In this tutorial we will learn how to install and configure a transparent Squid proxy server on RHEL/CentOS 6.x. In this practical we install the Squid 3.5.0 package on CentOS 6.5 / RHEL 6.5. Squid is designed to run on Unix-like operating systems. Up to version 2.7 Windows was supported as well; at the time of writing, no Windows port of the Squid 3.x series has been released.
What is Squid Server
Squid is a caching and filtering web proxy. It descends from the cache daemon of the Harvest project.
Because Squid caches, it improves the performance of web access: it can serve static, dynamic or streaming content and speeds up browsing for its end clients.
Default port number used by the Squid service
By default the Squid service listens on TCP port 3128.
Squid : Transparent Web Proxy Server
Squid is widely used for web filtering and caching. It is also used as a transparent web proxy server; a transparent proxy is also known as interception caching.
Interception caching is the process of redirecting HTTP requests from clients to the cache server (Squid) without any configuration on the clients. The clients do not know that their traffic has been redirected to the cache server, hence "transparent proxy".
Transparent Squid Proxy versus Ordinary Squid proxy
With an ordinary Squid proxy the client traffic also goes to the Squid server, but the web browser on each client machine has to be configured with the proxy address and port (Squid's plain http_port).
With a transparent Squid proxy no browser settings are needed on the clients: their traffic is redirected to Squid by iptables NAT (Network Address Translation), which is the crucial piece of a transparent setup. The trade-off is that interception only sees the ports you NAT (port 80 in this tutorial) and that the clients must route their traffic through the Squid box.
Install and Configure Squid Transparent Proxy Server
Follow the steps below to install and configure the Squid web proxy server.
Step 1: Create a yum repository file on RHEL/CentOS. We do this to get a recent Squid version, which the stock EL6 repositories do not ship.
vi /etc/yum.repos.d/squid.repo
Paste given below contents in file /etc/yum.repos.d/squid.repo
[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0

The file must begin with the [squid] section header on a line of its own; if the bracket is lost while pasting, yum aborts with "File contains no section headers". Two cautions: this is a third-party repository, and gpgcheck=0 switches off RPM signature verification, so yum installs whatever the mirror serves. If the repository publishes a signing key, import it with rpm --import and set gpgcheck=1; if it does not, treat the packages as unverified and weigh that against the benefit of a newer Squid.
Step 2: Install the EPEL repository (it provides the Perl packages Squid depends on). The release number in the URL below changes over time; on CentOS 6 the simpler route is yum install epel-release from the extras repository, and on RHEL use the current URL from the EPEL site.
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Step 3: Install Squid and perl-Crypt-OpenSSL-X509 with yum. (The original command named the package perl-Crypt-OpenSSL, which does not exist; yum prints "No package available" for it and still pulls in perl-Crypt-OpenSSL-X509 from EPEL as a Squid dependency, as the output below shows.)
yum install squid perl-Crypt-OpenSSL-X509
For reference, these are the packages installed by the command above:
Dependencies Resolved

=====================================================================================================
 Package                      Arch        Version                   Repository   Size
=====================================================================================================
Installing:
 squid                        x86_64      7:3.5.0.001-1.el6         squid        2.7 M
Installing for dependencies:
 ksh                          x86_64      20120801-10.el6_5.3       updates      756 k
 libtool-ltdl                 x86_64      2.2.6-15.5.el6            base          44 k
 perl                         x86_64      4:5.10.1-136.el6          base          10 M
 perl-Crypt-OpenSSL-X509      x86_64      1.800.2-1.el6             epel          37 k
 perl-DBI                     x86_64      1.609-4.el6               base         705 k
 perl-Module-Pluggable        x86_64      1:3.90-136.el6            base          40 k
 perl-Pod-Escapes             x86_64      1:1.04-136.el6            base          32 k
 perl-Pod-Simple              x86_64      1:3.13-136.el6            base         212 k
 perl-libs                    x86_64      4:5.10.1-136.el6          base         578 k
 perl-version                 x86_64      3:0.77-136.el6            base          51 k

Transaction Summary
=====================================================================================================
Install      11 Package(s)

Total download size: 15 M
Installed size: 47 M
Is this ok [y/N]: y
Step 4: After installing the package, all Squid configuration files live in /etc/squid. Have a look at them. Note that squid.conf is mode 0640 root:squid; keep it that way, since it will hold your access policy and any blocklists.
[root@localhost ~]# cd /etc/squid/
[root@localhost squid]# ls -l
total 48
-rw-r--r--. 1 root squid   419 Jan 27 18:19 cachemgr.conf
-rw-r--r--. 1 root root    419 Jan 27 18:19 cachemgr.conf.default
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css.default
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf.default
-rw-r-----. 1 root squid  2315 Jan 27 18:19 squid.conf
-rw-r--r--. 1 root root   2315 Jan 27 18:19 squid.conf.default
[root@localhost squid]#
Step 5: Take a backup of squid.conf, then deal with SELinux.
cp -p /etc/squid/squid.conf /etc/squid/squid.conf.orig
The quick route is to disable SELinux: edit /etc/sysconfig/selinux (on EL6 a symlink to /etc/selinux/config), set SELINUX=disabled, and reboot so the change takes effect permanently.
vi /etc/sysconfig/selinux
SELINUX=disabled
init 6
IMPORTANT NOTE: disabling SELinux removes a real layer of containment from a box that faces both the LAN and the Internet. If you want to keep SELinux in ENFORCING mode, read the dedicated post on that. The short version: run permissive (setenforce 0) while you set Squid up, collect the AVC denials from /var/log/audit/audit.log, and allow only what Squid actually needs. Expect to repeat the collect-and-allow cycle more than once, because each fix can reveal the next denial.
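For the enforcing-mode route, the work is reading the AVC denials and mapping each one to the narrowest fix. The script below is an added example, not part of the original tutorial: it takes raw audit records on stdin (for instance ausearch -m avc -c squid --raw, or a grep of /var/log/audit/audit.log), summarises the denials for one command, and prints a remedy for the two kinds a Squid setup usually produces (outbound connections to unusual ports, and a blocklist file left under /root with the admin_home_t label). The sample records are constructed for illustration, and the boolean squid_connect_any, restorecon and audit2allow are the stock EL6 tools for these cases.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one command and map the common ones to a
# least-privilege fix. Added example, not part of the original tutorial.
# Usage:  ausearch -m avc -c squid --raw | sh avc.sh squid
#         grep 'comm="squid"' /var/log/audit/audit.log | sh avc.sh squid
# With no argument it runs over the constructed sample records below.

SAMPLE_AUDIT='type=AVC msg=audit(1422360000.123:4567): avc:  denied  { name_connect } for  pid=2231 comm="squid" dest=8080 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1422360001.456:4568): avc:  denied  { name_connect } for  pid=2231 comm="squid" dest=8443 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:pcsync_https_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1422360002.789:4569): avc:  denied  { read } for  pid=2231 comm="squid" name="blocksites" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1422360003.000:4570): avc:  denied  { write } for  pid=1802 comm="httpd" name="index.html" dev=dm-0 ino=999 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_summary <comm>: denials for that command as "permission tclass target_type count".
avc_summary() {
    awk -v want="$1" '
        /type=AVC/ && /denied/ {
            comm = ""; tt = ""; tclass = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
                if ($i ~ /^tcontext=/) { tt = $i; sub(/.*:object_r:/, "", tt); sub(/:s0.*/, "", tt) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                if ($i == "{")         { perm = $(i + 1) }   # first permission in the set
            }
            if (comm == want) n[perm " " tclass " " tt]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# remedy: read summary lines and print the fix to apply for each.
remedy() {
    while read -r perm tclass tt count; do
        case "$perm $tclass $tt" in
            "name_connect tcp_socket "*)
                echo "$perm to $tt (${count}x): setsebool -P squid_connect_any on" ;;
            "read file admin_home_t"|"open file admin_home_t"|"getattr file admin_home_t")
                echo "$perm on $tt (${count}x): file is under /root; move it to /etc/squid and run restorecon -Rv /etc/squid" ;;
            *)
                echo "$perm $tclass $tt (${count}x): inspect with audit2allow -a -w, then audit2allow -M squid_local and semodule -i squid_local.pp" ;;
        esac
    done
}

if [ -n "${1:-}" ]; then
    avc_summary "$1" | remedy
else
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary squid | remedy
fi
```

Only the first permission of a `{ ... }` set is taken, which is enough for the single-permission denials Squid produces in practice; anything the two known cases do not cover falls through to the audit2allow route, where you should read the generated .te file before loading the module rather than allowing everything it suggests.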
Step 6: Below is the default squid.conf with comments and blank lines stripped. These defaults are what you would use for an ordinary, browser-configured proxy.
NOTE: egrep -v '^#|^$' hides the lines starting with # and all blank lines.
[root@localhost ~]# egrep -v '^#|^$' /etc/squid/squid.conf
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
[root@localhost ~]#
Step 7: Make Squid accept the intercepted traffic. The original post put http_port 3128 accel vhost allow-direct here, but that is accelerator (reverse-proxy) mode, not interception: Squid then forwards to whatever origin the client's Host header names. It happens to work for plain HTTP, but it skips the check Squid 3.2 and later performs on intercepted requests, that the Host header matches the connection's original destination (its defence against Host-header forgery). In Squid 3.x the option for NAT interception is intercept (3.0 called it transparent). Two things follow from how it works: Squid looks up the original destination in the NAT table of the host it runs on, so the iptables rule must be applied on the Squid box itself; and an intercept port is intercept-only, so explicitly configured browsers need a separate plain port. Replace the http_port line in /etc/squid/squid.conf with:
http_port 3128 intercept
http_port 3129
Our LAN is 172.16.0.0/255.255.0.0, so we also edit the acl localnet src lines in squid.conf.
We add one localnet line for our own subnet and comment out the three RFC1918 lines (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). 172.16.0.0/16 already lies inside 172.16.0.0/12; the point of narrowing the ACL is that only our own subnet can use the proxy, which matters on a box that also routes.
vi /etc/squid/squid.conf
## added this new line as per my network
acl localnet src 172.16.0.0/16
Below is the complete configuration for the Squid transparent proxy server. The original listing referenced an ACL named blocksites without ever defining it, which makes Squid refuse to start ("ACL name 'blocksites' not defined"); it is defined here with a placeholder domain that you should replace with your own list.
vi /etc/squid/squid.conf
acl localnet src 172.16.0.0/16  # site LAN (edit to match your network)
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Sites to refuse. '.example.com' is a placeholder; an ACL must be defined
# before http_access refers to it, or Squid will not start.
acl blocksites dstdomain .example.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
# Intercepted traffic: iptables NAT sends LAN port 80 here
http_port 3128 intercept
# Plain proxy port for browsers that are configured explicitly
http_port 3129
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Step 8: Check the configuration, then restart the Squid service. squid -k parse reads squid.conf and reports syntax errors and ACLs that are referenced but never defined, without touching the running daemon. If the cache directories under /var/spool/squid do not exist yet, create them with squid -z before the first start.
/etc/init.d/squid restart
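The two configuration mistakes discussed above (an undefined ACL on an http_access line, and accel mode where intercept was meant) are easy to re-introduce when editing by hand, so here is a small offline pre-check to run before squid -k parse and the restart. It is an added example, not part of the original tutorial or of Squid: the names predefined by Squid 3.x (all, localhost, manager, to_localhost) are treated as built in, and the sample config is constructed to reproduce both mistakes.

```shell
#!/bin/sh
# Offline sanity check for squid.conf. Added example, not part of the original
# tutorial. It catches three things that break transparent proxying:
#   1. an http_port in 'accel' (reverse-proxy) mode where 'intercept' was meant,
#   2. http_access rules naming an ACL that no 'acl' line defines (Squid refuses
#      to start on these),
#   3. a rule set that does not end in 'http_access deny all'.

# Drop comments and blank lines, like egrep -v '^#|^$' but also inline '# ...'.
strip_conf() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d'
}

# Names defined by 'acl <name> ...' directives, one per line.
defined_acls() {
    strip_conf | awk '$1 == "acl" { print $2 }'
}

# Names used on 'http_access allow|deny ...' lines, leading '!' removed.
referenced_acls() {
    strip_conf | awk '$1 == "http_access" {
        for (i = 3; i <= NF; i++) { sub(/^!/, "", $i); print $i }
    }'
}

# ACLs referenced but never defined (prints nothing when the config is clean).
undefined_acls() {
    conf=$(cat)
    predefined="all localhost manager to_localhost"   # built into Squid 3.x
    printf '%s\n' "$conf" | referenced_acls | sort -u | while read -r name; do
        case " $predefined " in *" $name "*) continue ;; esac
        printf '%s\n' "$conf" | defined_acls | grep -qFx "$name" || printf '%s\n' "$name"
    done
}

# One line per http_port: "<port> plain|intercept|accel".
port_modes() {
    strip_conf | awk '$1 == "http_port" {
        mode = "plain"
        for (i = 3; i <= NF; i++) {
            if ($i == "intercept" || $i == "transparent") mode = "intercept"
            else if ($i == "accel") mode = "accel"
        }
        print $2, mode
    }'
}

# "ok" when the last http_access rule is 'deny all', otherwise "missing".
final_deny_all() {
    last=$(strip_conf | awk '$1 == "http_access" { l = $2 " " $3 } END { print l }')
    [ "$last" = "deny all" ] && echo ok || echo missing
}

# Constructed sample reproducing the two mistakes discussed in the text:
# 'blocksites' is denied but never defined, and the port is in accel mode.
SAMPLE_CONF='acl localnet src 172.16.0.0/16   # site LAN
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 accel vhost allow-direct
coredump_dir /var/spool/squid'

# lint [file]: check a real squid.conf, or the sample when no file is given.
lint() {
    if [ -n "${1:-}" ]; then conf=$(cat "$1"); else conf=$SAMPLE_CONF; fi
    printf 'undefined ACLs : %s\n' "$(printf '%s\n' "$conf" | undefined_acls | tr '\n' ' ')"
    printf 'http_port modes: %s\n' "$(printf '%s\n' "$conf" | port_modes | tr '\n' ';')"
    printf 'final deny all : %s\n' "$(printf '%s\n' "$conf" | final_deny_all)"
    # With a real file and Squid installed, let Squid have the final word.
    if [ -n "${1:-}" ] && command -v squid >/dev/null 2>&1; then squid -k parse -f "$1"; fi
}

lint "$@"
```

Run it as sh lint.sh /etc/squid/squid.conf on the box; an intercept port listed as "accel", any name under "undefined ACLs", or "missing" for the final deny all is a reason not to restart yet.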
Step 9: Create the iptables script. Adjust the interface names, the Squid address and the port to your network, and test the script on a staging machine before applying it to a live server. Compared with the original listing, the FORWARD chain now defaults to DROP with an explicit return rule (otherwise the box forwards anything that arrives, including traffic from the Internet towards the LAN), and the REDIRECT of port 80 on the Internet interface is gone: it never matched anything useful because INPUT drops new connections from that side, and an interception rule facing the Internet is not something you want on a proxy.
Create the bash script file
vi /root/firewall.sh
Paste the contents below into /root/firewall.sh, then save and close the file.
#!/bin/bash
#
# Transparent Squid: NAT port 80 from the LAN to Squid, masquerade the rest.
# Rules are applied immediately and are not persistent (see the note after
# the script).

# Ethernet device connected to the LAN
ETHERNET_LAN="eth2"
# Ethernet device connected to the Internet
ETHERNET_INTERNET="eth0"
# Squid server IP address (its LAN-side address)
SQUID_SERVER_IP="172.16.15.1"
# Squid intercept port
SQUID_PORT="3128"
# TCP ports accepted on the server itself (SSH, FTP)
MULTI_PORT="22,20,21"

# Flush the filter table and delete user-defined chains
iptables -F
iptables -X
# -t selects a table: flush NAT rules and user-defined NAT chains
iptables -t nat -F
iptables -t nat -X
# Flush mangle rules and user-defined mangle chains (mangle alters packet headers)
iptables -t mangle -F
iptables -t mangle -X

# Load connection-tracking modules (EL6 names; ip_conntrack* are the legacy aliases)
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp

# Enable IPv4 forwarding so the box can route for the LAN
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies: drop what is not explicitly allowed into or through the box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections the box itself opened (Squid's upstream fetches)
iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Routing for the LAN: LAN -> Internet is allowed, only replies come back in
iptables -t nat -A POSTROUTING -o $ETHERNET_INTERNET -j MASQUERADE
iptables -A FORWARD -i $ETHERNET_LAN -o $ETHERNET_INTERNET -j ACCEPT
iptables -A FORWARD -i $ETHERNET_INTERNET -o $ETHERNET_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# The LAN may talk to the server itself (Squid, DNS, SSH, ...)
iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT

# Interception: hand port 80 from the LAN to Squid. This must run on the Squid
# box itself, because Squid 3.2+ looks up the original destination in the
# local NAT table. Deliberately no such rule on the Internet interface.
iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT

# Services reachable on the server from any interface (put # in front to disable)
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT

# Log and drop everything else
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Step 10: Make /root/firewall.sh executable by its owner (root) only.
chmod 700 /root/firewall.sh
Step 11: Run the script.
sh /root/firewall.sh
The rules take effect immediately but are not persistent. On EL6 save them with service iptables save (they go to /etc/sysconfig/iptables and are reloaded by the iptables service at boot) and add net.ipv4.ip_forward = 1 to /etc/sysctl.conf so forwarding survives a reboot. To confirm that the interception rule is actually being hit, iptables -t nat -L PREROUTING -v -n shows the packet counter for each rule.
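Once the rules are loaded it is worth checking them as data rather than by eye. The script below is an added example, not part of the original tutorial: it reads iptables-save output (live as root with --live, or a saved dump) and answers four questions a reviewer would ask of a transparent-proxy firewall: is LAN port 80 handed to Squid, is there any interception rule on the Internet interface (there should be none), what is the FORWARD policy, and is outbound traffic masqueraded. The interface names and port are the tutorial's; the sample dump is constructed and deliberately contains two things the checks should flag.

```shell
#!/bin/sh
# Post-apply checks for the interception rules, driven by iptables-save output.
# Added example, not part of the original tutorial. Interface names and port
# are assumptions matching the tutorial; override LAN_IF, WAN_IF, SQUID_PORT
# in the environment for another box.

LAN_IF=${LAN_IF:-eth2}
WAN_IF=${WAN_IF:-eth0}
SQUID_PORT=${SQUID_PORT:-3128}

# Extract one table from an iptables-save dump read on stdin.
nat_table()    { awk '/^\*nat/    { on = 1; next } /^COMMIT/ { on = 0 } on'; }
filter_table() { awk '/^\*filter/ { on = 1; next } /^COMMIT/ { on = 0 } on'; }

# lan_intercept_rule <lan-if> <port>: "present" if PREROUTING hands LAN
# port-80 traffic to Squid by DNAT or REDIRECT, otherwise "missing".
lan_intercept_rule() {
    if nat_table | grep -E "^-A PREROUTING -i $1 .*--dport 80 .*-j (DNAT --to-destination [0-9.]+:$2|REDIRECT --to-ports $2)( |$)" >/dev/null
    then echo present; else echo missing; fi
}

# wan_intercept_rules <wan-if>: number of DNAT/REDIRECT rules on that
# interface. Interception is for your own clients; this should be 0.
wan_intercept_rules() {
    nat_table | grep -E "^-A PREROUTING -i $1 .*-j (DNAT|REDIRECT)" | wc -l | tr -d ' '
}

# forward_policy: DROP or ACCEPT (DROP means the box only routes what you allow).
forward_policy() {
    filter_table | awk '$1 == ":FORWARD" { print $2 }'
}

# masquerade_rule <wan-if>: "present" if outbound traffic is masqueraded.
masquerade_rule() {
    if nat_table | grep -E "^-A POSTROUTING -o $1 .*-j MASQUERADE" >/dev/null
    then echo present; else echo missing; fi
}

# Constructed dump with two things the checks should flag: an interception
# rule on the Internet side and a FORWARD chain left at ACCEPT.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.15.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,20,21 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i eth2 -j ACCEPT
COMMIT'

# report: run all four checks on the dump given on stdin.
report() {
    dump=$(cat)
    printf 'LAN port 80 -> Squid:%s : %s\n' "$SQUID_PORT" "$(printf '%s\n' "$dump" | lan_intercept_rule "$LAN_IF" "$SQUID_PORT")"
    printf 'intercept rules on %s   : %s (want 0)\n' "$WAN_IF" "$(printf '%s\n' "$dump" | wan_intercept_rules "$WAN_IF")"
    printf 'FORWARD policy            : %s (want DROP)\n' "$(printf '%s\n' "$dump" | forward_policy)"
    printf 'MASQUERADE on %s        : %s\n' "$WAN_IF" "$(printf '%s\n' "$dump" | masquerade_rule "$WAN_IF")"
}

# Check the live rules only when asked to and running as root; otherwise
# check the constructed sample so the script can be tried anywhere.
if [ "${1:-}" = "--live" ] && [ "$(id -u)" = 0 ]; then
    iptables-save | report
else
    printf '%s\n' "$SAMPLE_DUMP" | report
fi
```

On the box, sh check-fw.sh --live reads the kernel's current rules; to review a saved file instead, run iptables-save > rules.dump once and pipe it through report. The checks match on the canonical iptables-save syntax (--to-destination, --to-ports), which is what the kernel reports back regardless of the short forms used when the rules were added.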
Client Side Configuration
Step 12: On the client side no web browser configuration is needed.
Two things must hold: the client's subnet must be allowed by the localnet ACL on the Squid server, and the client's default gateway must be the Squid box's LAN address (172.16.15.1 in this setup), otherwise its port-80 traffic never reaches the PREROUTING rule. Keep in mind that only TCP port 80 is intercepted; HTTPS (443) and everything else is routed through the MASQUERADE rule without caching or filtering.
Hey Sharad:
Very helpful post about Squid configuration. Please help me with the query below.
I have a Squid proxy 2.8 setup with 15 client machines; all is working fine with SquidGuard.
My ISP download and upload limit is 80GB per month but my setup always goes beyond 100GB per month.
1) Is it possible to limit each client to 5GB usage per month? If yes, how to configure it?
2) Is it required to update to the latest Squid 3.5? Any advantages with the latest version?
Awaiting your reply
Best regards,
Thanks
Aniruddha
Hello Aniruddha,
I am happy to know the feedback that the post is helpful for you.
On the same version 2.8, you can work with the parameter called reply_body_max_size. This per-month download limit is tricky; I think you can achieve it with a time-based ACL.
Using the latest stable version of any package gives you an extra edge. The latest version has many bug and security fixes and many new features.
You should try with latest Squid version also.
Regards
Sharad
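Squid has no built-in per-client volume quota (delay pools limit rate, not monthly bytes), so whichever enforcement route you pick, the first step is measuring per-client usage from the log. The script below is an added example, not part of the post or of either comment: it reads Squid's native access.log format and reports bytes per client, TCP_DENIED counts per client, the cache hit ratio, and which clients exceed a byte quota. The sample lines are constructed, with documentation IP ranges rather than real hosts.

```shell
#!/bin/sh
# Per-client usage from Squid's native access.log. Added example, not part
# of the original post. Native log fields:
#   1 timestamp  2 elapsed ms  3 client IP  4 result/status  5 bytes to client
#   6 method  7 URL  8 ident  9 hierarchy/peer  10 content type
# Constructed sample lines; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG='1422350001.123    245 172.16.15.21 TCP_MISS/200 53211 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1422350002.456     12 172.16.15.21 TCP_HIT/200 4096 GET http://example.com/logo.png - HIER_NONE/- image/png
1422350003.789    300 172.16.15.22 TCP_DENIED/403 3829 GET http://blocked.example/ - HIER_NONE/- text/html
1422350004.012   1500 172.16.15.22 TCP_MISS/200 1048576 GET http://example.net/big.iso - HIER_DIRECT/203.0.113.10 application/octet-stream
1422350005.345     30 172.16.15.21 TCP_MEM_HIT/200 2048 GET http://example.com/style.css - HIER_NONE/- text/css'

# "<client> <bytes>" per client, largest first. Denied requests still cost
# the bytes of the error page, so they are counted too.
bytes_per_client() {
    awk 'NF >= 10 { b[$3] += $5 } END { for (c in b) print c, b[c] }' | sort -k2,2nr
}

# "<client> <count>" of TCP_DENIED results, to spot clients that keep hitting policy.
denied_per_client() {
    awk 'NF >= 10 && $4 ~ /^TCP_DENIED\// { d[$3]++ } END { for (c in d) print c, d[c] }' | sort
}

# Cache hit ratio in whole percent over all logged requests (any *HIT/ result).
hit_ratio() {
    awk 'NF >= 10 { n++; if ($4 ~ /HIT\//) h++ } END { printf "%d\n", (n ? 100 * h / n : 0) }'
}

# over_quota <bytes>: clients whose total exceeds the quota, one per line.
over_quota() {
    bytes_per_client | awk -v q="$1" '$2 > q { print $1 }'
}

# Report for the sample. For a real log pipe the file in instead, e.g.
#   over_quota $((5 * 1024 * 1024 * 1024)) < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | bytes_per_client
printf 'denied: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | denied_per_client | tr '\n' ';')"
printf 'hit ratio: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | hit_ratio)"
printf 'over 1 MiB: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | over_quota 1048576 | tr '\n' ' ')"
```

Run over a month of logs (rotate or concatenate them first), the over_quota output is a list of source addresses that can be written into a file used by an acl ... src "/etc/squid/over_quota" and denied ahead of http_access allow localnet, regenerated from cron; that gives a monthly cap without a helper process, at the cost of enforcement lagging the log by one cron interval.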
Hi Sharad,
Again, this comment by Mr. Aniruddha has got me ticking hehe… I have not really used SquidGuard in an extensive way. But what I understand is that it works on the basis of URL blacklists. It's a great way to stop people from hitting spammy and phishing sites and preserve the sanity of the internal network. Please let me know if there are some more things that can be done using SquidGuard.
As far as the per-month download limit for an individual system is concerned, as you said, it is really tricky (at least I have never managed to get this done). Again I totally agree with your suggestion of using a time-based access control list.
What I was also trying to understand here is, would this not be a good option to block torrents, mp3 etc.? In a small environment, where we need to work with limited bandwidth, these torrents, online mp3 streaming, video streaming and online gaming are the real bandwidth killers.
Hi Sharad:
As per your suggestion I have installed the latest Squid 3.5.1 version. I have compiled the source package to enable MAC address filtering (with --enable-arp and --enable-arp-acl).
I have configured squid.conf as below to test if transparent proxy working.
http_port 3128 intercept
acl allowip src 192.168.1.201
http_access allow allowip
http_access deny all
With the above config the client is not able to browse and shows the error connection refused (111).
When i remove intercept word it works fine but I need to add Squid IP and port to browser settings.
I configured iptables properly to forward requests from 8080 to 3128.
Please suggest why intercept/ transparent option is not working.
Thanks for your help.
Aniruddha
Hello Anirudh,
Check the logs and find the error. It will help you to troubleshoot.
Regards
Sharad
Good Afternoon Sharad,
No problem:
squid]
name=Squid repo for CentOS Linux 6 – $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
I am sorry to be a pain with this one.
Regards,
Anthony
Thankyou Anthony,
I will recheck
Regards
Sharad
Good Afternoon Sharad,
I have tried running the command but it failed as well:
[root@squid ~]# cd /
[root@squid /]# yum clean all
Loaded plugins: fastestmirror
Error: File contains no section headers.
file: file://///etc/yum.repos.d/squid.repo, line: 1
‘squid]n’
[root@squid /]#
As mentioned my os is Centos 6.5
Regards,
Anthony
Hello Anthony,
Can you share the content of /etc/yum.repos.d/squid.repo
Regards
Sharad
Hi Sharad,
I have not had chance to try this yet but I am running Centos 6.5
Thanks,
Anthony
Good Morning Sharad,
I have just started to work through this and after following your advice to backup what I have working now I started following your instructions.
Unfortunately I did not get very far before I got this message:
[root@squid /]# yum install squid perl-Crypt-OpenSSL
Loaded plugins: fastestmirror
Error: File contains no section headers.
file: file://///etc/yum.repos.d/squid.repo, line: 1
‘squid]n’
Have you come across this before?
As an extra I am just using ordinary Squid using a wpad.dat file to force the client PC’s to use Squid.
Thanks,
Anthony
Run the command –
If it does not work, may I know which O.S and its version you are using.
Regards
Sharad
Hi Sharad,
I’m a complete Linux noob and have been wrestling with Squid for months (I really am that much of a noob).
I found your post tonight and although I’m not using Squid as a transparent proxy (I’m actually reverse proxying an old Exchange 2003 system), the information you provided to update Squid to a non-broken version has finally meant that it all works now! WooHoo!
Thanks a billion for taking the time to put the information together.
You sir, are an absolute star!
Mark
Awesome Mark !
Wow, this positive feedback really helps many readers.
I am very glad this tutorial works for our reader.
Thanks and Regards
Sharad
Hi,
I already have an older version of Squid on my Centos Server, will this upgrade or overwrite it?
If it overwrites it what files do I need to save to keep it working?
Thanks,
alamb200
Hello Anthony,
1. Before upgrading, the best thing is always to take a backup of the entire configuration directory.
2. Read the currently running squid config file, because it may have lots of # commented lines. You can use the below given command to read and understand your squid config file.
Now check in the same file whether any other file is depended on. For example, some system admins keep blacklisted website info in a file to restrict sites from Squid.
Likewise, you have to check all parameters.
Step 7 has almost all the latest parameters and syntax. Just compare it with the running config and make the changes as per your requirement.
I suggest you first test on a staging or test machine.
Regards
Sharad
Great post! I was looking for
http_port 3128 accel vhost allow-direct
and you saved my day, thank you very much.
Welcome George,
I am very happy to see it works for you.
Thanks and Regards
Sharad
Is transparency possible with Ubuntu 14.04? I tried another tutorial without good results. Do I have to put hands on the kernel for anything?
Hello Jaume,
Yes, it is possible with Ubuntu 14.04 LTS as well.
Regards
Sharad
Hi
sharad
Excellent post !
Is it possible to configure a transparent squid proxy server inside any one machine of the LAN, say with IP 192.168.1.5? Now I have a linksys wrtg router (192.168.1.1) which is connected to the ISP, and the linksys wrtg router is connected to a switch where all the nodes are connected.
Thanks
Hello Dwija,
In the squid server, we have used two ethernet interfaces. One is for the INTERNET and the second is for the LAN.
As per the given practical, I have used NAT (Network Address Translation) in IPTABLES (read Step 9).
As per your question, I assume that in your router NAT is already set. If you can provide me a rough architecture of the network, it will be helpful to understand.
Regards
Sharad