Squid Proxy Server Configuration On Centos 5.3

By Melbin Mathew | October 13, 2009

In our organization we have deployed the Squid proxy server on our gateways. Squid helps us restrict users from accessing sites we have denied.

First we need to install the Squid proxy server on the gateway machine. All other configuration is done in the squid.conf file. The following are the custom changes to squid.conf that give us what we want.

Installation Of Squid

Install Squid using yum:

# yum install squid

View the installed package:

# rpm -qa | grep squid

Changes On Squid Conf

# cd /etc/squid/

# cp squid.conf squid.conf.original

# vi squid.conf

#Recommended minimum configuration:

#"all" must cover every address. The stock Squid 2.x definition is 0.0.0.0/0.0.0.0;
#0.0.0.0/255.255.255.0 does not work because that mask only covers a single /24.
#Do not narrow "all" to the LAN: a later "http_access deny all" would then mean
#"deny the LAN" instead of "deny everyone else".

acl all src 0.0.0.0/0.0.0.0

#acl all src 192.168.0.0/255.255.255.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443

#Allow CONNECT to Plesk (https://ip:8443) and cPanel (https://ip:2083)

acl SSL_ports port 8443

acl SSL_ports port 2083

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

#Squid, cPanel and Plesk ports (already inside the 1025-65535 range above, so these lines are redundant but harmless)

acl Safe_ports port 3128 # squid

acl Safe_ports port 8443 # Plesk

acl Safe_ports port 2083 # Cpanel

acl CONNECT method CONNECT

#

#Default:

# http_access deny all

#

#Recommended minimum configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to unknown ports

#Refuse requests to any port that is not in Safe_ports

http_access deny !Safe_ports

#Refuse CONNECT tunnels to anything but SSL_ports (8443 and 2083 were added above so Plesk and cPanel keep working)

http_access deny CONNECT !SSL_ports

#

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#Left enabled here: otherwise any LAN user can reach services bound to 127.0.0.1 on the gateway by requesting http://127.0.0.1:port/ through the proxy

http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt

# to list your (internal) IP networks from where browsing should

# be allowed

#acl our_networks src 192.168.1.0/24 192.168.2.0/24

#http_access allow our_networks

# And finally deny all other access to this proxy

##http_access allow localhost

##http_access deny all

#######################

#Add Lines For Our Network

acl our_networks src 192.168.0.0/24

#Domain lists live in files, one domain per line. A leading dot (.example.com) matches the domain and all its subdomains; a bare name matches only that exact host

acl blocked_urls dstdomain "/etc/squid/blockedsites.acl"

acl bad_urls dstdomain "/etc/squid/badsites.acl"

acl blocked_proxy dstdomain "/etc/squid/blockedproxies.acl"

#Internal server whose responses must not be cached (used by "cache deny" below)

acl localnet dst 192.168.0.9

#The arp ACL type only works when Squid was built with --enable-arp-acl; otherwise Squid rejects these lines as an invalid ACL type

#acl mac_ournetwork arp "/etc/squid/macinternal.acl"

#acl mac_outsidenetwork arp "/etc/squid/macoutside.acl"

#Time windows (HH:MM-HH:MM) during which the blocked sites are reachable

acl noon_hours time 13:00-13:30

acl evening_hours time 20:30-21:00

#Order matters: Squid uses the first http_access line that matches, so the deny lines go before the allow lines

#http_access deny mac_ournetwork

#Do not cache responses from the internal server defined as localnet above

cache deny localnet

#Deny the blocked list except inside the time windows: all terms on one line must match, so this line only applies outside both windows

http_access deny blocked_urls !noon_hours !evening_hours

http_access deny blocked_proxy

http_access deny bad_urls

http_access allow our_networks

#Keep localhost on its own line. Terms on one http_access line are ANDed, so "allow our_networks localhost" would never match and LAN users would fall through to the default, which is deny when the last line is an allow

http_access allow localhost

#Finish with an explicit deny ("all" must be 0.0.0.0/0.0.0.0 for this to cover every client). Without it Squid falls back to the opposite of the last line, which turns the gateway into an open proxy if a deny line ever ends up last

http_access deny all

###################

#Enable transparent interception on the listening port ("transparent" is the Squid 2.x keyword; Squid 3.1 and later use "intercept")

#Squid normally listens to port 3128

http_port 3128 transparent

#Do not cache negative (error) responses

#Default:

# negative_ttl 5 minutes

negative_ttl 0 minutes

#Allow Subversion through the proxy: Squid 2.x only accepts request methods it knows, so add the WebDAV methods SVN uses

#Default:

# none

extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND

#Hostname Squid shows in error pages and Via headers

#Default:

# none

visible_hostname gw2.talk2melbin.com

#Name server to use; by default Squid reads /etc/resolv.conf

#Default:

# none

dns_nameservers 192.168.0.252
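Because the outcome depends on line order, on every term of a line matching, and on the implicit default, it is worth checking the http_access list above before reloading Squid. The Python script below is an added example, not code from this post or from Squid: it transcribes the acl and http_access lines above (with the stock 0.0.0.0/0.0.0.0 definition of all) and applies the evaluation rules the Squid documentation describes. The contents of blockedsites.acl, badsites.acl and blockedproxies.acl are constructed stand-ins and the request values are made up. It also shows the two ways the list goes wrong that the comments above warn about: putting our_networks and localhost on one line, and ending the list with a deny line.

```python
"""Model of Squid's http_access evaluation for the squid.conf above.

Added example, not code from this post or from Squid.  Semantics (from the
Squid docs): terms on one line are ANDed, "!" negates a term, the first
matching line decides, and with no match the decision is the opposite of
the last line's action.
"""
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass
class Request:
    src: str      # client IP
    method: str   # GET, CONNECT, ...
    scheme: str   # http, https, cache_object
    host: str     # destination host (URL or Host header)
    port: int     # destination port
    at: time      # wall-clock time of the request

# acl name -> (type, values), transcribed from squid.conf.  "all" is the stock
# 0.0.0.0/0.0.0.0.  The dstdomain lists are constructed stand-ins for the
# /etc/squid/*.acl files (assumption: those files hold entries like these).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "SSL_ports": ("port", ["443", "8443", "2083"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535", "280",
                            "488", "591", "777", "3128", "8443", "2083"]),
    "CONNECT": ("method", ["CONNECT"]),
    "our_networks": ("src", ["192.168.0.0/24"]),
    "blocked_urls": ("dstdomain", [".social.example", ".video.example"]),
    "bad_urls": ("dstdomain", [".malware.example"]),
    "blocked_proxy": ("dstdomain", [".anonymizer.example"]),
    "noon_hours": ("time", ["13:00-13:30"]),
    "evening_hours": ("time", ["20:30-21:00"]),
}

# (action, terms) in squid.conf order
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["blocked_urls", "!noon_hours", "!evening_hours"]),
    ("deny", ["blocked_proxy"]),
    ("deny", ["bad_urls"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
]


def acl_matches(name, req, acls=ACLS):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v) for v in values)
    if kind == "port":       # single ports and lo-hi ranges
        return any(int(lo) <= req.port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return req.method in values
    if kind == "proto":
        return req.scheme in values
    if kind == "dstdomain":  # ".x" matches x and its subdomains, "x" only x itself
        return any(req.host == v.lstrip(".") or (v.startswith(".") and req.host.endswith(v))
                   for v in values)
    if kind == "time":       # HH:MM-HH:MM windows
        return any(time.fromisoformat(a) <= req.at <= time.fromisoformat(b)
                   for a, b in (v.split("-") for v in values))
    raise ValueError(f"unsupported acl type {kind!r}")


def term_matches(term, req, acls=ACLS):
    negated = term.startswith("!")
    return acl_matches(term.lstrip("!"), req, acls) != negated


def http_access(req, rules=HTTP_ACCESS, acls=ACLS):
    """Return (decision, reason) the way Squid would decide this request."""
    for n, (action, terms) in enumerate(rules, 1):
        if all(term_matches(t, req, acls) for t in terms):
            return action, f"line {n}: http_access {action} {' '.join(terms)}"
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow",
            f"no line matched; default is the opposite of the last line ({last})")


if __name__ == "__main__":
    lan, outsider = "192.168.0.20", "10.0.0.5"
    out_get = Request(outsider, "GET", "http", "www.example.org", 80, time(9, 0))
    for r in [Request(lan, "GET", "http", "www.social.example", 80, time(10, 0)),
              Request(lan, "GET", "http", "www.social.example", 80, time(13, 15)),
              Request(lan, "CONNECT", "https", "panel.example.org", 8443, time(9, 0)),
              Request(lan, "CONNECT", "https", "mail.example.org", 25, time(9, 0)),
              out_get]:
        print(r.src, r.method, f"{r.host}:{r.port}", r.at, "->", *http_access(r))
    # The two traps from the comments: ANDing our_networks with localhost on one
    # line, and letting a deny line be the last one (implicit default flips to allow).
    lan_get = Request(lan, "GET", "http", "www.example.org", 80, time(10, 0))
    one_line = HTTP_ACCESS[:-2] + [("allow", ["our_networks", "localhost"])]
    print("one-line allow, LAN client ->", *http_access(lan_get, one_line))
    print("list ends with a deny, outsider ->", *http_access(out_get, HTTP_ACCESS[:-2]))
```

Each request prints the decision and the line that produced it. The last two lines show a LAN client falling through to a deny when the two allows are merged into one line, and an outsider being allowed when the list ends in a deny line, which is the open-proxy case an explicit http_access deny all as the final line prevents.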

Finally, send the clients' web traffic into Squid with iptables. eth0 here is the LAN-facing interface. Only TCP port 80 is intercepted: HTTPS (443) and everything else passes straight through the gateway, so the domain blocks above do not apply to that traffic unless it is filtered separately. Run "service iptables save" afterwards so the rule survives a reboot.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

We can watch the logs for errors and for statistics on user access:

tail -f /var/log/squid/access.log

tail -f /var/log/squid/squid.out

tail -f /var/log/squid/cache.log

*Reporting tools like sarg build per-user web access statistics from access.log.
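Beyond tailing the logs, the figures worth pulling out of access.log are how much each client fetched, who is hitting the deny rules and which hosts they are hitting. The Python script below is an added example, not code from this post, Squid or sarg; it parses Squid's native access.log format and aggregates those figures. The log lines in it are constructed for the example, not captured from a real proxy; the TCP_DENIED entries are what the http_access deny lines above produce.

```python
"""Per-client statistics from a Squid access.log in native format.

Added example (not from this post, Squid or sarg).  Native format, one
request per line:
  timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG is constructed for the example, not captured from a proxy.
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1255420800.123    145 192.168.0.20 TCP_MISS/200 5423 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1255420801.456      0 192.168.0.21 TCP_DENIED/403 1478 GET http://www.social.example/ - NONE/- text/html
1255420802.789     88 192.168.0.20 TCP_HIT/200 20311 GET http://www.example.org/logo.png - NONE/- image/png
1255420803.001      0 192.168.0.21 TCP_DENIED/403 1478 CONNECT mail.example.org:25 - NONE/- text/html
1255420804.250    310 192.168.0.22 TCP_MISS/200 9120 CONNECT secure.example.org:443 - DIRECT/93.184.216.35 -
1255420805.500      0 192.168.0.21 TCP_DENIED/403 1478 GET http://www.social.example/home - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; raise on malformed input."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    ts, elapsed, client, result, size, method, url, ident, hier, ctype = f[:10]
    code, _, status = result.partition("/")
    # CONNECT lines carry host:port instead of a URL, which urlsplit would misparse
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return {
        "when": datetime.fromtimestamp(float(ts), tz=timezone.utc),
        "elapsed_ms": int(elapsed),
        "client": client,
        "code": code,           # TCP_MISS, TCP_HIT, TCP_DENIED, ...
        "status": int(status),
        "bytes": int(size),
        "method": method,
        "host": host,
        "peer": hier,
        "type": ctype,
    }


def summarize(log_text):
    """Aggregate bytes per client, denials per client and the denied hosts."""
    bytes_by_client, denied_by_client, denied_hosts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        bytes_by_client[e["client"]] += e["bytes"]
        if e["code"] == "TCP_DENIED":
            denied_by_client[e["client"]] += 1
            denied_hosts[e["host"]] += 1
    return {"bytes": bytes_by_client, "denied": denied_by_client, "denied_hosts": denied_hosts}


def repeat_offenders(denied_by_client, threshold=3):
    """Clients whose denied-request count reaches the threshold, sorted by address."""
    return sorted(c for c, n in denied_by_client.items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client, n in s["bytes"].most_common():
        print(f"{client:16} {n:>8} bytes  {s['denied'][client]} denied")
    print("most-denied hosts:", s["denied_hosts"].most_common(3))
    print("repeat offenders:", repeat_offenders(s["denied"]))
```

Point summarize() at the text of /var/log/squid/access.log (or a rotated copy) to get the same counters for real traffic; the threshold in repeat_offenders() is an arbitrary starting point for deciding which users to talk to.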

Cheers!

Melbin Mathew

www.talk2melbin.com

Melbin Mathew

I am Melbin Mathew, Systems Engineer from Kerala, India. I live with my parents, daughter and my wonderful wife. I graduated in 2004 with a bachelor’s degree in Electronics and Hardware from Mahatma Gandhi University, Kottayam and completed certification in MCITP, RHCE, CCNA, VCP.
Category: Linux


  • http://www.trafficmavericks.org Tyisha Grodecki

    Valuable facts like this one should be kept and maintained, so I am going to put this one on my bookmark list! Many thanks for this amazing write-up and hoping to see more of this!

    • http://www.talk2melbin.com Melbin Mathew

      Thank you very much for the support.

  • Ajay Singh Rathore

    Sir, I am installing squid on RHEL 5.3 desktop version.

    • Ajay Singh Rathore

      Please help me with the install process of squid on RHEL 5.3. My contact no. +919785207401