Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources; to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS.
yum -y install squid
chkconfig squid on
IMPORTANT: Declare all the ACLs first and write the http_access lines after them. Squid checks the http_access lines from top to bottom and the first line that matches a request decides it, so the order in which the rules are written determines how the proxy behaves.
#Port to which squid listens
http_port 3128
Allowing the Known network/IP
=============================
Declare all the known networks and allow those networks/IPs:
acl our_networks src 192.168.25.0/24 192.168.2.0/24 10.1.0.1
http_access allow our_networks
In the same way we can deny access using
http_access deny our_networks
Blocking Sites using proxy.
==========================
acl blocksite1 dstdomain www.yahoo.com .facebook.com
http_access deny blocksite1
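As an added example (not part of the original guide), the following Python model of Squid's first-match http_access evaluation shows why the ordering note above matters: with the rules written as "allow our_networks" before "deny blocksite1", a LAN client already matches the first line and the site block is never reached. Only the src, dstdomain, url_regex and port ACL types are modelled, and the built-in "all" ACL is assumed to behave like src 0.0.0.0/0.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Added example, not Squid's own code: a small model of first-match
# http_access evaluation. Only src, dstdomain, url_regex and port ACL
# types are modelled; the built-in "all" ACL is modelled as src 0.0.0.0/0.

def acl_matches(acl_type, values, client_ip, url):
    """True if any value of this ACL matches the request."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    port = u.port or {"https": 443, "ftp": 21}.get(u.scheme, 80)
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        # ".example.com" matches the domain and every subdomain;
        # "www.example.com" (no leading dot) matches that one host only.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if acl_type == "url_regex":
        return any(re.search(v, url) for v in values)
    if acl_type == "port":
        return any(port == int(v) for v in values)
    raise ValueError("unsupported acl type: " + acl_type)

def decide(acls, rules, client_ip, url):
    """Walk http_access lines top to bottom; the first line whose ACLs all
    match decides. rules = [(action, [acl names])]; a leading '!' negates."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], client_ip, url) != n.startswith("!")
               for n in names):
            return action
    return "deny"  # nothing matched (the guide ends with "http_access deny all" anyway)

# ACLs taken from the guide, plus the built-in "all".
ACLS = {
    "our_networks": ("src", ["192.168.25.0/24", "192.168.2.0/24", "10.1.0.1"]),
    "blocksite1": ("dstdomain", ["www.yahoo.com", ".facebook.com"]),
    "Safe_ports": ("port", ["80", "21", "443", "70"]),
    "all": ("src", ["0.0.0.0/0"]),
}
# Order as written in the guide: the LAN allow comes before the site block,
# so a LAN client matches line one and the deny line is never evaluated.
AS_WRITTEN = [("allow", ["our_networks"]), ("deny", ["blocksite1"]), ("deny", ["all"])]
# Deny rules first, then the LAN allow, then the catch-all deny.
DENY_FIRST = [("deny", ["!Safe_ports"]), ("deny", ["blocksite1"]),
              ("allow", ["our_networks"]), ("deny", ["all"])]
```

Calling decide(ACLS, AS_WRITTEN, "192.168.25.31", "http://www.facebook.com/") returns "allow", while the same request against DENY_FIRST returns "deny".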
Blocking List of Sites.
======================
acl blocksitelist dstdomain "/etc/squid/restricted_sites"
http_access deny blocksitelist
Blocking Sites with Specific Words using proxy.
==============================================
acl blockwords url_regex gmail
http_access deny blockwords
Blocking List of Words.
======================
acl blockwordlist url_regex "/etc/squid/restricted_words"
http_access deny blockwordlist
Display Custom message For Blocked Site.
========================================
deny_info <Error-Page-Name> <acl-name>
You can get the error page name from /usr/share/squid/errors/templates/. Some of the error pages are as follows:
ERR_ACCESS_DENIED ERR_FTP_FAILURE ERR_INVALID_URL ERR_SOCKET_FAILURE
ERR_CACHE_ACCESS_DENIED ERR_FTP_FORBIDDEN ERR_LIFETIME_EXP ERR_TOO_BIG
ERR_CACHE_MGR_ACCESS_DENIED ERR_FTP_NOT_FOUND ERR_NEW ERR_UNSUP_HTTPVERSION
ERR_CANNOT_FORWARD ERR_FTP_PUT_CREATED ERR_NO_RELAY ERR_UNSUP_REQ
ERR_CONNECT_FAIL ERR_FTP_PUT_ERROR ERR_ONLY_IF_CACHED_MISS ERR_URN_RESOLVE
ERR_DIR_LISTING ERR_FTP_PUT_MODIFIED ERR_PRECONDITION_FAILED ERR_WRITE_ERROR
ERR_DNS_FAIL ERR_FTP_UNAVAILABLE ERR_READ_ERROR ERR_ZERO_SIZE_OBJECT
ERR_ESI ERR_ICAP_FAILURE ERR_READ_TIMEOUT
ERR_FORWARDING_DENIED ERR_INVALID_REQ ERR_SECURE_CONNECT_FAIL
ERR_FTP_DISABLED ERR_INVALID_RESP ERR_SHUTTING_DOWN
If we need a custom page we create it in that directory and reference it in the deny_info line. The deny_info line is placed just above the corresponding http_access line.
For example, if we create an error page named ERR_NEW the rules look like this:
acl blockwordlist url_regex "/etc/squid/restricted_words"
deny_info ERR_NEW blockwordlist
http_access deny blockwordlist
For HTTPS requests the browser shows its own "proxy refusing connections" message instead of the custom page, due to https://bugzilla.mozilla.org/show_bug.cgi?id=493699 .
Blocking and Allowing By Time
=============================
In the second acl the day string MTWHFA means Monday to Saturday (Squid uses S for Sunday, M T W H F for Monday to Friday and A for Saturday).
16:00-19:00 is the time window, given in 24-hour format.
acl myip src 192.168.25.31
acl worktime time MTWHFA 16:00-19:00
http_access allow myip worktime
Setting up maxconn ACL
======================
acl ACCOUNTSDEPT src 192.168.5.0/24
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon
acl ACCOUNTSDEPT src 192.168.5.0/24 : Our accounts department IP range (the acl type "src" is required)
acl limitusercon maxconn 3 : Matches once a client IP has more than 3 simultaneous connections to the proxy
http_access deny ACCOUNTSDEPT limitusercon : Apply the ACL, so the 4th connection from the same client IP is denied
Mentioning Allowed Ports
========================
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
Adding User Authentication to Squid
===================================
Check for the ncsa_auth helper under the squid directory and enter the following line in squid.conf. The ncsa_auth helper lives in either the lib or the lib64 directory depending on your OS architecture.
#Add Following Line in squid.conf#
auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_user
#Creating the User file and adding the user in to the List.#
touch /etc/squid/squid_user
htpasswd /etc/squid/squid_user <username>
#To enable authentication on the proxy, add the following acl and http_access lines to squid.conf alongside the other acl and http_access rules#
acl class proxy_auth REQUIRED
http_access allow class
And finally deny all other access to this proxy
==============================================
http_access deny all