In this tutorial,we will learn about how to install and configure transparent squid proxy server on RHEL/CentOS 6.x .In this practical,we will install Squid version 3.5.0 package in CentOS 6.5 / RHEL 6.5 . Squid server are designed to run in Unix like operating system. Up to version 2.7, Windows Operating System was supportive. Till the date of writing this post, no Windows Operating System supportive port has been developed in Squid version 3.x .

What is Squid Server

Squid is a web cache and web filtering server.It is based upon Harvest Cache Daemon.
Because Squid server has ability to do cacheing, it helps in improving the performance of web access. It can deliver the web content either static,dynamic or streaming way.It helps to speed up web browsing to its end clients.

Default port number use by Squid service

By-defualt port number 3128 is used by squid service

Squid : Transparent Web Proxy Server

Squid Server widely used for Web filtering and cacheing. It is also used as Transparent Web Proxy Server. Transparent Proxy is also known as Interception Caching.

Interception Caching is a process when a HTTP request from client ends redirected to Cache Server(Squid) without doing any configuration in end user clients. By this way,end user clients do not know the traffic has been redirected to cache server(Transparent Proxy)

Transparent Squid Proxy versus Ordinary Squid proxy

In Ordinary Squid Proxy Server, the end user client traffic is redirected to Squid proxy server but for this , we have to configure the web browser settings in each client machine.(We will also show,how to do settings in this tutorial)

In Transparent Squid Proxy, we do not have to do settings in web browser of each client machine.The traffic can be easily redirected to Squid Server. IPTABLES for NAT (Network Address Translation),play very crucial role to setup the Transparent Squid Proxy.(always remember this)

Squid Proxy Server

Install and Configure Squid Transparent Proxy Server

Follow the given below steps to install and configure the Squid Web Proxy Server.

Step 1: Create a yum client repo file in RHEL/CentOS. This step we are doing ,to get the latest Squid version.

vi /etc/yum.repos.d/squid.repo

Paste given below contents in file /etc/yum.repos.d/squid.repo

[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0

Step 2: Install EPEL repository in system (For getting Perl packages)

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Step 3: By using yum command install Squid and perl-Crypt-OpenSSL

yum install squid  perl-Crypt-OpenSSL

Below given is reference.It shows the packages which will be installed on using command yum install squid perl-Crypt-OpenSSL

Dependencies Resolved

=====================================================================================================
 Package                         Arch           Version                        Repository       Size
=====================================================================================================
Installing:
 squid                           x86_64         7:3.5.0.001-1.el6              squid           2.7 M
Installing for dependencies:
 ksh                             x86_64         20120801-10.el6_5.3            updates         756 k
 libtool-ltdl                    x86_64         2.2.6-15.5.el6                 base             44 k
 perl                            x86_64         4:5.10.1-136.el6               base             10 M
 perl-Crypt-OpenSSL-X509         x86_64         1.800.2-1.el6                  epel             37 k
 perl-DBI                        x86_64         1.609-4.el6                    base            705 k
 perl-Module-Pluggable           x86_64         1:3.90-136.el6                 base             40 k
 perl-Pod-Escapes                x86_64         1:1.04-136.el6                 base             32 k
 perl-Pod-Simple                 x86_64         1:3.13-136.el6                 base            212 k
 perl-libs                       x86_64         4:5.10.1-136.el6               base            578 k
 perl-version                    x86_64         3:0.77-136.el6                 base             51 k

Transaction Summary
=====================================================================================================
Install      11 Package(s)

Total download size: 15 M
Installed size: 47 M
Is this ok [y/N]: y

Step 4: After installing squid package, all squid related configuration files will be located at /etc/squid .Explore these files

[root@localhost ~]# cd /etc/squid/
[root@localhost squid]# 
[root@localhost squid]# ls -l
total 48
-rw-r--r--. 1 root squid   419 Jan 27 18:19 cachemgr.conf
-rw-r--r--. 1 root root    419 Jan 27 18:19 cachemgr.conf.default
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css.default
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf.default
-rw-r-----. 1 root squid  2315 Jan 27 18:19 squid.conf
-rw-r--r--. 1 root root   2315 Jan 27 18:19 squid.conf.default
[root@localhost squid]#

Step 5:Take the backup of squid.conf file.

cp -p /etc/squid/squid.conf /etc/squid/squid.conf.orig

Step 5: Disable the SELINUX . Edit the file /etc/sysconfig/selinux and change the value of SELINUX=disabled

vi /etc/sysconfig/selinux

SELINUX=disabled

Now restart the system so that SELINUX can take effect permanently.

