The procedure below was tested successfully on CentOS. The same thing was also implemented on my BSD box and works as well.
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL.
Squid aims to provide the best possible web access. It optimises the data flow between client and server to improve performance and caches frequently-used content to save bandwidth. Squid can also route content requests to servers in a wide variety of ways to build cache-server hierarchies that optimise network throughput.
1. The easiest way to install and configure Squid is to install it from your distribution's package (RPM, .deb, .tgz) and then install Webmin for point-and-click configuration of ACLs and proxy restrictions.
2. Use SARG (Squid Analysis Report Generator) for log analysis.
3. The most logical way to configure ACLs is to keep a list of allowed sites and deny everything else, so there is no need to maintain a restricted-sites list that is difficult to manage. Only the sites in the allowed list can be accessed by a group; everything else is denied.
4. Squid has its limitations; if you want content filtering, I recommend DansGuardian.
5. Internet access can be controlled by IP address or subnet, so make sure you know some basic subnetting 🙂
6. Familiarity with TCP port numbers is also a helpful skill in Squid configuration.
7. If you want something more flexible and advanced, you can use LDAP to authenticate Squid proxy users.
REQUIREMENTS
Any Linux or BSD distribution (CentOS, Red Hat, Fedora Core, Debian, Gentoo / FreeBSD, OpenBSD)
Squid 2.5 STABLE or higher
INSTALLATION AND COMPILATION
a. Download the source archive file (tarball) available at http://www.squid-cache.org or from ftp://www.squid-cache.org/pub
b. Untar the file and change the working directory to squid-*
[root@proxy]# tar zxvf squid-2.5.STABLE10.tar.gz
[root@proxy]# cd squid-2.5.STABLE10
c. To configure, compile and install Squid, run the following commands:
[root@proxy]# ./configure --enable-underscores --prefix=/home/squid --enable-linux-netfilter --enable-snmp
[root@proxy]# make
[root@proxy]# make install
--enable-underscores allows underscores in hostnames (URLs)
--enable-linux-netfilter enables transparent-proxy support on Linux 2.4 (Netfilter)
--enable-snmp enables SNMP monitoring
By default Squid installs into "/usr/local/squid"; to install somewhere else, pass --prefix, as done above with --prefix=/home/squid.
Basic configuration is to be done in configuration file: /home/squid/etc/squid.conf
One of the important things in squid.conf is the cache_dir tag, which needs to be defined carefully. The top-level directory named there must already exist on a filesystem with at least the space declared in the tag, and it must be owned by (and writable for) the unprivileged user Squid drops to (cache_effective_user). Do not make it world-writable with 777: a 777 cache directory lets any local user tamper with cached objects. Create it, chown it to the cache user, and let squid -z create the subdirectory structure.
In the config file, edit the following lines (these are the current settings of this proxy):
http_port defines the address and port on which Squid listens for clients' HTTP requests. It is a required directive: without at least one http_port line Squid will not start. The stock squid.conf sets http_port 3128, so check that line and change the port only if your clients will be configured for a different one.
Specifies the ideal amount of memory to be used for:
• Hot Objects
• Negative-Cached objects
• In-Transit objects
cache_mem 16 MB
maximum_object_size: objects larger than this size will NOT be saved on disk. The value is specified in kilobytes and the default is 4 MB. If you want a high BYTE hit ratio you should probably increase it (one 32 MB object hit counts for as much as 3200 hits on 10 KB objects). Leave it low if response speed matters more to you than bandwidth savings.
Note: if you use the LFUDA replacement policy you should increase this value to get the most out of LFUDA's byte-hit-rate improvement; see the replacement_policy tag in squid.conf for a discussion of that policy.
maximum_object_size 8192 KB
All objects which are to be cached are stored in the disk space defined by this tag. This defines the path to cache directory, cache directory name, type and size of the cache area.
cache_dir ufs /cache 15000 16 256
(Set cache_dir to an area that has a large amount of hard disk space in order to devote to caching.)
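The cache_dir requirements above (the directory exists, is owned by the cache user rather than being 777, and the disk has the declared space) are easy to check before the first squid -z. The script below is an added example, not part of the original page or of Squid itself; it parses the cache_dir line from this page and runs the checks against a scratch directory it creates. The free-space figure is passed in as a parameter so the check can be exercised offline (in production use shutil.disk_usage(path).free).

```python
import os
import stat
import tempfile


def parse_cache_dir(line):
    """Split 'cache_dir ufs /cache 15000 16 256' into its fields; size is in MB,
    16 and 256 are the first- and second-level subdirectory counts."""
    f = line.split()
    if len(f) != 6 or f[0] != "cache_dir":
        raise ValueError("unexpected cache_dir line: %r" % line)
    return {"type": f[1], "path": f[2], "size_mb": int(f[3]),
            "l1": int(f[4]), "l2": int(f[5])}


def check_cache_dir(path, squid_uid, size_mb=None, free_bytes=None):
    """Return a list of problems with the cache directory (empty list = fine).
    squid_uid is the uid of cache_effective_user; free_bytes is supplied by
    the caller so the check is testable without a 15 GB disk."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist: mkdir it, chown it to cache_effective_user, "
                "then run squid -z" % path]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    if st.st_uid != squid_uid:
        problems.append("owned by uid %d, not the cache_effective_user (uid %d)"
                        % (st.st_uid, squid_uid))
    if st.st_mode & stat.S_IWOTH:
        # a world-writable cache lets any local user read or plant cached objects
        problems.append("world-writable (mode %o): use 750 owned by the cache user, not 777"
                        % (st.st_mode & 0o777))
    if size_mb is not None and free_bytes is not None and free_bytes < size_mb * 1024 * 1024:
        problems.append("only %d MB free but cache_dir asks for %d MB"
                        % (free_bytes // 2 ** 20, size_mb))
    return problems


def demo():
    """Exercise the check on a constructed scratch directory: first with the
    777 mode, then fixed to 750, then with too little disk declared free."""
    spec = parse_cache_dir("cache_dir ufs /cache 15000 16 256")
    d = tempfile.mkdtemp()          # stands in for /cache (assumption)
    me = os.getuid()                # stands in for the cache_effective_user uid
    os.chmod(d, 0o777)
    as_777 = check_cache_dir(d, me, spec["size_mb"], free_bytes=20 * 2 ** 30)
    os.chmod(d, 0o750)
    fixed = check_cache_dir(d, me, spec["size_mb"], free_bytes=20 * 2 ** 30)
    too_small = check_cache_dir(d, me, spec["size_mb"], free_bytes=8 * 2 ** 30)
    os.rmdir(d)
    return {"spec": spec, "as_777": as_777, "fixed": fixed, "too_small": too_small}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it as root on the real proxy with the path from your cache_dir line and the uid of cache_effective_user (pwd.getpwnam("nobody").pw_uid or whichever user you chose) to get the same three checks against the real directory.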
cache_access_log: every request a client makes is logged in this file, and it is the basis for analysing the access made by clients (SARG reads it). In Squid 2.6 and later the equivalent access_log tag accepts a logformat name and ACLs so that only matching requests are written; if no ACL is given, all requests are logged. To disable the log entirely, specify none as the file name.
(Logs the client request activity)
cache_log: this defines the path and file where general information about your cache's behaviour goes. It contains startup configuration information as well as assorted error information from Squid's operation, and is the first place to look when a website has problems through the cache; entries here often point towards a solution.
(Cache logging file. This is where general information about your cache's behaviour goes.)
cache_store_log: this tag defines the location of the transaction log of every object stored in the object store, including when each object is deleted. The file has little use on a production cache and is primarily useful for debugging, so it can be turned off by setting it to none.
(Logs the activities of the storage manager)
ACCESS CONTROL LISTS
You can limit users' ability to browse the Internet with access control lists (ACLs). Each acl line defines a particular type of match, such as an access time or a source network; the ACLs are then referenced from http_access statements that tell Squid whether to allow or deny traffic matching them.
Squid checks each web request it receives against the http_access list from top to bottom. On the first match it enforces that allow or deny and stops reading. You therefore have to be careful not to place a deny statement in the list that shadows a similar allow statement below it. The final http_access statement denies everything, so new statements go above it.
Note: the very last http_access statement in squid.conf denies all access, so your specific permit statements must be added above that line. In the examples below the statements are placed near the top of the http_access list for manageability, but they can go anywhere in the section above that last line.
Squid ships with a minimum required set of ACL statements in the ACCESS_CONTROL section of squid.conf. It is best to put new customised entries right after that list to keep the file easy to read.
Here are the ACLs defined in squid.conf:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl lan src 192.168.17.0/255.255.255.0
acl lanpub src 202.x.x.250/255.255.255.255
acl isp src 210.x.x/255.255.255.0
acl AllowedSites dstdomain “/usr/local/etc/allowed-sites.squid”
acl RestrictedSites dstdomain “/usr/local/etc/restricted-sites.squid”
acl lansnmp snmp_community freelinux
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access is where the filtering on the ACL matches happens. Lines are checked top to bottom and the first match wins; if no line matches, the default is the opposite of the last line (if the last line was deny, the default is allow, and vice versa). For this reason it is a good idea to end the list with an explicit "deny all" or "allow all". Order matters: a broad "allow lan AllowedSites" or "allow isp" placed before the Safe_ports and CONNECT rules means those clients never reach the port checks (a LAN client could CONNECT to port 25 on an allowed site, and any ISP address could reach the cache manager), and a "deny all" placed early makes everything after it unreachable, including the cache-manager permit for localhost. The rules for the ACLs above, in the order Squid needs them:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan AllowedSites
http_access allow isp
http_access deny all
(The stray "acl our_networks src 192.168.17/255" line belongs with the other acl definitions and is not referenced by any http_access rule; if you keep it, write it as acl our_networks src 192.168.17.0/255.255.255.0, otherwise delete it.)
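The first-match rule is easier to see in action than to reason about. The script below is an added example, not part of the original page or of Squid: it reimplements the http_access evaluation described above (first matching line wins, all ACLs on a line must match, "!" negates, no match means the opposite of the last line) together with the src, port, method, proto and dstdomain ACL types used here, and runs the same requests through the page's ordering and the corrected one. The elided 202.x.x.250 and 210.x.x addresses are replaced with documentation ranges, and the AllowedSites file contents are constructed; both are assumptions. It also shows the dstdomain file rule: an entry with a leading dot matches the domain and all its subdomains, an entry without one matches that host name only.

```python
import ipaddress
from dataclasses import dataclass

# ACL definitions from the squid.conf above (addresses that the page elides are
# replaced with documentation ranges; AllowedSites contents are constructed).
ACLS = {
    "all":          ("src", ["0.0.0.0/0"]),
    "localhost":    ("src", ["127.0.0.1/255.255.255.255"]),
    "lan":          ("src", ["192.168.17.0/255.255.255.0"]),
    "lanpub":       ("src", ["198.51.100.250/255.255.255.255"]),   # stands in for 202.x.x.250
    "isp":          ("src", ["203.0.113.0/255.255.255.0"]),        # stands in for 210.x.x/24
    "manager":      ("proto", ["cache_object"]),
    "CONNECT":      ("method", ["CONNECT"]),
    "SSL_ports":    ("port", ["443", "563"]),
    "Safe_ports":   ("port", ["80", "21", "443", "563", "70", "210",
                              "1025-65535", "280", "488", "591", "777"]),
    "AllowedSites": ("dstdomain", [".example.com", "intranet.example.org"]),
}

PAGE_ORDER = """
http_access allow lan AllowedSites
http_access allow isp
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

FIXED_ORDER = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan AllowedSites
http_access allow isp
http_access deny all
"""


@dataclass
class Request:
    src: str              # client IP address
    method: str           # GET, CONNECT, ...
    host: str             # destination host name
    port: int             # destination port
    proto: str = "http"   # "cache_object" for cache-manager requests


def domain_matches(entry, host):
    """dstdomain semantics: '.example.com' matches example.com and every
    subdomain; 'intranet.example.org' matches that exact host name only."""
    host = host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":            # single ports and lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in values
    if kind == "proto":
        return req.proto in values
    if kind == "dstdomain":
        return any(domain_matches(v, req.host) for v in values)
    raise ValueError("unsupported acl type %s" % kind)


def parse_rules(text):
    """Turn http_access lines into (action, [acl, !acl, ...]) tuples."""
    return [(f[1], f[2:]) for f in (l.split() for l in text.splitlines())
            if f and f[0] == "http_access"]


def http_access(rules, req):
    """First matching line wins; a line matches when all of its ACLs match
    ('!' negates one). With no match, the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(req):
    """(decision under the page's order, decision under the corrected order)"""
    return (http_access(parse_rules(PAGE_ORDER), req),
            http_access(parse_rules(FIXED_ORDER), req))


if __name__ == "__main__":
    for r in [Request("192.168.17.25", "GET", "www.example.com", 80),
              Request("192.168.17.25", "CONNECT", "www.example.com", 25),
              Request("203.0.113.9", "CONNECT", "mail.other.net", 25),
              Request("127.0.0.1", "GET", "localhost", 3128, proto="cache_object"),
              Request("203.0.113.9", "GET", "proxy", 3128, proto="cache_object"),
              Request("192.168.17.25", "GET", "www.intranet.example.org", 80)]:
        print("%-14s %-7s %-26s:%-5d page=%-5s fixed=%s"
              % ((r.src, r.method, r.host, r.port) + compare(r)))
```

Under the page's order a LAN client may CONNECT to port 25 on an allowed site and an ISP address may query the cache manager, while localhost is denied the cache manager; the corrected order gives the expected decisions for all six requests.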
http_reply_access applies the same ACL matching to the replies returned for client requests. As with http_access, if no line matches, the opposite of the last line applies, so it is good practice to end the list with an explicit "allow all" or "deny all".
http_reply_access allow all
icp_access controls which hosts may send ICP queries (cache-peer traffic) to this Squid. Only cache peers need it, so if you run no peers use icp_access deny all rather than opening it to everyone.
icp_access allow all
cache_mgr is the e-mail address added to any error pages displayed to clients. It defaults to webmaster.
cache_effective_user and cache_effective_group: Squid is designed to start as root but very soon afterwards drops to the user and group specified here, which lets you restrict, for security reasons, the permissions Squid has while operating. By default Squid runs as user nobody and group nogroup.
Note: if these tags do not name a user and group that exist and that own the cache and log directories, Squid will have problems starting.
To enable SNMP monitoring (the build must have been configured with --enable-snmp):
acl lansnmp snmp_community nocteam (nocteam = sample community string; the acl section above defines the same acl with the string freelinux, so keep only one, and treat the string like a password)
snmp_access allow lansnmp all
The trailing all matches every source address, so any host that knows the community string can read the counters. Restrict it to the monitoring hosts instead (for example snmp_access allow lansnmp lan) and finish with snmp_access deny all.
A good practice is to keep cache_access_log and cache_log enabled for debugging. Even though they take up a lot of space, they can be rotated daily with the logrotate feature.
( You can set up a cron job scheduled every midnight to rotate logs e.g.
0 0 * * * /home/squid/sbin/squid -k rotate )
You can configure MRTG and Nagios to monitor Squid's performance through the SNMP counters enabled above.
ALLOWING / RESTRICTING ACCESS TO SPECIFIC WEB SITES
Squid can also read files containing lists of web sites and/or domains for use in dstdomain ACLs. In this example we create two lists in the files /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid, one domain per line. An entry with a leading dot (.example.com) matches the domain and all of its subdomains; an entry without the dot matches that host name only.
# File: /usr/local/etc/allowed-sites.squid
After you have finished editing the configuration file you can start Squid for the first time. First create the swap (cache) directories by running Squid with the -z option:
[root@proxy]# /home/squid/sbin/squid -z
Once that completes, start Squid and try it out. The best way to begin is to run it in the foreground from your terminal and watch the debugging output:
[root@proxy]# /home/squid/sbin/squid -NCd1
If everything is working, the console displays "Ready to serve requests".
To run Squid in the background as a daemon, start it without the -N option:
[root@proxy]# /home/squid/sbin/squid
You must be a privileged user (root) to start or stop Squid; it drops to cache_effective_user by itself.
If you installed the distribution package you can use the init script instead:
#service squid start   (start the squid service)
#service squid stop    (stop the squid service)
#service squid status  (check the status of the squid service)
Check the cache.log file in your logs directory to find out whether Squid is working correctly. This file contains the informational and error messages that Squid generates at runtime:
#tail -f /home/squid/var/logs/cache.log
With the --prefix used above Squid writes its logs under /home/squid/var/logs/ (a distribution package usually uses /var/log/squid/). It is best to review these files first whenever you have difficulties. The squid.out file can be especially useful, as it contains Squid's system errors.
Another source of trouble is a statement in squid.conf that is syntactically valid but not what you intended, so it produces no error message; mistakes in the configured hours of access, or a permitted network that you forgot to add, are just two possibilities.
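Reviewing access.log by eye does not scale, and the same file shows whether the ACL ordering above actually holds. The script below is an added example, not part of the original page, SARG or Squid: it parses Squid's native access.log format (time, elapsed ms, client, code/status, bytes, method, URL, ident, hierarchy/peer, content type, which is what cache_access_log writes when emulate_httpd_log is off), sums bytes and denials per client, computes the hit ratio, and flags two things a practitioner wants to see: CONNECT tunnels that got through to a port outside SSL_ports (a sign the "deny CONNECT !SSL_ports" rule is missing or shadowed) and cache_object:// requests from anything but localhost. The log lines are constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

SSL_PORTS = {443, 563}   # the SSL_ports acl from squid.conf

# Constructed sample in native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1135260871.263    128 192.168.17.25 TCP_MISS/200 5839 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
1135260872.101      2 192.168.17.25 TCP_HIT/200 2312 GET http://www.example.com/logo.gif - NONE/- image/gif
1135260875.440      0 192.168.17.77 TCP_DENIED/403 1437 CONNECT mail.other.net:25 - NONE/- text/html
1135260880.912  60211 203.0.113.9 TCP_MISS/200 112233 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1135260881.005      0 203.0.113.9 TCP_DENIED/403 1437 GET cache_object://localhost/info - NONE/- text/html
1135260890.000  30000 192.168.17.30 TCP_MISS/200 4096 CONNECT tunnel.other.net:8443 - DIRECT/198.51.100.20 -
"""


def parse_line(line):
    """Split one native-format line into a dict of named fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    code, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "ident": f[7],
            "hierarchy": hier, "peer": peer, "type": f[9]}


def request_port(rec):
    """Destination port: host:port for CONNECT, otherwise from the URL or its scheme."""
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
        return int(port) if host else None
    u = urlsplit(rec["url"])
    return u.port or {"http": 80, "https": 443, "ftp": 21}.get(u.scheme)


def summarize(log_text):
    """Per-client totals, hit ratio and a list of (client, reason) alerts."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    bytes_by_client, denied_by_client, alerts, hits = Counter(), Counter(), [], 0
    for r in recs:
        bytes_by_client[r["client"]] += r["bytes"]
        hits += "HIT" in r["code"]
        if r["code"] == "TCP_DENIED":
            denied_by_client[r["client"]] += 1
        port = request_port(r)
        # a tunnel that was allowed to a non-SSL port slipped past the CONNECT rule
        if r["method"] == "CONNECT" and r["code"] != "TCP_DENIED" and port not in SSL_PORTS:
            alerts.append((r["client"], "CONNECT to port %s allowed" % port))
        # cache-manager probes from outside localhost are worth a look even when denied
        if r["url"].startswith("cache_object://") and r["client"] != "127.0.0.1":
            alerts.append((r["client"], "cache manager request from non-localhost"))
    return {"requests": len(recs), "hits": hits,
            "hit_ratio": hits / len(recs) if recs else 0.0,
            "bytes_by_client": dict(bytes_by_client),
            "denied_by_client": dict(denied_by_client), "alerts": alerts}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("requests=%d hit ratio=%.2f" % (s["requests"], s["hit_ratio"]))
    for client, total in sorted(s["bytes_by_client"].items(), key=lambda kv: -kv[1]):
        print("%-15s %9d bytes  %d denied" % (client, total, s["denied_by_client"].get(client, 0)))
    for client, why in s["alerts"]:
        print("ALERT %s: %s" % (client, why))
```

Point summarize() at the contents of your real access.log (open(path).read()) to get the same report; the two alerts on the sample data come from the 8443 tunnel and the cache_object request from the ISP range.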
CONFIGURATION IN THE WEB BROWSER
If you don't have a firewall that supports redirection (transparent proxying), configure your firewall to accept outbound HTTP only from the Squid server, and configure each PC's browser proxy settings manually to use the Squid server. The method depends on the browser.
For example, in Mozilla Firefox (Internet Explorer has the same settings under Tools > Internet Options > Connections > LAN settings):
1. Click "Tools" on the browser's menu bar.
2. Click "Options".
3. Click the "Network" tab.
4. Click "Settings".
5. Select "Manual proxy configuration".
6. Enter the Squid server's IP address as the HTTP proxy and the port from your http_port line (3128 unless you changed it).
7. Also enter the internal sites or networks that should bypass the proxy and connect directly.
8. Click "OK".