In this tutorial, we will learn how to install and configure a transparent Squid proxy server on RHEL/CentOS 6.x. In this practical, we will install the Squid version 3.5.0 package on CentOS 6.5 / RHEL 6.5. Squid is designed to run on Unix-like operating systems. Up to version 2.7, Windows was supported; at the time of writing this post, no Windows port of Squid version 3.x has been developed.
What is Squid Server
Squid is a web cache and web filtering server. It is based upon the Harvest Cache Daemon.
Because Squid can cache, it improves the performance of web access. It can deliver static, dynamic or streaming web content, and it speeds up web browsing for its end clients.
Default port number used by the Squid service
By default, port number 3128 is used by the squid service.
Squid : Transparent Web Proxy Server
Squid is widely used for web filtering and caching. It is also used as a transparent web proxy server. A transparent proxy is also known as interception caching.
Interception caching is the process of redirecting HTTP requests from client hosts to the cache server (Squid) without doing any configuration on the end-user clients. In this way, the end-user clients do not know that their traffic has been redirected to the cache server (transparent proxy).
Transparent Squid Proxy versus Ordinary Squid proxy
In an ordinary Squid proxy server, the end-user client traffic is sent to the Squid proxy server, but for this we have to configure the web browser settings on each client machine. (We will also show how to do these settings in this tutorial.)
In a transparent Squid proxy, we do not have to change the web browser settings on each client machine; the traffic is redirected to the Squid server at the network level. IPTABLES NAT (Network Address Translation) plays the crucial role in setting up the transparent Squid proxy. (Always remember this.)
Install and Configure Squid Transparent Proxy Server
Follow the steps given below to install and configure the Squid web proxy server.
Step 1: Create a yum client repo file on RHEL/CentOS. We do this step to get the latest Squid version.
vi /etc/yum.repos.d/squid.repo
Paste the contents given below into the file /etc/yum.repos.d/squid.repo
[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
Step 2: Install the EPEL repository on the system (for getting the Perl packages)
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Step 3: Using the yum command, install Squid and perl-Crypt-OpenSSL
yum install squid perl-Crypt-OpenSSL
Below is a reference. It shows the packages which will be installed by the command yum install squid perl-Crypt-OpenSSL
Dependencies Resolved

=====================================================================================================
 Package                    Arch       Version                    Repository   Size
=====================================================================================================
Installing:
 squid                      x86_64     7:3.5.0.001-1.el6          squid        2.7 M
Installing for dependencies:
 ksh                        x86_64     20120801-10.el6_5.3        updates      756 k
 libtool-ltdl               x86_64     2.2.6-15.5.el6             base          44 k
 perl                       x86_64     4:5.10.1-136.el6           base          10 M
 perl-Crypt-OpenSSL-X509    x86_64     1.800.2-1.el6              epel          37 k
 perl-DBI                   x86_64     1.609-4.el6                base         705 k
 perl-Module-Pluggable      x86_64     1:3.90-136.el6             base          40 k
 perl-Pod-Escapes           x86_64     1:1.04-136.el6             base          32 k
 perl-Pod-Simple            x86_64     1:3.13-136.el6             base         212 k
 perl-libs                  x86_64     4:5.10.1-136.el6           base         578 k
 perl-version               x86_64     3:0.77-136.el6             base          51 k

Transaction Summary
=====================================================================================================
Install      11 Package(s)

Total download size: 15 M
Installed size: 47 M
Is this ok [y/N]: y
Step 4: After installing the squid package, all Squid-related configuration files are located in /etc/squid. Explore these files
[root@localhost ~]# cd /etc/squid/
[root@localhost squid]#
[root@localhost squid]# ls -l
total 48
-rw-r--r--. 1 root squid   419 Jan 27 18:19 cachemgr.conf
-rw-r--r--. 1 root root    419 Jan 27 18:19 cachemgr.conf.default
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css
-rw-r--r--. 1 root root   1547 Jan 27 18:18 errorpage.css.default
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf
-rw-r--r--. 1 root root  11954 Jan 27 18:19 mime.conf.default
-rw-r-----. 1 root squid  2315 Jan 27 18:19 squid.conf
-rw-r--r--. 1 root root   2315 Jan 27 18:19 squid.conf.default
[root@localhost squid]#
Step 5: Take a backup of the squid.conf file.
cp -p /etc/squid/squid.conf /etc/squid/squid.conf.orig
Step 5: Disable SELINUX. Edit the file /etc/sysconfig/selinux and change the value to SELINUX=disabled
vi /etc/sysconfig/selinux
SELINUX=disabled
Now restart the system so that the SELINUX change takes effect permanently.
IMPORTANT NOTE: In case you want to use SELINUX in ENFORCING mode, read this post. (You may have to repeat the same steps more than once because of AVC denials in the SELINUX policy for Squid.)
init 6
Step 6: Below are the default squid.conf configuration settings. (You can use the same settings for an ordinary Squid proxy server.)
NOTE: egrep -v '^#|^$' hides the lines starting with # and all blank lines.
[root@localhost ~]# egrep -v '^#|^$' /etc/squid/squid.conf
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
[root@localhost ~]#
Step 7: To make the Squid proxy server a transparent proxy server, add “accel vhost allow-direct” to the line “http_port 3128” in the /etc/squid/squid.conf file.
http_port 3128 accel vhost allow-direct
As per our network, we are using 172.16.0.0/255.255.0.0 as the inside LAN. Hence we will edit the acl localnet src lines in the squid.conf file.
Now I will add the new local network acl line in squid.conf and comment out the acl lines for the other local networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
vi /etc/squid/squid.conf
## added this new line as per my network
acl localnet src 172.16.0.0/16
Below is the complete configuration for the Squid transparent proxy server
vi /etc/squid/squid.conf
acl localnet src 172.16.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# "blocksites" is referenced by an http_access rule below but was not defined in the
# original post; Squid refuses to start on an undefined ACL name. This placeholder
# definition keeps the file valid: replace .example.com with the domains you block.
acl blocksites dstdomain .example.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 accel vhost allow-direct
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
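The configuration above references an ACL in an http_access rule, and Squid will not start if such a name has no acl definition, which on a transparent proxy means every client behind the firewall loses web access at once. The following is an added example, not part of the original post or of the Squid project, that lints a squid.conf for ACL names used in http_access lines but never defined. The sample configuration it writes is constructed here and reproduces the undefined-name mistake; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): find ACL names that an
# http_access line references but no "acl <name> ..." line defines.
# Squid 3.x predefines all, localhost, to_localhost and manager, so those
# are never reported.

undefined_acls() {
    # $1: path to a squid.conf; prints each undefined name once
    awk '
        /^[[:space:]]*acl[[:space:]]/ { defined[$2] = 1; next }
        /^[[:space:]]*http_access[[:space:]]/ {
            # $2 is allow/deny; ACL names start at $3
            for (i = 3; i <= NF; i++) {
                name = $i
                if (name ~ /^#/) break          # trailing comment, stop
                sub(/^!/, "", name)             # strip negation prefix
                if (name == "all" || name == "localhost" ||
                    name == "to_localhost" || name == "manager") continue
                if (!(name in defined) && !(name in seen)) {
                    seen[name] = 1
                    print name
                }
            }
        }
    ' "$1"
}

check_config() {
    # $1: path to a squid.conf; exit status 1 when something is undefined,
    # so it can gate a "service squid restart" in a deploy script
    bad=$(undefined_acls "$1")
    if [ -n "$bad" ]; then
        echo "undefined ACL(s) in $1: $bad" >&2
        return 1
    fi
    return 0
}

write_sample_config() {
    # Constructed sample (not a real host's file): "blocksites" is used but
    # never defined, exactly the gap a copied config can carry.
    f=$(mktemp)
    cat > "$f" <<'EOF'
acl localnet src 172.16.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocksites
http_access allow localnet
http_access deny all
http_port 3128 accel vhost allow-direct
EOF
    echo "$f"
}

# Stand-alone demo on the constructed file; on a real host run
# check_config /etc/squid/squid.conf before restarting Squid.
demo=$(write_sample_config)
check_config "$demo" || echo "fix squid.conf before restarting squid"
rm -f "$demo"
```

The lint is deliberately narrow: it checks only the allow/deny rule names, which is the mistake that stops Squid from starting. On an installed host, `squid -k parse` (a real Squid option) performs the full syntax check and should still be run before the restart in Step 8.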
Step 8 : Restart the Squid service
/etc/init.d/squid restart
Step 9: Create an IPTABLES script. You can modify the script as per your requirement. (Test the script on a staging machine before applying it to a live server.)
Create the bash script file
vi /root/firewall.sh
Paste the contents given below into the file /root/firewall.sh. Save and close the file after this.
#!/bin/bash
#
#
#
# Ethernet device name connected to LAN
ETHERNET_LAN="eth2"
# Ethernet device name connected to Internet
ETHERNET_INTERNET="eth0"
# Squid Server IP Address
SQUID_SERVER_IP="172.16.15.1"
# Squid port number
SQUID_PORT="3128"
### Multiple Port Number - TCP based
MULTI_PORT="22,20,21"

#### Flush iptables
iptables -F
##### Delete user-defined chains
iptables -X
### -t defines table ###
#### Flush NAT Rules/user-defined NAT chains
iptables -t nat -F
iptables -t nat -X
#### Flush Mangle Rules/user-defined mangle chains (mangle - used for specific types of packet alteration)
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp

##### Enable IP forwarding for IPV4 ####
echo 1 > /proc/sys/net/ipv4/ip_forward

## Default policies: drop unmatched inbound traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

## INPUT/OUTPUT rules for loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Accept replies to connections the server itself opened towards the Internet
iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

## Masquerade LAN traffic leaving on the Internet interface, and forward packets coming from the LAN
iptables --table nat --append POSTROUTING --out-interface $ETHERNET_INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $ETHERNET_LAN -j ACCEPT

## Accept all traffic arriving from and leaving towards the LAN interface
iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT

## Transparent proxy: send web traffic (TCP port 80) to Squid
iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT
iptables -t nat -A PREROUTING -i $ETHERNET_INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

###### IPTABLE Allow rule for tcp based multiple ports
#### To disable - Use # in front of the line given below
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT

## Log and then drop whatever was not accepted above
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Step 10: Give execute permission on /root/firewall.sh to the owner (root) only
chmod 700 /root/firewall.sh
Step 11: Execute the firewall.sh script
sh /root/firewall.sh
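After running the script, a practitioner wants proof that the ruleset actually loaded the way Steps 9 to 11 intend: the LAN-facing DNAT to Squid exists and the INPUT chain defaults to DROP. The following is an added example, not part of the original post, that audits an iptables-save dump for exactly those two properties. The dump it uses is a constructed sample of what iptables-save prints after the firewall.sh above has run (with the DNAT target rendered as --to-destination and REDIRECT as --to-ports, which is how iptables-save writes them); the function names are my own. On a real host, replace the sample with `iptables-save > /tmp/rules.txt` and point the functions at that file.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump
# for the transparent-proxy redirect and the default INPUT policy.

has_lan_redirect() {
    # $1 dump file, $2 LAN interface, $3 Squid IP, $4 Squid port.
    # Succeeds when a nat PREROUTING rule matches "-i $2", "--dport 80",
    # "-j DNAT" and "--to-destination $3:$4" all on the same rule line.
    awk -v ifc="$2" -v dst="$3:$4" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            has_if = has_port = has_dnat = has_dst = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i+1) == ifc) has_if = 1
                if ($i == "--dport" && $(i+1) == "80") has_port = 1
                if ($i == "-j" && $(i+1) == "DNAT") has_dnat = 1
                if ($i == "--to-destination" && $(i+1) == dst) has_dst = 1
            }
            if (has_if && has_port && has_dnat && has_dst) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

input_policy() {
    # $1 dump file; prints the default policy of the filter INPUT chain
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":INPUT" { print $2 }
    ' "$1"
}

sample_dump() {
    # Constructed sample (not captured from a real host) of iptables-save
    # output after firewall.sh with eth2 = LAN, eth0 = Internet.
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.15.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,20,21 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i eth2 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo on the constructed dump
dump=$(mktemp)
sample_dump > "$dump"
if has_lan_redirect "$dump" eth2 172.16.15.1 3128; then
    echo "LAN port-80 traffic is redirected to Squid"
else
    echo "no DNAT to Squid found for the LAN interface"
fi
echo "filter INPUT policy: $(input_policy "$dump")"
rm -f "$dump"
```

Note what the audit does not say: the script's `-A INPUT -i $ETHERNET_LAN -j ACCEPT` admits every port on the server from the LAN side, so a DROP policy on INPUT protects the Internet side only; tighten that rule to the ports LAN hosts actually need once the redirect is confirmed working.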
Client Side Configuration
Step 12: On the client side, you do not have to configure the web browser.
The only requirement is that the client's IP subnet must be allowed in the Squid proxy server (the acl localnet src line in squid.conf).
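Whether a given client will be admitted comes down to whether its address falls inside an acl localnet src network, which is worth checking before assuming the redirect is broken. The following is an added example, not part of the original post, that reads the IPv4 CIDR entries of the localnet ACL from a squid.conf and tests a client address against them. The sample configuration and the function names are my own; netmask-style entries such as 172.16.0.0/255.255.0.0 and IPv6 entries are skipped by this check.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a client IPv4
# address is covered by any "acl localnet src a.b.c.d/n" line.

in_localnet() {
    # $1 squid.conf path, $2 client IPv4 address; exit 0 when covered
    awk -v ip="$2" '
        function toint(a,   o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        /^[[:space:]]*acl[[:space:]]+localnet[[:space:]]+src[[:space:]]/ &&
        $4 ~ /^[0-9.]+\/[0-9]+$/ {
            split($4, p, "/")
            size = 2 ^ (32 - (p[2] + 0))            # addresses in the block
            base = toint(p[1]) - (toint(p[1]) % size) # network address
            x = toint(ip)
            if (x >= base && x < base + size) hit = 1
        }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

write_sample_config() {
    # Constructed sample matching the post: only 172.16.0.0/16 is local
    f=$(mktemp)
    cat > "$f" <<'EOF'
acl localnet src 172.16.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
http_access allow localnet
http_access deny all
http_port 3128 accel vhost allow-direct
EOF
    echo "$f"
}

# Stand-alone demo; on a real host use /etc/squid/squid.conf and the
# address of the client that reports "Access denied".
cfg=$(write_sample_config)
for client in 172.16.15.1 172.16.255.254 192.168.1.5; do
    if in_localnet "$cfg" "$client"; then
        echo "$client: allowed by localnet"
    else
        echo "$client: not in localnet, Squid will deny it"
    fi
done
rm -f "$cfg"
```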
Hello Sir, can you advise how can we configure Squid video caching and what will be the extra requirements based on your setup above?
Thank you.
Hello Ravi,
This is a good task. Which particular video website do you want to cache?
Regards
Sharad
Sir
First of all Happy new Year 2016. ☺
I am talking about Squid video caching for YouTube, Dailymotion and other video sites.
Please advise accordingly.
Hello Ravi,
Happy New Year to you also. A complete single YouTube video may give issues because YouTube has done multiple framing with videos.
I have not checked with DailyMotion yet.
Currently I have no Squid setup but I will try if I can provide you the good tutorial.
Regards
Sharad
I have read about example.com; they do an example.com CacheBox which runs Squid as a service and does various content and video caching like YouTube, Dailymotion etc.
The URL which you have given is redirecting to some malicious site. I have edited the domain name.
Regards
Sharad
Sorry for the typing mistake, as I am using a mobile. Search on Google for CacheBox. Can't paste the full URL here.
Hi Sharad,
Please share with me the steps for the “squid” proxy with TLS settings.
Excellent how-to. Thanks very much for sharing your knowledge.
Delighted ! Appreciate John for commenting and sharing your feedback.
Regards
Sharad
Hello Sharad,
I am very new to squid. Right now I am trying to configure squid as a proxy to an Apache HTTP web server
on a Windows 7 machine. Could you please help me out here with how to configure squid as a proxy?
In Apache some images are placed in the htdocs folder and I need to access them through squid.
Apache is running on port:80
Squid is running on port:3218
When I try to access http://localhost:80/images/51.jpg it is working fine and getting it from Apache only.
When I try to access http://localhost:3128/images/51.jpg it is not working and gives an error message like this: Access denied.
And I will mail my squid config file to admin@sharadchhetri.com
Could you please help me figure it out?
Squid version is 3.5.6
Thanks
MastanRao.
Hi Sharad,
Thanks for the post, it works for me and helped me; I was looking for “vhost allow-direct”.
I am running an ISP with an AAA server installed in the network. I have placed Squid in transparent mode, and Squid is installed parallel to the core router. Could you please suggest whether the deployment is correct or wrong, and if any change in the network setup is needed then suggestions are welcome.
Awaiting your revert.
Regards
Nitish Patni
Welcome Nitish,
Can you share your network diagram, only the portion with squid + router? I will review it and let you know.
You can email me at admin@sharadchhetri.com
Regards
Sharad
Thanks for your reply.
I face another problem on the LAN interface. How can I connect my local network through the LAN?
Does it need DHCP, or do I need to configure the proxy server's LAN interface? I didn't configure the server's LAN interface.
For example,
I use localnet 172.16.0.0/16; I configured a client machine with an IP in this series but there is no internet.
A DHCP server is good to place in the network because it assigns IP addresses to all nodes/hosts dynamically.
Alternatively, you can also set a static IP address on the system.
Regards
Sharad
I found an error on this command in firewall.sh .. why?
[root@admin ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[1] 3492
1
-bash: gt: command not found
[1]+ Done echo 1
-bash: /proc/sys/net/ipv4/ip_forward: Permission denied
Hello Deba,
sh -x firewall.sh
This command will help you to debug. I hope you have given executable permission to the script.
Regards
Sharad
I am having the same problem as above, could you help me please?
I am having the same problem, help.
Hi Sharad,
Is there any way to block https sites like facebook.com through squid or iptables? Before that I tried to block it through iptables with this command “-A FORWARD ! -s 10.4.0.0/255.255.252.0 -m string --string “facebook.com” --algo bm --to 65535 -j DROP”. It's working, but the issue is that it blocks some other sites as well, like dubai.dubizzle.com.
Need urgent help.
Waiting for response.
Regards
Muzamil
Hi,
Is it possible to block https URLs on a transparent proxy? I don't know how to configure it. I already tried redirecting port 443 to another port in the firewall to block it, but it doesn't work. Do you know any way to do it?
Thank You Very Much.
Thanks Sharad
Saved my day
Welcome Manoj,
Regards
Sharad