How to Configure SQUID proxy on Linux


In this post we will see how to configure SQUID Proxy server on CentOS.


Operating system - CentOS 6.7

Do the minimal installation of CentOS.

Install the squid package:

#yum install squid

If the system has no internet access, you can install the squid rpm from the installation DVD/ISO.

Once the squid installation completes, edit the squid.conf file.

LAN Subnet - 192.168.1.0/23
LAN Ethernet - eth0
WAN Ethernet - eth1

Edit the squid.conf file and add the lines below.

You can define ACLs and allow or deny LAN computers access to websites as per your requirements.
Below is my working squid.conf file; adjust the configuration as per your requirements.

#####################
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network


#Configure ACL in SQUID

#My Access List

#ACL for FTP Protocol
acl FTP proto FTP


#ACL for my LOCAL Subnet
acl localnet src 192.168.1.0/24


#ACL for managers who need full access. This ACL uses the MAC address.
acl master1 arp "/etc/squid/acl/master-arp.lst"


#ACL for specific Computers.
acl searchpc arp "/etc/squid/acl/search-arp.lst"


#ACL for Support Team's PC
acl supportpc src "/etc/squid/acl/support-ip.lst"


#ACL for specific IP
acl masterip src 192.168.1.9


#ACL to allow internet access based on time.
acl evening time 16:00-18:00

#ACL to block websites.
acl badsites dstdomain "/etc/squid/acl/badsites.lst"

#ACL to allow specific sites for Support Users.
acl supportsites dstdomain "/etc/squid/acl/supportsites.lst"
#ACL to allow specific sites to ALL LAN users.
acl opentoall dstdomain "/etc/squid/acl/open-to-all.lst"

acl all1 src all
#Disable caching entirely (no_cache is the older spelling of the cache directive)
no_cache deny all1
#Disable ICP/HTCP inter-cache traffic; this proxy has no cache peers
icp_port 0
htcp_port 0
icp_access deny all1
htcp_access deny all1

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 20  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow localhost
#Send FTP requests directly to the origin server, never via a cache peer
always_direct allow FTP
#Allow or deny configured ACL in squid

#Allow/deny Access List
#
#Allow FULL Access PC/Systems added master1 ACL
http_access allow master1

#Blocked 'badsites' to all
http_access deny badsites


#Allow Full internet access to 'searchPC' during evening 4 PM to 6 PM.
http_access allow evening searchpc


#Allow Specific SupportSites to Support PC.
http_access allow supportsites supportpc


#Allow Specific sites to all LAN, all the time.
http_access allow opentoall localnet

#Deny everything to LAN systems
http_access deny localnet
http_access deny all


# Change default squid port to 8080
http_port 8080


cache_mem 512 MB
maximum_object_size_in_memory 56 MB
logfile_rotate 20
cache_mgr SystemAdmin@vprh.org
visible_hostname proxyrouter.vprh.blogspot.com

#Add your DNS servers here.
dns_nameservers 8.8.8.8 8.8.4.4 192.168.1.100


#Download restriction based on ACL
#Allow download up to 10GB to masterip
reply_body_max_size 10240 MB masterip
#Limit download to 20 MB to all other LAN PC
reply_body_max_size 20 MB
#cache size
cache_dir aufs /var/spool/squid 4000 16 256
coredump_dir /var/spool/squid
cache_swap_low 90
cache_swap_high 95

#Limit file upload. Unlike reply_body_max_size, request_body_max_size takes no ACL
#argument in Squid (it is a single global limit), so a per-client exemption for
#masterip cannot be expressed here; the limit below applies to every client.
request_body_max_size 20 MB


# And finally deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .  0 20% 4320
#####################


Save the squid configuration file after adding/updating the ACLs as per your network requirements.


Create the ACL list files referenced in the configuration.


#mkdir /etc/squid/acl
#cd /etc/squid/acl

In this file, add the Ethernet MAC address (physical address of the LAN card) of each system that needs full internet access. The value below is a placeholder; replace it with the real MAC.
#vi master-arp.lst
ee:xx:rr:44:55:cc    #mac of manager PC


Add the MAC of the search PC, which needs full access during the evening, 4 to 6 PM (placeholder value below).
#vi search-arp.lst
ee:xx:rr:44:55:cd     #mac of search user pc

Add the list of support sites accessed by the support team.
#vi supportsites.lst
.teamviewer.com
.ShowMyPC.com

Add the IP address of the support user's system.
#vi support-ip.lst
192.168.1.100

Add the websites that are allowed to everyone, all the time.
#vi open-to-all.lst
.google.com
.example.com


Add the sites you want to block all the time.
#vi badsites.lst
.youtube.com
.video.com
.xyz.com
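Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides the request, so the order above matters: the manager PC (master1) is allowed before badsites is checked, while the search PC hits the badsites deny before its evening allow. The following Python model is an added example, not part of the original post or of Squid itself; it inlines the ACL names and list-file contents from the config above, uses made-up MAC addresses in place of the *-arp.lst entries, and implements only the src, arp, dstdomain and time ACL types the config needs.

```python
import ipaddress
from datetime import time
# Constructed ACL table: acl names from the squid.conf above with the list-file
# contents inlined; the MACs are made-up stand-ins for the *-arp.lst entries.
ACLS = {
    "localhost":    ("src", ["127.0.0.1/32"]),
    "localnet":     ("src", ["192.168.1.0/24"]),
    "masterip":     ("src", ["192.168.1.9"]),
    "supportpc":    ("src", ["192.168.1.100"]),
    "master1":      ("arp", ["ee:11:22:44:55:cc"]),
    "searchpc":     ("arp", ["ee:11:22:44:55:cd"]),
    "evening":      ("time", ["16:00-18:00"]),
    "badsites":     ("dstdomain", [".youtube.com", ".video.com", ".xyz.com"]),
    "supportsites": ("dstdomain", [".teamviewer.com", ".showmypc.com"]),
    "opentoall":    ("dstdomain", [".google.com", ".example.com"]),
}
# http_access lines in config order; a line matches only if every ACL on it matches.
HTTP_ACCESS = [
    ("allow", ["localhost"]),
    ("allow", ["master1"]),
    ("deny",  ["badsites"]),
    ("allow", ["evening", "searchpc"]),
    ("allow", ["supportsites", "supportpc"]),
    ("allow", ["opentoall", "localnet"]),
    ("deny",  ["localnet"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    """req is a dict with keys src (IP), mac, host and now (datetime.time)."""
    if name == "all":                    # Squid's built-in match-everything ACL
        return True
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "arp":
        return req.get("mac", "").lower() in values
    if kind == "dstdomain":              # ".x.com" matches x.com and every subdomain
        host = req["host"].lower()
        return any(host == v.lstrip(".") or host.endswith(v) for v in values)
    start, end = (time.fromisoformat(t) for t in values[0].split("-"))   # time ACL
    return start <= req["now"] <= end

def decide(req):
    """First matching http_access line wins, exactly as Squid evaluates them."""
    for action, acls in HTTP_ACCESS:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"  # Squid's no-match fallback
```

Running decide() for the search PC against www.youtube.com at 17:00 returns "deny" even though the evening rule would allow it, because the badsites line comes first; the manager's MAC gets "allow" for the same request.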


Start the squid service


#service squid start

Later on, if you make any changes to the squid configuration or to any of the squid ACL files, you have to restart the squid service for the new configuration to take effect.

#service squid restart

If the squid service does not end with an OK status, review the error message or undo your last changes and restart the squid service.

IPTABLES configuration for squid.


#Accept connections from the LAN on squid port 8080
iptables -I INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

#Enable IP forwarding (takes effect immediately but does not survive a reboot;
#set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent)
echo 1 > /proc/sys/net/ipv4/ip_forward

Read my post on IPTABLES to configure iptables firewall rules for squid and for the systems behind the proxy/Linux firewall.

-
vPRH
