Thursday, April 12, 2012

Squid proxy server configuration

1. SQUID PROXY
    BASIC
    TRANSPARENT SQUID PROXY
    CHILD SQUID PROXY

WITHOUT SQUID:
==============
ISP
 |
 |-----[SWITCH (normal)]-----|---PC
                             |---PC1
                             |---PC2



SQUID PROXY:
============

Use: to share the Internet connection throughout the network, with filtering.

[ISP] (dhcp/static)
  |
  |
[eth0]
  |
 ------------
|            |
|   SQUID    |--->(cache saved in /var/spool/squid)
|            |
 ------------
  |
[eth1]--------[SWITCH]--|---[PC]-->...{www.google.com}
                        |---[PC]
                        |---[PC]
                        |---[PC]

Profile: shares the Internet connection throughout the network, with filtering (access control by source network, destination site, URL pattern, time of day and user)

Packages: squid (the proxy itself); httpd only for the htpasswd tool used in the authentication step below

Port: 3128 (default)

Daemon: squid

Script: /etc/init.d/squid

Configuration file: /etc/squid/squid.conf

Related: ACL (access control lists, combined in http_access rules)

Service type: SysV init service (managed with service and chkconfig)

To configure squid we require:

--> a PC with two NICs, eth0 and eth1
--> eth0 connected to the ISP with a public IP address (dhcp or static; 51.73.171.26 in this example)
--> eth1 connected to the LAN switch (192.168.0.0/24 in this example)

After squid has been started, check that port 3128 is listening and on which address:

#netstat -ntlp | grep 3128

By default http_port binds to all addresses (0.0.0.0:3128), so the proxy is reachable from the ISP side on eth0 as well as from the LAN. The http_access rules below (or an iptables INPUT rule on eth0) are what keep outsiders from using it.

RULES in the squid server (the ACL types used below)

    1. allow the network (src)
    2. deny a website (dstdomain)
    3. deny bad words in URLs (url_regex)
    4. time restriction (time)
    5. password authentication (proxy_auth)


STEPS to configure the SQUID PROXY:
===================================

step 1. install the squid and httpd packages (httpd is only needed for htpasswd; it does not have to be running for squid to work)

#yum install squid httpd -y

step 2. restart and enable the services

#service squid restart
#service httpd restart
#chkconfig squid on
#chkconfig httpd on

3.To allow the Network
  ====================

  open the squid configuration file, i.e.

  #vim /etc/squid/squid.conf

  1. search for the word "http_port": this is the port squid listens on, 3128 by default (in vim type /http_port to search)

  2. search for the word "INSERT" (the comment "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS") and add the lines below. The syntax is acl <rulename> <type> <value>; here mynet is the rule name and src is the ACL type:

    acl mynet src 192.168.0.0/24

    http_access allow mynet

    The allow line must be placed above the "http_access deny all" that ends the shipped rule list: http_access lines are evaluated top down and the first line that matches decides, so an allow placed after "deny all" is never reached.

    save and exit

  3. restart the service

     #service squid restart


4.To deny website
=================

#vim /etc/squid/squid.conf

#INSERT your own RULES:

acl mynet src 192.168.0.0/24
acl password proxy_auth REQUIRED
acl badsites dstdomain www.yahoo.com
acl badtime time 10:00-16:00 #(10am to 4pm)
acl badwords url_regex -i "/etc/badwords" #(create the file /etc/badwords with one pattern per line)
http_access deny badwords badtime
http_access deny badsites
http_access allow password
http_access allow mynet

How this list is evaluated: all ACLs on one http_access line must match (AND), and the first line that matches decides. So "deny badwords badtime" blocks a URL containing a bad word only between 10:00 and 16:00, while "deny badsites" applies at any time. dstdomain www.yahoo.com matches that host name only; write ".yahoo.com" (leading dot) to cover the domain and all its subdomains. The entries in /etc/badwords are regular expressions matched case-insensitively against the whole URL, so a plain word also matches inside longer words and inside host names; keep the list short and test it against real URLs.

Note the order of the last two lines. Because "password" is the last ACL on its allow line, every request that arrives without valid credentials is answered with a 407 challenge at that line, so nobody on mynet gets through without a password, and any host that can reach port 3128 (including from the ISP side) is allowed once it authenticates. If the intent is to require a password only during badtime and to serve the LAN freely otherwise, use "http_access allow mynet badtime password" followed by "http_access allow mynet !badtime" instead, and leave "http_access deny all" at the end.


To allow users (with a password) during the bad time:
=====================================================

1. install the package that provides htpasswd (the httpd package; on CentOS 6 the tool is in httpd-tools)

#yum install httpd -y

2. create the password file with a user called bob (-c creates the file and is used only for the first user; repeating -c overwrites the file; -m stores MD5 hashes). The tutorial used /usr/etc/passwd; any path works as long as the squid user can read it, so /etc/squid/passwd is used here:

#htpasswd -mc /etc/squid/passwd bob

Make the file readable by squid but not by everyone, e.g. chown root:squid and chmod 640.

3. search for the word ncsa in squid.conf and add the following line. It must appear above the "acl password proxy_auth REQUIRED" line, because a proxy_auth ACL can only be defined after the auth_param scheme it uses:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

(On x86_64 the helper lives in /usr/lib64/squid/ncsa_auth; from Squid 3.2 it is called basic_ncsa_auth.) Basic authentication sends the password base64-encoded, not encrypted, so it belongs only on a LAN you trust.
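The behaviour of the rule list in the two sections above, shown as an added example (my code, not the tutorial's and not Squid's): a small Python model of Squid's http_access evaluation, run over constructed requests. It uses the page's ACL names with a constructed user database and bad-word list; the FIXED_RULES ordering is an assumption about what the tutorial intends (a password only during badtime), not something the page states.

```python
"""Simulate how Squid evaluates http_access lines for the ACLs on this page.

Added example, not Squid's code and not part of the original tutorial.
It implements the two rules that decide the outcome of an http_access list:
every ACL on one line must match (AND), and the first line that matches
wins (a request that reaches the end gets the opposite of the last line's
action).  For proxy_auth it follows Squid's documented behaviour: when a
proxy_auth ACL is the last ACL on a line and the request has no valid
credentials, Squid answers 407 instead of going on to the next line.
The user database and the bad-word list are constructed for the demo.
"""
import ipaddress
import re
from datetime import time
from urllib.parse import urlparse

USERS = {"bob": "s3cret"}        # constructed; stands in for the htpasswd file
BADWORDS = ["sex", "casino"]     # constructed; stands in for /etc/badwords


def acl_src(net):
    network = ipaddress.ip_network(net)
    return lambda r: ipaddress.ip_address(r["src"]) in network


def acl_dstdomain(domain):
    # "www.yahoo.com" matches that host only; ".yahoo.com" also matches subdomains
    if domain.startswith("."):
        return lambda r: r["host"] == domain[1:] or r["host"].endswith(domain)
    return lambda r: r["host"] == domain


def acl_time(start, end):
    return lambda r: start <= r["time"] <= end


def acl_url_regex(patterns):
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]   # the -i flag
    return lambda r: any(x.search(r["url"]) for x in regs)


def acl_proxy_auth():
    return lambda r: r["auth"] is not None and USERS.get(r["auth"][0]) == r["auth"][1]


ACLS = {
    "all": lambda r: True,
    "mynet": acl_src("192.168.0.0/24"),
    "password": acl_proxy_auth(),
    "badsites": acl_dstdomain("www.yahoo.com"),
    "badtime": acl_time(time(10, 0), time(16, 0)),
    "badwords": acl_url_regex(BADWORDS),
}
AUTH_ACLS = {"password"}

# The list exactly as the tutorial writes it.
PAGE_RULES = [
    ("deny", ["badwords", "badtime"]),
    ("deny", ["badsites"]),
    ("allow", ["password"]),
    ("allow", ["mynet"]),
]

# Assumed intent: bad sites always blocked, bad words blocked in working
# hours, a password required in working hours, the LAN free outside them.
FIXED_RULES = [
    ("deny", ["badsites"]),
    ("deny", ["badwords", "badtime"]),
    ("allow", ["mynet", "badtime", "password"]),
    ("allow", ["mynet", "!badtime"]),
    ("deny", ["all"]),
]


def request(src, url, hhmm, auth=None):
    """Build a request record; hhmm is the wall-clock time as 'HH:MM'."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return {"src": src, "url": url, "host": urlparse(url).hostname or "",
            "time": time(hour, minute), "auth": auth}


def evaluate(rules, req):
    """Return 'allow', 'deny' or '407' for req under the given http_access list."""
    action = None
    for action, names in rules:
        matched = True
        for i, name in enumerate(names):
            negate = name.startswith("!")
            base = name.lstrip("!")
            hit = ACLS[base](req)
            if base in AUTH_ACLS and not hit and i == len(names) - 1:
                return "407"          # challenge: auth ACL is last on the line
            if hit == negate:         # ACL failed (or a negated ACL succeeded)
                matched = False
                break
        if matched:
            return action
    if action is None:
        return "deny"
    return "deny" if action == "allow" else "allow"   # default: opposite of last line


if __name__ == "__main__":
    for label, rules in (("page", PAGE_RULES), ("fixed", FIXED_RULES)):
        print(label, "LAN client, 09:00, no password:",
              evaluate(rules, request("192.168.0.10", "http://www.example.com/", "09:00")))
        print(label, "outsider with bob's password, 12:00:",
              evaluate(rules, request("10.0.0.5", "http://www.example.com/", "12:00",
                                      ("bob", "s3cret"))))
```

Running it shows the difference the order makes: with the page's list every LAN client is challenged for a password at any hour and any authenticated host is admitted wherever it comes from; with the alternative list the LAN is served without a password outside 10:00-16:00, a password is demanded inside it, and an outsider is denied even with valid credentials.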
 
******************************************************


SQUID TRANSPARENT CONFIGURATION:
================================

Follow these steps to run squid as an intercepting (transparent) proxy, so that LAN clients need no proxy setting in their browsers. The server must route for the LAN, so enable forwarding:

#vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

save & quit, then run sysctl -p so the setting takes effect without a reboot

#vim /etc/squid/squid.conf


##--please enable these options--##


http_port 3128 transparent

acl our_network src 192.168.0.0/24

http_access allow our_network

cache_mem 16 MB

access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

store_log /var/log/squid/store.log

cache_dir ufs /var/spool/squid 2000 16 256

cache_mgr user@desktop7.example.com

visible_hostname desktop7.example.com


save and quit

Notes on these options: "transparent" is the keyword for Squid 2.6 and 3.0; Squid 3.1 and later call it "intercept", and an intercept port does not accept ordinary configured-proxy requests, so keep a separate plain http_port for clients that still set the proxy by hand. Intercepted connections carry no proxy credentials, so proxy_auth ACLs cannot be used on this port. cache_dir has the form cache_dir ufs <directory> <Mbytes> <L1> <L2>; the line above gives a 2000 MB cache with 16 first-level and 256 second-level directories. our_network is the LAN used throughout this page; keep http_access limited to it, because the port also binds to eth0 on the ISP side.

#squid -z   (creates the cache directories; run once before the first start)

#service squid restart


#then, to make it transparent, add a rule to the iptables nat table that redirects web traffic arriving from the LAN interface to squid. In this layout eth0 faces the ISP and eth1 faces the LAN switch, so the rule must match -i eth1:


#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128


##If squid runs on this same box, REDIRECT is all you need. DNAT does the same job when you want to send the traffic to a specific address, for example eth1's own address 192.168.0.1; use one of the two rules, not both:


#iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128


Never match -i eth0 here: that would redirect connections coming from the Internet into the proxy. Only port 80 is intercepted; HTTPS (443) and everything else still needs a MASQUERADE rule on eth0 to leave the box, and that traffic bypasses the filter. Run "service iptables save" so the rules survive a reboot.


#####......Note: eth1 is connected to your LAN switch, eth0 to the ISP.......##





CHILD PROXY CONFIGURATION:
==========================

 -------------------------
|  MAIN (PARENT) PROXY    |
|  192.168.0.254          |
 -------------------------
            ^
            | requests forwarded to the parent (port 3128), ICP queries (port 3130)
            |
 -------------------------
|  CHILD PROXY SERVER     |
 -------------------------

On the child proxy:

#vim /etc/squid/squid.conf

##search for the word cache_peer
##uncomment (or add) the following line

#          hostname       type    proxy-port  icp-port  options
cache_peer 192.168.0.254  parent  3128        3130      default

"default" makes this parent the peer of last resort. Squid may still fetch objects directly from the Internet (for example when the parent is down or ICP reports a miss); if the child must never go direct, so that the parent's filter always applies, also add "never_direct allow all". The parent's own http_access rules must allow the child's address.

#service squid restart
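To check that the transparent and child-proxy setups above actually carry the traffic, read the access.log whose path is set in squid.conf. What follows is an added example, not part of the tutorial: a Python summary of Squid's native access.log format over constructed log lines, covering which clients use the proxy (is anyone outside the LAN getting through?), which requests were denied and why, and whether each miss was fetched DIRECT or through the parent. The addresses, users and URLs in SAMPLE_LOG are made up for the demo.

```python
"""Summarise Squid's native access.log to confirm that clients really go
through the proxy, that the denials are the expected ones, and (for a child
proxy) how much traffic is forwarded to the parent rather than fetched
DIRECT.  Added example, not part of the tutorial; the log lines are
constructed in Squid's default native format:

  timestamp elapsed client result/status bytes method URL user hierarchy/peer type
"""
import ipaddress
from collections import Counter

# Constructed sample; 192.168.0.0/24 is the LAN of this page, 10.0.0.5 is not.
SAMPLE_LOG = """\
1334200001.123    245 192.168.0.10 TCP_MISS/200 5432 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1334200002.456      2 192.168.0.11 TCP_HIT/200 5432 GET http://www.example.com/ - NONE/- text/html
1334200003.789      1 192.168.0.12 TCP_DENIED/403 3857 GET http://www.yahoo.com/ - NONE/- text/html
1334200004.012      1 192.168.0.13 TCP_DENIED/407 3600 GET http://www.example.org/ - NONE/- text/html
1334200005.345    310 192.168.0.14 TCP_MISS/200 8120 GET http://www.example.org/news bob DEFAULT_PARENT/192.168.0.254 text/html
1334200006.678    120 10.0.0.5 TCP_MISS/200 1200 CONNECT mail.example.com:443 - DIRECT/203.0.113.7 -
"""

DENY_REASON = {403: "blocked by an http_access deny line",
               407: "proxy authentication required (no or bad credentials)"}


def parse_line(line):
    """Split one native-format line into a dict; return None for short or garbled lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return {"client": f[2], "result": result, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "user": f[7], "hierarchy": hierarchy, "peer": peer}


def summarise(log_text, lan="192.168.0.0/24"):
    """Aggregate a log: result counts, denials, non-LAN clients, parent-vs-direct fetches."""
    net = ipaddress.ip_network(lan)
    summary = {"results": Counter(), "denied": [], "foreign_clients": set(),
               "via_parent": 0, "direct": 0, "bytes_by_client": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary["results"][rec["result"]] += 1
        summary["bytes_by_client"][rec["client"]] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            summary["denied"].append((rec["client"], rec["url"], rec["status"],
                                      DENY_REASON.get(rec["status"], "other")))
        if ipaddress.ip_address(rec["client"]) not in net:
            summary["foreign_clients"].add(rec["client"])  # someone outside the LAN uses the proxy
        if rec["hierarchy"] == "DIRECT":
            summary["direct"] += 1
        elif rec["hierarchy"].endswith("PARENT"):         # DEFAULT_PARENT, FIRSTUP_PARENT, ...
            summary["via_parent"] += 1
    return summary


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("results:", dict(s["results"]))
    for client, url, status, why in s["denied"]:
        print(f"denied {status} {client} {url}: {why}")
    print("clients outside the LAN:", sorted(s["foreign_clients"]) or "none")
    print(f"fetched via parent: {s['via_parent']}, direct: {s['direct']}")
```

On a real server run it over /var/log/squid/access.log: a non-empty "clients outside the LAN" list means port 3128 is reachable from eth0 and the http_access rules are not restricting it, and on a child proxy a non-zero DIRECT count means requests are bypassing the parent (and its filter) unless never_direct is set.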



3 comments:

  1. Thank you so much for your nice tutorial.

    Recently I set up a Reverse Proxy Server with Squid (server accelerator) and wrote a full detailed tutorial that you can find in:

    http://cosmolinux.no-ip.org/raconetlinux/html/17-squid.html

    where I explain how to configure Squid (version 3.x) as a reverse Proxy Server (server accelerator), providing examples about how to do it using two
    computers (one as a Proxy server and another as a Web Server) or just by using one single computer.

    I also describe how to format the Squid's logs and how to send the logs to a remote computer.
    Also, you can find an explanation of how to deny access to certain files and how to get correct logs in Apache Web Server.

    I wish it is useful to someone.
