Centos

How to Install and Configure Squid Proxy on CentOS 7

Configure Squid Access Control List

To allow a range of IP address to use the Internet through your proxy server. You can add a new ACL entry. Squid supports CIDR notations. Consider an example, if you want to allow a range of IP address from 192.168.100.1 to 192.168.100.255 then you can make the following entry in Squid configuration file under the list of ACLs.

acl localnet src 1192.168.100.0/24

our list of ACLs will finally look like this.

    acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
    acl localnet src fc00::/7         # RFC 4193 local private network range
    acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
    acl localnet src 192.168.100.0/24 #Your newly added ACL

For changes to take effect you will need to restart your Squid server, use the following command for same.

sudo systemctl restart squid

Allow a Specific Port for HTTP Connections

By default Squid only consider very few ports as safe ports and allow connections through them. The ports which are allowed by default are:

    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http

The ports which are not listed above will not be accessed through the proxy. You can add a Port into the list of Safe_ports by modifying the list of ACLs for ports. For example it you want to allow port 168 to be accessed through the proxy server you can add the following ACL entry for this.

acl Safe_ports port 168

For changes to take effect you will need to restart your Squid server, use the following command for same.

sudo systemctl restart squid

Squid Proxy Client Authentication

You will most probably want your users to authenticate before using the proxy. For that purpose, you can enable basic http authentication. It is easy and fast to configure.
First you will need httpd-tools installed.

sudo yum -y install httpd-tools

Now create a new file and provide the ownership to squid daemon so that it can access it. Run the following command for same.

sudo touch /etc/squid/passwd && chown squid /etc/squid/passwd

Now you can add a new user to the password file using the htpasswd tool. In this tutorial we will be creating an example user testuser. You can replace testuser with anything you like. Run the following command to create a new user using htpasswd tool.

sudo htpasswd /etc/squid/passwd testuser

It will ask for the new password twice, provide the password and you will see following output.

sudo htpasswd /etc/squid/passwd testuser
New password: 
Re-type new password: 
Adding password for user testuser

By default htpasswd uses MD5 encryption for the password, hence your password will be stored in MD5 hash.
As we have our password file ready, you can now edit the squid configuration file using the following command

sudo vi /etc/squid/squid.conf

Add the following lines into the configuration file under the access control lists of ports.

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow auth_users

Save the file and restart squid so that the new changes can take effect:

sudo systemctl restart squid

Now if you will try to use the proxy server, it will ask you for authentication. Provide your username and password and you will be able to use the proxy server. Unauthenticated user will be shown an error page.

Block Websites on Squid Proxy

Squid proxy can be used to restrict access to specific websites. For example to block access to youtube, facebook, netflix you would have to create a file that defines the domains of these websites as shown below;

sudo vi /etc/squid/restricted_sites

Now enter the list of sites you want to block. One website per line.

.youtube.com
.facebook.com
.netflix.com

The proceding dot tells squid to block all referecnes to that sites including www.netflix, subsite.netflix.com etc.
Now open Squid’s configuration file.

sudo vi /etc/squid/squid.conf

Just after the ports ACLs add the following two lines:

acl restricted_sites dstdomain "/etc/squid/restricted_sites"
http_access deny restricted_sites

Now save the file and restart squid:

sudo systemctl restart squid

Now if you will try to access the blocked sites, you will get an access denied message from Squid.

Previous page 1 2 3Next page

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close