IMPORTANT NOTE : In case , you want to use SELINUX in ENFORCING mode, read this post .(You may have to use the same steps more than one times because of avc denial in SELINUX policy for Squid)

init 6

Step 6: Below given is default squid.conf file configuration settings.(You can use same settings for Ordinary Squid Proxy Server)

NOTE : egrep -v '^#|^$' will hide the lines starting with # and all blank lines.

[root@localhost ~]# egrep -v '^#|^$' /etc/squid/squid.conf 
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|?) 0	0%	0
refresh_pattern .		0	20%	4320
[root@localhost ~]#

Step 7: To make Squid Proxy Server as Transparent Proxy Server. Add “accel vhost allow-direct” with line “http_port 3128” in /etc/squid/squid.conf file .

http_port 3128 accel vhost allow-direct

As per our network, we are using 172.16.0.0/255.255.0.0 inside LAN .Hence we will edit squid.conf file at acl localnet src

Now I will add the new local network acl line in squid.conf file and comment acl lines related to other local network(10.0.0.0/8 ,172.16.0.0/12, 192.168.0.0/16)

vi /etc/squid/squid.conf 

## added this new line as per my network
acl localnet src 172.16.0.0/16

Below given is complete configuration for Squid Transparent Proxy Server

vi /etc/squid/squid.conf
acl localnet src 172.16.0.0/16	# RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 accel vhost allow-direct
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|?) 0	0%	0
refresh_pattern .		0	20%	4320

Step 8 : Restart the Squid service

/etc/init.d/squid restart

Step 9 : Create a IPTABLES script . You can modify the script as per your requirement. (Test the script in staging machine before applying it to live server)

Create bash script file

vi /root/firewall.sh

Paste below given contents in file /root/firewall.sh. Save and close the file after this

 
#!/bin/bash
#
#
#

# Ethernet device name  connected to LAN
ETHERNET_LAN="eth2"

# Ethernet device name connected to Internet
ETHERNET_INTERNET="eth0"

# Squid Server IP Address
SQUID_SERVER_IP="172.16.15.1"

# Squid port number
SQUID_PORT="3128"

### Multiple Port Number - TCP based
MULTI_PORT="22,20,21"

#### Flush iptables
iptables -F

##### Delete a user-defined chain
iptables -X

### -t defines table ###

#### Flush NAT Rules/user-defined NAT chain
iptables -t nat -F
iptables -t nat -X

#### Flush Mangle Rules/user-defined NAT chain (mangle — Used for specific types of packet alteration. ) #####
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp

##### Enable IP forwarding for IPV4 ####
echo 1 > /proc/sys/net/ipv4/ip_forward

##
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

## INPUT/OUTPUT rules for loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface $ETHERNET_INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $ETHERNET_LAN -j ACCEPT

iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT

iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT

iptables -t nat -A PREROUTING -i $ETHERNET_INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

###### IPTABLE Allow rule for tcp based multiple port 
#### To disable - Use # in front of below given line
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT

iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Step 10 : Give execute permission to /root/firewall.sh and only to owner that is root

chmod 700 /root/firewall.sh

Step 11 : Execute the firewall.sh script

sh /root/firewall.sh

Client Side Configuration

Step 12: At client side,you do not have to configure Web browser.
The only requirement is, the IP Subnet of client should be allowed in Squid Proxy Server

Read Some More Articles

50 Comments

  1. This tutorial looks very nice. Can We achieve the same using the firewall-cmd commands.
    i.e mask iptables and use only firewalld to configure squid as transparent proxy.

    I am about the build my network with squid , your detailed and urgent response will highly be appreciated
    Thanks for replying back with the details.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.