Install and configure Squid proxy on CentOS 8

In this guide, we will learn how to install and configure Squid proxy on CentOS 8.

Squid is a full-featured web proxy caching server that provides proxy and caching services for HTTP, FTP, SSL requests and DNS lookups. It also performs transparent caching: frequently requested web pages are cached and reused, which reduces bandwidth use and response time.

Run system update

First, make sure your system packages are up-to-date.

sudo dnf update

Install Squid on CentOS 8

Squid is available in the default CentOS 8 AppStream repository and can be installed by running the following command.

sudo dnf install squid
=======================================================================================================================================================
 Package                             Arch                     Version                                                Repository                   Size
=======================================================================================================================================================
Installing:
 squid                               x86_64                   7:4.4-5.module_el8.0.0+182+b6dc903f                    AppStream                   3.6 M
Installing dependencies:
 libecap                             x86_64                   1.0.1-2.module_el8.0.0+182+b6dc903f                    AppStream                    29 k
 perl-DBI                            x86_64                   1.641-2.module_el8.0.0+66+fe1eca09                     AppStream                   740 k
 perl-Digest-SHA                     x86_64                   1:6.02-1.el8                                           AppStream                    66 k
 perl-Math-BigInt                    noarch                   1:1.9998.11-5.el8                                      BaseOS                      195 k
 perl-Math-Complex                   noarch                   1.59-416.el8                                           BaseOS                      108 k
Enabling module streams:
 perl-DBI                                                     1.641                                                                                   
 squid                                                        4                                                                                       

Transaction Summary
=======================================================================================================================================================
Install  6 Packages

Total download size: 4.7 M
Installed size: 16 M
Is this ok [y/N]: y

Running Squid on CentOS 8

After installation is complete, start and enable Squid to run at system startup.

sudo systemctl enable --now squid

Configure Squid proxy on CentOS 8

Squid is now installed and running. Next, configure it to fit your environment.

The default configuration file, /etc/squid/squid.conf, ships with the recommended minimum settings.

With the comments removed, the default configuration file looks like this:

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Before you start customizing your Squid configuration to suit your needs, create a configuration file backup.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

Configure squid access policy

Create an access control list to define the local network that should use Squid as a proxy. Each ACL consists of a name, a type and a value, and is defined with the acl directive.

For example, to let hosts in the network 192.168.100.0/24 use Squid as a proxy server, you can define an ACL like this:

acl mylocalnet src 192.168.100.0/24

Replace the network accordingly.

This defines an ACL named mylocalnet that matches hosts on the specified network.

After defining the ACL, add lines that reference it to allow or deny access to the cache. For example, http_access allows or denies web browsers access to the web cache:

http_access allow mylocalnet

Squid reads the configuration from top to bottom, so the order of configuration options matters. The lines above can be added to the configuration file ahead of the default rules:

#
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24
http_access allow mylocalnet

# Recommended minimum configuration:
#
 
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
...

Block specific websites

Squid proxy can be used to restrict access to specific websites. For example, to block access to YouTube, Facebook and Netflix, create a file that lists the domains of these websites as shown below:

vim /etc/squid/restricted-sites.squid
.youtube.com
.facebook.com
.netflix.com

After that, create an ACL for the restricted sites in the Squid configuration file and add an http_access rule that denies the ACL. Because rules are evaluated top to bottom, the deny rule goes before the rule that allows your local network:

#
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"

http_access deny blockedsites
http_access allow mylocalnet
...

You can also list the domains directly in the ACL statement:

acl blockedsites dstdomain youtube.com facebook.com netflix.com

Block websites based on specific keywords

You can also restrict access to websites by matching keywords in the requested URL. Create a file with the keywords as shown below:

vim /etc/squid/banned-keywords.squid
porn
ads
movie
gamble

Then make the necessary changes to the Squid configuration file:

#
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"

http_access deny blockedsites
http_access deny keyword-ban
http_access allow mylocalnet
...

Comment out the other network ACLs:

...
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
## should be allowed
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7              # RFC 4193 local private network range
#acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines
...

Also comment out the http_access rule for localnet:

#http_access allow localnet
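To see why the order of the deny and allow lines matters, here is an added example (not from the tutorial and not Squid's own code) that evaluates requests against the tutorial's ACLs the way Squid walks its http_access list, first match wins. The ACL table and rule order are assumed to mirror the custom section above, with the default localnet rules commented out.

```python
import ipaddress
import re

# Constructed ACLs mirroring the tutorial's custom section: name -> (type, values).
# The dstdomain/url_regex lists are the restricted-sites and banned-keywords files.
ACLS = {
    "mylocalnet": ("src", ["192.168.100.0/24"]),
    "blockedsites": ("dstdomain", [".youtube.com", ".facebook.com", ".netflix.com"]),
    "keyword-ban": ("url_regex", ["porn", "ads", "movie", "gamble"]),
}

# Ordered http_access rules. Squid evaluates them top to bottom and the
# first rule whose ACLs all match decides; "all" is Squid's built-in ACL.
RULES = [
    ("deny", ["blockedsites"]),
    ("deny", ["keyword-ban"]),
    ("allow", ["mylocalnet"]),
    ("deny", ["all"]),
]

def url_host(url):
    # Host part of a URL, or of a CONNECT host:port target.
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()

def domain_matches(host, pattern):
    # A leading dot matches the domain and every subdomain; a bare name (as in
    # "acl blockedsites dstdomain youtube.com") matches that exact host only.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(name, client_ip, url, acls):
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(domain_matches(url_host(url), v) for v in values)
    if kind == "url_regex":
        # Matched against the whole URL: "ads" also hits http://downloads.example.com/
        return any(re.search(v, url) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(client_ip, url, rules=RULES, acls=ACLS):
    for verdict, names in rules:
        # A "!" prefix negates an ACL, as in "http_access deny !Safe_ports".
        if all(acl_matches(n.lstrip("!"), client_ip, url, acls) != n.startswith("!") for n in names):
            return verdict
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Swapping the allow and deny lines lets the local network reach the blocked sites, and a bare domain in the dstdomain ACL leaves www.youtube.com reachable.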

Anonymize outbound traffic

When clients use the proxy so that the web servers they visit see the proxy's IP address instead of their own, Squid by default still discloses the client address in outgoing HTTP requests (through the Via and X-Forwarded-For headers). You can disable this by adding the following directives at the end of the Squid configuration file.

...
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Anonymize Traffic
via off
forwarded_for off

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

Change squid default port

Squid listens on TCP port 3128 by default. To change this, open /etc/squid/squid.conf and replace the http_port value with your desired port number.

For example, as long as no other application is listening on that port, you can change the default port to 8888:

...
# Squid normally listens to port 3128
# http_port 3128                 << Comment the line by adding #
http_port 8888
...

You can also make it listen on a specific IP address (replace the IP address accordingly):

http_port 192.168.100.50:8888

Restart squid

After completing the configuration, save the file, check it for syntax errors with squid -k parse, and restart Squid.

systemctl restart squid

Check that Squid is listening on the new port:

ss -altnp | grep 8888
LISTEN   0         128           192.168.100.50:8888            0.0.0.0:*        users:(("squid",pid=4321,fd=15))

Allow squid ports on the firewall

If the firewall is enabled, allow the Squid port. If you changed the default port, replace it accordingly.

firewall-cmd --add-port=3128/tcp --permanent
firewall-cmd --reload

Configuring a proxy client to connect to a proxy server

To configure clients to connect to the Squid proxy server, you can set up a system-wide proxy configuration, configure the client to use Squid proxy as a gateway, or set proxy settings on the browser.

System-wide proxy configuration

To set up a system-wide proxy configuration, create a file under /etc/profile.d that exports environment variables pointing to the Squid proxy server, as shown below:

vim /etc/profile.d/squid.sh

Replace the IP address of the Squid server accordingly.

# Use the port Squid listens on (3128 by default, 8888 if you changed it above)
PROXY_URL="http://192.168.100.50:3128"
HTTP_PROXY=$PROXY_URL
HTTPS_PROXY=$PROXY_URL
FTP_PROXY=$PROXY_URL
http_proxy=$PROXY_URL
https_proxy=$PROXY_URL
ftp_proxy=$PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy

After that, source the new configuration file so it takes effect in the current shell.

source /etc/profile.d/squid.sh

To test this, try downloading something from the client while tailing the access log on the Squid proxy server.

Run on the client terminal:

wget google.com
--2019-11-21 20:26:04--  http://google.com/
Connecting to 192.168.100.50:8888... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2019-11-21 20:26:04--  http://www.google.com/
Reusing existing connection to 192.168.100.50:8888.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.4’

index.html.4                              [                                                                      ]  12.16K  --.-KB/s    in 0.01s   

2019-11-21 20:26:04 (914 KB/s) - ‘index.html.4’ saved [12449]

On the Squid proxy server:

tail -f /var/log/squid/access.log 
1574357161.958    294 192.168.100.51 TCP_MISS/301 664 GET http://google.com/ - HIER_DIRECT/216.58.223.110 text/html
1574357162.217    255 192.168.100.51 TCP_MISS/200 13350 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
...

Try to access a blocked site:

wget youtube.com
--2019-11-21 20:27:24--  http://youtube.com/
Connecting to 192.168.100.50:8888... connected.
Proxy request sent, awaiting response... 403 Forbidden
2019-11-21 20:27:24 ERROR 403: Forbidden.
tail -f /var/log/squid/access.log
1574357241.664      0 192.168.100.51 TCP_DENIED/403 3994 GET http://youtube.com/ - HIER_NONE/- text/html
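As an added example (not part of the tutorial), the following parser reads lines in the default Squid access.log format shown above and summarizes TCP_DENIED requests per client, which is the first thing to review when checking whether the blocking policy is doing what you expect. The sample lines are constructed from the format above (the page's three lines plus two more).

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Squid's default "squid" log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1574357161.958    294 192.168.100.51 TCP_MISS/301 664 GET http://google.com/ - HIER_DIRECT/216.58.223.110 text/html
1574357162.217    255 192.168.100.51 TCP_MISS/200 13350 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
1574357241.664      0 192.168.100.51 TCP_DENIED/403 3994 GET http://youtube.com/ - HIER_NONE/- text/html
1574357250.101      0 192.168.100.52 TCP_DENIED/403 3994 GET http://www.facebook.com/ - HIER_NONE/- text/html
1574357255.330      0 192.168.100.52 TCP_DENIED/403 3994 CONNECT www.netflix.com:443 - HIER_NONE/- -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The first field is a UNIX epoch with milliseconds; make it human-readable.
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc).isoformat()
    return rec

def denied_summary(log_text):
    """Count TCP_DENIED hits per client and collect the hosts each one tried."""
    per_client = Counter()
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED":
            continue
        per_client[rec["client"]] += 1
        # CONNECT requests log host:port instead of a URL; strip scheme and port.
        host = re.sub(r"^[a-z]+://", "", rec["url"]).split("/")[0].split(":")[0]
        hosts.setdefault(rec["client"], set()).add(host)
    return per_client, hosts
```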

You can also set the Squid server as the default gateway.

On Firefox, configure it to connect to external networks through the Squid server under Preferences > General > Network Settings > Manual Proxy Configuration, and check Use this proxy server for all protocols.

This marks the end of this tutorial on how to install and configure Squid proxy on CentOS 8.

Read more

Read more on the Squid Wiki.