Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail
Install Squid
[[email protected] ~]#

yum -y install squid

 

This is general forward proxy settings.
[[email protected] ~]#

vi /etc/squid/squid.conf

acl CONNECT method CONNECT

# line 26: add ( define new ACL )
acl lan src 10.0.0.0/24

http_access allow localhost

# line 54: add ( allow defined ACL above )
http_access allow lan
#change default port from 8080 to 8080 ( just follow conversion)
http_port 8080
# add follows to the end

request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

# do not display IP address
forwarded_for off
[[email protected] ~]#

systemctl start squid
[[email protected] ~]#

systemctl enable squid

 

If Firewalld is running, allow Proxy service.
[[email protected] ~]#

firewall-cmd –add-service=squid –permanent

success

firewall-cmd –add-port=8080 –permanent

success

[[email protected] ~]#

firewall-cmd –reload

success

 

Blocking URL

In this scenario, we block some known bad URL, then allow all others, this is not the desired way only if you have a good end point protection software:

  • open this file /etc/squid/squid.conf
  • add these lines:
    acl bad_url dstdomain "/etc/squid/bad-sites.acl"
    http_access deny bad_url
    
  • then create and  go to /etc/squid/bad-sites.acl and add domains with this format
    .msn.com
    .app.facebook.com
Allowing URL (IP)

In this scenario, we allow some good URL, then blocking all others, this is a safer way, but may need more administrative efforts.

  • add following lines:
#IPs to bypass the trip
acl BYPASS_IP dst "C:\ClientSiteProxy\etc\IP_address_bypass.txt"
#TAG: always_direct
http_access allow BYPASS_IP
always_direct allow BYPASS_IP
#URLS to bypass the trip
acl BYPASS_DOMAIN dstdomain "C:\ClientSiteProxy\etc\hostname_bypass.txt"
#TAG: Bypass NTLM & Trip
http_access allow BYPASS_DOMAIN
always_direct allow BYPASS_DOMAIN
http_access deny all
  •  Create C:\ClientSiteProxy\etc\IP_address_bypass.txt and add the IP addresses; one each line, create C:\ClientSiteProxy\etc\hostname_bypass.txt and add the URLs, one each line.
  •  Restart the squid service
Authentication

The following configuration allows for authenticated access to the Squid proxy service using usernames and passwords.

  1. You will need the htpasswd utility. If you’ve installed Apache on your Linode, you will already have it. Otherwise run:
    1
    sudo yum install httpd-tools
    
  2. Create a file to store Squid users and passwords, and change ownership:
    1
    2
    sudo touch /etc/squid/squid_passwd
    sudo chown squid /etc/squid/squid_passwd
    
  3. Create a username password pair:
    1
    sudo htpasswd /etc/squid/squid_passwd user1
    

    Replace user1 with a username. You will be prompted to create a password for this user:

    1
    2
    3
    New password:
    Re-type new password:
    Adding password for user user1
    

    You can repeat this step at any time to create new users.

  4. Edit the Squid configuration file and add the following lines:
    /etc/squid/squid.conf
    1
    2
    3
    auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd
    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users
    
  5. Once you’ve saved and exited the file, restart Squid:
    1
    sudo service squid restart
    
  6. At this point, you can configure your local browser or operating system’s network settings to use your Linode as an HTTP proxy. You will need to specify that the server requires authentication, and provide the username and password. How to do this will depend on your choice of OS and browser. Once you’ve made the settings change, test the connection by pointing your browser at a website that tells you your IP address, such as ifconfig, What is my IP, or by Googling What is my ip.
  7. To remove a user’s access to the proxy, you must delete their entry in the squid_passwd file. Each user is represented in the file on a single line in the format of user:passwordhash :
    /etc/squid/squid_passwd
    1
    user1:gh48gfno user2:9b83v5hd
    

    If you are using Nano, the command Control+k will remove the entire line where the cursor rests. Once you’ve saved and exited the file, restart Squid:

    1
    sudo service squid restart
    
Authentication with AD

https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Configure client

Assume that the proxy server’s IP address is 192.168.90.29

Linux(centOS):

on CentOS Client.
vi /etc/profile
# add follows to the end (set proxy settings to the environment variables)
MY_PROXY_URL=”http://192.168.90.29:8080/”
HTTP_PROXY=$MY_PROXY_URL
HTTPS_PROXY=$MY_PROXY_URL
FTP_PROXY=$MY_PROXY_URL
http_proxy=$MY_PROXY_URL
https_proxy=$MY_PROXY_URL
ftp_proxy=$MY_PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy
# Set proxy settings for each application like follows
# for yum

 

vi /etc/yum.conf
# add to the end

proxy=http://192.168.90.29:8080/

# for wget

 

vi /etc/wgetrc
# add to the end

http_proxy = http://192.168.90.29:8080/
https_proxy = http://192.168.90.29:8080/
ftp_proxy = http://192.168.90.29:8080/

 

Windows

Control panel > internet Options > Connections > LAN > proxy

enter 192.168.90.29 Port: 8080

Deploy setting via GPO:

Network connection setting

PAC file

Create a PAC file by text editor:

function FindProxyForURL(url, host) {
return "PROXY ip.of.proxy.server:8080; DIRECT";
}

Note in the internet Properties > connection >LAN setting > Use automatic configuration script: http://ip.to.the.IIS/proxy.pac

Http:// is mandatory.

Reference: http://findproxyforurl.com/deploying-pac/

Logs

/var/log/squid/ log file directory

The logs are a valuable source of information about Squid workloads and performance. The logs record not only access information, but also system configuration errors and resource consumption (eg, memory, disk space). There are several log file maintained by Squid. Some have to be explicitely activated during compile time, others can safely be deactivated during.

/var/log/squid/access.log (or .gz) : Most log file analysis program are based on the entries in access.log. You can use this file to find out who is using squid server and what they are doing etc
/var/log/squid/cache.log : The cache.log file contains the debug and error messages that Squid generates. If you start your Squid using the default RunCache script, or start it with the -s command line option, a copy of certain messages will go into your syslog facilities. It is a matter of personal preferences to use a separate file for the squid log data.
/var/log/squid/store.log : The store.log file covers the objects currently kept on disk or removed ones. As a kind of transaction log it is ususally used for debugging purposes. A definitive statement, whether an object resides on your disks is only possible after analysing the complete log file. The release (deletion) of an object may be logged at a later time than the swap out (save to disk).

Extract the gz file: Use command sudo gunzip -d access.log-20170827.gz to extract the log file.

Change the time format: the timestamp in the access file is unix format, use command perl -pe 's/\d+/localtime($&)/e' access.log > new_access.log to create a new file with human readable log.