Squid proxy:
Squid is a proxy server for caching and filtering web content. It is used by many organisations and Internet providers to reduce bandwidth use and improve response time: Squid caches the web content it fetches and re-uses it for later requests for the same content. Keep in mind that Squid can only cache and filter what it sees in the clear; in its default configuration HTTPS traffic passes through it as an opaque CONNECT tunnel (only the host name and port are visible to the proxy), so it is neither cached nor content-filtered.
» Install squid proxy on CentOS 6:
In this article we will see how to install and configure a Squid proxy on CentOS 6. It assumes CentOS 6 is already installed (CentOS 6 installation step by step screenshots) and the network is configured (How to setup network in CentOS 6).
Update the yum repositories and installed packages first by typing the command below:
[root@leela ~]# yum update
Step 1 » Install squid package and dependencies using the below command
[root@leela ~]# yum install squid
» By default the configuration file “/etc/squid/squid.conf” contains the recommended minimum configuration, and caching works without any changes. Before relying on it, check two things: the `acl localnet` lines allow every RFC 1918 range, so narrow them to the networks you actually serve (otherwise any host on any private range that can reach the proxy is allowed to use it), and `http_access deny to_localhost` is shipped commented out — the file itself recommends uncommenting it so that proxy clients cannot reach services bound only to the proxy host's loopback. The recommended minimum configuration looks like the below:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): as shipped, every RFC1918 range plus IPv6 ULA/link-local is
# allowed; replace these with the subnet(s) actually behind this proxy.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): uncommenting the next line is the safe default; leave it
# commented only if you have a specific reason.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# NOTE(review): with no address given this binds on every interface; on a
# host that also has an Internet-facing interface, bind to the LAN address
# (e.g. http_port 192.168.1.11:3128) or firewall the port.
http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Step 2» Now start squid service
[root@leela ~]# service squid start
and type the command below so the squid service starts automatically at boot:
[root@leela ~]# chkconfig --levels 235 squid on
Step 3 » Set up your web browser to access the Internet through the proxy server on port 3128. (Explicit proxy settings like these can be changed or removed by the user; if the proxy must be enforced rather than offered, see the transparent proxy section at the end of this article — bearing in mind that it covers port 80 only.)
IE:
Tools » Internet options » Connections » LAN settings » Choose “Use a proxy server for your LAN” » Type your proxy server IP (192.168.1.11 in this example) and port number 3128
Firefox: Options / Preferences » Advanced » Network » Settings » Choose “Manual proxy configuration” » Type your proxy server IP (192.168.1.11 in this example) and port number 3128
Step 4 » Browse some sites and check the access log file on proxy server
[root@leela ~]# cat /var/log/squid/access.log
1343759484.331 1828 192.168.1.15 TCP_MISS/200 7005 GET http://www.krizna.com/ - DIRECT/216.172.163.231 text/html
1343759484.645 265 192.168.1.15 TCP_MISS/304 477 GET http://platform.twitter.com/widgets.js - DIRECT/23.64.79.144 application/javascript
1343759484.681 309 192.168.1.15 TCP_MISS/304 839 GET http://apis.google.com/js/plusone.js - DIRECT/173.194.36.36 -
1343759485.005 178 192.168.1.15 TCP_MISS/200 495 GET http://www.google-analytics.com/__utm.gif? - DIRECT/74.125.236.142 image/gif
1343759502.763 20292 192.168.1.15 TCP_MISS/200 1898 CONNECT s-static.ak.facebook.com:443 - DIRECT/23.64.66.110 -
1343759502.765 20292 192.168.1.15 TCP_MISS/200 1898 CONNECT s-static.ak.facebook.com:443 - DIRECT/23.64.66.110 -
1343759723.040 240567 192.168.1.15 TCP_MISS/200 2904 CONNECT plusone.google.com:443 - DIRECT/173.194.36.41 -
1343759933.642 958 192.168.1.15 TCP_MISS/304 394 GET http://www.krizna.com/ - DIRECT/216.172.163.231 -
1343759934.518 459 192.168.1.15 TCP_MISS/200 495 GET http://www.google-analytics.com/__utm.gif? - DIRECT/173.194.36.8 image/gif
1343759943.131 2186 192.168.1.15 TCP_MISS/200 8343 CONNECT www.facebook.com:443 - DIRECT/66.220.146.94 -
1343759943.266 10616 192.168.1.15 TCP_MISS/200 2790 CONNECT apis.google.com:443 - DIRECT/74.125.236.128 -
1343759943.267 10615 192.168.1.15 TCP_MISS/200 2228 CONNECT ssl.gstatic.com:443 - DIRECT/74.125.236.143 -
1343759950.875 2596 192.168.1.15 TCP_MISS/200 32219 CONNECT www.facebook.com:443 - DIRECT/66.220.146.94 -
1343759961.388 20443 192.168.1.15 TCP_MISS/200 1911 CONNECT s-static.ak.fbcdn.net:443 - DIRECT/23.64.77.177 -
Troubleshooting:
If you are not able to browse through the proxy, the usual causes are the host firewall (iptables) and SELinux on the Squid server. Do not turn them off permanently just to make the proxy work; open the proxy port and confirm the cause first.
Firewall (iptables) » allow TCP port 3128 from your LAN (adjust the source network to yours) instead of stopping the firewall:
[root@leela ~]# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
[root@leela ~]# service iptables save
Stopping the firewall entirely, as below, also works for a quick test, but it exposes every service on the server, not just Squid:
[root@leela ~]# service iptables stop
[root@leela ~]# chkconfig iptables off
SELinux » first check whether SELinux is really the problem: look for squid denials in /var/log/audit/audit.log, or run `setenforce 0` to switch to permissive mode until the next reboot and retry step 4. Only if that confirms it, and you cannot fix the policy instead, open the file /etc/selinux/config and find the line
SELINUX=enforcing
and replace with
SELINUX=disabled
then reboot the server and try step 4 again. With Squid on its default port 3128 this step is normally not needed.
Configure squid proxy as a web filter:
You can restrict user access to particular websites or keywords using access control lists (ACLs). These rules only apply to traffic that actually passes through Squid: for HTTPS sites an explicit proxy sees only a CONNECT host:port request (as the access log above shows), so domain rules still match but keyword rules see no URL path, and in the transparent setup at the end of this article only port 80 is intercepted, so HTTPS traffic bypasses the filter entirely.
» Restricting access to specific web sites:
For example, we can see how to block facebook.com and gmail.com.
Step 1 » Create a file (/etc/squid/blockedsites.squid) and add the site names one per line. A dstdomain entry such as www.facebook.com matches only that exact host name; to block a domain together with all of its sub-domains, write it with a leading dot (for example .facebook.com). Also check the access log for the host names actually requested before deciding what to list — Gmail, for instance, is served from Google host names rather than www.gmail.com, so that entry alone is unlikely to be effective.
[root@leela ~]# cat /etc/squid/blockedsites.squid
#blocked sites
www.facebook.com
www.gmail.com
Step 2 » Open /etc/squid/squid.conf and create a new ACL “blocksites” of type “dstdomain” in the ACL section, like the below.
|
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ACL blocksites
acl blocksites dstdomain "/etc/squid/blockedsites.squid"
|
and add the line “http_access deny blocksites” to the http_access section to deny access to the “blocksites” ACL. Squid uses the first http_access line that matches, so the deny line must be placed before “http_access allow localnet” (as below, directly after the manager rule); placed after it, it would never be reached.
|
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Deny access to blocksites ACL
http_access deny blocksites
|
Step 3 » Now restart squid service
[root@leela ~]# service squid restart
Step 4 » Try to access facebook.com in your browser; you will see the blocked page as below, and the log file shows the facebook request being denied (TCP_DENIED/403).
In explicit-proxy mode the same rule also blocks https://www.facebook.com, because dstdomain matches the host name of CONNECT requests; in the transparent setup at the end of this article HTTPS is not intercepted at all and stays reachable.
|
[root@leela ~]# tail -f /var/log/squid/access.log
.................................................................................
1343820985.542 1 192.168.1.15 TCP_DENIED/403 4255 GET http://www.facebook.com/ - NONE/- text/html
1343820986.998 1411 192.168.1.15 TCP_MISS/200 13152 GET http://www.squid-cache.org/Artwork/SN.png - DIRECT/198.186.193.234 image/png
1343820987.004 0 192.168.1.15 TCP_DENIED/403 4178 GET http://www.facebook.com/favicon.ico - NONE/- text/html
|
» Restricting access to specific keywords:
Step 1 » Create a file (/etc/squid/blockkeywords.squid) and add the keywords one per line. Each line is a regular expression matched (case-insensitively, because of the -i flag used below) against the whole request URL, so a short word like “sex” also blocks URLs containing “sussex”, “essex” or “middlesex”, and regex metacharacters such as “.” or “?” must be escaped. Expect false positives with short keyword lists.
[root@leela ~]# cat /etc/squid/blockkeywords.squid
#blocked keywords
sex
porn
xxx
Step 2 » Open /etc/squid/squid.conf and create a new ACL “blockkeywords” of type “url_regex” in the ACL section
|
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ACL blocksites
acl blocksites dstdomain "/etc/squid/blockedsites.squid"
# ACL blockkeywords
acl blockkeywords url_regex -i "/etc/squid/blockkeywords.squid"
|
and add the line “http_access deny blockkeywords” to the http_access section, again before “http_access allow localnet”, to deny access to the “blockkeywords” ACL. Keyword rules apply only to URLs Squid can see: HTTPS requests arrive as CONNECT host:port, so a keyword in an HTTPS page path is never matched.
|
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Deny access to blocksites ACL
http_access deny blocksites
# Deny access to blockkeywords ACL
http_access deny blockkeywords
|
» Restricting access from specific IP addresses:
Step 1 » Create a file (/etc/squid/blockip.squid) and add the IP addresses one per line. Rules based on the client's source address are only as strong as your address assignment: a user who can change their address (or pick up a different DHCP lease) gets a different rule, so treat this as a convenience, not an authentication control.
[root@leela ~]# cat /etc/squid/blockip.squid
#blocked ips
192.168.1.20
192.168.1.21
Step 2 » Open the /etc/squid/squid.conf and create a new acl “blockip” and acl type “src” in the acl section
|
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# ACL blocksites
acl blocksites dstdomain "/etc/squid/blockedsites.squid"
# ACL blockkeywords
acl blockkeywords url_regex -i "/etc/squid/blockkeywords.squid"
# ACL blockip
acl blockip src "/etc/squid/blockip.squid"
|
and add the line “http_access deny blockip” to the http_access section, before “http_access allow localnet”, to deny access to the “blockip” ACL.
|
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Deny access to blockip ACL
http_access deny blockip
# Deny access to blocksites ACL
http_access deny blocksites
# Deny access to blockkeywords ACL
http_access deny blockkeywords
|
» Allow full access to specific IP addresses:
You can allow specific IP addresses full access, bypassing the site and keyword blocks. Create a file “/etc/squid/allowip.squid”, add the IP addresses one per line, and create an ACL “allowip” of type “src” in the ACL section. The same caveat as for blockip applies: anyone who can take over one of these addresses inherits the exemption, so keep the list short and review it.
|
# ACL allowip
acl allowip src "/etc/squid/allowip.squid"
|
and add “!allowip” to the deny lines in the http_access section as below. “http_access deny blockip” is left unconditional, so an address that appears in both lists is still blocked.
|
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Deny access to blockip ACL
http_access deny blockip
# Deny access to blocksites ACL
http_access deny blocksites !allowip
# Deny access to blockkeywords ACL
http_access deny blockkeywords !allowip
|
» Changing the squid proxy port number:
You can change the Squid proxy port number; by default it uses port 3128. If SELinux is enforcing, a port other than the ones labelled for Squid may be refused at bind time; if Squid fails to start after the change, check /var/log/audit/audit.log and label the new port with semanage (e.g. `semanage port -a -t squid_port_t -p tcp 8000`) rather than disabling SELinux.
Just find the below line in “/etc/squid/squid.conf”
http_port 3128
and replace with
http_port 8000 # whatever port number you want
» Restricting download size:
You can restrict the size of downloaded files using reply_body_max_size. It is a separate directive, not an http_access rule, so it can go anywhere in squid.conf; adding it just below the http_access section keeps it near the ACLs it references. The trailing ACL names select which clients the limit applies to (all, or everyone except allowip):
#Restrict download size
reply_body_max_size 10 MB all
or
#Restrict download size
reply_body_max_size 10 MB !allowip
» Configuring Squid as a transparent proxy:
You can configure Squid as a transparent (intercepting) proxy so that LAN clients need no browser proxy settings. Only TCP port 80 is redirected by the firewall script below; HTTPS and every other port go straight out through NAT and are never seen by Squid or its ACLs.
Step 1 » find the line below
# Squid normally listens to port 3128
http_port 3128
and replace with
# Squid normally listens to port 3128
http_port 3128 intercept
Step 2 » Create a file “/root/squidfw.sh” and add the following firewall script (modify the interface names and addresses at the top as per your configuration). It runs as root at boot, so keep it writable only by root (/root is normally root-only already).
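#!/bin/sh
# Transparent-proxy firewall for a CentOS 6 host that routes a LAN (LAN_IN)
# to the Internet (INTERNET) and runs Squid locally: TCP/80 from the LAN is
# diverted to Squid's intercept port, everything else is masqueraded out.
# Must run as root.  Re-running replaces the whole IPv4 ruleset; ip6tables is
# not touched, so IPv6 traffic is neither filtered nor proxied by this script.

# squid server IP (this host's address on $LAN_IN; the diverted port-80
# connections are DNATed to it)
SQUID_SERVER="192.168.1.11"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port (must match the "http_port ... intercept" line in squid.conf)
SQUID_PORT="3128"
# DO NOT MODIFY BELOW

# Fail closed first: set the default policies before flushing so there is no
# moment with empty tables and accept-everything policies.  FORWARD is set to
# DROP as well (the original left it at the kernel default, ACCEPT, which
# forwards anything that reaches the router in either direction).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support (CentOS 6 module
# names; newer kernels call them nf_conntrack / nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

# Turn on IPv4 routing.  Not persistent across reboots, which is why this
# script has to be run from rc.local.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# From the Internet side accept only replies to connections this host
# already opened; no new inbound connection is accepted on $INTERNET
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Act as the router for the rest of the LAN: masquerade outbound traffic,
# forward LAN -> Internet, and let only established/related traffic back in
iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
iptables -A FORWARD -i "$LAN_IN" -o "$INTERNET" -j ACCEPT
iptables -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Unlimited access to/from the LAN.  This INPUT rule is what lets the
# diverted port-80 connections reach Squid on $SQUID_PORT.
iptables -A INPUT -i "$LAN_IN" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IN" -j ACCEPT

# Transparent proxy: DNAT port-80 requests coming from LAN systems to Squid
# ($SQUID_SERVER:$SQUID_PORT).  Only TCP/80 is intercepted; HTTPS (443) and
# every other port bypass Squid and its ACLs completely.
iptables -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"

# The original script also REDIRECTed port 80 arriving on $INTERNET into
# Squid.  That rule is deliberately omitted: nothing on the LAN needs it,
# with the INPUT policy above such connections are dropped anyway, and it
# would expose Squid's intercept port to the Internet the moment INPUT on
# $INTERNET is opened up, leaving only Squid's ACLs in the way.

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP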
Step 3 » Run the script
[root@leela ~]# sh /root/squidfw.sh
and add the line below to “/etc/rc.local” so it runs during startup. Because the script flushes and rebuilds the entire ruleset, it replaces whatever the iptables service loaded from /etc/sysconfig/iptables at boot; keep all firewall changes in this one script rather than mixing the two.
sh /root/squidfw.sh
Step 4 (Updated) » Change the default gateway on the user machines to the Squid server's IP. The clients still need a reachable DNS server, which this setup does not provide by itself.
Now users can access the Internet without setting a proxy in the browser. HTTP on port 80 is filtered and cached by Squid; HTTPS and other ports are routed out unfiltered.
That’s it. Hopefully this article helps you learn the basics of configuring a Squid proxy on CentOS 6.
source http://www.krizna.com/centos/how-to-install-squid-proxy-on-centos-6/
http://www.nhatnghe.com/forum/showthread.php?t=35129