Squid Web Proxy configuration in Linux

A proxy server is a device that usually sits between a client and the destination the user is trying to reach. It can provide security, anonymity, and even protection for the client behind the proxy. Squid, a web proxy server for Red Hat, fills this role: it sits between the client and the web server that the user is trying to connect to.

Many times these devices are used when you want to control access to the Internet (think web filtering). As a web proxy, it can also cache data that users request from the Web and make it locally available, reducing the load on your external devices such as gateways and firewalls.

Here, we look at how to set up a web proxy, define access control lists, and troubleshoot it.

Task 1: Installing Squid

Much as you did with the web server, you need to start by installing the package(s) needed for Squid. There is only one package required to install the Squid proxy server.
Step 1. Install the package with the following command:

# yum install -y squid

Step 2. After it’s installed, verify:

# rpm -qa | grep squid
squid-3.1.4-1.el6.x86_64

Next, you should turn on Squid at boot time. You use the chkconfig command to do this.

Step 3. Enable Squid to start at boot:

# chkconfig squid on

Step 4. Verify the service will start at boot:

# chkconfig squid --list
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Now that you know the package is installed and will start at boot, you can turn your attention to configuration.

Task 2: Configuring Web Proxy Server

When setting up your proxy server, you need to know the following items:

  • /etc/sysconfig/squid           Startup options for the config file
  • /etc/squid/squid.conf         Main config file for the service
  • /var/spool/squid                 Cache location on the proxy server
  • /var/log/squid                     Log files for the proxy server

As with most services you configure, the first item on the agenda is the main config file.

I want to warn you first that although this config file has huge amounts of documentation and numerous examples, it contains more than 4,000 lines, so set aside some time if you plan to read through the whole file! As with Apache, configuring a web proxy server can be a daunting and sometimes lengthy process until you have it set up correctly.

Let’s look at some of the main configuration options:

  • http_port Specifies the port to listen on
  • visible_hostname Identifies the name of the Squid server
  • hierarchy_stoplist Provides a list of words that, when found in a URL, tell the Squid server to handle the request directly
  • access_log Keeps track of the web pages that are downloaded
  • acl Defines an access control list
  • http_access Defines which system or networks have access

You can keep the default port for the Squid proxy, which makes testing a little easier, and set the visible_hostname option to the name of your server:

# nano /etc/squid/squid.conf
visible_hostname RHEL01

You should also define the URL patterns that the Squid server should not handle.

An example would be form data that you want the server to submit directly, so that your private data is not cached:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
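
To see which requests the QUERY acl takes out of the cache, the following added example (not part of the original page) pulls the urlpath_regex patterns out of a constructed squid.conf excerpt and tests sample URLs against them. It assumes urlpath_regex is applied to the URL path including the query string; the www.example.com URLs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: which requests "cache deny QUERY" applies to.
# SQUID_CONF is a constructed excerpt that reuses the three lines shown above.
SQUID_CONF='hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY'

# Join the patterns of the named urlpath_regex acl into one alternation.
acl_regex() {
    printf '%s\n' "$SQUID_CONF" |
        awk -v name="$1" '$1 == "acl" && $2 == name && $3 == "urlpath_regex" {
            for (i = 4; i <= NF; i++) print $i }' |
        paste -s -d '|' -
}

# Print the path-plus-query part of a URL (assumed input to urlpath_regex).
url_path() {
    rest=${1#*://}                      # strip the scheme
    case $rest in
        */*) printf '/%s\n' "${rest#*/}" ;;
        *)   printf '/\n' ;;
    esac
}

# Print "no-cache" when the URL matches the QUERY acl, else "cacheable".
cache_decision() {
    regex=$(acl_regex QUERY)
    if [ -n "$regex" ] && url_path "$1" | grep -Eq -- "$regex"; then
        echo no-cache
    else
        echo cacheable
    fi
}

# Constructed sample URLs.
for u in http://www.example.com/index.html \
         http://www.example.com/cgi-bin/form.pl \
         'http://www.example.com/search?q=private'; do
    printf '%-10s %s\n' "$(cache_decision "$u")" "$u"
done
```
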

Task 3: Firewall and SELinux Configuration for Squid Server

The firewall and SELinux requirements for Squid are actually quite simple. Squid uses port 3128 by default for its communication, so you should open this port on the firewall. Both the TCP and UDP protocols are used.

Step 1. Use the iptables command to create your firewall rules:

# iptables -I INPUT 5 -p tcp -m tcp --dport 3128 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 3128 -j ACCEPT

Step 2. Save the rules you just created:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

Step 3. Restart the firewall service for the changes to take effect:

# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
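
The rules in Step 1 accept port 3128 from any source address, so who may use the proxy is then decided only by Squid's own http_access rules. The following added example (not part of the original page) reads rules in the saved iptables-save format and reports which source each ACCEPT rule for a port allows; the sample rules and the 192.168.1.0/24 subnet are constructed, and only single --dport matches are handled.

```shell
#!/bin/sh
# Added example: list the sources allowed to reach the proxy port in saved rules.
# SAMPLE_RULES is a constructed excerpt in the iptables-save format that
# "service iptables save" writes to /etc/sysconfig/iptables.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read iptables-save text on stdin; for each INPUT rule that ACCEPTs the given
# destination port, print "<protocol> <source>" ("any" when there is no -s match).
proxy_rule_sources() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            proto = "all"; src = "any"; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport == port && target == "ACCEPT") print proto, src
        }'
}

# Count the rules that accept the port from any source address.
unscoped_count() {
    proxy_rule_sources "$1" |
        awk '$2 == "any" || $2 == "0.0.0.0/0" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_RULES" | proxy_rule_sources 3128
echo "unscoped rules for 3128: $(printf '%s\n' "$SAMPLE_RULES" | unscoped_count 3128)"
```

To check the rules actually saved on the server, feed the file on stdin: `unscoped_count 3128 < /etc/sysconfig/iptables`.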

By default, you do not have to change SELinux for your Squid setup. You should know what the available options are, though:

squid_use_tproxy    Allows Squid to run as a transparent proxy (TPROXY)
squid_connect_any   Allows Squid to connect to all ports, not just HTTP, FTP, and Gopher ports

If you want to enable either of these features, just make sure to adjust the SELinux Boolean value appropriately.

As you can see, the firewall rules and SELinux requirements are really light for Squid. Before starting the service, though, we need to cover Squid security a little more in depth.

November 14, 2015
