
How to configure Squid Proxy Server in Linux?

June 18, 2012

Starting Squid

The procedure varies depending on the variant of Linux you are using, as you’ll see next.

Fedora / CentOS / RedHat

With these flavors of Linux you can use the chkconfig command to get squid configured to start at boot:

[root@bigboy tmp]# chkconfig squid on

To start, stop, and restart squid after booting use the service command:

[root@bigboy tmp]# service squid start
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart

To determine whether squid is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the squid daemons.

[root@bigboy tmp]# service squid status
[root@bigboy tmp]# pgrep squid

Note: Remember to run the chkconfig command at least once to ensure squid starts automatically on your next reboot.

Ubuntu / Debian

With these flavors of Linux the commands are different. Try installing the sysv-rc-conf and sysvinit-utils DEB packages, as they provide commands that simplify the process. (For help on downloading and installing the packages, see Chapter 6, “Installing Linux Software”.) You can use the sysv-rc-conf command to configure squid to start at boot:

user@ubuntu:~$ sudo sysv-rc-conf squid on

To start, stop, and restart squid after booting, the service command is the same:

user@ubuntu:~$ sudo service squid start
user@ubuntu:~$ sudo service squid stop
user@ubuntu:~$ sudo service squid restart

To determine whether squid is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the squid daemons.

user@ubuntu:~$ sudo service squid status
user@ubuntu:~$ pgrep squid

Note: Remember to run the sysv-rc-conf command at least once to ensure squid starts automatically on your next reboot.

Squid Configuration Files

You can define most of Squid’s configuration parameters in the squid.conf file, which is located in either the /etc or /etc/squid directory depending on your version of Linux.

Remember to restart Squid after you make any changes to your configuration files. This is the only way to activate the new settings.

General Squid Configuration Guidelines

Each Squid server in your administrative zone has to be uniquely identifiable by either its hostname listed in the /etc/hosts file or the value set in the visible_hostname directive in squid.conf. This is especially important in more complex configurations where clusters of Squid servers pool their resources in order to achieve some common caching goal.

Your /etc/hosts file should be configured with your server’s hostname at the end of the localhost line. In this example the server name “bigboy” has been correctly added.

# File: /etc/hosts
127.0.0.1   localhost localhost.localdomain bigboy

If you want to give your Squid process a name that is different from your hostname, then add the visible_hostname directive to your squid.conf file. In this example, we give the server the hostname “cache-001”.

# File: squid.conf
visible_hostname cache-001

Misconfigured Squid instances will give an error like this when the hostname isn’t correctly defined:

WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.

Now it’s time to configure proxies and reverse proxies.

Configuring Squid Proxies

Squid offers many options to manage access to the web for security, legal, and resource-utilization reasons. We’ll cover a few of these in the sections that follow.

Access Control Lists

You can limit users’ ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or a source network. ACLs are then referenced by http_access statements that tell Squid whether to allow or deny traffic matching them.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces that allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the chapter’s examples, I’ve suggested that you place your statements at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above that last line.

Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

Restricting Access to specific Web sites

Squid can also read the values for an ACL from a file, such as a list of domain names for a dstdomain ACL, one name per line. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites  dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

Restricting Web Access By IP Address

You can create an access control list that restricts Web access to users on certain networks. In this case, it’s an ACL that defines a home network of 192.168.1.0.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0

You also have to add a corresponding http_access statement that allows traffic that matches the ACL:

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network

Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it’s done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable. Bear in mind that a world-readable file exposes the password hashes to every local account; Squid itself only needs the file to be readable by the user it runs as.

[root@bigboy tmp]# touch /etc/squid/squid_passwd

[root@bigboy tmp]# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at any time without having to restart Squid. In this case, you add a username called www:

[root@bigboy tmp]# htpasswd /etc/squid/squid_passwd www
New password:
Re-type new password:
Adding password for user www
[root@bigboy tmp]#

3) Find your ncsa_auth file using the locate command.

[root@bigboy tmp]# locate ncsa_auth
/usr/lib/squid/ncsa_auth
[root@bigboy tmp]#

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here’s a simple user authentication example; the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This example requires password authentication and allows access only during business hours. Once again, the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours
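To make the first-match rule behind all of these http_access examples concrete, here is a small Python model of Squid's http_access walk over the ACL types used in this article (src, dstdomain, time and proxy_auth REQUIRED). It is an added illustration, not Squid's own code; the squid.conf fragment it evaluates is constructed by combining the examples above, and a request is a plain dict with the client address, destination host, time and authenticated user.

```python
# Toy model of Squid's http_access walk (added illustration, not Squid's code); SQUID_CONF is constructed.
# Terms on one http_access line are ANDed; lines are tried top to bottom and the first full match decides.
from datetime import datetime
from ipaddress import ip_address, ip_network
SQUID_DAYS = "MTWHFAS"  # Squid day letters indexed by datetime.weekday(): Mon..Sat, then Sun
SQUID_CONF = """
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl BadSites dstdomain illegal.com .porn.com
acl ncsa_users proxy_auth REQUIRED
http_access deny RestrictedHost
http_access deny BadSites
http_access allow ncsa_users home_network business_hours
http_access deny all
"""

def parse(conf):  # same-name acl lines are ORed together; http_access lines keep file order
    acls, rules = {"all": ("src", [["0.0.0.0/0"]])}, []  # 'all' (any client) as stock squid.conf defines it
    for parts in map(str.split, conf.splitlines()):
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].append(parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def time_matches(tokens, when):  # tokens e.g. ['M', 'T', 'W', 'H', 'F', '9:00-17:00']
    days = [t for t in tokens if len(t) == 1 and t in SQUID_DAYS]
    ranges = [[tuple(map(int, hm.split(":"))) for hm in t.split("-")] for t in tokens if "-" in t]
    if days and SQUID_DAYS[when.weekday()] not in days:
        return False
    return not ranges or any(lo <= (when.hour, when.minute) < hi for lo, hi in ranges)

def acl_matches(acl, req):
    atype, specs = acl
    if atype == "time":
        return any(time_matches(s, datetime.fromisoformat(req["when"])) for s in specs)
    if atype == "proxy_auth":  # REQUIRED: any user the auth helper accepted
        return req.get("user") is not None
    values = [v for s in specs for v in s]
    if atype == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v))
               for v in values)  # dstdomain: '.example.com' also matches its subdomains

def decide(acls, rules, req):
    """Return 'allow' or 'deny' as Squid's first-match walk would; '!name' negates an ACL."""
    for allow, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return "allow" if allow else "deny"
    return "deny" if rules[-1][0] else "allow"  # Squid default: opposite of the last line
```

Swapping the two deny lines below the allow line in SQUID_CONF shows the ordering pitfall the text warns about: an authenticated home-network client then reaches illegal.com because the allow line matches first.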

 
