Squid Proxy Server Installation RHEL7
squid proxy server is used to filter web traffic and reducing and fine tuning internet bandwidth.
Squid was originally developed as the Harvest object cache, part of the Harvest project at the University of Colorado Boulder. Further work on the program was completed at the University of California, San Diego and funded via two grants from the National Science Foundation. Duane Wessels forked the “last pre-commercial version of Harvest” and renamed it to Squid to avoid confusion with the commercial fork called Cached 2.0, which became NetCache. Squid version 1.0.0 was released in July 1996.
Squid is now developed almost exclusively through volunteer efforts.
Squid Proxy Server
- Packages : squid*
- Service Name: squid
- Default port : 3128
- Config File : /etc/squid/squid.conf
- Log file Path: /var/log/squid
- Environment : RHEL 7, Centos 7 and RHEL 6
Installation Required packages
# yum install squid*
Enable and start the Service
# systemctl enable squid # systemctl start squid
Allow firewall port of squid
[root@server ~]# firewall-cmd --permanent --add-port=3128/tcp success [root@server ~]# firewall-cmd --reload success
Default port of squid proxy is 3128 that’s why we have to allow port 3128.
Access Control List
Open the configuration file and write the ACL as per requirement in ACL we can do so many things
- Restricting un-wanted (BAD) URL’s
- Restrict access to internet based on time period
- Control Downloads
- Restrict file type downloads
- Allow Networks to enable Internet access
- Download speed control
[root@server ~]# vim /etc/squid/squid.conf
To allow Network we have to write below ACL lines
acl localnet src 192.168.4.0/24 http_access allow localnet
To allow ports using ACL
acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http http_access deny !Safe_ports
Block bad sites
acl badsites url_regex "/etc/squid/badsites" http_access deny badsites
write the bad sites in the file
# cat /etc/squid/badsites .facebook.com .twitter.com .youtube.com .linkedin .msn.com .myspace.com .flickr.com .google
Block File downloads
acl blockfiles urlpath_regex "/etc/squid/blockfiles.acl" http_access deny blockfiles
Block file type downloads, below is the example file to deny mp3, mp4, flv avi, 3gp, mpg and mpeg.
# cat /etc/squid/blockfiles.acl \.torrent$ \.mp3.*$ \.mp4.*$ \.3gp.*$ \.[Aa][Vv][Ii]$ \.[Mm][Pp][Gg]$ \.[Mm][Pp][Ee][Gg]$ \.[Mm][Pp]3$ \.[Ff][Ll][Vv].*$
Time based access, which deny internet access from morning 10 Hours to 19 Hours
acl work_hours time 10:00-19:00 http_access deny work_hours
restricting download speed ACL
acl speedcontrol src 192.168.4.0/24 delay_pools 1 delay_class 1 2 delay_parameters 1 524288/524288 52428/52428 delay_access 1 allow speedcontrol
Go to Client Side
Change the proxy address in your browser then try to access the website
IE Settings > Internet options > Connections > Lan Settings >
provide IP address and port number
Now see the logs watch the squid logs
/var/log/squid/ log file directory
The logs are a valuable source of information about Squid workloads and performance. The logs record not only access information, but also system configuration errors and resource consumption (eg, memory, disk space). There are several log file maintained by Squid. Some have to be explicitly activated during compile time, others can safely be deactivated during.
- /var/log/squid/access.log : Most log file analysis program are based on the entries in access.log. You can use this file to find out who is using squid server and what they are doing etc
- /var/log/squid/cache.log : The cache.log file contains the debug and error messages that Squid generates. If you start your Squid using the default RunCache script, or start it with the -s command line option, a copy of certain messages will go into your syslog facilities. It is a matter of personal preferences to use a separate file for the squid log data.
- /var/log/squid/store.log : The store.log file covers the objects currently kept on disk or removed ones. As a kind of transaction log it is ususally used for debugging purposes. A definitive statement, whether an object resides on your disks is only possible after analysing the complete log file. The release (deletion) of an object may be logged at a later time than the swap out (save to disk).
HOW DO I VIEW SQUID LOG FILES / LOGS?
You can use standard UNIX / Linux command such as grep / tail to view log files. You must login as root or sudo command to view log files.
Display log files in real time
Use tail command as follows:
~]# tail -f /var/log/squid/access.log OR ~]$ sudo tail -f /var/log/squid/access.log
Search log files
Use grep command as follows:
~]#grep 'string-to-search' /var/log/squid/access.log
That’s about squid proxy server installation and configuration
Related Articles
- Installation and configuration of FTP server in RHEL7
- Collect system information using shell script in second
- Time server installation and configuration
- Audit Linux Machine Extremely helpfull
- Network File system shares configuration NFS
- Maria DB installation alternate to MySQL
- Firewalld Installation and Configuration RHEL7
- Analyse server performance RHEL7
Search Strings
squid proxy server installation and configuration
squid proxy in rhel7
restricted internet access using proxy
control internet download speed
URL Filtering using Linux proxy server
Thanks for your wonderful Support and Encouragement
this topic is too good. if you write examples so it will be beneficial for us. thankyou
so usefull
yes this very much helpfull
I have problems in the configuration file ” /etc/squid/squid.conf ” when the line commented checklist
” Acl badsites url_regix ” / etc / squid / badsites ”
” Http_access deny badsites ” and create the path and add the addresses , and also add my network , I need help please when I restart the service will not start
I think you have denied your own network form accessing, remove your own network/subnet from config file then restart. Please post your error message from logs.
