SQUID TIPS

How to install squid proxy on centos 6

Squid is a proxy server for caching and filtering web content. Squid is used by many organisations and internet providers to reduce bandwidth use and improve response times.

Squid caches the web content it fetches and serves the cached copy to later requests for the same content.

Steps to install and configure a working squid proxy server on Linux. This configuration should work on all rpm based distributions (Red Hat, CentOS, Fedora, etc.).

Step 1: Install the squid packages first
[root@server ~]# yum install squid

Step 2: Edit squid's configuration file "squid.conf", located in /etc/squid/
[root@server ~]# vi /etc/squid/squid.conf

# Around the 18th line, add your proxy client network (here 192.168.10.1 to 192.168.10.255) and a name for it (here your_network is the acl name)
acl your_network src 192.168.10.0/24

# Around the 51st line, allow internet access to the network range specified above
http_access allow your_network

# Around the 64th line (remove the leading # if present), change the port number if required
http_port 3128

# Add the below 3 lines to the bottom of the file (remove these request headers before forwarding)
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

# Add the below line to the bottom of the file (do not send the client IP address in X-Forwarded-For)
forwarded_for off

# Add the below line to the bottom of the file (set your visible hostname)
visible_hostname vjetnamnet

# (now save the squid.conf file)

Step 3: Start the squid daemon
[root@server ~]# service squid start

Then verify that port 3128 is listening
# netstat -tulpn | grep 3128

Configure the firewall ($INTERNET is your WAN interface and $SQUID_PORT the port set with http_port):
# iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

Step 4: On the allowed clients (192.168.10.1 to 192.168.10.255), configure the web browser's proxy settings to use the proxy server for internet access.

Configuring Squid as Transparent Proxy

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

An intercepting proxy (also known as a "transparent proxy") combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (and often without the client's knowledge). The clients never notice the proxy and do not have to configure their machines to use it, but they are using it.

You can configure squid as a transparent proxy.
[root@server ~]# vi /etc/squid/squid.conf

Squid normally listens on port 3128
http_port 3128

Replace that line with
http_port 3128 intercept

The most important line is:

"http_port 3128 intercept": this line makes Squid run as a transparent proxy on port 3128. Later you need to edit the iptables rules to redirect every client HTTP connection through this port.
Note: That setting is for Squid v3.1. Older versions such as Squid v2.6 or v2.7 do not have the "intercept" option; use the "transparent" option there instead.

Redirect all HTTP traffic

If you would like to redirect all HTTP traffic through the proxy without setting up a proxy manually in all your applications, you need to add some iptables rules ($LAN_IN and $INTERNET are the LAN and WAN interfaces, $SQUID_SERVER is the squid server IP and $SQUID_PORT its listening port):
[root@server ~]# iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

[root@server ~]# iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

Example:
[root@server ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:3128

[root@server ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Here eth1 is the LAN device, eth0 is the WAN device and 192.168.10.1 (the squid server IP) is the IP address of your LAN device.

If you wish to monitor the performance of your proxy, have a look at one of the log parsers (sarg, calamaris, etc.).

How to change Squid server default listening port

Every network service listens on a particular port number, and in the same way the Squid proxy server listens on port 3128/TCP by default. You can change the listening port by editing the squid.conf file; you should then open the same port in the squid server's firewall and in any packet forwarding devices if required. Below is the way to change the Squid listening port number.
Change Squid port number
[root@server ~]# vi /etc/squid/squid.conf

Go to the 64th line if you are using squid version 3.0 or above.
Here the port is changed from 3128 to 8080 (see below)
# Squid normally listens to port 3128
http_port 8080

Now save the squid.conf file and restart the squid server
Squid server listen on multiple ports
The Squid server can listen on multiple ports at the same time; use one http_port line per port, like below
http_port 8080
http_port 9090
Now squid will listen on both ports 8080 and 9090.
Restart the Squid server to apply the new configuration
[root@server ~]# service squid restart
Stopping squid: ……………                                 [  OK  ]
Starting squid: .                                               [  OK  ]

 

How to open a port in squid server

By default the following TCP port numbers are opened in the squid proxy server.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
If a web server is listening on a custom port such as 81/TCP, squid will not allow browsing to that server, because port 81/TCP is not listed in Safe_ports.
Follow the steps to enable a port in the squid server
[root@server ~]# vi /etc/squid/squid.conf
acl Safe_ports port 81                          # Add this line with the default port acls

http_access allow Safe_ports                    # allow access
Add the above two lines to squid.conf. Note that "http_access allow Safe_ports" matches requests from any source address, so on its own it would make Squid an open proxy for those ports; with the default "http_access deny !Safe_ports" rule in place the acl line alone is enough, and if you keep the allow line, put your client network acl on the same http_access line.
Restart or reload the squid server to apply the change
[root@server ~]# service squid reload
                or
[root@server ~]# service squid restart

How to enable time based access restrictions in squid proxy server

Sometimes you may need time based access restrictions in your squid server. Squid can do this with a "time" access list (ACL). All you need is to create a "time" ACL with the required times and days of the week and apply it together with the access restriction ACLs.

Creating the time ACL
[root@server ~]# vi /etc/squid/squid.conf

Configure the time based restriction like below
acl danny src 192.168.10.66/32
acl officehours time MTWHFA 8:00-17:00
http_access deny danny officehours
Now save the squid.conf file
Where
MTWHFA are the days Monday to Saturday (Squid's day letters are S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday, F Friday, A Saturday)
8:00-17:00 restricts access between 8:00 and 17:00 (24 hour format)
All acls on one http_access line must match, so this line denies danny only during office hours; place it above the http_access line that allows your network, because the first matching http_access line wins.
Reload/restart the squid service
[root@server ~]# service squid reload
Now the user danny with IP address 192.168.10.66 cannot access the internet from 8:00 to 17:00, Monday to Saturday.
You can use the time ACL together with any other ACLs to restrict access within the time range.
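To see how Squid's day letters and its first-match-wins evaluation of http_access lines combine, here is an added Python model (not Squid's code and not part of the original post) of the src and time acls above with a line that denies danny during officehours, as the text describes, followed by an assumed allow-lan/deny-all tail; the "lan" acl and the inclusive treatment of both range ends are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Squid day letters for the "time" acl: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat,
# mapped to Python's weekday() numbering (Monday=0 ... Sunday=6).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def time_acl_matches(spec, when):
    """Evaluate 'MTWHFA 8:00-17:00' against a datetime or a '2024-04-15 09:00' string.
    Assumption: the range is treated as inclusive at both ends."""
    when = when if isinstance(when, datetime) else datetime.fromisoformat(when)
    days, time_range = spec.split()
    start, end = time_range.split("-")
    minute = when.hour * 60 + when.minute
    return when.weekday() in {DAY_LETTERS[d] for d in days} and to_minutes(start) <= minute <= to_minutes(end)

# Constructed acl table mirroring the squid.conf lines above; "lan" is an assumed extra acl.
ACLS = {
    "danny": ("src", "192.168.10.66/32"),
    "lan": ("src", "192.168.10.0/24"),
    "officehours": ("time", "MTWHFA 8:00-17:00"),
}

# http_access lines in file order; every acl named on a line must match for it to apply.
RULES = [
    ("deny", ["danny", "officehours"]),
    ("allow", ["lan"]),
    ("deny", ["all"]),
]

def acl_matches(name, client_ip, when):
    if name == "all":
        return True
    kind, value = ACLS[name]
    if kind == "src":
        return ip_address(client_ip) in ip_network(value, strict=False)
    return time_acl_matches(value, when)

def http_access(client_ip, when, rules=RULES):
    """First matching http_access line wins; with no match Squid applies the opposite of the last line."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, when) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```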

How to enable ftp access through squid proxy server

With the default configuration Squid works as an http proxy and will not process ftp requests from clients. You can configure squid as an ftp proxy by editing the "squid.conf" configuration file in the "/etc/squid/" directory.
Follow the steps below
[root@server ~]# vi /etc/squid/squid.conf
acl SSL_ports port 443 21                 # (edit: add the ftp port 21 to the SSL_ports acl)
acl Safe_ports port 21                    # ftp
acl ftp proto FTP                         # (create a new acl for the ftp protocol)

http_access allow ftp                     # (allow browsing with the ftp acl created above)

Save the squid.conf file. As with any http_access allow line, add your client network acl to the same line if ftp should only be allowed from your LAN.

Reload the squid service with the changes
[root@server ~]# service squid reload

Use Internet Explorer or Firefox for ftp upload and download

To access an ftp server, enter a URL of the form ftp://username:password@ipaddress:port in the browser and press enter

Block https sites in squid proxy

This post shows how to block both "http" and "https" access to facebook in your squid proxy server (combine the acl with a time ACL if the block should only apply during office hours).

e.g. block https://www.facebook.com, https://twitter.com and https://www.blogger.com. Create an acl with the facebook domain (dstdomain) and deny both http and https access.

Step 1: Create a new acl with facebook.com, twitter.com and blogger.com (don't forget the leading dot (".") before facebook.com; with the dot the acl matches the domain and all of its subdomains)

Add the configuration to squid.conf
[root@server ~]# vi /etc/squid/squid.conf

Create an acl for the facebook domain (and any other required sites)
acl badsites dstdomain .facebook.com .twitter.com .blogger.com

Step 2: Deny the above domains over ssl connections (https)
http_access deny CONNECT badsites
Note that this line only matches CONNECT tunnels, i.e. https; to deny plain http to the same domains as well, add a second deny line with the badsites acl alone (without CONNECT). Place the deny lines above the http_access line that allows your network.

(save the squid.conf configuration file)
And finally reload the squid service for the changes to take effect
[root@server ~]# service squid reload

Tip: this is also the way to include multiple sites in one ACL (list them, space separated, on one acl line).

How to block flash ads in squid proxy server

Configure your Squid proxy server to block flash ads (advertisements) in websites, so that the squid server filters flash ad content.
Steps to block all flash ads in the squid proxy server.
Edit the squid configuration file and add the below configuration to squid.conf.
[root@server ~]# vi /etc/squid/squid.conf
1: Create an acl for the ads content type (rep_mime_type matches the Content-Type of the reply)

acl flash_ads rep_mime_type application/x-shockwave-flash

2: Deny flash ads by denying the above acl in http_reply_access (reply acls are checked there, not in http_access)
http_reply_access deny flash_ads

Now save the squid.conf file

3: Reload the squid service for the changes to take effect
[root@server ~]# service squid reload

Important: sometimes clearing the client browser's cache/cookies is required.

Block Downloading File Types Like mp3, exe, zip, etc In Squid

The Squid server can block/deny downloading of particular file types such as pictures, music, videos, executable files etc. This file content filtering in squid is based on the file extension, like .exe, .mp3, .avi, .jpeg, .torrent, .zip etc.

Blocking file types in squid. First of all, create an ACL file that lists all the file types whose download should be blocked.
[root@server ~]# vi /etc/squid/bad_files.acl

# Block downloading exe executable files
\.[Ee][Xx][Ee]$
# Block mp3 music files
\.[Mm][Pp]3$
# Block ZIP archive files
\.[Zz][Ii][Pp]$
# Block jpeg picture files
\.[Jj][Pp][Ee][Gg]$
# Block avi video files
\.[Aa][Vv][Ii]$
# Block torrent files
\.[Tt][Oo][Rr][Rr][Ee][Nn][Tt]$
(Add the required file extension patterns as above and save the file; one regular expression per line, lines starting with # are comments)

Then, edit the squid configuration file and add an ACL for the acl file created above.
[root@server ~]# vi /etc/squid/squid.conf
acl lan src 192.168.10.0/24                                       (specify the address range that is denied downloading these files)
acl badfiles urlpath_regex "/etc/squid/bad_files.acl"             (ACL for the blocked file types)
http_access deny badfiles lan                                     (deny the file types to the lan)

(Add the above three lines and save the squid.conf file)

Restart or reload the squid server
[root@server ~]# service squid reload

Verify the file type filtering/blocking by downloading such files from the Internet. Keep in mind that the patterns are anchored with $ at the end of the URL path, so a URL with a query string after the extension (for example file.exe?id=1) is not matched; extension filtering is a convenience, not a reliable control.
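To check which URLs a bad_files.acl pattern set actually catches before reloading Squid, here is an added Python harness (not part of the original post and not Squid's own matcher). It assumes, as Squid 3 does for urlpath_regex, that the matched string is everything after scheme://host:port including the query string, and it adds an assumed stricter pattern set (using the -i style case-insensitive flag) to show the difference on the query-string case.

```python
import re

# Constructed copy of the patterns from /etc/squid/bad_files.acl (lines starting with # are comments).
BAD_FILES_ACL = r"""
# Block downloading exe executable files
\.[Ee][Xx][Ee]$
# Block mp3 music files
\.[Mm][Pp]3$
# Block ZIP archive files
\.[Zz][Ii][Pp]$
# Block torrent files
\.[Tt][Oo][Rr][Rr][Ee][Nn][Tt]$
"""

# Assumed stricter variant: the extension may be followed by a query string,
# and the file is loaded case-insensitively (Squid's regex acls take a -i flag for that).
STRICT_ACL = r"""
\.(exe|mp3|zip|torrent)(\?.*)?$
"""

def load_regex_acl(text, ignore_case=False):
    """One regular expression per non-empty, non-comment line, like a Squid regex acl file."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(line.strip(), flags) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def urlpath_of(url):
    """Everything after scheme://host:port, which is what urlpath_regex inspects."""
    rest = url.split("://", 1)[-1]
    slash = rest.find("/")
    return rest[slash:] if slash != -1 else "/"

def blocked(url, patterns):
    """True when any pattern matches the URL path (regex acls search anywhere unless anchored)."""
    path = urlpath_of(url)
    return any(p.search(path) for p in patterns)

def explain(url, patterns):
    """Return the first matching pattern's source, or None, for troubleshooting an acl file."""
    path = urlpath_of(url)
    for p in patterns:
        if p.search(path):
            return p.pattern
    return None

PAGE_PATTERNS = load_regex_acl(BAD_FILES_ACL)
STRICT_PATTERNS = load_regex_acl(STRICT_ACL, ignore_case=True)
```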

How to block utorrent application and torrent large file downloading in squid

The uTorrent application uses the unregistered ports 1025-65535, picking them at random. So blocking all those port numbers will block bulk file downloading with the uTorrent application through the proxy.

Edit the squid.conf configuration file
[root@server ~]# vi /etc/squid/squid.conf

By default all the port numbers from 1025-65535 are configured as "Safe_ports" and allowed for browsing.
So disable that ACL by adding a "#" in front of the line (see below)
#acl Safe_ports port 1025-65535          # unregistered ports

And create a new ACL for the same port range just below the above line (with a different acl name, like below)
acl Denied_ports port 1025-65535

And deny browsing to websites on the denied port numbers (both normal and secure)
http_access deny Denied_ports
http_access deny CONNECT Denied_ports

# now save the squid.conf file
Keep in mind that this also blocks legitimate web applications on ports above 1024 (8080, 8443 and so on); add such ports individually to Safe_ports (and to SSL_ports for https) if they are needed.

Reload the Squid server with the new configuration.
[root@server ~]# service squid reload

Verify denying
Verify denying with the squid access.log file; denied requests are logged with TCP_DENIED and status 403.
[root@server ~]# vi /var/log/squid/access.log
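To verify the deny rules from the log instead of by eye, here is an added Python parser (not part of the original post) for Squid's native access.log format that counts TCP_DENIED entries per client and per destination port and lists the ones in the blocked 1025-65535 range. The log lines are constructed samples; the destination port is derived from the logged URL (host:port for CONNECT, otherwise the URL's explicit port or 80/443), which is an assumption of this example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1713171600.123    15 192.168.10.66 TCP_DENIED/403 3540 CONNECT tracker.example.net:6881 - HIER_NONE/- text/html
1713171601.456   120 192.168.10.20 TCP_MISS/200 45231 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1713171602.789     0 192.168.10.66 TCP_DENIED/403 3512 GET http://peer.example.org:51413/announce - HIER_NONE/- text/html
1713171603.012   250 192.168.10.20 TCP_MISS/200 1024 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1713171604.345     0 192.168.10.20 TCP_DENIED/403 3500 GET http://www.example.com/setup.exe - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into a dict; returns None for lines that do not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {"time": float(fields[0]), "client": fields[2], "code": code,
            "status": int(status), "method": fields[5], "url": fields[6]}

def destination_port(method, url):
    """CONNECT requests log host:port; other methods log a full URL."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    if parts.port:
        return parts.port
    return 443 if parts.scheme == "https" else 80

def denied_summary(log_text):
    """Count TCP_DENIED entries per client and per destination port, and list
    the denied requests that went to the high (1025-65535) port range."""
    by_client, by_port, high_ports = Counter(), Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["code"] != "TCP_DENIED":
            continue
        port = destination_port(entry["method"], entry["url"])
        by_client[entry["client"]] += 1
        by_port[port] += 1
        if 1025 <= port <= 65535:
            high_ports.append((entry["client"], entry["method"], entry["url"]))
    return {"by_client": dict(by_client), "by_port": dict(by_port), "high_ports": high_ports}
```

Run it against the real file with denied_summary(open("/var/log/squid/access.log").read()) on the proxy host.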

How to block a Web Browser in Squid proxy

Blocking some web browsers is possible in the squid proxy server. Squid can block all the requests from web browsers like Internet Explorer, Chrome, Firefox, etc. The "browser" acl is a regular expression matched against the User-Agent request header; since the client sets that header, this is a convenience filter rather than a hard control.

Create an "acl" with the unwanted web browser types and finally deny the access. Add the below configuration to the Squid server configuration file "/etc/squid/squid.conf" (acl lines with the same name and type add to the same acl, so one http_access deny line covers all of them).
[root@server ~]# vim /etc/squid/squid.conf

#Block Chrome in squid proxy
acl bad_browser browser Chrome

#Block Mozilla Firefox in squid proxy
acl bad_browser browser Firefox

#Block Opera in squid proxy
acl bad_browser browser Opera

#Block Internet Explorer in squid proxy
acl bad_browser browser IE

#Deny the requests from all the browsers listed above
http_access deny bad_browser all
