What is Squid Server?
SQUID is a proxy server that is also used for web filtering. It is widely used for increasing web server speed by caching repeated data.
This article will help you install and configure the SQUID proxy server on CentOS/RHEL Linux systems.
Squid Proxy Server quick key points
- Packages – squid*.rpm
- Port Numbers – 3128 (default)
- Configuration File – /etc/squid/squid.conf
- Service / Daemon – squid
1. Install Squid
Squid can be easily installed using the yum command-line tool.
# yum install squid
Check the previous tutorial for yum installation.
2. Setup Port and Start Service
By default, Squid runs on port 3128. To start Squid on a different port, edit the Squid configuration file and change the http_port value. For example, here we change Squid to run on port 8080.
# vim /etc/squid/squid.conf
http_port 8080
Start/Restart Squid service.
# service squid restart
3. Configure SQUID to Block Specific Website
Add the rules below, before any allow-all rules, to block specific websites. The example below blocks yahoo.com and www.rediff.com.
acl blocksite1 dstdomain yahoo.com
acl blocksite2 dstdomain www.rediff.com
http_access deny blocksite1
http_access deny blocksite2
If you have a long list of domain names, create a file /etc/squid/blockwebsites.lst, put the domain names in it one per line, and add the rule below to the Squid configuration file.
acl blocksitelist dstdomain "/etc/squid/blockwebsites.lst"
http_access deny blocksitelist
blockwebsites.lst file content example:
# cat /etc/squid/blockwebsites.lst
yahoo.com
www.rediff.com
4. Configure Squid to Block Specific Keyword
Add the rules below, before any allow-all rules, to block URLs containing specific keywords. The example below blocks all pages having the keyword yahoo or gmail.
acl blockkeyword1 url_regex yahoo
acl blockkeyword2 url_regex gmail
http_access deny blockkeyword1
http_access deny blockkeyword2
If you have a long list of keywords, create a file /etc/squid/blockkeywords.lst, put the keywords in it one per line, and add the rule below to the Squid configuration file.
acl blockkeywordlist url_regex "/etc/squid/blockkeywords.lst"
http_access deny blockkeywordlist
blockkeywords.lst file content example:
# cat /etc/squid/blockkeywords.lst
yahoo
gmail
facebook
Congratulations, you have successfully installed and configured the Squid proxy server.
Setting Maximum Download Size
Squid can be used to control the maximum downloadable file size. We want to restrict maximum download size to 50 MB for hosts 10.10.10.200 and 10.10.10.201. We have already created the ACL 'custom-denied-list' previously to isolate the traffic from these sources. Now we will use the same access list to restrict download size.
# vim /etc/squid/squid.conf
reply_body_max_size 50 MB custom-denied-list
# squid -k reconfigure
MAC-based filtering is useful for networks that use DHCP to assign IP addresses to systems. As we know, the MAC address is hard-coded on the NIC and can't be changed, but IP addresses assigned by DHCP may change on the next IP assignment. This tutorial will help you configure MAC address based filtering on a Squid proxy server.
If you do not have Squid installed, go to the link below for installing Squid on CentOS/RHEL/Fedora systems.
Install and Configure SQUID Proxy Server on CentOS/RHEL Linux
ACL rules need to be added to the Squid configuration file /etc/squid/squid.conf. Remember that Squid always applies the first matching rule, working from top to bottom, and ignores the remaining rules once one has matched.
1. Block All Sites For Single MAC Address
The following configuration blocks all sites for the system with MAC address 01:23:45:AB:CD:EF.
Squid ACL Rule:
acl pcmac1 arp 01:23:45:AB:CD:EF
http_access deny pcmac1
2. Block Single Site for Single MAC Address
The following configuration blocks the site www.example.com for the system with MAC address 01:23:45:AB:CD:EF.
Squid ACL Rule:
acl blocksite1 dstdomain www.example.com
acl pcmac1 arp 01:23:45:AB:CD:EF
http_access deny blocksite1 pcmac1
3. Block All Sites for Multiple MAC Addresses
The following configuration blocks all sites for the systems with MAC addresses 01:23:45:AB:CD:EF and AB:CD:EF:01:23:45.
MAC Addresses List
# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45
Squid ACL Rule:
acl pcmacs arp "/etc/squid/mac-addrs.lst"
http_access deny pcmacs
4. Block Single Site for Multiple MAC Addresses
The following configuration blocks www.example.com for the systems with MAC addresses 01:23:45:AB:CD:EF and AB:CD:EF:01:23:45.
MAC Addresses List
# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45
Squid ACL Rule:
acl blocksite1 dstdomain www.example.com
acl pcmacs arp "/etc/squid/mac-addrs.lst"
http_access deny blocksite1 pcmacs
5. Allow Specific Site for Single MAC Address
The following configuration allows www.example.com for the system with MAC address 01:23:45:AB:CD:EF and denies all other sites.
Squid ACL Rule:
acl pcmac1 arp 01:23:45:AB:CD:EF
acl allowsite1 dstdomain www.example.com
http_access allow allowsite1 pcmac1
http_access deny pcmac1
6. Allow Multiple Sites for Single MAC Address
The following configuration allows all sites listed in /etc/squid/allowsites.lst for the system with MAC address 01:23:45:AB:CD:EF and denies all other sites.
Allowed Sites List
# cat /etc/squid/allowsites.lst
www.google.co.in
yahoo.com
in.yahoo.com
Squid ACL Rule:
acl pcmac1 arp 01:23:45:AB:CD:EF
acl allowsite1 dstdomain "/etc/squid/allowsites.lst"
http_access allow allowsite1 pcmac1
http_access deny pcmac1
7. Allow Specific Site for Multiple MAC Addresses
The following configuration allows www.example.com for the systems with MAC addresses 01:23:45:AB:CD:EF and AB:CD:EF:01:23:45 and denies all other sites.
MAC Addresses List
# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45
Squid ACL Rule:
acl blocksite1 dstdomain www.example.com
acl pcmacs arp "/etc/squid/mac-addrs.lst"
http_access allow blocksite1 pcmacs
http_access deny pcmacs
8. Allow Multiple Sites for Multiple MAC Addresses
The following configuration allows all the sites listed in /etc/squid/allowsites.lst for all systems whose MAC addresses are listed in /etc/squid/mac-addrs.lst and denies all other sites.
MAC Addresses List
# cat /etc/squid/mac-addrs.lst
01:23:45:AB:CD:EF
AB:CD:EF:01:23:45
Allowed Sites List
# cat /etc/squid/allowsites.lst
www.google.co.in
yahoo.com
in.yahoo.com
Squid ACL Rule:
acl pcmacs arp "/etc/squid/mac-addrs.lst"
acl allowsites dstdomain "/etc/squid/allowsites.lst"
http_access allow allowsites pcmacs
http_access deny pcmacs
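The rule-ordering note above ("first matching rule") and the advice to place deny rules before any allow-all rule can be checked offline with a small model of http_access evaluation. This is an added example, not code from Squid or from the original article; the sample configuration, the request dictionaries and the function names are constructed for illustration, and only inline ACL values (no list files) are handled.

```python
import re

# Constructed squid.conf fragment (inline ACL values only, no list files):
# the page's yahoo.com block, its section 5 MAC rules, then a catch-all.
SAMPLE_CONF = """
acl blocksite1 dstdomain yahoo.com
acl pcmac1 arp 01:23:45:AB:CD:EF
acl allowsite1 dstdomain www.example.com
http_access deny blocksite1
http_access allow allowsite1 pcmac1
http_access deny pcmac1
http_access allow all
"""

def acl_matches(kind, values, req):
    """Simplified model of the ACL types used on the page."""
    if kind == "dstdomain":  # "yahoo.com" is exact; ".yahoo.com" adds subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    if kind == "url_regex":  # unanchored, case-sensitive search over the URL
        return any(re.search(v, req["url"]) for v in values)
    if kind == "arp":        # client MAC address as seen by the proxy
        return req["mac"].lower() in [v.lower() for v in values]
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req):
    """Return 'allow' or 'deny' for req under first-match http_access rules."""
    acls, last = {}, None
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            last = tok[1]
            # every ACL named on one line must match (logical AND)
            if all(n == "all" or acl_matches(*acls[n], req) for n in tok[2:]):
                return last  # first matching line wins; later lines are ignored
    # no line matched: Squid applies the opposite of the last line's action
    return "allow" if last == "deny" else "deny"

if __name__ == "__main__":
    pc = {"host": "www.example.com", "url": "http://www.example.com/",
          "mac": "01:23:45:ab:cd:ef"}           # constructed requests
    guest = dict(pc, mac="aa:bb:cc:dd:ee:ff", host="www.yahoo.com")
    for name, req in (("pc", pc), ("guest", guest)):
        print(name, req["host"], decide(SAMPLE_CONF, req))
```

In this model the guest request for www.yahoo.com is allowed, because a dstdomain entry written as yahoo.com matches only that exact host name; writing it as .yahoo.com also covers subdomains.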
Squid ACL options
1> src: Source IP address
2> url_regex: Words in a destination web address
3> dstdomain: Destination web address
Squid restart vs. Squid reconfigure
Whenever the Squid configuration is modified, the Squid service needs to be restarted. Depending on the number of active connections, restarting the service may take a while, sometimes several minutes. LAN users will not be able to access the Internet during this time. To avoid such a service interruption, we can use the following command instead of "service squid restart".
# squid -k reconfigure
This command will allow Squid to run with updated parameters without restarting itself.