A proxy server is a computer which sits between two endpoint devices and acts as an intermediate device. When the client computer requests a resource from the server, it may be a file or a web page, the request is sent to the proxy server first. The proxy server then sends the request to the destination server and obtains the resource sent by the server. Once the resource is obtained by the proxy server, it sends the resource to the client machine. The use of a proxy server is that it can cache the resource, for example if a website is accessed frequently from a proxy server, it’s likely that the proxy server will have the content of the site in its cache, it can now serve the webpage directly to the user. A proxy server can be used to facilitate security, administrative controls and caching services. Proxy servers can also be used for anonymity as whenever obtaining a resource from a server, proxy server uses its own IP address rather than the client’s IP address.
What is Squid Proxy
Squid is a full-featured web proxy cache server application which provides proxy and cache services for HTTP, FTP, SSL requests and DNS lookups. It also performs transparent caching that reduces bandwidth and improves response time by caching and reusing frequently requested web pages.
In this tutorial we will learn to install Squid Proxy on CentOS 7. We will also learn about some basic configuration which can be done on Squid caching server.
Requirements
Squid does not have any minimum hardware requirements, but the amount of RAM may vary according to the users accessing the Internet through your proxy and the objects stored in the cache. To follow this tutorial you will need a CentOS 7.x server with root access on it. If you are logged in as non root user, run sudo -i to switch to root user. You can also use sudo command before all the administrative commands to run them as root user.
How to Install Squid on CentOS 7
Before installing any packages, it is recommended to update the system and packages using the following command.
sudo yum -y update
Squid packages are available in default yum repositories. Execute below command on your server to install SQUID proxy server.
sudo yum -y install squid
Now start squid service
sudo systemctl start squid
and type this below command to start squid service automatically while booting.
sudo systemctl enable squid
At this point your Squid web proxy should already be running and you can verify the status of the service with.
sudo systemctl status squid
Sample output:
systemctl status squid ● squid.service - Squid caching proxy Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2019-03-28 13:45:39 EDT; 1min 47s ago Main PID: 3659 (squid) CGroup: /system.slice/squid.service ├─3659 /usr/sbin/squid -f /etc/squid/squid.conf ├─3661 (squid-1) -f /etc/squid/squid.conf └─3662 (logfile-daemon) /var/log/squid/access.log Mar 28 13:45:38 lintut.loc systemd[1]: Starting Squid caching proxy... Mar 28 13:45:39 lintut.loc systemd[1]: Started Squid caching proxy. Mar 28 13:45:39 lintut.loc squid[3659]: Squid Parent: will start 1 kids Mar 28 13:45:39 lintut.loc squid[3659]: Squid Parent: (squid-1) process 3661...d Hint: Some lines were ellipsized, use -l to show in full.
If Firewalld is running, you need to allow squid proxy service.
sudo firewall-cmd --add-service=squid --permanent sudo firewall-cmd --reload
Configuring Squid
Squid can be easily configured by editing the global configuration file /etc/squid/squid.conf. To edit the configuration file run the following command.
sudo vi /etc/squid/squid.conf
You can use any editor of your choice, in this tutorial we will be using vi editor.
A minimum sample configuration file will look like this.
#
# Recommended minimum configuration:
## Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machinesacl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
## Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost# And finally deny all other access to this proxy
http_access deny all# Squid normally listens to port 3128
http_port 3128# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320
Configure Squid Access Control List
To allow a range of IP address to use the Internet through your proxy server. You can add a new ACL entry. Squid supports CIDR notations. Consider an example, if you want to allow a range of IP address from 192.168.100.1 to 192.168.100.255 then you can make the following entry in Squid configuration file under the list of ACLs.
acl localnet src 1192.168.100.0/24
our list of ACLs will finally look like this.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 192.168.100.0/24 #Your newly added ACL
For changes to take effect you will need to restart your Squid server, use the following command for same.
