A proxy server is a device that usually sits between a client and the destination the user is trying to reach. It can provide security, anonymity, and even protection for the client behind the proxy. Squid is a web proxy server for Red Hat that fills this role: it sits between the client and the web server that the user is trying to connect to.
These devices are often used to control access to the Internet (think web filtering). As a web proxy, Squid can also cache data that users request from the Web and serve it locally, reducing the load on external devices such as gateways and firewalls.
Here, we look at how to set up a web proxy, define access control lists, and troubleshoot it.
Task 1: Installing Squid
Much as you did with the web server, you need to start by installing the package(s) needed for Squid. There is only one package required to install the Squid proxy server.
Step 1. Install the package with the following command:
# yum install -y squid
Step 2. After it’s installed, verify:
# rpm -qa | grep squid
Next, you should turn on Squid at boot time. You use the chkconfig command to do this.
Step 3. Enable Squid to start at boot:
# chkconfig squid on
Step 4. Verify the service will start at boot:
# chkconfig squid --list
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Now that you know the package is installed and will start at boot, you can turn your attention to configuration.
Task 2: Configuring the Web Proxy Server
When setting up your proxy server, you need to know the following items:
- /etc/sysconfig/squid Startup options for the config file
- /etc/squid/squid.conf Main config file for the service
- /var/spool/squid Cache location on the proxy server
- /var/log/squid Log files for the proxy server
As with most services you configure, the first item on the agenda is the main config file.
I want to warn you first that although this config file has huge amounts of documentation and numerous examples, it contains over 4,000 lines, so make sure you put aside some time if you plan to read through the whole config file! As with Apache, configuring a web proxy server can be a daunting and sometimes lengthy process until you have it set up correctly.
Let’s look at some of the main configuration options:
- http_port Specifies the port to listen on
- visible_hostname Identifies the name of the Squid server
- hierarchy_stoplist Provides a list of words that, when found in a URL, tell the Squid server to handle the request directly rather than through a parent cache
- access_log Keeps track of the web pages that are downloaded
- acl Defines an access control list
- http_access Defines which system or networks have access
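The access_log option above writes one line per request in Squid's native log format: timestamp, elapsed time in milliseconds, client address, result code/HTTP status, bytes sent, method, URL, user, hierarchy/peer, and MIME type. As an added example that is not part of the original text, the following Python script parses constructed lines in that format and extracts what you usually need when troubleshooting a proxy: which clients are receiving TCP_DENIED responses (the typical sign of an http_access rule that is stricter than intended), which hosts each client reached, and how often successful GET requests were served from cache. The log lines are sample data constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed access.log lines in Squid's native format (sample data, not from
# a real proxy). Fields: timestamp, elapsed ms, client, result/status, bytes,
# method, URL, user, hierarchy/peer, MIME type.
SAMPLE_LOG = """\
1325456789.123    245 192.168.1.10 TCP_MISS/200 1024 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1325456790.001     12 192.168.1.10 TCP_HIT/200 1024 GET http://example.com/index.html - NONE/- text/html
1325456790.456      0 10.0.0.5 TCP_DENIED/403 3421 GET http://example.com/ - NONE/- text/html
1325456791.789      0 10.0.0.5 TCP_DENIED/403 3421 CONNECT example.net:443 - NONE/- -
1325456792.100    300 192.168.1.22 TCP_MISS/200 5120 GET http://example.org/cgi-bin/form?x=1 - DIRECT/93.184.216.35 text/html
"""

FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")


def parse_line(line):
    """Parse one native-format line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if "/" not in rec["result"]:
        return None
    # "TCP_DENIED/403" -> Squid result code and the HTTP status sent to the client
    rec["code"], rec["status"] = rec["result"].split("/", 1)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def request_host(url):
    """CONNECT requests are logged as host:port; everything else as a full URL."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def denied_by_client(records):
    """Count TCP_DENIED responses per client: the first thing to check when a
    user reports that the proxy stopped working after an http_access change."""
    return Counter(r["client"] for r in records
                   if r["code"].startswith("TCP_DENIED"))


def hosts_by_client(records):
    """Destination hosts each client actually reached, for reviewing what the
    filtering policy permits in practice."""
    out = {}
    for r in records:
        out.setdefault(r["client"], set()).add(request_host(r["url"]))
    return out


def cache_hit_ratio(records):
    """Share of successful GET requests answered from cache (TCP_HIT variants)."""
    served = [r for r in records if r["method"] == "GET" and r["status"] == "200"]
    if not served:
        return 0.0
    hits = sum(1 for r in served if "HIT" in r["code"])
    return hits / len(served)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("denied per client:", dict(denied_by_client(recs)))
    print("hosts per client:", hosts_by_client(recs))
    print("cache hit ratio: %.2f" % cache_hit_ratio(recs))
```

Run it against a copy of /var/log/squid/access.log by replacing SAMPLE_LOG with the file's contents; a client that appears only under denied_by_client is either outside the networks your acl lines permit or is being caught by an http_access deny line earlier than you expected.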
You can use the default port to run the Squid proxy, which makes testing a little easier. You should, however, set the visible_hostname option to the name of your server:
# nano /etc/squid/squid.conf
visible_hostname RHEL01
You should also define the URL patterns that the Squid server should not cache or forward to a parent cache.
An example is form data that you want the server to submit directly, without caching your private data:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
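The acl and cache lines above follow the pattern used by every Squid access rule: an acl line defines a named test, and directives such as http_access and cache apply those tests in order, where the first matching line wins and, if no line matches, the result is the opposite of the last line. As an added example (not code from the page or from the Squid project), the following Python script models that evaluation for two ACL types: urlpath_regex from the text and src, Squid's standard client-network ACL type. The squid.conf fragment, network ranges, and client requests inside it are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed squid.conf fragment for this example (not from the page): a
# local-network source ACL, a catch-all ACL, the QUERY ACL from the text, and
# first-match http_access and cache rules.
SAMPLE_CONF = """
acl localnet src 192.168.1.0/24
acl all src 0.0.0.0/0
acl QUERY urlpath_regex cgi-bin \\?
http_access allow localnet
http_access deny all
cache deny QUERY
"""


def parse_config(text):
    """Return (acls, rules): acls maps name -> (type, [values]); rules maps a
    directive name ('http_access', 'cache') to its ordered (action, terms) list."""
    acls = {}
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (acl_type, []))
            entry[1].extend(values)            # repeated acl lines accumulate values
        elif parts[0] in ("http_access", "cache"):
            rules.setdefault(parts[0], []).append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, client_ip, url):
    """Evaluate one ACL: src matches the client address against any listed
    network; urlpath_regex matches any listed regex against path plus query."""
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "urlpath_regex":
        u = urlsplit(url)
        path = u.path + ("?" + u.query if u.query else "")
        return any(re.search(v, path) for v in values)
    raise ValueError("unsupported acl type in this example: " + acl_type)


def evaluate(directive, acls, rules, client_ip, url):
    """First matching line wins; every term on a line must match ('!' negates a
    term). If no line matches, the result is the opposite of the last line."""
    lines = rules.get(directive, [])
    for action, terms in lines:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise ValueError("undefined acl: " + name)
            hit = acl_matches(acls[name], client_ip, url)
            if hit == negate:       # term fails when hit and negation agree
                matched = False
                break
        if matched:
            return action
    if not lines:
        return "allow"
    return "deny" if lines[-1][0] == "allow" else "allow"


def decide(conf_text, client_ip, url):
    """Return (http_access result, cache result) for one request."""
    acls, rules = parse_config(conf_text)
    return (evaluate("http_access", acls, rules, client_ip, url),
            evaluate("cache", acls, rules, client_ip, url))


if __name__ == "__main__":
    for ip, url in [("192.168.1.10", "http://example.com/index.html"),
                    ("192.168.1.10", "http://example.com/cgi-bin/form?x=1"),
                    ("10.0.0.5", "http://example.com/index.html")]:
        print(ip, url, decide(SAMPLE_CONF, ip, url))
```

The "opposite of the last line" default is why a ruleset should always end in an explicit http_access deny all: a list that ends with an allow line silently denies everyone it does not name, and one that ends with a deny line silently allows everything else. After editing the real file, squid -k parse checks it for syntax errors before you restart the service.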
Task 3: Firewall and SELinux Configuration for Squid Server
The firewall and SELinux requirements for Squid are actually quite simple. Squid uses port 3128 by default for its communication, so you should open this port on the firewall. Both the TCP and UDP protocols are used.
Step 1. Use the iptables command to create your firewall rules:
# iptables -I INPUT 5 -p tcp -m tcp --dport 3128 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 3128 -j ACCEPT
Step 2. Save the rules you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3. Restart the firewall service for the changes to take effect:
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
By default, you do not have to change SELinux for your Squid setup. You should know what the available options are, though:
- squid_use_tproxy Allows Squid to run as a transparent proxy (TPROXY)
- squid_connect_any Allows Squid to connect to all ports, not just HTTP, FTP, and Gopher ports
If you want to enable either of these features, just make sure to adjust the SELinux Boolean value appropriately.
As you can see, the firewall rules and SELinux requirements are really light for Squid. Before starting the service, though, we need to cover Squid security a little more in depth.