squid

Install Squid to configure a proxy server.

 Proxy Server

==============

 => Caching 

 => Monitoring

 => Filtering & Access Control 

 => BW control

 => Authentication

 => Gateway 

 => Log

 

Proxy Types:

=========

 => normal proxy (user can bypass)

 => transparent proxy (user cannot bypass)

 => reverse proxy 

packages:

-------------

 => squid 

 => daemon: squid

 => configuration file: /etc/squid/squid.conf

 => port: 3128 (Default)

Step 01: Package Installation

-----------------------------

[root@serverX ~]# rpm -qa | grep squid

[root@serverX ~]# yum install squid* -y

[root@serverX ~]# cd /etc/squid/

[root@serverX squid]# ls

[root@serverX squid]# cp squid.conf squid.conf.bkf

Step 02: Basic Configure:

------------------------

[root@serverX squid]# vim squid.conf

 :set nu

  8 #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network

  9 #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

 10 #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network

 11 #acl localnet src fc00::/7       # RFC 4193 local private network range

 12 #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

 13  acl mylan src 192.168.11.0/24

 52 # http_access allow localnet       ; add '#'

 54   http_access allow mylan          ; add new line (allow local network)

 63   cache_dir ufs /var/spool/squid 100 16 256    ; remove '#'

 67  visible_hostname proxy.example.com            ; add new line

Note:

=====

100 - cache size in MB

16 - first-level directories

256 - second-level subdirectories

Step03: Service Restart:

-----------------------

[root@serverX squid]# systemctl restart squid.service

[root@serverX squid]# systemctl enable squid.service

[root@serverX squid]# systemctl stop firewalld.service

(note: this disables the host firewall entirely instead of opening only TCP 3128 for the proxy)

Step04: Checking:

-----------------

[root@serverX squid]# squid -z

[root@serverX squid]# netstat -tlnup | grep 3128

Step05: Proxy Setting:

----------------------

 Firefox => Edit > Preferences => Advanced => Network => Settings 

Step06: Monitoring Live access:

-------------------------------

[root@ns1 yum.repos.d]# tail -f /var/log/squid/access.log 

Step06: Site Block:

-------------------

[root@serverX ~]# vim /etc/squid/badsite.txt

www.bdnews24.com

www.bdjobs.com

www.porn.com

[root@serverX ~]# vim /etc/squid/squid.conf 

29 acl badsite dstdomain "/etc/squid/badsite.txt"

35 http_access deny badsite

Step 07: Keyword Block:

----------------------

[root@serverX ~]# vim /etc/squid/keywords.txt

movie

bdnews

sex

[root@serverX ~]# vim /etc/squid/squid.conf 

29 acl keywords url_regex -i "/etc/squid/keywords.txt"

35 http_access deny keywords

Step 08: IP Block:

------------------

[root@serverX ~]# vim /etc/squid/badip.txt

192.168.11.100

192.168.11.150

192.168.11.200

[root@serverX ~]# vim /etc/squid/squid.conf 

29 acl badip src "/etc/squid/badip.txt"

35 http_access deny badip

Step 09: Block HTTPs Site: 

-------------------------

[root@serverX ~]# vim /etc/squid/https.txt

Note: ******

www.facebook.com

www.youtube.com 

www.twitter.com

[root@serverX ~]# vim /etc/squid/squid.conf 

29 acl https_site dstdomain "/etc/squid/https.txt"

35 http_access deny CONNECT https_site

Step 10: Allow Exceptional

--------------------------

[root@serverX ~]# vim /etc/squid/allowip.txt

192.168.11.251

192.168.11.252

192.168.11.253

*** Note: Youtube allowed in www.youtube.com (the acl and http_access lines that reference /etc/squid/allowip.txt are not shown in this step; since http_access is first-match, an allow rule for that list only takes effect if it is placed before the deny rules)

###################################################################################

Centos-6

[1] Install Squid.

[root@prox ~]# yum -y install squid

[2] These are common forward proxy settings.

[root@prox ~]# vi /etc/squid/squid.conf

acl CONNECT method CONNECT

# line 29: add ( define new ACL )

acl lan src 10.0.0.0/24     OR    acl mylocalnet src 0.0.0.0/0.0.0.0

# note: 0.0.0.0/0.0.0.0 matches every source address; allowing such an ACL makes this an open proxy for anyone who can reach the port

http_access allow localhost

# line 57: add ( allow defined ACL above )

http_access allow lan

# line 62: change

http_port 8080

# add follows to the end

request_header_access Referer deny all

request_header_access X-Forwarded-For deny all

request_header_access Via deny all

request_header_access Cache-Control deny all

# define hostname

visible_hostname prox.worldcm.com

# do not disclose the client IP address in X-Forwarded-For

forwarded_for off

:wq    (save and quit vi)

[root@prox ~]# /etc/rc.d/init.d/squid start

Starting squid:

[ OK ]

[root@prox ~]# chkconfig squid on 

############################################################################################################

[root@mail ~]# vi /etc/squid/squid.conf

      1 #

      2 # Recommended minimum configuration:

      3 #

      4 acl manager proto cache_object

      5 acl localhost src 127.0.0.1/32 ::1

      6 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

      7 

      8 # Example rule allowing access from your local networks.

