squid
Install Squid to configure Proxy server.
Proxy Server
==============
=> Caching
=> Monitoring
=> Filtering & Access Control
=> BW control
=> Authentication
=> Gateway
=> Log
Proxy Types:
=========
=> normal (explicit) proxy: clients are configured to use it, so a user can bypass it unless direct outbound HTTP/HTTPS is blocked on the firewall
=> transparent (intercepting) proxy: the gateway redirects web traffic to Squid, so users cannot bypass it; note that it only sees plain HTTP - HTTPS is not intercepted in this mode unless Squid is additionally set up for SSL interception
=> reverse proxy (sits in front of your own web servers)
packages:
-------------
=> squid
=> daemon: squid
=> configuration file: /etc/squid/squid.conf
=> port: 3128 (Default)
Step 01: Package Installation
-----------------------------
[root@serverX ~]# rpm -qa | grep squid
[root@serverX ~]# yum install -y squid      ; the 'squid*' glob may also pull in unrelated packages
[root@serverX ~]# cd /etc/squid/
[root@serverX squid]# ls
[root@serverX squid]# cp squid.conf squid.conf.bkf
Step 02: Basic Configure:
------------------------
[root@serverX squid]# vim squid.conf
:set nu
8 #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
9 #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
10 #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
11 #acl localnet src fc00::/7 # RFC 4193 local private network range
12 #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) mac hines
13 acl mylan src 192.168.11.0/24
52 # http_access allow localnet ; add '#'
54 http_access allow mylan ; add new line (allow local network). http_access is evaluated top-down, first match wins: keep this above 'http_access deny all', and put any deny rules that should apply to mylan clients above this line
63 cache_dir ufs /var/spool/squid 100 16 256 ; remove '#'
67 visible_hostname proxy.example.com ; add new line
Note:
=====
100 - cache size in MB
16 - first-level directories
256 - second-level directories under each first-level directory
Step03: Service Restart:
-----------------------
[root@serverX squid]# systemctl restart squid.service
[root@serverX squid]# systemctl enable squid.service
[root@serverX squid]# firewall-cmd --permanent --add-port=3128/tcp   ; open only the proxy port
[root@serverX squid]# firewall-cmd --reload
Note: do not 'systemctl stop firewalld.service' as originally shown - that disables the host firewall entirely and exposes port 3128 to every network the server is attached to.
Step04: Checking:
-----------------
[root@serverX squid]# squid -z        ; creates the cache_dir directory structure; for a new cache_dir run it before the first start in Step 03
[root@serverX squid]# netstat -tlnup | grep 3128    ; or 'ss -tlnp | grep 3128' where net-tools is not installed
Step05: Proxy Setting:
----------------------
Firefox => Edit > Preference => Advanced => Network => Settings
Step06: Monitoring Live access:
-------------------------------
[root@ns1 yum.repos.d]# tail -f /var/log/squid/access.log
Step06: Site Block:
-------------------
[root@serverX ~]# vim /etc/squid/badsite.txt
www.bdnews24.com
www.bdjobs.com
www.porn.com
[root@serverX ~]# vim /etc/squid/squid.conf
29 acl badsite dstdomain "/etc/squid/badsite.txt" ; 'www.bdnews24.com' matches only that exact host - write '.bdnews24.com' to cover the domain and all its subdomains
35 http_access deny badsite ; must be placed above 'http_access allow mylan' (line 54), because the first matching http_access rule wins
Step 07: Keyword Block:
----------------------
[root@serverX ~]# vim /etc/squid/keywords.txt
movie
bdnews
sex
[root@serverX ~]# vim /etc/squid/squid.conf
29 acl keywords url_regex -i "/etc/squid/keywords.txt" ; unanchored, case-insensitive substring match on the whole URL - a short word like 'sex' also blocks e.g. essex.ac.uk, so keep patterns specific. For HTTPS (CONNECT) requests only host:port is visible, not the path
35 http_access deny keywords ; above 'http_access allow mylan' (first match wins)
Step 08: IP Block:
------------------
[root@serverX ~]# vim /etc/squid/badip.txt
192.168.11.100
192.168.11.150
192.168.11.200
[root@serverX ~]# vim /etc/squid/squid.conf
29 acl badip src "/etc/squid/badip.txt"
35 http_access deny badip ; above 'http_access allow mylan' (first match wins)
Step 09: Block HTTPs Site:
-------------------------
[root@serverX ~]# vim /etc/squid/https.txt
Note: ******
www.facebook.com
www.youtube.com
www.twitter.com
[root@serverX ~]# vim /etc/squid/squid.conf
29 acl https_site dstdomain "/etc/squid/https.txt" ; no space before the closing quote - the original had a trailing space inside the quotes, so Squid would try to open a file named 'https.txt '
35 http_access deny CONNECT https_site ; works for explicitly configured browsers, which send the host name in the CONNECT request; a transparent proxy does not see HTTPS host names without SSL interception
Step 10: Allow Exceptional
--------------------------
[root@serverX ~]# vim /etc/squid/allowip.txt
192.168.11.251
192.168.11.252
192.168.11.253
*** Note: to exempt the hosts in allowip.txt from the blocks above, add 'acl allowip src "/etc/squid/allowip.txt"' and 'http_access allow allowip' ABOVE the 'http_access deny ...' rules (first match wins). The original note states that YouTube is allowed via www.youtube.com - presumably for these exception hosts only.
###################################################################################
Centos-6
1] Install Squid.
[root@prox ~]# yum -y install squid
[2] Common forward proxy settings.
[root@prox ~]# vi /etc/squid/squid.conf
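# Fragment to merge into the stock /etc/squid/squid.conf (line numbers refer
# to the CentOS 6 default file). http_access is first-match, so the "allow"
# lines below must stay above the default "http_access deny all".
acl CONNECT method CONNECT
# line 29: add ( define new ACL for the client network )
acl lan src 10.0.0.0/24
# The alternative shown in the original, "acl mylocalnet src 0.0.0.0/0.0.0.0",
# matches every source address; combined with "http_access allow mylocalnet"
# it turns Squid into an open proxy for anything that can reach port 8080.
# Only use it if the port is firewalled from all non-client networks.
#acl mylocalnet src 0.0.0.0/0.0.0.0
http_access allow localhost
# line 57: add ( allow defined ACL above )
http_access allow lan
# line 62: change
http_port 8080
# add follows to the end
# Strip headers that reveal the client or the proxy chain.
# Note: denying Referer can break sites that use it for CSRF or hot-link
# checks; denying Cache-Control drops clients' forced-reload requests, so a
# reload may be answered from the cache.
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# define hostname
visible_hostname prox.worldcm.com
# not display IP address (do not add the client address in X-Forwarded-For)
forwarded_for off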
:wq        ; save and quit vi
[root@prox ~]# /etc/rc.d/init.d/squid start
Starting squid:
[ OK ]
[root@prox ~]# chkconfig squid on
############################################################################################################
[root@mail ~]# vi /etc/squid/squid.conf
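#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Client networks allowed to use the proxy. 202.22.192.0/24 is a public
# range, not RFC1918: keep it only if those addresses really are your
# clients, and make sure port 3128 is firewalled from everything else -
# otherwise the proxy is open to that whole /24.
acl LAN src 192.168.10.0/24 202.22.192.0/24

#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top-down and the first match wins, so
# every deny below must stay above the allow rules for clients.
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports.
# The original left this line commented out, which lets clients open CONNECT
# tunnels to any Safe_port (including 1025-65535), i.e. tunnel arbitrary TCP
# through the proxy.
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow LAN
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128.
# "transparent" marks this as an interception port for traffic redirected by
# the gateway (e.g. iptables REDIRECT). The "[Transparent Proxy]" text that
# followed it in the original is not valid configuration syntax and is kept
# only in this comment. Squid 3.2 and later spell this option "intercept"
# and refuse ordinary browser-configured proxy requests on such a port, so
# add a second plain "http_port" if clients are also configured explicitly.
http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory
# (5000 MB, 16 first-level and 256 second-level directories).
cache_dir ufs /var/spool/squid 5000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

## add follows to the end
# Strip headers that reveal the client or the proxy chain.
# Note: denying Referer can break sites that use it for CSRF or hot-link
# checks; denying Cache-Control drops clients' forced-reload requests.
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# define hostname
visible_hostname mail.finlaydhaka.com
##
access_log /var/log/squid/access.log squid
# Resolvers used by Squid itself (overrides /etc/resolv.conf for Squid).
dns_nameservers 103.20.140.18 203.22.201.144
# not display IP address (do not add the client address in X-Forwarded-For)
forwarded_for off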
################################################################################################
[root@proxy ~]# vi /etc/squid/squid.conf
# NOTE(review): this listing is kept as found; the review comments below mark
# the points to fix. http_access rules are first-match, so their order
# decides the policy - see the comment before "http_access allow localnet".
#
# Recommended minimum configuration:
#
acl manager proto cache_object
# "all" is a built-in ACL in Squid 3.x, so leaving this commented is correct.
#acl all src 0.0.0.0/0.0.0.0
# NOTE(review): duplicate of the "acl manager" line above (harmless, remove).
acl manager proto cache_object
acl ftp proto FTP
# Hosts read from the files below; blocklists are applied both as URL regex
# and as destination-domain regex (the "-lim" pair uses baddomain1.txt).
acl dbl-mgt src "/etc/squid/mgt-dbl"
acl badurl-lim url_regex "/etc/squid/baddomain1.txt"
acl badurl url_regex "/etc/squid/baddomain.txt"
acl baddomain-lim dstdom_regex -i "/etc/squid/baddomain1.txt"
acl baddomain dstdom_regex -i "/etc/squid/baddomain.txt"
acl limited src "/etc/squid/limited-web"
acl lim url_regex "/etc/squid/lim"
acl localhost src 127.0.0.1/32 ::1
# NOTE(review): ::1 was dropped from to_localhost but kept in localhost above;
# presumably an IPv6 workaround - confirm and make both consistent.
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): "lan" is defined but never referenced by any http_access rule.
acl lan src 192.168.100.0/24
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
# NOTE(review): because this "allow localnet" comes FIRST, every client in an
# RFC1918 range (which covers the lan/limited/dbl-mgt hosts if they are
# private addresses) is allowed here and never reaches the baddomain/badurl
# denies, the cachemgr deny, or the Safe_ports/CONNECT checks below - the
# filtering in this file is effectively disabled for them. Move this line
# below "http_access deny CONNECT !SSL_ports" and below the deny rules.
http_access allow localnet
http_access allow manager localhost
# NOTE(review): no source restriction - any host that can reach the port may
# proxy ftp:// URLs, since this allow precedes "deny all".
http_access allow ftp
http_access deny baddomain
# dbl-mgt hosts are exempted from the badurl/-lim lists below but not from
# baddomain above; presumably intended - confirm.
http_access allow dbl-mgt
http_access deny badurl
http_access deny badurl-lim
http_access deny baddomain-lim
# NOTE(review): "allow lim" grants every source access to lim URLs, which makes
# "allow limited lim" redundant; and nothing restricts "limited" hosts to
# only those URLs (there is no "http_access deny limited" afterwards) -
# verify what policy was intended for the limited-web hosts.
http_access allow limited lim
http_access allow lim
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): with this commented out, proxy clients can reach services
# bound to 127.0.0.1 on the proxy host (http://127.0.0.1:port/) through
# Squid; uncomment it.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#
# NOTE(review): everything from here down to "acl Safe_ports port 21" repeats
# the ACL section above (it looks like a paste error and is truncated).
# Repeated "acl" lines extend the same ACLs with the same values; remove the
# duplicate block.
#
# Recommended minimum configuration:
#
acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl ftp proto FTP
acl dbl-mgt src "/etc/squid/mgt-dbl"
acl badurl-lim url_regex "/etc/squid/baddomain1.txt"
acl badurl url_regex "/etc/squid/baddomain.txt"
acl baddomain-lim dstdom_regex -i "/etc/squid/baddomain1.txt"
acl baddomain dstdom_regex -i "/etc/squid/baddomain.txt"
acl limited src "/etc/squid/limited-web"
acl lim url_regex "/etc/squid/lim"
acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
# Replies are not filtered (this is Squid's default behaviour).
http_reply_access allow all
# A second ACL named "FTP" with the same definition as "ftp" above, used only
# to send FTP requests directly instead of via any parent cache.
acl FTP proto FTP
always_direct allow FTP
#Allow ICP queries from everyone
# NOTE(review): only relevant if ICP is enabled (icp_port); if it is,
# restrict this to the sibling/parent caches instead of "all".
icp_access allow all
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# NOTE(review): "transparent" marks an interception port (traffic redirected by
# the gateway). Squid 3.2 and later spell it "intercept" and refuse ordinary
# browser-configured proxy requests on such a port; add a plain http_port
# too if clients are configured explicitly.
http_port 3128 transparent
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# define hostname
visible_hostname proxy.world.com
access_log /var/log/squid/access.log squid
# Resolvers used by Squid itself (overrides /etc/resolv.conf for Squid).
dns_nameservers 103.20.140.18 202.22.200.44
#######################################################################
Configure squid so that it never caches some web sites
Add the following line in /etc/squid/squid.conf:
acl NOCACHEDOMAIN dstdomain www.redhat.com
cache deny NOCACHEDOMAIN
(two separate lines - the original ran them together; current Squid releases use the 'cache' directive, 'no_cache deny NOCACHEDOMAIN' is the older spelling.)
It will not cache any content served from the domain www.redhat.com.
In /var/log/squid/access.log, requests to that domain will always show "TCP_MISS" on consecutive visits:
1197363963.721 892 127.0.0.1 TCP_MISS/200 11813 GET http://www.redhat.com/ - DIRECT/209.132.177.50 text/html
1197364100.832 906 127.0.0.1 TCP_MISS/200 11813 GET http://www.redhat.com/ - DIRECT/209.132.177.50 text/html
----------