Installing Squid (Caching / Proxy) on CentOS 7

Squid is a caching and forwarding web proxy. It is most often used in conjunction with a traditional LAMP stack (Linux, Apache, MySQL, PHP), and can be used to filter traffic on HTTP, FTP, and HTTPS, and increase the speed (thus lower the response time) for a web server via caching.

squid_proxy_logo copy.jpg

Pre-Flight Check
  • These instructions are intended specifically for installing Squid on a single CentOS 7 node.
  • I’ll be working from a Liquid Web Core Managed CentOS 7 server, and I’ll be logged in as root.
  • Squid Sever IP-Address => 192.168.4.8
Step 1 Install Squid

First, clean-up yum:

# yum clean all

As a matter of best practice we’ll update our packages:

# yum -y update

Installing Squid and related packages is now as simple as running just one command:

# yum -y install squid


Step 2: Configure Squid to Start on Boot

And then start Squid:

# systemctl start squid

Be sure that Squid starts at boot:

# systemctl enable squid

To check the status of Squid:

# systemctl status squid

You will see an output similar to this.

[root@ip-172-31-23-60 ~]# systemctl status squid
 ● squid.service - Squid caching proxy
 Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
 Active: active (running) since Sun 2016-10-16 04:36:10 UTC; 4min 36s ago
 Main PID: 7416 (squid)
 CGroup: /system.slice/squid.service
 ├─7416 /usr/sbin/squid -f /etc/squid/squid.conf
 ├─7418 (squid-1) -f /etc/squid/squid.conf
 └─7419 (logfile-daemon) /var/log/squid/access.log
Oct 16 04:36:10 ip-172-31-23-60 systemd[1]: Starting Squid caching proxy... Oct 16 04:36:10 ip-172-31-23-60 systemd[1]: Started Squid caching proxy. Oct 16 04:36:10 ip-172-31-23-60 squid[7416]: Squid Parent: will start 1 kids Oct 16 04:36:10 ip-172-31-23-60 squid[7416]: Squid Parent: (squid-1) process...d Hint: Some lines were ellipsized, use -l to show in full.


Step 3: Verify and Checking the Version of the Squid the Installation

Squid should start immediately after the installation. Use the following command to view information on the command:

# squid -h

Use the following command to check the version number of Squid and the configuration options it was started with:

# squid -v

Your results should appear similar to:

Squid Cache: Version 3.3.8
configure options: ‘–build=x86_64-redhat-linux-gnu’ ‘–host=x86_64-redhat-linux-gnu’ ‘–program-prefix=’ ‘–prefix=/usr’ ‘–exec-prefix=/usr’ ‘–bindir=/usr/bin’ ‘–sbindir=/usr/sbin’ ‘–sysconfdir=/etc’ ‘–datadir=/usr/share’ ‘–includedir=/usr/include’ ‘–libdir=/usr/lib64’ ‘–libexecdir=/usr/libexec’ ‘–sharedstatedir=/var/lib’ ‘–mandir=/usr/share/man’ ‘–infodir=/usr/share/info’ ‘–disable-strict-error-checking’ ‘–exec_prefix=/usr’ ‘–libexecdir=/usr/lib64/squid’ ‘–localstatedir=/var’ ‘–datadir=/usr/share/squid’ ‘–sysconfdir=/etc/squid’ ‘–with-logdir=$(localstatedir)/log/squid’ ‘–with-pidfile=$(localstatedir)/run/squid.pid’ ‘–disable-dependency-tracking’ ‘–enable-eui’ ‘–enable-follow-x-forwarded-for’ ‘–enable-auth’ ‘–enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam’ ‘–enable-auth-ntlm=smb_lm,fake’ ‘–enable-auth-digest=file,LDAP,eDirectory’ ‘–enable-auth-negotiate=kerberos’ ‘–enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group’ ‘–enable-cache-digests’ ‘–enable-cachemgr-hostname=localhost’ ‘–enable-delay-pools’ ‘–enable-epoll’ ‘–enable-icap-client’ ‘–enable-ident-lookups’ ‘–enable-linux-netfilter’ ‘–enable-removal-policies=heap,lru’ ‘–enable-snmp’ ‘–enable-ssl’ ‘–enable-ssl-crtd’ ‘–enable-storeio=aufs,diskd,ufs’ ‘–enable-wccpv2’ ‘–enable-esi’ ‘–enable-ecap’ ‘–with-aio’ ‘–with-default-user=squid’ ‘–with-filedescriptors=16384’ ‘–with-dl’ ‘–with-openssl’ ‘–with-pthreads’ ‘build_alias=x86_64-redhat-linux-gnu’ ‘host_alias=x86_64-redhat-linux-gnu’ ‘CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie’ ‘LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now’ ‘CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie’ ‘PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig’

The main configuration file for Squid proxy can be found on /etc/squid/squid.conf. You can now setup your browser to use the proxy server you just created. For Internet Explorer and Google Chrome, you can go to Control Panel > Internet Options. In the Connections tab, click on LAN settings and enter your proxy server IP address and port 3128. You will see that you are now browsing the internet through the proxy server.

By default the Squid proxy server is configured to connect to a local network only, if you are not into the local network of the proxy server, you will see an error saying “The proxy server is refusing connections”. If you are getting these kind of errors, then you will need to configure Access Control Lists or ACL into the squid configuration file.

You can check the error logs of Squid using the following command.