      9 # Adapt to list your (internal) IP networks from where browsing

     10 # should be allowed

     11 #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network

     12 #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

     13 #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network

     14 acl localnet src fc00::/7       # RFC 4193 local private network range

     15 acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

     16 

     17 acl SSL_ports port 443

     18 acl Safe_ports port 80          # http

     19 acl Safe_ports port 21          # ftp

     20 acl Safe_ports port 443         # https

     21 acl Safe_ports port 70          # gopher

     22 acl Safe_ports port 210         # wais

     23 acl Safe_ports port 1025-65535  # unregistered ports

     24 acl Safe_ports port 280         # http-mgmt

     25 acl Safe_ports port 488         # gss-http

     26 acl Safe_ports port 591         # filemaker

     27 acl Safe_ports port 777         # multiling http

     28 acl CONNECT method CONNECT

     29 

     30 acl LAN src 192.168.10.0/24 202.22.192.0/24

     31 

     32 #

     33 # Recommended minimum Access Permission configuration:

     34 #

     35 # Only allow cachemgr access from localhost

     36 http_access allow manager localhost

     37 http_access deny manager

     38 

     39 # Deny requests to certain unsafe ports

     40 http_access deny !Safe_ports

     41 

     42 # Deny CONNECT to other than secure SSL ports

     43 #http_access deny CONNECT !SSL_ports

     44 

     45 # We strongly recommend the following be uncommented to protect innocent

     46 # web applications running on the proxy server who think the only

     47 # one who can access services on "localhost" is a local user

     48 http_access deny to_localhost

     49 

     50 #

     51 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

     52 #

     53 

     54 # Example rule allowing access from your local networks.

     55 # Adapt localnet in the ACL section to list your (internal) IP networks

     56 # from where browsing should be allowed

     57 http_access allow localnet

     58 http_access allow localhost

     59 http_access allow LAN

     60 # And finally deny all other access to this proxy

     61 http_access deny all

     62 

     63 # Squid normally listens to port 3128

     64 http_port 3128 transparent                  # [Transparent Proxy]

     65 

     66 # Uncomment and adjust the following to add a disk cache directory.

     67 cache_dir ufs /var/spool/squid 5000 16 256

     68 

     69 # Leave coredumps in the first cache dir

     70 coredump_dir /var/spool/squid

     71 

     72 

     73 refresh_pattern ^ftp:           1440    20%     10080

     74 refresh_pattern ^gopher:        1440    0%      1440

     75 refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

     76 refresh_pattern .               0       20%     4320

     77 

     78 

     ## add follows to the end

request_header_access Referer deny all

request_header_access X-Forwarded-For deny all

request_header_access Via deny all

request_header_access Cache-Control deny all

     

# define hostname

visible_hostname mail.finlaydhaka.com

##

access_log /var/log/squid/access.log squid

dns_nameservers 103.20.140.18 203.22.201.144

     

# do not disclose the client IP address in X-Forwarded-For

forwarded_for off

     

################################################################################################

[root@proxy ~]# vi /etc/squid/squid.conf

#

# Recommended minimum configuration:

#

acl manager proto cache_object

#acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl ftp proto FTP

acl dbl-mgt src "/etc/squid/mgt-dbl"

acl badurl-lim url_regex "/etc/squid/baddomain1.txt"

acl badurl url_regex "/etc/squid/baddomain.txt"

acl baddomain-lim dstdom_regex -i "/etc/squid/baddomain1.txt"

acl baddomain dstdom_regex -i "/etc/squid/baddomain.txt"

acl limited src "/etc/squid/limited-web"

acl lim url_regex "/etc/squid/lim"

acl localhost src 127.0.0.1/32 ::1

#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

acl lan src 192.168.100.0/24

#

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost
# NOTE: http_access rules are evaluated first-match; the unconditional 'allow localnet'
# directly below lets every localnet client through before the deny rules that follow are consulted

http_access allow localnet

http_access allow manager localhost

http_access allow ftp

http_access deny baddomain

http_access allow dbl-mgt

http_access deny badurl

http_access deny badurl-lim

http_access deny baddomain-lim

http_access allow limited lim

http_access allow lim

http_access deny manager

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

#

# Recommended minimum configuration:

#

acl manager proto cache_object

#acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl ftp proto FTP

acl dbl-mgt src "/etc/squid/mgt-dbl"

acl badurl-lim url_regex "/etc/squid/baddomain1.txt"

acl badurl url_regex "/etc/squid/baddomain.txt"

acl baddomain-lim dstdom_regex -i "/etc/squid/baddomain1.txt"

acl baddomain dstdom_regex -i "/etc/squid/baddomain.txt"

acl limited src "/etc/squid/limited-web"

acl lim url_regex "/etc/squid/lim"

acl localhost src 127.0.0.1/32 ::1

#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

http_reply_access allow all

acl FTP proto FTP

always_direct allow FTP

#Allow ICP queries from everyone

icp_access allow all

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 3128 transparent

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

# define hostname

visible_hostname proxy.world.com

access_log /var/log/squid/access.log squid

dns_nameservers 103.20.140.18 202.22.200.44

#######################################################################

Configure squid so that it never caches some web sites

Add the following line in /etc/squid/squid.conf:

acl NOCACHEDOMAIN dstdomain www.redhat.com

no_cache deny NOCACHEDOMAIN

It will not cache any content that comes from the domain www.redhat.com.

In /var/log/squid/access.log, requests to that domain will always show "TCP_MISS" on consecutive visits.

1197363963.721    892 127.0.0.1 TCP_MISS/200 11813 GET http://www.redhat.com/ - DIRECT/209.132.177.50 text/html

1197364100.832    906 127.0.0.1 TCP_MISS/200 11813 GET http://www.redhat.com/ - DIRECT/209.132.177.50 text/html

----------