Thursday, April 12, 2012

Squid proxy server configuration




Use: To share the internet throughout the network, with filtering

[ISP] (dhcp/static) ---> [Squid proxy server] (cache saved in /var/spool/squid) ---> [LAN clients]

Profile: It is used to share the internet throughout the network, with filtering

Package: squid, httpd

Port: 3128 (default)


Script: /etc/init.d/squid

Configuration file: /etc/squid/squid.conf
Related: ACL

Service type: System V managed service

To configure squid we require:

-->PC with 2 NIC cards named eth0 and eth1
-->ISP (internet public IP address), dhcp or static, provided to eth0

Check whether port 3128 is listening:

#netstat -ntlp | grep 3128

RULES in squid server

    1. Allow the network (eg: src)
    2. Deny the website (eg: dstdomain)
    3. Deny the bad words (eg: url_regex)
    4. Time restriction (eg: time)
    5. Password authentication (eg: proxy_auth)

STEPS to configure the SQUID PROXY:

Step 1. Install the squid and httpd packages

#yum install squid* http* -y

Step 2. Restart and enable the services

#service squid restart
#service httpd restart
#chkconfig squid on
#chkconfig httpd on

Step 3. To allow the network

  Go to the squid configuration file:

  #vim /etc/squid/squid.conf

  Search for the word "http_port" (use /http_port to search); this is the port squid listens on, 3128 by default. Then search for the word "INSERT" and add the lines below:

    acl mynet src <your LAN network/mask>     (mynet is the rule name, src is the ACL keyword; fill in your own network)

    http_access allow mynet

    save and exit

  Then restart the service:

     #service squid restart

Step 4. To deny a website

#vim /etc/squid/squid.conf

# INSERT your own RULES:
# (order matters: squid applies the first http_access line whose ACLs all match)
acl mynet src <your LAN network/mask>
acl password proxy_auth REQUIRED
acl badsites dstdomain <domains to block>
acl badtime time 10:00-16:00                   # 10am to 4pm
acl badwords url_regex -i "/etc/badwords"      # create the file /etc/badwords and write all bad words in it, one per line
http_access deny badwords badtime              # denied only when both match: a bad word AND inside the bad time
http_access deny badsites
http_access allow password                     # authenticated users (see auth_param below); the deny lines above are still checked first
http_access allow mynet

To allow users during the bad time (password authentication):

1. Install a package providing htpasswd

#yum install http* -y

2. To allow a user called bob

#htpasswd -mc /usr/etc/passwd bob      (-c creates the file, -m stores an MD5 hash)

3. Search for the word "ncsa" in /etc/squid/squid.conf and write the following:

auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
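Squid evaluates the http_access lines above top to bottom and applies the first one whose ACLs all match, so "deny badwords badtime" only fires when both the word and the time window match, and an authenticated user is allowed before the plain network rule is reached. The following Python script is an added example, not part of this post or of Squid, that models that evaluation for the rule set in this post; the network 192.168.1.0/24, the domain .example.net and the word list are constructed stand-ins for the values the post leaves blank.

```python
import ipaddress
import re
from datetime import time
# Constructed squid.conf mirroring this post's rules; network, domain and word list are assumptions.
SQUID_CONF = """
acl mynet src 192.168.1.0/24
acl password proxy_auth REQUIRED
acl badsites dstdomain .example.net
acl badtime time 10:00-16:00
acl badwords url_regex -i "/etc/badwords"
http_access deny badwords badtime
http_access deny badsites
http_access allow password
http_access allow mynet
"""
BADWORDS = ["torrent", "casino"]   # constructed stand-in for the lines of /etc/badwords

def parse(conf):   # acl name -> (type, args); http_access lines kept in file order
    acls, rules = {}, []
    for parts in (l.split() for l in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules
def acl_matches(acls, name, req):
    kind, args = acls[name]
    if kind == "src":            # client address inside any listed network
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(a) for a in args)
    if kind == "dstdomain":      # ".example.net" covers the domain and all its subdomains
        return any(req["host"] == a.lstrip(".") or (a[0] == "." and req["host"].endswith(a)) for a in args)
    if kind == "time":           # HH:MM-HH:MM window
        lo, hi = (time.fromisoformat(t) for t in args[0].split("-"))
        return lo <= req["time"] <= hi
    if kind == "url_regex":      # case-insensitive regex over the whole URL
        return any(re.search(w, req["url"], re.I) for w in BADWORDS)
    if kind == "proxy_auth":     # simplified: matched when credentials were supplied
        return req["user"] is not None
    raise ValueError("unsupported acl type " + kind)
def http_access(conf, req):
    # first line whose ACLs ALL match wins; no match -> opposite of the last line's action (squid default)
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
def request(src, url, hhmm, user=None):
    host = re.match(r"https?://([^/:]+)", url).group(1)
    return {"src": src, "url": url, "host": host, "time": time.fromisoformat(hhmm), "user": user}
```

The proxy_auth check is simplified: real Squid verifies the credentials against the ncsa_auth password file and challenges the browser with a 407 when they are missing.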


Please follow these steps to configure squid with the options below:

#vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

save & quit

#vim /etc/squid/squid.conf

##--please enable these options--##

http_port 3128 transparent

acl our_network src

http_access allow our_network

cache_mem 16 MB

access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

store_log /var/log/squid/store.log

cache_dir ufs /var/spool/squid 2000 16 256      # storage type, directory, size in MB, L1 dirs, L2 dirs



save and quit

#squid -z

#service squid restart

Then, if you want to make it transparent, add rules to the iptables firewall:

#iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3128

If you would like to redirect all http traffic through the proxy without needing to set up a proxy manually in all your applications, you will need to add this rule (fill in the proxy server's IP address):

#iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination <proxy IP>:3128

Note: eth0 is connected to your LAN switch.

CHILD PROXY CONFIGURATION:

[CHILD PROXY SERVER] ---> [MAIN PROXY SERVER]   (the child forwards requests to the main proxy, its cache_peer parent)

#vim /etc/squid/squid.conf

##search for the word cache_peer
##uncomment the following line (fill in the main proxy's hostname)

#          hostname                type    proxy port  icp port  options
cache_peer <main proxy hostname>   parent  3128        3130      default

#service squid restart


  1. Thank you so much for your nice tutorial.

    Recently I set up a Reverse Proxy Server with Squid (server accelerator) and wrote a full detailed tutorial that you can find in:

    where I explain how to configure Squid (version 3.x) as a reverse Proxy Server (server accelerator), providing examples about how to do it using two
    computers (one as a Proxy server and another as a Web Server) or just by using one single computer.

    I also describe how to format the Squid's logs and how to send the logs to a remote computer.
    Also, you can find an explanation of how to deny access to certain files and how to get correct logs in Apache Web Server.

    I wish it is useful to someone.