In this tutorial we will learn how to install and configure a transparent Squid proxy server on RHEL/CentOS 6.x. In this practical we will install the Squid version 3.5.0 package on CentOS 6.5 / RHEL 6.5. Squid is designed to run on Unix-like operating systems. Up to version 2.7, Windows was also supported; at the time of writing this post, no Windows port of Squid version 3.x has been developed.
What is Squid Server
Squid is a web cache and web filtering server. It is based upon the Harvest Cache Daemon.
Because Squid can cache content, it improves the performance of web access. It can deliver static, dynamic or streaming web content, and it speeds up web browsing for its end clients.
Default port number used by the Squid service
By default, port number 3128 is used by the Squid service.
Squid : Transparent Web Proxy Server
Squid is widely used for web filtering and caching. It is also used as a transparent web proxy server. A transparent proxy is also known as interception caching.
Interception caching is a process in which HTTP requests from client endpoints are redirected to the cache server (Squid) without any configuration on the end-user clients. In this way the end-user clients do not know that their traffic has been redirected to the cache server (transparent proxy).
Transparent Squid Proxy versus Ordinary Squid proxy
With an ordinary Squid proxy server, the end-user client traffic is sent to the Squid proxy server, but for this we have to configure the web browser settings on each client machine. (We will also show how to do these settings in this tutorial.)
With a transparent Squid proxy, we do not have to change the web browser settings on each client machine; the traffic can be redirected to the Squid server directly. IPTABLES NAT (Network Address Translation) rules play a crucial role in setting up the transparent Squid proxy (always remember this).
Install and Configure Squid Transparent Proxy Server
Follow the steps given below to install and configure the Squid web proxy server.
Step 1: Create a yum client repo file in RHEL/CentOS. We do this step to get the latest Squid version.
vi /etc/yum.repos.d/squid.repo
Paste the contents given below into the file /etc/yum.repos.d/squid.repo
[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
Step 2: Install the EPEL repository on the system (needed for the Perl packages)
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Step 3: Using the yum command, install Squid and perl-Crypt-OpenSSL
yum install squid perl-Crypt-OpenSSL
Given below for reference is the list of packages that will be installed by the command yum install squid perl-Crypt-OpenSSL
Dependencies Resolved
=====================================================================================================
 Package                    Arch      Version                    Repository  Size
=====================================================================================================
Installing:
 squid                      x86_64    7:3.5.0.001-1.el6          squid       2.7 M
Installing for dependencies:
 ksh                        x86_64    20120801-10.el6_5.3        updates     756 k
 libtool-ltdl               x86_64    2.2.6-15.5.el6             base        44 k
 perl                       x86_64    4:5.10.1-136.el6           base        10 M
 perl-Crypt-OpenSSL-X509    x86_64    1.800.2-1.el6              epel        37 k
 perl-DBI                   x86_64    1.609-4.el6                base        705 k
 perl-Module-Pluggable      x86_64    1:3.90-136.el6             base        40 k
 perl-Pod-Escapes           x86_64    1:1.04-136.el6             base        32 k
 perl-Pod-Simple            x86_64    1:3.13-136.el6             base        212 k
 perl-libs                  x86_64    4:5.10.1-136.el6           base        578 k
 perl-version               x86_64    3:0.77-136.el6             base        51 k

Transaction Summary
=====================================================================================================
Install      11 Package(s)

Total download size: 15 M
Installed size: 47 M
Is this ok [y/N]: y
Step 4: After installing the squid package, all Squid-related configuration files are located in /etc/squid. Explore these files:
[root@localhost ~]# cd /etc/squid/
[root@localhost squid]# ls -l
total 48
-rw-r--r--. 1 root squid   419 Jan 27 18:19 cachemgr.conf
-rw-r--r--. 1 root root    419 Jan 27 18:19 cachemgr.conf.default
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css.default
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf.default
-rw-r-----. 1 root squid  2315 Jan 27 18:19 squid.conf
-rw-r--r--. 1 root root   2315 Jan 27 18:19 squid.conf.default
[root@localhost squid]#
Step 5: Take a backup of the squid.conf file.
cp -p /etc/squid/squid.conf /etc/squid/squid.conf.orig
Step 5: Disable SELinux. Edit the file /etc/sysconfig/selinux and change the value to SELINUX=disabled
vi /etc/sysconfig/selinux
SELINUX=disabled
Now restart the system so that the SELinux change takes effect permanently.
IMPORTANT NOTE: In case you want to keep SELinux in enforcing mode, read this post. (You may have to repeat the same steps more than once because of AVC denials in the SELinux policy for Squid.)
init 6
Step 6: Given below are the default squid.conf configuration settings. (You can use the same settings for an ordinary Squid proxy server.)
NOTE: egrep -v '^#|^$' hides the lines starting with # and all blank lines.
[root@localhost ~]# egrep -v '^#|^$' /etc/squid/squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
[root@localhost ~]#
Step 7: To make the Squid proxy server act as a transparent proxy server, add "accel vhost allow-direct" to the line "http_port 3128" in the /etc/squid/squid.conf file.
http_port 3128 accel vhost allow-direct
In our network we are using 172.16.0.0/255.255.0.0 as the inside LAN, hence we will edit the acl localnet src lines in squid.conf.
Now I will add the new local network acl line in squid.conf and comment out the acl lines related to the other local networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
vi /etc/squid/squid.conf
## added this new line as per my network
acl localnet src 172.16.0.0/16
Given below is the complete configuration for the Squid transparent proxy server
vi /etc/squid/squid.conf
acl localnet src 172.16.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# "blocksites" is referenced by an http_access rule below, so it must be defined
# before that rule; Squid refuses to start when http_access names an undefined ACL.
# Placeholder domain, replace it with the sites you want to block:
acl blocksites dstdomain .example.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 accel vhost allow-direct
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
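Added here as a pre-restart check, not part of the original tutorial: a shell script that lists every http_access rule naming an ACL with no earlier acl definition, the error Squid rejects at startup. The squid.conf sample it writes is constructed from the access rules above with an http_access deny blocksites rule and no matching acl line; the function names check_acl_refs and write_sample_conf are my own.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: before restarting Squid, report every
# http_access rule that names an ACL with no earlier "acl <name> ..." definition. Squid 3.x
# refuses to start on such a file ("ACL name 'x' not defined"), which is what an
# "http_access deny blocksites" line triggers if blocksites is never defined.
# Built-in ACLs (all, localhost, to_localhost, manager) need no definition.

# check_acl_refs <squid.conf>: prints one line per bad reference, returns 1 if any were found.
check_acl_refs() {
    awk '
        BEGIN { split("all localhost to_localhost manager", b, " "); for (k in b) builtin[b[k]] = 1 }
        { sub(/#.*/, "") }                       # strip comments; "#" starts one in squid.conf
        NF == 0 { next }                         # skip blank lines
        $1 == "acl" { defined[$2] = 1; next }    # remember the name as soon as it is defined
        $1 == "http_access" {
            for (i = 3; i <= NF; i++) {          # fields 3..NF are the ACL names (maybe !negated)
                name = $i; sub(/^!/, "", name)
                if (!(name in defined) && !(name in builtin)) {
                    printf "line %d: http_access %s references undefined acl \"%s\"\n", NR, $2, name
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the access rules from the tutorial config, with blocksites undefined.
write_sample_conf() {
    cat > "$1" <<'EOF'
acl localnet src 172.16.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
}

conf="${1:-$(mktemp)}"                           # check the file given as argument, else the sample
[ $# -eq 0 ] && write_sample_conf "$conf"
check_acl_refs "$conf" || echo "Fix $conf before running /etc/init.d/squid restart"
```

Run it as check_acl_refs /etc/squid/squid.conf on the real file; a clean file prints nothing and returns 0.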
Step 8: Restart the Squid service
/etc/init.d/squid restart
Step 9: Create an IPTABLES script. You can modify the script as per your requirements. (Test the script on a staging machine before applying it to a live server.)
Create the bash script file
vi /root/firewall.sh
Paste the contents given below into the file /root/firewall.sh, then save and close the file.
#!/bin/bash
#
# Ethernet device name connected to LAN
ETHERNET_LAN="eth2"
# Ethernet device name connected to Internet
ETHERNET_INTERNET="eth0"
# Squid Server IP Address
SQUID_SERVER_IP="172.16.15.1"
# Squid port number
SQUID_PORT="3128"
### Multiple Port Number - TCP based
MULTI_PORT="22,20,21"
#### Flush iptables
iptables -F
##### Delete user-defined chains
iptables -X
### -t defines table ###
#### Flush NAT rules/user-defined NAT chains
iptables -t nat -F
iptables -t nat -X
#### Flush mangle rules/user-defined mangle chains (mangle - used for specific types of packet alteration) #####
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp
##### Enable IP forwarding for IPV4 ####
echo 1 > /proc/sys/net/ipv4/ip_forward
## Default policies: drop unsolicited inbound traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
## INPUT/OUTPUT rules for loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## From the Internet side, accept only replies to connections already established
iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
## Masquerade LAN traffic leaving on the Internet interface
iptables --table nat --append POSTROUTING --out-interface $ETHERNET_INTERNET -j MASQUERADE
## Forward traffic arriving from the LAN
iptables --append FORWARD --in-interface $ETHERNET_LAN -j ACCEPT
## Accept everything on the LAN interface
iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT
## Transparent interception: divert LAN HTTP (port 80) to the Squid port
iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT
iptables -t nat -A PREROUTING -i $ETHERNET_INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
###### IPTABLES allow rule for TCP-based multiple ports
#### To disable - put # in front of the line given below
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT
## Log, then drop, everything else that reaches INPUT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Step 10: Give execute permission on /root/firewall.sh to its owner (root) only
chmod 700 /root/firewall.sh
Step 11: Execute the firewall.sh script
sh /root/firewall.sh
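Added here as a post-run check for Steps 9 to 11, not part of the original tutorial: the script below reads iptables-save -t nat output and confirms that the LAN interception and MASQUERADE rules firewall.sh installs are present, and flags the second PREROUTING rule, which also diverts port 80 arriving on the Internet interface into Squid. The dump is constructed with the same interface names and IP as firewall.sh; the function names sample_nat_dump, count_intercept_rules and check_nat_rules are my own.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: after running firewall.sh, confirm from
# "iptables-save -t nat" output that the rules a LAN-only transparent proxy needs are present,
# and flag the tutorial's second PREROUTING rule, which also diverts port 80 arriving from the
# Internet side into Squid. Variable values match firewall.sh; the dump below is constructed.
ETHERNET_LAN="eth2"
ETHERNET_INTERNET="eth0"
SQUID_SERVER_IP="172.16.15.1"
SQUID_PORT="3128"

# Constructed dump: what "iptables-save -t nat" prints once firewall.sh has run.
sample_nat_dump() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $ETHERNET_LAN -p tcp -m tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER_IP:$SQUID_PORT
-A PREROUTING -i $ETHERNET_INTERNET -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $ETHERNET_INTERNET -j MASQUERADE
COMMIT
EOF
}

# count_intercept_rules <iface>: reads a nat dump on stdin and prints how many PREROUTING
# rules divert port 80 arriving on <iface> to the Squid port (by DNAT or REDIRECT).
count_intercept_rules() {
    grep -c -E -- "^-A PREROUTING -i $1 .*--dport 80 .*-j (DNAT --to-destination $SQUID_SERVER_IP:$SQUID_PORT|REDIRECT --to-ports $SQUID_PORT)$"
}

# check_nat_rules: reads a nat dump on stdin; returns 0 only when the LAN interception and
# MASQUERADE rules exist and nothing is intercepted on the Internet-facing interface.
check_nat_rules() {
    dump=$(cat)
    rc=0
    if [ "$(printf '%s\n' "$dump" | count_intercept_rules "$ETHERNET_LAN")" -ne 1 ]; then
        echo "MISSING: port-80 DNAT to $SQUID_SERVER_IP:$SQUID_PORT for LAN interface $ETHERNET_LAN"; rc=1
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o $ETHERNET_INTERNET -j MASQUERADE$"; then
        echo "MISSING: MASQUERADE on $ETHERNET_INTERNET (LAN clients would have no route back)"; rc=1
    fi
    if [ "$(printf '%s\n' "$dump" | count_intercept_rules "$ETHERNET_INTERNET")" -ne 0 ]; then
        echo "WARNING: port 80 arriving on Internet interface $ETHERNET_INTERNET is diverted to Squid too; a LAN transparent proxy needs only the LAN rule, remove this one unless intended"; rc=1
    fi
    return $rc
}

# Stand-alone run: check the constructed dump (pipe "iptables-save -t nat" in on a real box).
sample_nat_dump | check_nat_rules || echo "nat table needs attention before going live"
```

On the live server run iptables-save -t nat | check_nat_rules after Step 11; it exits 0 only when the LAN-side rules are in place and nothing is intercepted on the Internet side.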
Client Side Configuration
Step 12: On the client side, you do not have to configure the web browser.
The only requirement is that the IP subnet of the client is allowed in the Squid proxy server.
This tutorial looks very nice. Can we achieve the same using the firewall-cmd commands?
i.e. mask iptables and use only firewalld to configure squid as a transparent proxy.
I am about to build my network with squid; your detailed and urgent response will be highly appreciated.
Thanks for replying back with the details.
Hello Bilal,
You can use firewalld without any issue. It will work.
Regards
Sharad
Can you please write the firewall commands to be used for this setup?
Thanks
Perfect! Very nice. Thanks!
You are welcome, Wellington,
Regards
Sharad