not found.


[root @ krnetworkcloud ~ ] # rpm   -q   squid
[root @ krnetworkcloud ~ ] # yum  install  squid   -y

step-2
Check the hostname and the IP address of the server; they will be used when editing squid.conf.
[root @ krnetworkcloud ~ ] # hostname

krnetworkcloud.example.com

[root @ krnetworkcloud ~ ] # ifconfig  eth1

Let us suppose our system IP is -        192.168.0.254

Step-3
Now open /etc/squid/squid.conf for editing


[root @ krnetworkcloud ~ ] # vim   /etc/squid/squid.conf

Step-4
By default Squid listens on port 3128, but you can change this, like---

http_port  8080

Step-5
Add the hostname which you checked with the previous command

visible_hostname      krnetworkcloud.example.com

Step-6
Now we will create a number of access control lists (ACLs).
Search for the ACL syntax lines--

  /CONNECT

  (  in vim's normal (ESC) mode this searches for the pattern  )
  (  you will land on a line like this  )

acl  CONNECT  method  CONNECT

Step-7

Append our ACLs below this syntax line......

acl   mylan   src   192.168.0.0/24
acl denysite  dstdomain   www.google.com

Step-8
Now allow or deny these ACL names. Order matters: Squid reads http_access lines from top to bottom and stops at the first one whose ACLs match, so the deny line must come before the allow line for mylan (otherwise LAN clients are allowed before the deny is ever reached). Place both lines above the "http_access deny all" that ends the stock configuration, and leave that final deny all in place so that hosts outside 192.168.0.0/24 cannot use the proxy.

http_access deny denysite
http_access allow  mylan

:wq
(save and quit)
Note-
You have completed all necessary steps; now create the cache directories and start the squid service.
For testing purposes, in our example we are blocking only the www.google.com site.

[root @ krnetworkcloud ~ ] #  squid  -z
[root @ krnetworkcloud ~ ] # service squid restart
[root @ krnetworkcloud ~ ] # chkconfig squid on
[root @ krnetworkcloud ~ ] # netstat -tunlp | grep squid

Note:- One common error is that the swap (cache) directory does not exist. Running squid with the -z option creates the directories; do this before the first start and again whenever cache_dir is changed. netstat should show squid listening on the port you set with http_port (8080 here).
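The ordering rule above is the mistake that most often turns a deny line into a no-op, and it is invisible until somebody tests the blocked site. The following shell script is an added example, not part of the original post: a small lint that reads a squid.conf and reports every http_access deny that sits below the unconditional allow for the LAN ACL. The ACL name (mylan here) is passed as an argument, and the two configuration fragments it runs on are constructed for the demonstration. Run it, together with "squid -k parse" for plain syntax errors, before restarting the service.

```shell
#!/bin/sh
# Added example, not part of the original post: a lint for the order of
# http_access lines. Squid evaluates them top to bottom and stops at the
# first line whose ACLs all match, so an "http_access deny ..." placed after
# the broad "http_access allow mylan" is never reached by LAN clients.
# Assumptions: the LAN ACL name is passed as the second argument; "deny all"
# is skipped because it is the intended catch-all for hosts outside the LAN.

# check_http_access_order <squid.conf> <lan-acl-name>
# exit 0: ordering fine, 1: shadowed deny lines found, 2: no http_access lines
check_http_access_order() {
    conf="$1"; lan="$2"
    awk -v lan="$lan" '
        { sub(/#.*/, "") }                # drop comments
        /^[ \t]*$/ { next }               # and blank lines
        $1 == "http_access" {
            n++
            # the first line that allows every LAN client unconditionally
            if (!seen && $2 == "allow" && NF == 3 && $3 == lan) { seen = NR; next }
            if (seen && $2 == "deny" && $3 != "all") {
                printf "line %d: \"%s\" is unreachable for %s (shadowed by the allow at line %d)\n", NR, $0, lan, seen
                bad++
            }
        }
        END {
            if (!n) { print "no http_access lines found"; exit 2 }
            exit (bad ? 1 : 0)
        }' "$conf"
}

# Demonstration on two constructed configuration fragments (sample data).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/bad.conf" <<'EOF'
acl mylan src 192.168.0.0/24
acl denysite dstdomain www.google.com
http_access allow mylan
http_access deny denysite      # dead: LAN clients were already allowed above
http_access deny all
EOF
    cat > "$tmp/good.conf" <<'EOF'
acl mylan src 192.168.0.0/24
acl denysite dstdomain www.google.com
http_access deny denysite
http_access allow mylan
http_access deny all
EOF
    for f in bad good; do
        echo "== $f.conf"
        check_http_access_order "$tmp/$f.conf" mylan || echo "exit status: $?"
    done
    rm -rf "$tmp"
}

demo
```

The lint only understands the single-ACL form "http_access allow mylan"; a line such as "http_access allow mylan officehour" is conditional and is deliberately not treated as the shadowing line.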

Now apply the proxy settings in Mozilla Firefox on a Linux machine.
How to apply proxy settings in Mozilla Firefox on Linux:---

  • Go to 'Edit > Preferences > Advanced'
  • Select the 'Network' tab and click 'Settings'.
  • Select 'Manual proxy configuration' and enter the 'HTTP proxy' address: 192.168.0.254 and 'Port' number: 8080
  • Check 'Use this proxy server for all protocols'
  • Then click OK

Now test in Mozilla Firefox

www.google.com               (should not open)



 *******************************************

Advanced SQUID proxy configuration

Dear friends, we can add any number of ACLs to the squid.conf file to configure advanced settings.
First we will create the ACL rules and then allow or deny these ACLs according to our needs.

Step-1
Again edit the file for the advanced settings

#vim  /etc/squid/squid.conf


Cache and log file section, for managing the advanced proxy settings........

cache_mem   8  MB
cache_dir ufs /var/spool/squid  1000  16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

Notes: cache_access_log is the Squid 2.x (RHEL 4/5) name of the directive; Squid 3.x (RHEL 6) spells it "access_log /var/log/squid/access.log squid". Whenever cache_dir is changed, run "squid -z" before restarting so that the new directory layout exists. Keep the access log enabled: it is the record of which client fetched which URL, and the first thing you will need when checking that an ACL works or investigating an incident.

Step-2 How do I block music and video files using a Squid content-filtering ACL?

Now add the following line to your Squid ACL section:

acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"


* Suppose you want to display a custom error message, for all users, when a file is blocked. Add this line:

deny_info  ERR_BLOCKED_FILES  blockfiles

* Deny this ACL name in the allow-or-deny ACL section (above the "http_access allow mylan" line, otherwise it is never reached):

http_access deny blockfiles


Now save and exit from this file..

:wq

* Create the custom error message HTML file called ERR_BLOCKED_FILES in the directory that error_directory in squid.conf points to: /etc/squid/errors/ on Squid 2.x or /usr/share/squid/errors/English on Squid 3.x.

#cd  /etc/squid/errors
#ls
# vi    ERR_BLOCKED_FILES

Append the following content to this file:

<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact admin for more information:</p>
<br>Email: krishna@krnetworkcloud.org<br>

Now save and exit

:wq

Caution: Do not include the closing tags </BODY> </HTML>, as Squid appends them itself.

* Create the /etc/squid/blocks.files.acl file to define the blocked file extensions:

# vi /etc/squid/blocks.files.acl

Append the following text to this file (one extended regular expression per line; the bracket classes make the match case-insensitive and the "$" anchors the extension to the end of the URL path):

\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

:wq         (save and exit from this file)

#service   squid   restart
#chkconfig  squid  on

* Now open Mozilla Firefox and try to download any song or video: you will get the error message you defined and the download will be refused, which means your ACL rule is working properly. Keep in mind that this filter looks only at the URL path, not at the file content, so a URL whose path does not end in one of these extensions (for example with a query string appended after the file name) is not matched.

Step-3 How do I deny users access to a particular site?

To block the site www.facebook.com you need to add the following two lines to your Squid configuration file.

# vi /etc/squid/squid.conf

* Append this line at the bottom of the ACL section. The leading dot matches facebook.com and every subdomain of it (www.facebook.com, m.facebook.com, ...); without the dot only the exact hostname is matched....

acl  blocksites  dstdomain  .facebook.com

* Append this line to the allow-or-deny section, above "http_access allow mylan"....

http_access deny  blocksites

Save and close the file. Restart Squid:

# service  squid restart

Now open a browser and try to open Facebook; you will get the error message, which means your ACL rule is working properly. (In transparent mode only port 80 is intercepted, so https://www.facebook.com still bypasses this rule; with the browser explicitly configured for the proxy, the CONNECT request carries the hostname and is blocked too.)


Step-4 How do I deny access to all sites whose URL contains certain keywords?
Let us say you would like to deny access for anyone who browses to a URL containing the words "bar", "sex", "hotel", "naukri" or "marriage".

Append the following ACL (-i makes the match case-insensitive; each word is a separate regular expression):

acl blockurl url_regex -i bar naukri marriage sex hotel

http_access deny  blockurl

Save and close the file.

#service squid restart

Now try to search on Google using any of these keywords: you will not be allowed to open any web site whose URL contains them. Be aware that bare substrings over-block: "bar" also matches barcelona.com and "sex" matches essex.gov.uk, so anchor the patterns or keep the list short and review the access log for false positives.

Step-5  How do I allow Internet access only at particular times?

Append the following ACL (the day letters are S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday, F Friday, A Saturday):

acl officehour  time    S M T W H F A  09:30-18:30

http_access allow officehour

* Internet access will now be available only during this time, provided that this rule replaces the plain "http_access allow mylan" line (or officehour is put on the same http_access line as mylan, so both must match). A later unconditional allow would still let clients through outside office hours; it is the trailing "http_access deny all" that actually refuses them.

Step-6 How do I block multiple web sites using the Squid file-based technique?
Append the following ACL (the quoted file holds one dstdomain entry per line, with the same leading-dot rule as above):

acl   denysite   dstdomain   "/etc/squid/denysite.txt"
http_access   deny denysite

Save and exit

#vim /etc/squid/denysite.txt

www.google.com
www.krnetworkcloud.org
www.yahoo.com

:wq

#service squid  restart

* Now try to open these websites; you will get the error message. (A second "acl denysite dstdomain ..." line of the same type simply adds its entries to the denysite ACL defined in the basic configuration; the "http_access deny denysite" line is needed only once, above the allow for mylan.)
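Before restarting Squid for any of the rules in Steps 2 to 6, it pays to check the entries offline against a few sample requests. The script below is an added example, not part of the original post: it re-implements in shell the matching rules of the three ACL types used above (dstdomain, urlpath_regex and url_regex -i) and runs them over constructed sample files and URLs, showing the case-insensitive extension match, the leading-dot subdomain rule, the query-string bypass of a "$"-anchored pattern, and the over-blocking of bare keywords. The file names and URLs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: test ACL entries offline,
# against constructed sample requests, before restarting Squid. The functions
# mirror the matching rules of the three ACL types used in the steps above:
#   dstdomain      exact hostname, or the domain and every subdomain when the
#                  entry starts with "."
#   urlpath_regex  extended regex over the URL path (Squid's path includes the
#                  query string, so "$"-anchored extensions are bypassed by
#                  appending "?anything")
#   url_regex -i   case-insensitive regex over the whole URL
# Exit status 0 means "the request matches the ACL", i.e. it would be denied.

# dstdomain_match <entry> <hostname>
dstdomain_match() {
    entry="$1"; host="$2"
    case "$entry" in
        .*) [ "$host" = "${entry#.}" ] && return 0      # facebook.com itself
            case "$host" in *"$entry") return 0 ;; esac # *.facebook.com
            return 1 ;;
        *)  [ "$host" = "$entry" ] ;;                   # exact host only
    esac
}

# dstdomain_blocked <file> <hostname>: one entry per line, as in denysite.txt
dstdomain_blocked() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        dstdomain_match "$entry" "$2" && return 0
    done < "$1"
    return 1
}

# urlpath_blocked <patternfile> <url-path>: patterns as in blocks.files.acl
urlpath_blocked() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# url_keyword_blocked <url> <word>...: the "url_regex -i word word ..." line
url_keyword_blocked() {
    url="$1"; shift
    for w in "$@"; do
        printf '%s\n' "$url" | grep -E -i -q -- "$w" && return 0
    done
    return 1
}

verdict() { if "$@"; then echo "DENIED  : $*"; else echo "allowed : $*"; fi; }

# Demonstration with constructed sample files and requests.
tmp=$(mktemp -d) || exit 1
printf '%s\n' '\.[Ee][Xx][Ee]$' '\.[Mm][Pp]3$' > "$tmp/blocks.files.acl"
printf '%s\n' 'www.google.com' '.yahoo.com' > "$tmp/denysite.txt"

verdict urlpath_blocked "$tmp/blocks.files.acl" /music/song.MP3
verdict urlpath_blocked "$tmp/blocks.files.acl" '/music/song.mp3?dl=1'   # bypass
verdict dstdomain_match .facebook.com m.facebook.com
verdict dstdomain_match .facebook.com notfacebook.com
verdict dstdomain_blocked "$tmp/denysite.txt" mail.yahoo.com
verdict dstdomain_blocked "$tmp/denysite.txt" google.com                   # not www.
verdict url_keyword_blocked http://www.barcelona.com/ bar naukri           # over-block
rm -rf "$tmp"
```

The two comments marked bypass and over-block are the cases worth remembering: an extension filter anchored with "$" is defeated by a query string, and a keyword list with short words blocks far more than intended. Neither is visible from the configuration file alone.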

Step-7 How do I block multiple IPs from using the Internet?

#vim  /etc/squid/squid.conf

Append the following ACL (one IP address or network per line in the file):



acl   ipdeny   src    "/etc/squid/ipdeny.txt"

http_access deny  ipdeny

:wq
save and exit

# vim /etc/squid/ipdeny.txt

192.168.0.10
192.168.0.11
192.168.0.12
192.168.0.13
192.168.0.15

:wq

#service  squid restart

* Now try to access the Internet from these client IPs; they will not be allowed. Remember that a src ACL identifies a machine by its IP address only, so a user who changes address (or whose DHCP lease changes) escapes the rule; combine it with authentication (next step) when you need per-user control.

Step-8 Configure Squid NCSA-style username and password authentication

I am going to assume that Squid is installed and working fine. The htpasswd command comes from the httpd-tools package (RHEL 6) or httpd (RHEL 5). Proxy users are looked up in the Squid password file only, so the useradd below is optional: a system account is not needed for proxy authentication.

#useradd  krishna
#htpasswd  -c  /etc/squid/passwd  krishna

(to create the password storage file; use -c only for the first user, because it creates the file anew and wipes existing entries)

#chgrp  squid  /etc/squid/passwd
#chmod  640  /etc/squid/passwd
#rpm -ql  squid  | grep   ncsa_auth

(the helper runs as the squid user, so group read access is all it needs; "chmod o+r" would let every local account read the password hashes)

The output will look like this:

/usr/lib/squid/ncsa_auth

(on 64-bit RHEL 6 the path is /usr/lib64/squid/ncsa_auth, and Squid 3.2 and later ship it as basic_ncsa_auth; use whatever path rpm -ql prints in the auth_param line below)

Now open the /etc/squid/squid.conf file

# vi /etc/squid/squid.conf

Append (or modify) the following configuration directives. The auth_param lines must appear before any acl line that uses proxy_auth:


auth_param   basic program  /usr/lib/squid/ncsa_auth    /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


Also find your ACL section and append/modify the following. The allow line for ncsa_users must come before the plain "http_access allow mylan"; if that line stays above it, LAN clients are allowed without ever being asked for a password:



acl ncsa_users proxy_auth  REQUIRED
http_access   allow   ncsa_users

:wq

Save and close the file.

#service  squid  restart


* Now try to access the Internet. The browser will prompt for a username and password, which means the ACL rule is working properly. Log in with the user and the password you gave to htpasswd, for example:

username:   krishna
password:   redhat123

Basic authentication sends the credentials base64-encoded, not encrypted, with every request between browser and proxy, so anyone sniffing the LAN can read them. That is acceptable on a trusted LAN, but do not reuse system passwords for proxy accounts.
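The two things that go wrong in this step are a password file that the whole machine can read and a helper path that does not match the installed Squid. The following shell script is an added example, not part of the original post: it creates the entry with htpasswd, sets the file to root:squid 0640, checks that no "other" permission bits are set, locates the helper under the names used by Squid 2.x/3.1 and 3.2+, and drives it by hand the way Squid does (one "user password" line on stdin, "OK" or "ERR" back). The paths, the group name squid and the sample user are assumptions taken from this tutorial; adjust them to the output of rpm -ql squid.

```shell
#!/bin/sh
# Added example, not part of the original post: keep the NCSA password file
# readable by Squid only, and test the helper exactly the way Squid drives it.
# Assumptions: RHEL-style paths; the Squid daemon runs under the group
# "squid"; the helper is named ncsa_auth (Squid 2.x/3.1) or basic_ncsa_auth
# (Squid 3.2 and later) under /usr/lib/squid or /usr/lib64/squid.

PASSWD_FILE="${PASSWD_FILE:-/etc/squid/passwd}"

# find_ncsa_helper: print the path of the installed helper, or fail
find_ncsa_helper() {
    for p in /usr/lib64/squid/basic_ncsa_auth /usr/lib/squid/basic_ncsa_auth \
             /usr/lib64/squid/ncsa_auth      /usr/lib/squid/ncsa_auth; do
        if [ -x "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# check_passwd_perms <file>: 0 when "other" has no permission bits at all,
# 1 when it does (the "chmod o+r" from the tutorial lets every local account
# read the password hashes), 2 when the file is missing. Uses GNU stat.
check_passwd_perms() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#${mode%?}}          # last octal digit = permissions for "other"
    [ "$other" = 0 ]
}

# create_passwd_entry <user>: htpasswd (from httpd-tools) prompts for the
# password; -c only the first time, otherwise the file would be overwritten.
create_passwd_entry() {
    if [ -f "$PASSWD_FILE" ]; then htpasswd "$PASSWD_FILE" "$1"
    else htpasswd -c "$PASSWD_FILE" "$1"; fi
    chown root:squid "$PASSWD_FILE" && chmod 640 "$PASSWD_FILE"
}

# helper_check <user> <password>: Squid writes one "user password" line to the
# helper's stdin and reads back "OK" or "ERR"; do the same by hand.
helper_check() {
    helper=$(find_ncsa_helper) || { echo "NCSA helper not found" >&2; return 2; }
    printf '%s %s\n' "$1" "$2" | "$helper" "$PASSWD_FILE" | grep -q '^OK'
}

# Usage as root, after the auth_param lines are in squid.conf:
#   create_passwd_entry krishna
#   check_passwd_perms "$PASSWD_FILE" && echo "permissions ok"
#   helper_check krishna 'redhat123' && echo "helper accepts the password"
```

helper_check is the quickest way to tell a wrong helper path or an unreadable password file (both show up as ERR or a missing helper) from a browser that simply is not sending credentials.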


Step-9 Configure a transparent Squid proxy


The main benefit of setting up a transparent proxy is that you do not have to set up individual browsers to work with the proxy.

#vim  /etc/squid/squid.conf

Edit the http_port line like this (Squid 2.6 to 3.0 use the keyword "transparent"; Squid 3.1 and later use "intercept" instead):.....

http_port   192.168.0.254:8080  transparent

:wq

To redirect the client requests going to the Internet on port 80 through the proxy, configure iptables by issuing the following command at the terminal prompt:

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

Save the rule so that it survives a reboot, and make sure the iptables service starts at boot (restarting the service without saving first would flush the rule you just added):

#service  iptables save
#chkconfig iptables on

#echo 1 > /proc/sys/net/ipv4/ip_forward

(to enable IP forwarding; to make it permanent set net.ipv4.ip_forward = 1 in /etc/sysctl.conf)

Now on the client side, specify the proxy server's IP address as the default gateway and do not configure any proxy settings in the client browser. Only TCP port 80 is intercepted by this rule: HTTPS (443) and every other port go straight out through the router, so the ACLs above do not apply to that traffic unless you also block or restrict it with iptables.


Help guide for syntax used in the squid file::::::

cache_dir ufs /var/spool/squid 1000 16 256
Where,
/var/spool/squid specifies the top-level directory Squid will use as its cache folder.
`1000' specifies the amount of space allocated in MB for this folder (100 MB is the default; you can increase this value depending on your usage).
`16' is the number of first-level subdirectories created under the top-level cache folder.
`256' is the number of second-level subdirectories created under each of the 16 first-level folders. Objects are spread across these directories by hash so that no single directory grows too large; the levels do not separate frequently from rarely accessed pages.
The top-level folder `/var/spool/squid' is created by the package; the 16 first-level and 256 second-level folders are created by "squid -z" or when the squid service is started for the first time.


  • auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd : Specify the helper program location and the Squid password file
  • auth_param basic children 5 : The number of authenticator processes to spawn.
  • auth_param basic realm Squid proxy-caching web server : Part of the text the user sees when prompted for their username and password
  • auth_param basic credentialsttl 2 hours : Specifies how long Squid assumes an externally validated username:password pair is valid, in other words how often the helper program is called again for that user. It is set to 2 hours.
  • auth_param basic casesensitive off : Specifies whether usernames are case sensitive. It can be on or off only
  • acl ncsa_users proxy_auth REQUIRED : The REQUIRED term means that any authenticated user matches the ACL named ncsa_users
  • http_access allow ncsa_users : Allow proxy access only if the user has successfully authenticated.

3 comments:

  1. good job sir keep it up..............

  2. The blog was absolutely fantastic! Lot of great information. Keep updating the blog, looking forward for more contents...Great job, keep it up.
    Linux Training on RHEL 7