/var/log/messages
Jul 18 21:19:48 defqon squid: Bungled /etc/squid/squid.conf line 27: acl badsite s url_regix “/etc/squid/badsite”
Jul 18 21:19:48 defqon squid: 2016/07/18 21:19:48| WARNING: (B) ‘192.168.0.0/16’ is a subnetwork of (A) ‘192.168.0.0/24’
Jul 18 21:19:48 defqon squid: 2016/07/18 21:19:48| WARNING: because of this ‘192 .168.0.0/24’ is ignored to keep splay tree searching predictable
Jul 18 21:19:48 defqon squid: 2016/07/18 21:19:48| WARNING: You should probably remove ‘192.168.0.0/16’ from the ACL named ‘localnet’
Jul 18 21:19:48 defqon squid: 2016/07/18 21:19:48| FATAL: Invalid ACL type ‘url_ regix’
Jul 18 21:19:48 defqon squid: FATAL: Bungled /etc/squid/squid.conf line 27: acl badsites url_regix “/etc/squid/badsite”
Jul 18 21:19:48 defqon squid: Squid Cache (Version 3.3.8): Terminated abnormally .
Jul 18 21:19:48 defqon squid: CPU Usage: 0.009 seconds = 0.005 user + 0.003 sys
Jul 18 21:19:48 defqon squid: Maximum Resident Size: 24848 KB
Jul 18 21:19:48 defqon squid: Page faults with physical i/o: 0
Jul 18 21:19:48 defqon systemd: squid.service: control process exited, code=exit ed status=1
Jul 18 21:19:48 defqon systemd: Failed to start Squid caching proxy.
Jul 18 21:19:48 defqon systemd: Unit squid.service entered failed state.
Log itself is saying remove “”” WARNING: You should probably remove ‘192.168.0.0/16’ from the ACL named ‘localnet’ “””
please remove that rule from config and try
Look this is the new error , I mentioned the lines of the error and start the service
Jul 19 20:47:00 defqon squid: Bungled /etc/squid/squid.conf line 27: acl badsites url_regix “/etc/squid/badsite”
Jul 19 20:48:24 defqon squid: Bungled /etc/squid/squid.conf line 40: http_access deny badsites
By creating a file on the path “/ etc / squid / badsite ” is where the error occurs : /
hi can you please write a brief note on transparent proxy integrated with webmin and squid server
is there any way i can create new port and block some sites on that port? if possible please tell me how to set only one site for a port(i mean if i created a port for ex:5678 and give access to facebook.com only and deny for all other sites? means he/she only get facebook.com )
Yes That is possible, instead of 8080 or 3128 you can set whatever the port number you want. Port number should be Greater than 1000. Than write an rule saying that deny all URL except particular site.
ok thanks also is it possible to create multiple ports? because i need to block sites for specific employee?for example if marketing dept need facebook.com and accounts dept dont eventually i need to create mutilple ports right? so is this possible in squid? please reply….
@jithin, No need of creating multiple ports, we can restrict sites using proxy based on users and IP addresses. Example if finance dept IP series 192.168.2.x then restrict entire IP series by writing rule in proxy, If your marketing dept IP series 192.168.3.x then allow internet to that series. Or else create user authentication based on users we can restrict.
ok i will try that if i have any doubt can i reply here?
@jithin, Always your wel come until your comfortable.
ok i can do that but just curious to know is it possible to create multiple ports and block sites for these ports?
@Jithin, As per my knowledge one service will not listen to multiple ports.!!
But we can do port masking to redirect traffic from one port to other port
ok thanks for information bhai
Nice article, very useful
Mr. Ravi,
This is Suman Sen from Bangladesh. The post is very good. But I am facing different problem. Please help me.
My problem is like
I have two different network, net1 and net2
net1 can access facebook and youtube 13:00-14:00 and 15:00-16:00
net2 can access facebook and youtube 12:00- 13:00 and 15:00-16:00
what will be the solution, Please help
Write the rule with specified time and Network Range..!!
two small spelling error in the # vim /etc/squid/squid.conf urlpath_regix & url_regix – > here is a spelling mistake -> write as a urlpath_regex and url_regex
Thanks for valuable feedback corrected.!
Hi Ravi…
Great tutorial and easy to implement.
But how can we authenticate users from LDAP using SSL(port 636).
Is there any plugin or script for that.
hi guyz please help me
how to block access proxy by passing application but i tried with sonicwall nsa it is not success full
Very useful!