In this guide, we are going to learn how to install and configure Squid proxy on Rocky Linux 8.
Squid is a full-featured web proxy cache server application which provides proxy and cache services for HTTP, FTP, SSL requests and DNS lookups. It also performs transparent caching that reduces bandwidth and improves response time by caching and reusing frequently requested web pages.
Install and Configure Squid Proxy on Rocky Linux 8
Run system update
Update your system package cache:
dnf update
Install Squid Proxy on Rocky Linux 8
Squid proxy is available on the default Rocky Linux 8 repositories and can be installed by running the command;
dnf install squid
Dependencies resolved.
==========================================================================================================
 Package            Architecture  Version                                  Repository  Size
==========================================================================================================
Installing:
 squid              x86_64        7:4.11-4.module+el8.4.0+404+316a0dc5.2   appstream   3.6 M
Installing dependencies:
 libecap            x86_64        1.0.1-2.module+el8.4.0+404+316a0dc5      appstream   28 k
 perl-DBI           x86_64        1.641-3.module+el8.4.0+509+59a8d9b3      appstream   739 k
 perl-Digest-SHA    x86_64        1:6.02-1.el8                             appstream   65 k
 perl-Math-BigInt   noarch        1:1.9998.11-7.el8                        baseos      194 k
 perl-Math-Complex  noarch        1.59-419.el8_4.1                         baseos      108 k
Enabling module streams:
 perl-DBI                         1.641
 squid                            4

Transaction Summary
==========================================================================================================
Install  6 Packages

Total download size: 4.7 M
Installed size: 14 M
Is this ok [y/N]: y
Running Squid on Rocky Linux 8
Once the installation is done, start and enable Squid to run on system boot.
systemctl enable --now squid
Configuring Squid Proxy on Rocky Linux 8
/etc/squid/squid.conf is the default Squid Proxy configuration file. It ships with the recommended minimum configuration settings.
Below is the content of this file, with comment lines removed;
grep -vE "^#|^$" /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Before you begin customizing the Squid configuration to suit your needs, create a backup of the configuration file.
cp /etc/squid/squid.conf{,.bak}
Configure Squid Access Policies
Create an Access Control List to define your local networks that should use Squid as the proxy.
Each ACL consists of a name, a type and a value, and is defined using the acl option.
For example, to configure hosts in the network 192.168.60.0/24 to use Squid as the proxy server, you would use an ACL like;
acl mylocalnet src 192.168.60.0/24
Replace your networks accordingly.
This creates an ACL called mylocalnet which matches the hosts on the specified network.
After defining an ACL, you need to add a line that references the defined ACL to allow or deny access to a function of the cache.
For example, use http_access to allow or deny web browsers access to the web cache;
http_access allow mylocalnet
Squid reads the configuration from top to bottom and hence the order of configuration options is important.
Squid reads the configuration from top to bottom, so the order of configuration options matters. You can comment out the existing network ACLs by adding a hash (#) at the beginning of those lines and add your custom ACLs in their place;
...
### Adding Custom ACL #######
acl mylocalnet src 192.168.60.0/24
http_access allow mylocalnet
#
#acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7               # RFC 4193 local private network range
#acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
...
Blocking Specific Websites
Squid proxy can be used to restrict access to specific websites. For example, to block access to YouTube, Facebook and Netflix, create a file that lists the domains of these websites as shown below;
vim /etc/squid/restricted-sites.squid
.youtube.com
.facebook.com
.netflix.com
After that, create an ACL for the restricted sites in the Squid configuration file and add a deny rule for that ACL. The deny rule must come before the allow rule for your local network, since the first matching http_access line wins.
...
### Adding Custom ACL #######
acl mylocalnet src 192.168.60.0/24
## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
http_access deny blockedsites
http_access allow mylocalnet
...
Instead of using a file to define the sites to block, you can list the domains, space separated, directly on the ACL statement in squid.conf. Note that without the leading dot, youtube.com matches only that exact host name; use .youtube.com when the subdomains should be blocked as well.
acl blockedsites dstdomain youtube.com facebook.com netflix.com
Block Sites based on Specific Keywords
You can also restrict access to a website by the use of a keyword. Create a file with specific keywords as shown below;
vim /etc/squid/banned-keywords.squid
porn
ads
movie
gamble
Make the necessary changes to the Squid configuration file. Note that url_regex matches the pattern anywhere in the full URL and is case-sensitive unless you put -i before the patterns, so short keywords such as ads will also match unrelated URLs that happen to contain them.
...
### Adding Custom ACL #######
acl mylocalnet src 192.168.100.0/24
## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"
http_access deny blockedsites
http_access deny keyword-ban
http_access allow mylocalnet
...
Since the localnet ACL definitions are now commented out, also comment out the access rule that references them; otherwise Squid refuses to start because http_access would reference an ACL that is no longer defined.
#http_access allow localnet
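To see why the order of the http_access lines matters, here is an added Python model of Squid's first-match evaluation over the ACLs defined above (example code written for this guide, not part of Squid; the src, dstdomain and url_regex matching is a simplified re-implementation, and the sample config and client addresses are constructed). WRONG_ORDER moves the allow rule above the deny rules to show the blocked sites leaking through.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed sample: the ACL and http_access lines from the customised
# squid.conf above (the stock Safe_ports/CONNECT rules are left out).
CONF = """
acl mylocalnet src 192.168.60.0/24
acl blockedsites dstdomain .youtube.com .facebook.com .netflix.com
acl keyword-ban url_regex -i gamble movie
http_access deny blockedsites
http_access deny keyword-ban
http_access allow mylocalnet
http_access deny all
"""
# Same ACLs, but the allow rule slipped in above the deny rules.
WRONG_ORDER = CONF.replace("http_access deny blockedsites\n",
                           "http_access allow mylocalnet\nhttp_access deny blockedsites\n", 1)

def parse(conf):
    """Collect acl definitions and http_access rules in file order; 'all' is built in."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if parts[:1] == ["acl"]:
            name, kind, *values = parts[1:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(acl, client_ip, url):
    kind, values = acl
    host = urlsplit(url).hostname or ""
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        # A leading dot matches the domain itself and all of its subdomains.
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in values)
    if kind == "url_regex":
        flags = re.IGNORECASE if "-i" in values else 0
        return any(re.search(v, url, flags) for v in values if v != "-i")
    raise ValueError(f"unsupported acl type {kind}")

def decide(conf, client_ip, url):
    """First http_access line whose ACLs all match wins, reading top to bottom ("!" negates)."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls[n.lstrip("!")], client_ip, url) != n.startswith("!") for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

Calling decide(WRONG_ORDER, "192.168.60.25", "http://youtube.com/") returns "allow", while the same request against CONF is denied.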
Masking Outgoing Traffic
To prevent the proxy from exposing your clients' IP addresses (and its own presence) in outgoing HTTP requests, add the following directives at the end of the Squid configuration file.
...
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Anonymize Traffic
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Change Squid Default Port
Squid proxy listens on TCP port 3128 by default. To change this port, open the /etc/squid/squid.conf configuration file and replace the value of http_port with your desired port number.
For example, to change the default port to 8888, as long as no other application is listening on the same port;
...
# Squid normally listens to port 3128
# http_port 3128 << Comment the line by adding #
http_port 8888
...
You can also bind it to a specific IP address (replace the IP address accordingly);
http_port 192.168.60.19:8888
Overall, this is how our configuration now looks;
grep -vE "^#|^$" /etc/squid/squid.conf
acl mylocalnet src 192.168.60.0/24
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
http_access deny blockedsites
http_access allow mylocalnet
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 8888
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Verify the Squid configuration for any errors; the "WARNING: HTTP requires the use of Via" line in the output is expected once via is set to off and does not stop Squid from starting.
squid -k parse
2021/10/20 13:42:46| Startup: Initializing Authentication Schemes ...
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'basic'
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'digest'
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'negotiate'
2021/10/20 13:42:46| Startup: Initialized Authentication Scheme 'ntlm'
2021/10/20 13:42:46| Startup: Initialized Authentication.
2021/10/20 13:42:46| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2021/10/20 13:42:46| Processing: acl mylocalnet src 192.168.58.0/24
2021/10/20 13:42:46| Processing: acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
2021/10/20 13:42:46| Processing: http_access deny blockedsites
2021/10/20 13:42:46| Processing: http_access allow mylocalnet
2021/10/20 13:42:46| Processing: acl SSL_ports port 443
2021/10/20 13:42:46| Processing: acl Safe_ports port 80 # http
2021/10/20 13:42:46| Processing: acl Safe_ports port 21 # ftp
2021/10/20 13:42:46| Processing: acl Safe_ports port 443 # https
2021/10/20 13:42:46| Processing: acl Safe_ports port 70 # gopher
2021/10/20 13:42:46| Processing: acl Safe_ports port 210 # wais
2021/10/20 13:42:46| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2021/10/20 13:42:46| Processing: acl Safe_ports port 280 # http-mgmt
2021/10/20 13:42:46| Processing: acl Safe_ports port 488 # gss-http
2021/10/20 13:42:46| Processing: acl Safe_ports port 591 # filemaker
2021/10/20 13:42:46| Processing: acl Safe_ports port 777 # multiling http
2021/10/20 13:42:46| Processing: acl CONNECT method CONNECT
2021/10/20 13:42:46| Processing: http_access deny !Safe_ports
2021/10/20 13:42:46| Processing: http_access deny CONNECT !SSL_ports
2021/10/20 13:42:46| Processing: http_access allow localhost manager
2021/10/20 13:42:46| Processing: http_access deny manager
2021/10/20 13:42:46| Processing: http_access allow localhost
2021/10/20 13:42:46| Processing: http_access deny all
2021/10/20 13:42:46| Processing: http_port 8888
2021/10/20 13:42:46| Processing: coredump_dir /var/spool/squid
2021/10/20 13:42:46| Processing: refresh_pattern ^ftp: 1440 20% 10080
2021/10/20 13:42:46| Processing: refresh_pattern ^gopher: 1440 0% 1440
2021/10/20 13:42:46| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2021/10/20 13:42:46| Processing: refresh_pattern . 0 20% 4320
2021/10/20 13:42:46| Processing: via off
2021/10/20 13:42:46| Processing: forwarded_for off
2021/10/20 13:42:46| Processing: request_header_access From deny all
2021/10/20 13:42:46| Processing: request_header_access Server deny all
2021/10/20 13:42:46| Processing: request_header_access WWW-Authenticate deny all
2021/10/20 13:42:46| Processing: request_header_access Link deny all
2021/10/20 13:42:46| Processing: request_header_access Cache-Control deny all
2021/10/20 13:42:46| Processing: request_header_access Proxy-Connection deny all
2021/10/20 13:42:46| Processing: request_header_access X-Cache deny all
2021/10/20 13:42:46| Processing: request_header_access X-Cache-Lookup deny all
2021/10/20 13:42:46| Processing: request_header_access Via deny all
2021/10/20 13:42:46| Processing: request_header_access X-Forwarded-For deny all
2021/10/20 13:42:46| Processing: request_header_access Pragma deny all
2021/10/20 13:42:46| Processing: request_header_access Keep-Alive deny all
2021/10/20 13:42:46| WARNING: HTTP requires the use of Via
2021/10/20 13:42:46| Initializing https:// proxy context
Restart Squid
Reload the configuration either by running the command below;
squid -k reconfigure
or by restarting its service.
systemctl restart squid
Check that Squid is listening on the new port;
ss -altnp | grep 8888
LISTEN 0 1024 *:8888 *:* users:(("squid",pid=37669,fd=13))
Allow Squid Port on Firewall
If the firewall is enabled, allow the Squid port. Replace the port if you have changed the default.
firewall-cmd --add-port=8888/tcp --permanent
firewall-cmd --reload
Configure Proxy Clients to connect to the Proxy server
To configure a client to connect to the Squid proxy server, you can either set system-wide proxy settings, configure the client to use the Squid server as its gateway, or set the proxy settings in the browser.
System Wide proxy configuration
To set system-wide proxy configuration, create a configuration file under /etc/profile.d with environment variables defining the Squid proxy server details as follows;
vim /etc/profile.d/squid.sh
Replace the IP address of the Squid server accordingly.
PROXY_URL="192.168.60.19:8888"
HTTP_PROXY=$PROXY_URL
HTTPS_PROXY=$PROXY_URL
FTP_PROXY=$PROXY_URL
http_proxy=$PROXY_URL
https_proxy=$PROXY_URL
ftp_proxy=$PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy
After that, source the new configuration file.
source /etc/profile.d/squid.sh
To test this, try to download something from the client's terminal while tailing the access log on the Squid proxy server.
On the client’s terminal, run;
wget google.com
--2021-10-20 13:47:46--  http://google.com/
Connecting to 192.168.60.19:8888... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2021-10-20 13:47:47--  http://www.google.com/
Reusing existing connection to 192.168.60.19:8888.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]  14.58K  --.-KB/s    in 0s

2021-10-20 13:47:47 (45.7 MB/s) - ‘index.html’ saved [14933]
On the Squid proxy server;
tail -f /var/log/squid/access.log
...
1634726867.006 626 192.168.60.19 TCP_MISS/301 618 GET http://google.com/ - HIER_DIRECT/172.217.170.206 text/html
1634726867.537 530 192.168.60.19 TCP_MISS/200 15804 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
Try to access blocked sites;
wget youtube.com
--2021-10-20 13:48:50-- http://youtube.com/
Connecting to 192.168.60.19:8888... connected.
Proxy request sent, awaiting response... 403 Forbidden
2021-10-20 13:48:50 ERROR 403: Forbidden.
tail -f /var/log/squid/access.log
1634726930.663 0 192.168.60.19 TCP_DENIED/403 3903 GET http://youtube.com/ - HIER_NONE/- text/html
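As an added example (not from the original guide), the following Python parses access.log entries in the native format shown above and summarises denied requests per client, which is the first thing to check when a block rule is not behaving as expected; the log lines are constructed samples modelled on the entries above, and the client 192.168.60.42 is invented.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "native" access.log format:
# timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, type.
SAMPLE_LOG = """\
1634726867.006    626 192.168.60.19 TCP_MISS/301 618 GET http://google.com/ - HIER_DIRECT/172.217.170.206 text/html
1634726867.537    530 192.168.60.19 TCP_MISS/200 15804 GET http://www.google.com/ - HIER_DIRECT/216.58.223.68 text/html
1634726930.663      0 192.168.60.19 TCP_DENIED/403 3903 GET http://youtube.com/ - HIER_NONE/- text/html
1634726931.100      0 192.168.60.42 TCP_DENIED/403 3903 GET http://www.facebook.com/ - HIER_NONE/- text/html
1634726932.250      0 192.168.60.42 TCP_DENIED/403 3903 CONNECT netflix.com:443 - HIER_NONE/- -
"""

def parse_line(line):
    """Split one native-format line into the fields we care about; None for anything else."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "bytes": int(f[4]), "method": f[5], "url": f[6]}

def host_of(url):
    # CONNECT requests log "host:port" with no scheme; everything else is a full URL.
    return urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]

def denied_summary(log):
    """Per client: how many requests were TCP_DENIED and which destination hosts were refused."""
    summary = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            entry = summary.setdefault(rec["client"], {"denied": 0, "hosts": Counter()})
            entry["denied"] += 1
            entry["hosts"][host_of(rec["url"])] += 1
    return summary

def noisy_clients(log, threshold=2):
    """Clients whose denied-request count reaches the threshold, worth a closer look."""
    return sorted(c for c, e in denied_summary(log).items() if e["denied"] >= threshold)
```

Run it against the real file with denied_summary(open("/var/log/squid/access.log").read()) on the proxy host.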
You can also set your Squid server as the clients' default gateway.
In Firefox, configure the browser to reach external networks via your Squid server: Preferences > General > Network Settings > Manual Proxy Configuration, and check "Use this proxy server for all protocols".
That marks the end of our tutorial on how to install and configure Squid Proxy on Rocky Linux 8.
Read More
Read more on Squid wiki.