Install and Configure Squid Proxy on CentOS 8


In this guide, we are going to learn how to install and configure Squid proxy on CentOS 8.

Squid is a full-featured web proxy cache server application which provides proxy and cache services for HTTP, FTP, SSL requests and DNS lookups. It also performs transparent caching that reduces bandwidth and improves response time by caching and reusing frequently requested web pages.

Installing Squid Proxy on CentOS 8

Run system update

To begin with, ensure that your system packages are up-to-date.

sudo dnf update

Install Squid Proxy on CentOS 8

Squid proxy is available on the default CentOS 8 repositories and can be installed by running the command;

sudo dnf install squid

=======================================================================================================================================================
 Package                             Arch                     Version                                                Repository                   Size
=======================================================================================================================================================
Installing:
 squid                               x86_64                   7:4.4-5.module_el8.0.0+182+b6dc903f                    AppStream                   3.6 M
Installing dependencies:
 libecap                             x86_64                   1.0.1-2.module_el8.0.0+182+b6dc903f                    AppStream                    29 k
 perl-DBI                            x86_64                   1.641-2.module_el8.0.0+66+fe1eca09                     AppStream                   740 k
 perl-Digest-SHA                     x86_64                   1:6.02-1.el8                                           AppStream                    66 k
 perl-Math-BigInt                    noarch                   1:1.9998.11-5.el8                                      BaseOS                      195 k
 perl-Math-Complex                   noarch                   1.59-416.el8                                           BaseOS                      108 k
Enabling module streams:
 perl-DBI                                                     1.641                                                                                   
 squid                                                        4                                                                                       

Transaction Summary
=======================================================================================================================================================
Install  6 Packages

Total download size: 4.7 M
Installed size: 16 M
Is this ok [y/N]: y

Running Squid on CentOS 8

Once the installation is done, start and enable Squid to run on system boot.

sudo systemctl enable --now squid

Configuring Squid Proxy on CentOS 8

The Squid proxy is installed and running. Proceed to configure it to suit the needs of your environment.

First off, /etc/squid/squid.conf is the default Squid Proxy configuration with recommended minimum configuration settings.

By default, the Squid configuration file looks like (with comments removed);


acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Before you begin customizing the Squid configuration to suit your needs, create a backup of the configuration file.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

Configure Squid Access Policies

Create an Access Control List to define your local networks that should use Squid as the proxy. Each ACL consists of a name, type and value and is defined using the acl option.

For example, to configure hosts in the network 192.168.100.0/24 to use Squid as the proxy server, you would use an ACL like;

acl mylocalnet src 192.168.100.0/24

Replace your networks accordingly.

This creates an ACL called mylocalnet which matches hosts on that network.

Once you have defined an ACL, you can now add a line that references the defined ACL to allow or deny access to a function of the cache. For example, use http_access to allow or deny web browsers access to the web-cache.

http_access allow mylocalnet

Squid reads the configuration from top to bottom and evaluates http_access lines in order, so the order of configuration options is important. Therefore, the above lines can be added to the configuration file as;

#
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24
http_access allow mylocalnet

# Recommended minimum configuration:
#
 
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
...

Blocking Specific Websites

Squid proxy can be used to restrict access to specific websites. For example, to block access to YouTube, Facebook and Netflix, create a file that lists the domains of these websites as shown below;

vim /etc/squid/restricted-sites.squid
.youtube.com
.facebook.com
.netflix.com

After that, create an ACL for the restricted sites above in the Squid configuration file and set a deny rule for the defined ACL. The deny rule must come before the allow rule for your local network, otherwise the allow matches first and the block never takes effect.

#
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"

http_access deny blockedsites
http_access allow mylocalnet
...

You can as well list the domains directly on the ACL statement, separated by spaces.

acl blockedsites dstdomain youtube.com facebook.com netflix.com

Block Sites based on Specific Keywords

You can also restrict access to a website by the use of a keyword matched against the requested URL. Create a file with the specific keywords as shown below;

vim /etc/squid/banned-keywords.squid
porn
ads
movie
gamble

Make the necessary changes in the Squid configuration file, referencing the keyword file you just created with a url_regex ACL.


#
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"

http_access deny blockedsites
http_access deny keyword-ban
http_access allow mylocalnet 
...

Comment out the other localnet ACLs so that only the hosts in mylocalnet are allowed.


...
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
## should be allowed
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7              # RFC 4193 local private network range
#acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines
...

Also comment the access rule for localnet.

#http_access allow localnet
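The three sections above (the mylocalnet ACL, the dstdomain block list and the url_regex keyword list) all depend on Squid evaluating http_access lines top to bottom and stopping at the first match. The script below is an added example, not code from the page or from the Squid project: it is a small Python model of that evaluation, with the page's ACLs written inline (the file-based lists are inlined so it runs offline) and a second, deliberately mis-ordered config. The dstdomain and url_regex semantics it implements (a leading dot matches the domain and its subdomains; url_regex is an unanchored search over the whole URL) follow Squid's documented behaviour, and the "default is the opposite of the last rule" fallback is Squid's documented default; everything else is a simplification.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, mirroring the customized squid.conf built in this guide.
# The file-based ACLs from the guide are written inline so the script runs offline.
SQUID_CONF = """
acl mylocalnet src 192.168.100.0/24
acl blockedsites dstdomain .youtube.com .facebook.com .netflix.com
acl keyword-ban url_regex porn ads movie gamble
http_access deny blockedsites
http_access deny keyword-ban
http_access allow mylocalnet
http_access deny all
"""

# Same ACLs, but with the allow placed before the deny rules: a common mistake.
WRONG_ORDER_CONF = """
acl mylocalnet src 192.168.100.0/24
acl blockedsites dstdomain .youtube.com .facebook.com .netflix.com
http_access allow mylocalnet
http_access deny blockedsites
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (name -> (type, values)) and http_access rules in file order."""
    acls = {"all": ("all", [])}  # "all" is built in to Squid
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            # repeated "acl <name>" lines accumulate values, as in Squid
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, src_ip, url):
    """Return True if the request (client IP, URL) matches one ACL definition."""
    acl_type, values = acl
    if acl_type == "all":
        return True
    if acl_type == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = (urlsplit(url).hostname or "").lower()
        for v in values:
            # ".example.com" matches the domain and every subdomain,
            # "example.com" (no leading dot) matches only that exact host
            if v.startswith("."):
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    if acl_type == "url_regex":
        # unanchored search over the full URL: a short keyword matches inside other words
        return any(re.search(v, url) for v in values)
    raise ValueError(f"unsupported acl type: {acl_type}")


def decide(conf_text, src_ip, url):
    """Walk the http_access lines in order and return 'allow' or 'deny' for the request."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        # every ACL named on one http_access line must match (AND); a leading "!" negates
        matched = True
        for name in names:
            negated = name.startswith("!")
            hit = acl_matches(acls[name.lstrip("!")], src_ip, url)
            if hit == negated:
                matched = False
                break
        if matched:
            return action
    # Squid's documented default when no line matches: the opposite of the last rule
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for conf_name, conf in (("correct order", SQUID_CONF), ("wrong order", WRONG_ORDER_CONF)):
        for ip, url in (
            ("192.168.100.51", "http://www.google.com/"),
            ("192.168.100.51", "http://youtube.com/"),
            ("192.168.100.51", "http://example.com/downloads/tool.tar.gz"),
            ("10.0.0.5", "http://www.google.com/"),
        ):
            print(f"{conf_name:14} {ip:16} {url:45} -> {decide(conf, ip, url)}")
```

Two results are worth noting. With the allow rule moved above the deny rules, a local client reaches youtube.com even though blockedsites is defined, which is why the guide places the deny lines first. And the keyword list from the guide, applied with url_regex, denies http://example.com/downloads/tool.tar.gz because "ads" occurs inside "downloads"; keep keyword lists short and specific, or anchor the patterns, before relying on them in production.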

Masking Outgoing Traffic

Although a proxy presents its own IP address to the web servers it contacts, Squid by default adds Via and X-Forwarded-For headers to outgoing HTTP requests, which can still expose the client's IP address. You can disable this by including the following directives at the end of your Squid configuration file.


...
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Anonymize Traffic
via off
forwarded_for off

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

Change Squid Default Port

Squid proxy listens on TCP port 3128 by default. If you want to change this port, you would simply open the /etc/squid/squid.conf configuration file and replace the value of the http_port with your desired port number.

For example, to change the default port to 8888, as long as no other application is listening on the same port;

...
# Squid normally listens to port 3128
# http_port 3128                 << Comment the line by adding #
http_port 8888
...

You can also set it to listen on a specific IP (Replace the IP address accordingly)

http_port 192.168.100.50:8888

Restart Squid

Once you are done with the configuration, save the file and restart squid.

systemctl restart squid

Check that Squid is listening on the new port;

ss -altnp | grep 8888
LISTEN   0         128           192.168.100.50:8888            0.0.0.0:*        users:(("squid",pid=4321,fd=15))

Allow Squid Port on Firewall

If the firewall is enabled, allow the Squid port. Replace the port if you have changed the default.

firewall-cmd --add-port=3128/tcp --permanent
firewall-cmd --reload

Configure Proxy Clients to connect to the Proxy server

To configure clients to connect to the Squid proxy server, you can either set a system-wide proxy configuration, configure the client to use the Squid server as its gateway, or set the proxy settings in the browser.

System Wide proxy configuration

To set system wide proxy configurations, create a configuration file under /etc/profile.d with environment variables defining squid proxy server details as follows;

vim /etc/profile.d/squid.sh

Replace the IP address of the Squid server accordingly.

# Address and port of the Squid proxy server (replace accordingly)
PROXY_URL="192.168.100.50:3128"
# Both upper- and lower-case variants are set, since different tools read different ones
HTTP_PROXY=$PROXY_URL
HTTPS_PROXY=$PROXY_URL
FTP_PROXY=$PROXY_URL
http_proxy=$PROXY_URL
https_proxy=$PROXY_URL
ftp_proxy=$PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy

After that, source the new configuration file.

source /etc/profile.d/squid.sh

To test this, try to download something from the client's terminal while tailing the access log on the Squid proxy server.

On the client’s terminal, run;

wget google.com
--2019-11-21 20:26:04--  http://google.com/
Connecting to 192.168.100.50:8888... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2019-11-21 20:26:04--  http://www.google.com/
Reusing existing connection to 192.168.100.50:8888.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.4’

index.html.4                              [ <=>                                                                     ]  12.16K  --.-KB/s    in 0.01s   

2019-11-21 20:26:04 (914 KB/s) - ‘index.html.4’ saved [12449]

On the Squid proxy server;

tail -f /var/log/squid/access.log 
1574357161.958    294 192.168.100.51 TCP_MISS/301 664 GET http://google.com/ - HIER_DIRECT/216.58.223.110 text/html
1574357162.217    255 192.168.100.51 TCP_MISS/200 13350 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
...

Try to access blocked sites;

wget youtube.com
--2019-11-21 20:27:24--  http://youtube.com/
Connecting to 192.168.100.50:8888... connected.
Proxy request sent, awaiting response... 403 Forbidden
2019-11-21 20:27:24 ERROR 403: Forbidden.
tail -f /var/log/squid/access.log
1574357241.664      0 192.168.100.51 TCP_DENIED/403 3994 GET http://youtube.com/ - HIER_NONE/- text/html
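The access.log lines above are in Squid's native log format (timestamp, elapsed ms, client IP, result-code/status, bytes, method, URL, ident, hierarchy/peer, content type). The script below is an added example, not code from the page or the Squid project: it parses that format and summarizes allowed versus TCP_DENIED requests per client, which is the quick check an administrator would run to confirm the block lists are working and to spot a client that keeps hitting them. The log sample is constructed from the page's lines plus a second, invented client (192.168.100.77); the 3-hit threshold is an arbitrary demonstration value.

```python
import re
from datetime import datetime, timezone

# Squid native access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample: the page's lines plus a second client (192.168.100.77) that
# repeatedly hits the block list, including a CONNECT (HTTPS) attempt.
SAMPLE_LOG = """\
1574357161.958    294 192.168.100.51 TCP_MISS/301 664 GET http://google.com/ - HIER_DIRECT/216.58.223.110 text/html
1574357162.217    255 192.168.100.51 TCP_MISS/200 13350 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
1574357241.664      0 192.168.100.51 TCP_DENIED/403 3994 GET http://youtube.com/ - HIER_NONE/- text/html
1574357300.100      0 192.168.100.77 TCP_DENIED/403 3994 GET http://www.facebook.com/ - HIER_NONE/- text/html
1574357301.500      0 192.168.100.77 TCP_DENIED/403 3994 GET http://netflix.com/ - HIER_NONE/- text/html
1574357302.900      0 192.168.100.77 TCP_DENIED/403 3994 CONNECT www.netflix.com:443 - HIER_NONE/- -
"""


def parse_line(line):
    """Parse one native-format access.log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Count allowed and denied requests per client, keeping the denied URLs for review."""
    per_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip lines in another format or truncated by tail
            continue
        entry = per_client.setdefault(rec["client"], {"allowed": 0, "denied": 0, "denied_urls": []})
        if rec["code"].startswith("TCP_DENIED"):
            entry["denied"] += 1
            entry["denied_urls"].append(rec["url"])
        else:
            entry["allowed"] += 1
    return per_client


def clients_over_threshold(summary, min_denied=3):
    """Clients whose denied-request count reaches the threshold, sorted for stable output."""
    return sorted(c for c, s in summary.items() if s["denied"] >= min_denied)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for client, stats in sorted(summary.items()):
        print(f"{client:16} allowed={stats['allowed']:3} denied={stats['denied']:3} "
              f"denied_urls={stats['denied_urls']}")
    print("clients at or above threshold:", clients_over_threshold(summary))
```

Running it against the real log (for example, piping tail -n 1000 /var/log/squid/access.log into summarize) gives the same per-client view; note that HTTPS requests appear as CONNECT host:443 rather than full URLs, so dstdomain blocks still apply to them but url_regex keyword rules only see the host and port.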

You can as well set your Squid server as the default gateway.

In Firefox, configure it to connect to the external network via your Squid server: Preferences > General > Network Settings > Manual Proxy Configuration, then check "Use this proxy server for all protocols".

Read More

Read more on Squid wiki.


koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".