sudo systemctl restart squid
Allow a Specific Port for HTTP Connections
By default Squid only consider very few ports as safe ports and allow connections through them. The ports which are allowed by default are:
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
The ports which are not listed above will not be accessed through the proxy. You can add a Port into the list of Safe_ports by modifying the list of ACLs for ports. For example it you want to allow port 168 to be accessed through the proxy server you can add the following ACL entry for this.
acl Safe_ports port 168
For changes to take effect you will need to restart your Squid server, use the following command for same.
sudo systemctl restart squid
Squid Proxy Client Authentication
You will most probably want your users to authenticate before using the proxy. For that purpose, you can enable basic http authentication. It is easy and fast to configure.
First you will need httpd-tools installed.
sudo yum -y install httpd-tools
Now create a new file and provide the ownership to squid daemon so that it can access it. Run the following command for same.
sudo touch /etc/squid/passwd && chown squid /etc/squid/passwd
Now you can add a new user to the password file using the htpasswd tool. In this tutorial we will be creating an example user testuser. You can replace testuser with anything you like. Run the following command to create a new user using htpasswd tool.
sudo htpasswd /etc/squid/passwd testuser
It will ask for the new password twice, provide the password and you will see following output.
sudo htpasswd /etc/squid/passwd testuser New password: Re-type new password: Adding password for user testuser
By default htpasswd uses MD5 encryption for the password, hence your password will be stored in MD5 hash.
As we have our password file ready, you can now edit the squid configuration file using the following command
sudo vi /etc/squid/squid.conf
Add the following lines into the configuration file under the access control lists of ports.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
Save the file and restart squid so that the new changes can take effect:
sudo systemctl restart squid
Now if you will try to use the proxy server, it will ask you for authentication. Provide your username and password and you will be able to use the proxy server. Unauthenticated user will be shown an error page.
Block Websites on Squid Proxy
Squid proxy can be used to restrict access to specific websites. For example to block access to youtube, facebook, netflix you would have to create a file that defines the domains of these websites as shown below;
sudo vi /etc/squid/restricted_sites
Now enter the list of sites you want to block. One website per line.
.youtube.com .facebook.com .netflix.com
The proceding dot tells squid to block all referecnes to that sites including www.netflix, subsite.netflix.com etc.
Now open Squid’s configuration file.
sudo vi /etc/squid/squid.conf
Just after the ports ACLs add the following two lines:
acl restricted_sites dstdomain "/etc/squid/restricted_sites" http_access deny restricted_sites
Now save the file and restart squid:
sudo systemctl restart squid
Now if you will try to access the blocked sites, you will get an access denied message from Squid.
Block Sites based on Specific Keywords
Just like how you block a website based on a domain, you can also restrict access to a website by the use of a keyword. Create a file with specific keywords.
sudo vi /etc/squid/restricted_keyword
Now enter the list of keywords you want to block. One keyword per line.
porn ads movie gamble
Make the necessary changes on squid configuration file.
sudo vi /etc/squid/squid.conf
Just after the ports ACLs add the following two lines:
acl keyword-ban url_regex "/etc/squid/restricted_keyword" http_access deny keyword-ban
Now save the file and restart squid:
sudo systemctl restart squid
Changing Squid Port
You can easily change the port on which squid listens to. Edit the configuration file using the following command.
sudo vi/etc/squid/squid.conf
Scroll down to find the following lines into the file.
# Squid normally listens to port 3128 http_port 3128
Now change the http_port from 3128 to any port you want. Make sure that no other service is using the port which you will use for Squid. Now restart the Squid daemon and you will see that the changes are in effect.
Conclusion
In this detailed tutorial we learned how to install Squid proxy server on CentOS 7 systems. You can now easily setup a basic installation of Squid. You also learnt about some basic configuration of Squid proxy server inclusding enabling basic authentication.
If you have any questions or comments, please post them in the comment section below.