# tail -f /var/log/squid/access.log

You will see an output similar to shown below.

 [root@ip-172-31-23-60 ~]# tail -f /var/log/squid/access.log
    1476596170.987  61641 61.14.229.246 TCP_MISS/200 3460 CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
    1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476596574.995 101350 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476596867.906 290539 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476596875.984   4939 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476597519.292 1561080 61.14.229.246 TCP_MISS/200 3828 CONNECT qa.sockets.stackexchange.com:443 - HIER_DIRECT/198.252.206.25 -
    1476597857.853 979174 61.14.229.246 TCP_MISS/200 216 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476598063.413   4459 61.14.229.246 TCP_MISS/200 129 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476598213.392 351400 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
    1476598576.745 511218 61.14.229.246 TCP_MISS/200 158 CONNECT qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -

Configuring Squid

Squid can be easily configured by editing the global configuration file /etc/squid/squid.conf. To edit the configuration file run the following command.

# vi /etc/squid/squid.conf

A minimum sample configuration file will look like this.

    # Recommended minimum configuration:
    ## Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machinesacl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT#
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports# Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports# Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager# We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost#
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    ## Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost# And finally deny all other access to this proxy
    http_access deny all# Squid normally listens to port 3128
    http_port 3128# Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256# Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern 
^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i
(/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320

Allow IP Address to Use the Internet Through Your Proxy Server

To allow a range of IP address to use the Internet through your proxy server. You can add a new ACL entry. Squid supports CIDR notations. Consider an example, if you want to allow a range of IP address from 192.168.4.1 to 192.168.4.255 then you can make the following entry in Squid configuration file under the list of ACLs.

    acl localnet src 192.168.4.8/24

Your list of ACLs will finally look like this.

    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl localnet src 192.168.4.0/24 # Your newly added ACL

For changes to take effect you will need to restart your Squid server, use the following command for same.

# systemctl restart squid

Allow a Specific Port for HTTP Connections

By default Squid only consider very few ports as safe ports and allow connections through them. The ports which are allowed by default are:

    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http

The ports which are not listed above will not be accessed through the proxy. You can add a Port into the list of Safe_ports by modifying the list of ACLs for ports. For example it you want to allow port 168 to be accessed through the proxy server you can add the following ACL entry for this.

    acl Safe_ports port 168

For changes to take effect you will need to restart your Squid server, use the following command for same.

# systemctl restart squid

Using Basic Authentication with Squid

If you want to authenticate the user before they can use your proxy server, you can do it using the basic authentication feature available in Squid proxy. Although Squid supports many kind of authentication but basic authentication is very easy to set up.

First of all you will need to install httpd-tools, which comes with a tool htpasswd which we will use to create an encrypted password file. Run the following command to install httpd-tools.

# yum -y install httpd-tools

Now create a new file and provide the ownership to squid daemon so that it can access it. Run the following command for same.

# touch /etc/squid/passwd && chown squid /etc/squid/passwd

Now you can add a new user to the password file using the htpasswd tool. In this tutorial we will be creating an example user pxuser. You can replace pxuser with anything you like. Run the following command to create a new user using htpasswd tool.

# htpasswd /etc/squid/passwd pxuser

It will ask for the new password twice, provide the password and you will see following output.

    [root@ip-172-31-23-60 ~]# htpasswd /etc/squid/passwd pxuser
    New password:
    Re-type new password:
    Adding password for user pxuser

By default htpasswd uses MD5 encryption for the password, hence your password will be stored in MD5 hash.

As we have our password file ready, you can now edit the squid configuration file using the following command.

# vi /etc/squid/squid.conf

Add the following lines into the configuration file under the access control lists of ports.

    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow auth_users

Write the changes to the file and exit from editor. Reload the Squid daemon using the following command.

# vi systemctl restart squid

Now if you will try to use the proxy server, it will ask you for authentication. Provide your username and password and you will be able to use the proxy server. Unauthenticated user will be shown an error page.

Blocking Websites

You can easily block a single or a list of websites from the users. Using a separate file for the list of websites to be blocked is a good way to manage the blocked websites. Create a new file to store the list of websites to be blocked using your favorite editor.

# vi /etc/squid/blocked_sites

Now enter the list of sites you want to block. One website per line.

    liptanbiswas.com
    liptan.com

Save the file and exit the editor. In this example we used some example websites, you can put a list of actual websites you wish to block. Now open the Squid configuration file again using the following command.

# vi /etc/squid/squid.conf

Enter the following lines under acl list and http_access list.

    acl blocked_sites dstdomain "/etc/squid/blocked_sites"
    http_access deny blocked_sites

Write the changes to the file and exit from editor. Reload the Squid daemon using the following command.

# systemctl restart squid

Now if you will try to access the blocked sites, you will get an access denied message from Squid.

Changing Squid Port

You can easily change the port on which squid listens to. Edit the configuration file using the following command.

# vi/etc/squid/squid.conf

Scroll down to find the following lines into the file.

    # Squid normally listens to port 3128
    http_port 3128

Now change the http_port from 3128 to any port you want. Make sure that no other service is using the port which you will use for Squid. Now restart the Squid daemon and you will see that the changes are in effect.

That’s it. You have successfully install Squid Server on CentOS 7.
Thank you.
 For more reading materials please click here
Advertisements
Installing Squid (Caching / Proxy) on CentOS 7

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s