Monday, February 15, 2010

Squid Server Configuration

What is Squid?

Squid is a versatile HTTP proxy that can be used for a number of different tasks: as an Internet web cache for improving web quality, and as an Internet web gateway for access control over web usage. Squid is used to control which web pages can be used and to block access to unauthorized sites wherever Internet access is provided. You can deploy Squid on any system on the network that acts as a gateway for Internet service. Here are a few simple steps for setting up Squid in a Linux environment.

The /etc/squid/squid.conf file is used to configure all the different options for your Squid proxy server.
Before configuring, identify a few things:

1. It is good practice to have two Ethernet cards for Squid, say eth0 and eth1.

2. eth0 holds the incoming Internet connection to your LAN (say 192.168.0.2) and eth1 is the forwarding Ethernet card's IP (say 192.168.0.3), through which your local systems access the Internet connection; i.e. eth0 is for incoming and eth1 is for outgoing traffic from the server.

3. Know your http_port, which specifies the socket address where Squid listens for client requests. By default this is set to 3128, but it can be changed to a user-defined value. Along with the port value, you can also give the IP address of the machine on which Squid is running (192.168.0.2), so this can be changed to:

http_port 192.168.0.2:8080

4. Know how your Internet connection has been cabled.

5. Check that your Ethernet cards are enabled properly and that you can ping between these two IPs on the server.

6. Make a list of the sites you would like to block and of the content phrases to block.

How to check whether the Squid is installed or not?

Log in as the root user and issue the command

# rpm -q squid

squid-2.5.STABLE6-3.4E.11

The above result displays the version of Squid installed on your system, i.e. 2.5, and STABLE6-3.4E.11 is the Squid rpm package.

If Squid is not installed on your Internet server, download it from any source and install it via rpm, yum, etc.

# rpm -ihv squid-2.5.STABLE6-3.4E.11.rpm

Controlling Squid Actions

Use the following commands to start, stop, restart and check the status of Squid on the system.

Starting the squid

# service squid start

Stopping the squid

# service squid stop

Restarting the squid

# service squid restart

Knowing the status of squid

# service squid status

Before configuring the squid.conf file, it is better to know these things

Squid access control has two different components: ACL elements and access lists. An access list is what actually allows or denies access to the service.

A few important types of ACL elements are listed below

src : Source i.e. client’s IP addresses

time : Time of day and day of week

url_regex : URL regular expression pattern matching

Steps to configure a simple Squid proxy server:

1. Create a .txt or .list file containing the entries for the sites you would like to block using Squid, say 'blocked_sites.list', in /etc/squid/

[Note: The file can be placed anywhere in the filesystem]

2. Using any editor, edit the /etc/squid/squid.conf file.

3. All the commands are listed in this file, but you need the patience to read through it and find exactly what you are looking for. For every command line there is a help note explaining what the command does, what options you can use, etc.

4. Now start editing the contents by removing the comment ( # ) symbol.

5. Edit http_port to specify the IP address and the socket address where Squid will listen for client requests.

6. Edit the file and uncomment the entries below.

# This is the IP address and port of your incoming Internet server

http_port 192.168.0.2:8080

# This allows only the machines whose IPs are 192.168.0.22 192.168.0.23 192.168.0.24 to access the Internet; IP addresses that are not listed are denied the service.

acl allowed_clients src 192.168.1.22 192.168.1.23 192.168.1.24

# This allows all the listed client IPs to access the Internet from Monday to Sunday between 08:30 am and 07:00 pm

acl office_hours time MTWHFAS 8:30-19:00

# List all the site names or text phrases you would like to block in a file; the ACL picks them up from the file and prevents access to the banned sites and to URLs that contain the listed phrases.

acl banned_sites url_regex "/etc/squid/blocked_sites.list"

# This denies HTTP access to anything matching the banned_sites ACL

http_access deny banned_sites

# http_access: Allows HTTP clients to access the HTTP port. It allows HTTP access for a particular ACL element or for a group of them.

http_access allow allowed_clients office_hours

# This denies the Internet service to machines that are not listed in the allowed_clients ACL

http_access deny !allowed_clients

http_access deny all

NOTE: Make sure you enter these lines in the same order; changing the order makes Squid not work properly. All entries should be between http_port and http_access deny all.

Save the file and start or restart the Squid service as shown above. This completes the server part of the settings.
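The ordering rule in the NOTE above, as an added example (not part of the original post and not Squid's own code): a small Python model of first-match http_access evaluation using the ACLs from this page. The blocked-list patterns, the request helper and the SWAPPED rule list are constructed for illustration.

```python
import re
from datetime import datetime

# ACL values copied from the acl lines in the squid.conf section above
ALLOWED_CLIENTS = {"192.168.1.22", "192.168.1.23", "192.168.1.24"}
OFFICE_START, OFFICE_END = (8, 30), (19, 0)
DAY_CODES = "MTWHFAS"   # Squid day letters, indexed by datetime.weekday() (Monday = 0)
OFFICE_DAYS = set("MTWHFAS")
# Constructed stand-in for /etc/squid/blocked_sites.list (one regex per line)
BLOCKED = [re.compile(p) for p in (r"badsite\.example", r"gambling")]

def acl_matches(name, req):
    """Evaluate one named ACL element against a request."""
    if name == "all":
        return True
    if name == "allowed_clients":
        return req["src"] in ALLOWED_CLIENTS
    if name == "office_hours":
        t = req["when"]
        return (DAY_CODES[t.weekday()] in OFFICE_DAYS
                and OFFICE_START <= (t.hour, t.minute) <= OFFICE_END)
    if name == "banned_sites":
        return any(p.search(req["url"]) for p in BLOCKED)
    raise KeyError(name)

def http_access(rules, req):
    """First matching line decides; ACLs on one line are ANDed, '!' negates."""
    for action, *acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"

PAGE_ORDER = [
    ("deny", "banned_sites"),
    ("allow", "allowed_clients", "office_hours"),
    ("deny", "!allowed_clients"),
    ("deny", "all"),
]
# Hypothetical misordering: the allow line moved above the banned_sites deny
SWAPPED = [PAGE_ORDER[1], PAGE_ORDER[0], PAGE_ORDER[2], PAGE_ORDER[3]]

def request(src, url, when):
    return {"src": src, "url": url, "when": datetime.fromisoformat(when)}

if __name__ == "__main__":
    req = request("192.168.1.22", "http://badsite.example/", "2010-02-15T10:00")
    print("page order:", http_access(PAGE_ORDER, req))   # deny
    print("swapped:   ", http_access(SWAPPED, req))      # allow
```

With the allow line first, a listed client reaches a banned site during office hours because evaluation stops at the first matching line.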
Setting up client machines

Since client requests are sent to a particular port of the proxy server, the client machines have to be configured for the same purpose. It is assumed at this point that these machines are already connected to the LAN (with valid IP addresses) and are able to ping the Linux Squid server for Internet usage.

For Mozilla Firefox,

1. Go to 'Edit > Preferences > Advanced'.

2. Select the 'Network' tab and click on 'Settings'.

3. Select 'Manual proxy configuration' and make entries for 'HTTP proxy address': 192.168.0.3 and 'Port' number: 8080

4. - Here the OS will automatically forward the IP from 192.168.0.2 to 192.168.0.3. If that is not happening, you need to forward it manually. That is the reason you need to use 192.168.0.3 when you are accessing the Internet.

   - If you use 192.168.0.2, you get an error, as you do not have a direct connection to eth0; you have to use eth1.

5. Check 'Use this proxy server for all products'.

Configure the proxy and port in the same way if you are using a different browser.

NOTE: Squid's log history is saved in the /var/log/squid/access.log, cache.log and squid.out files, from which you can trace which client is accessing which sites, the number of hits, etc.
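One way to pull those per-client figures out of access.log, as an added example that is not from the original post: a Python summary of requests per client and of requests refused by the access controls (TCP_DENIED). It assumes Squid's native log format; the log lines are constructed samples and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1266224401.101    250 192.168.1.22 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html
1266224402.340      2 192.168.1.22 TCP_DENIED/403 1401 GET http://badsite.example/ - NONE/- text/html
1266224410.007      1 192.168.1.50 TCP_DENIED/403 1398 GET http://www.example.org/ - NONE/- text/html
1266224415.912     12 192.168.1.23 TCP_HIT/200 2048 GET http://www.example.org/logo.png - NONE/- image/png
1266224420.118      2 192.168.1.22 TCP_DENIED/403 1401 GET http://badsite.example/ - NONE/- text/html
1266224421.000 truncated-line
"""

def summarize(log_text):
    """Return (requests per client, denied URLs per client, skipped line count)."""
    requests = Counter()
    denied = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        # A native-format line has 10 fields; field 4 is RESULT/STATUS
        if len(fields) < 10 or "/" not in fields[3]:
            skipped += 1
            continue
        client, result, url = fields[2], fields[3].split("/")[0], fields[6]
        requests[client] += 1
        if result == "TCP_DENIED":          # refused by the access controls
            denied[client][url] += 1
    return requests, dict(denied), skipped

def repeat_offenders(denied, threshold=2):
    """Clients with at least `threshold` denied requests, most denied first."""
    totals = {c: sum(urls.values()) for c, urls in denied.items()}
    return sorted((c for c, n in totals.items() if n >= threshold),
                  key=lambda c: -totals[c])

if __name__ == "__main__":
    requests, denied, skipped = summarize(SAMPLE_LOG)
    for client, count in requests.most_common():
        print(client, count, dict(denied.get(client, {})))
    print("unparsed lines:", skipped)
```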
