Mission

To configure squid for simple proxying without caching anything.

Use Cases

  1. When you want control over what people browse on your LAN.
  2. When the number of machines is larger than the number of IP addresses you can afford to buy.
  3. When you want to help this holy world save some IPv4 addresses :P

Assumptions

  1. You have a machine connected directly to the internet that you are going to use as a proxy server for the other machines on your network.
  2. The machines on your network use 192.168.0.0/16 as their private address space. You can use any one or several of the available private address spaces, but for this howto we assume 192.168.0.0/16 as the local network.
  3. The local IP address of the machine that will run the squid proxy server is 192.168.36.204. You can use any IP, but for this howto we assume this one.

How to proceed

First of all, ensure that squid is installed. After installing squid, you need to set up access control in the squid configuration file, which resides in /etc/squid by default. Open /etc/squid/squid.conf and add or edit the following lines according to your preferences. A few of the lines already exist in the configuration file; you can add the rest.

# The port on which squid will listen for requests
http_port 8080
# If 'cgi-bin' or '?' is in query, squid should not check with neighbours'/parents' cache
# and should go to target web-server.
hierarchy_stoplist cgi-bin ?
# If url contains 'cgi-bin' or '?', then it must not be cached
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
# Access control list to control every IP address
acl all src 0.0.0.0/0.0.0.0
# Access control list for source machine in LAN
acl lan_src src 192.168.0.0/16
# Access control list for destination machine in LAN
acl lan_dst dst 192.168.0.0/16
# Access control list to manage squid cache
acl manager proto cache_object
# Access control list to define IP address allowed for source localhost
acl localhost src 127.0.0.1/255.255.255.255
# Access control list to define IP addresses allowed for localhost as destination
acl to_localhost dst 127.0.0.0/8
# Access control list to define Safe ports that should be allowed by default
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Allow cache management only from localhost
http_access allow manager localhost
# Deny cache management from remote hosts
http_access deny manager
# Deny http access via all the ports which are not listed as safe
http_access deny !Safe_ports
# Deny all connections via all ports which are not listed as safe
http_access deny CONNECT !SSL_ports
# Allow http access from localhost
http_access allow localhost
# Allow http access from machines on LAN
http_access allow lan_src
http_access deny all
http_reply_access allow all
icp_access allow all
# Deny caching for everyone so that there is no caching at all
cache deny all
coredump_dir /var/spool/squid
# Never allow direct connection to machines on the internet
prefer_direct off
never_direct allow all
# Allow direct connection if the destination machine is on the LAN
always_direct allow lan_dst
# Delete this line if you don't have /etc/hosts file
hosts_file /etc/hosts
# Allow AIM connections
# Delete the following 9 lines if you don't want people to connect to AIM
acl AIM_ports port 5190 9898 6667
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains
# Allow connections to Yahoo Messenger
# Delete the following 6 lines if you don't want people to connect to Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
# Allow connections to Google Talk
# Delete the following 6 lines if you don't want people to connect to Google Talk
acl GTALK_ports port 5222 5050
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains
# Allow connections to MSN
# (MSN_domains and MSN_nets are defined below, but no http_access line uses them)
# Delete the following 6 lines if you don't want people to connect to MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts
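The http_access lines above are evaluated top to bottom: the ACLs on one line are ANDed, the first matching line wins, and when no line matches squid applies the opposite of the last line's action. The following Python script is an added example, not part of this howto and not squid's own code: a simplified evaluator for the src, port, method and proto ACL types used above, run against a constructed excerpt of the configuration, so you can check what a given request would get before exposing the proxy. The Request fields and the decide() helper are this example's own names.

```python
"""Added example: simulate squid's http_access decision for the ACL types used in this howto.
Not squid's own code; a simplified model (src, port, method, proto ACLs; AND within a line,
first matching line wins, no match -> opposite of the last line's action)."""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt of the squid.conf above: only the lines that drive http_access.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl lan_src src 192.168.0.0/16
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan_src
http_access deny all
"""


@dataclass
class Request:
    src: str               # client IP address
    port: int              # destination port of the request
    method: str = "GET"    # HTTP method
    proto: str = "http"    # "cache_object" marks a cache-manager request


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is an ordered list
    of (action, [(negated, acl_name), ...], original_line). Values of an ACL name
    defined on several lines (Safe_ports) are merged, as squid does."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acl_type, acl_values = acls.setdefault(name, (kind, []))
            if acl_type != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acl_values.extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms, line))
    return acls, rules


def acl_matches(kind, values, req):
    """Does one ACL (of the given type, with its value list) match the request?"""
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:                         # single port or "low-high" range
            low, _, high = v.partition("-")
            if int(low) <= req.port <= int(high or low):
                return True
        return False
    if kind == "method":
        return req.method.upper() in [v.upper() for v in values]
    if kind == "proto":
        return req.proto.lower() in [v.lower() for v in values]
    raise ValueError(f"unsupported acl type: {kind}")


def decide(acls, rules, req):
    """Return (action, line): the first http_access line whose ACLs all match,
    or the opposite of the last line's action when nothing matches."""
    for action, terms, line in rules:
        if all(acl_matches(*acls[name], req) != negated for negated, name in terms):
            return action, line
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "<no line matched: opposite of last>"


if __name__ == "__main__":
    acls, rules = parse_conf(SQUID_CONF)
    for req in (Request("192.168.1.10", 80),
                Request("192.168.1.10", 80, method="CONNECT"),   # tunnel to a non-SSL port
                Request("192.168.1.10", 25),                     # SMTP relay attempt
                Request("10.0.0.5", 80),                         # client outside the LAN
                Request("192.168.1.10", 8080, proto="cache_object")):
        print(req, "->", decide(acls, rules, req))
```

Run it and you see a LAN client allowed on port 80, the same client denied a CONNECT to port 80 and a request to port 25, an off-LAN client denied by "deny all", and a cache-manager request from the LAN stopped by "deny manager". Dropping the trailing "http_access deny all" is the classic mistake: with "deny CONNECT !SSL_ports" as the last line, a request nothing matches is allowed by the default-opposite rule, which is why the explicit deny at the end matters.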

Now, start the squid proxy server:

service squid start

Also, if you want squid to be started every time the machine boots, execute the following command:

chkconfig --level 345 squid on

You now have a squid proxy server running. You can ask clients to configure their browsers to use 192.168.36.204 as the proxy server with 8080 as the proxy port. Command line utilities like elinks, lynx, yum, wget etc. can be told to use the proxy by exporting the http_proxy variable as below. Users can also add these lines to their ~/.bashrc file to avoid exporting them every time.

export http_proxy='http://192.168.36.204:8080'
export ftp_proxy='http://192.168.36.204:8080'

I highly recommend the book “Squid Proxy Server 3.1: Beginner’s Guide (Paperback)” for further reading.


1 peyank April 27, 2010 at 5:09 PM

how to cache dynamic content like video from youtube

2 Adnan May 31, 2010 at 11:13 AM

Hi,
i have configured squid proxy server with two NICs in fedora 12.
Network configuration scenario:
Router-> proxy server-> switch -> clients(LAN)
where
Router = 172.15.0.1

Proxy server:
eth0:
ip= 172.15.0.2
mask=255.255.0.0
gateway=172.15.0.1

eth1:
ip= 172.16.1.1
mask=255.255.0.0
gateway= 172.15.0.2

clients:
ip= 172.16.1.10
mask=255.255.0.0
gateway= 172.16.1.1

proxy ip address= 172.16.1.1
port number= 8080

iptables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 8080 -j ACCEPT
COMMIT

my problem is that i cannot open websites from the client. Did I miss something, or is the config wrong? any idea?
thanks
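To see which rule of the filter table quoted in the comment above decides a given packet, here is an added example (not part of the comment and not iptables code): a small tracer that walks the chains of an iptables-save ruleset, follows jumps into user-defined chains, returns to the calling chain when a user chain ends without a verdict, and falls back to the built-in chain's policy. It runs over a copy of the ruleset with the double dashes restored; the Packet fields and the verdict() helper are this example's own names, and only the -p, -i, --state and --dport matchers are modelled.

```python
"""Added example: trace which rule of an iptables-save ruleset decides a packet.
Not iptables code; a simplified model covering -p, -i, --state and --dport matchers,
jumps into user-defined chains, RETURN, and the built-in chain policy."""
from dataclasses import dataclass

# Filter table from the comment above, double dashes restored (constructed copy).
RULESET = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 8080 -j ACCEPT
COMMIT
"""


@dataclass
class Packet:
    in_iface: str = "eth1"   # interface the packet arrives on
    proto: str = "tcp"       # tcp, udp, icmp
    dport: int = 0           # destination port (tcp/udp)
    state: str = "NEW"       # conntrack state: NEW, ESTABLISHED, RELATED


def parse_ruleset(text):
    """Return (policies, rules): policies maps chain -> policy ('-' for user chains),
    rules maps chain -> ordered list of (matchers, target, original_line)."""
    policies, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                       # chain declaration
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):                   # append rule to chain
            tokens = line.split()
            chain, target = tokens[1], tokens[tokens.index("-j") + 1]
            matchers, i = {}, 2
            while tokens[i] != "-j":                   # options before the target
                if tokens[i] in ("-p", "-i", "--state", "--dport"):
                    matchers[tokens[i]] = tokens[i + 1]
                    i += 2
                elif tokens[i] == "-m":                # match module name, no packet field
                    i += 2
                else:
                    i += 1
            rules[chain].append((matchers, target, line))
    return policies, rules


def rule_matches(matchers, pkt):
    """All matchers of a rule must hold; a rule with no matchers matches everything."""
    if "-p" in matchers and matchers["-p"] != pkt.proto:
        return False
    if "-i" in matchers and matchers["-i"] != pkt.in_iface:
        return False
    if "--state" in matchers and pkt.state not in matchers["--state"].split(","):
        return False
    if "--dport" in matchers and int(matchers["--dport"]) != pkt.dport:
        return False
    return True


def walk(chain, pkt, rules, trace):
    """Verdict reached inside `chain`, or None if the chain ends without one."""
    for matchers, target, line in rules[chain]:
        if not rule_matches(matchers, pkt):
            continue
        trace.append(line)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        result = walk(target, pkt, rules, trace)      # jump into a user-defined chain
        if result is not None:
            return result
    return None


def verdict(chain, pkt, policies, rules):
    """Final verdict for a packet entering built-in `chain`, plus the rules it hit."""
    trace = []
    result = walk(chain, pkt, rules, trace)
    if result is None:                                # fell off the end: chain policy
        result = policies[chain]
        trace.append(f"<policy {chain} {result}>")
    return result, trace


if __name__ == "__main__":
    policies, rules = parse_ruleset(RULESET)
    for pkt in (Packet(dport=8080), Packet(dport=80), Packet(dport=22), Packet(proto="icmp")):
        print(pkt, "->", verdict("INPUT", pkt, policies, rules))
    print("FORWARD", Packet(dport=80), "->", verdict("FORWARD", Packet(dport=80), policies, rules))
```

With this ruleset a new TCP connection to port 8080 arriving on the proxy host is accepted inside RH-Firewall-1-INPUT, while a new connection to any other port except 22 falls through to the REJECT line; anything the host would have to route (FORWARD chain) other than port 8080 is rejected as well, which is the expected shape for a host that only proxies.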

3 subhod September 26, 2011 at 7:53 AM

in fedora our clg has banned exe format apps, we can't download them, access denied is coming. is there any trick for this?

4 Ali November 14, 2011 at 1:36 PM

You need to create a bridge for eth0 and eth1, so then it will work…

5 Nouman January 26, 2012 at 11:40 AM

proxy ip address= 172.16.1.1

your proxy ip address is 172.16.0.2

6 Kennedy Mwanza September 19, 2010 at 2:03 PM

How can I use a proxy server to connect other people worldwide with my internet connection on my ubuntu lucid 10.04 server?

7 Parashuram December 21, 2010 at 5:07 AM

hello,

My requirement is to use squid proxy for wireless sensor nodes; here squid should collect data from wireless sensor nodes, store it in cache and provide it to the external internet world when requested. how do i do it???
I want to set up this configuration on a blackfin BF537 STAMP BOARD… HOW TO DO THIS? ANY HELP WILL BE GREATLY APPRECIATED

THANKS,,
PARASHURAM

8 Imran Sattar December 30, 2010 at 9:38 AM

how do i access messenger services (e.g. msn and yahoo messenger) using squid server? i have squid running on my server, but the messengers cannot run on my clients.

9 usman khalid February 15, 2011 at 5:26 AM

i want to know about squid proxy installation in fedora 12. also, does squid work with 02 lan cards? well, maybe it is 01 external for internet and 02 for the internal network, through which i give my clients internet, but what is the configuration and installation? can anyone send me pleaseeeeeeeeeee?

10 vaibhav February 23, 2011 at 1:02 PM

Dear all,

solution required for (104) connection reset by peer .
kindly note we are using squid 2.5 stable1

Vaibhav

11 abdullahi March 22, 2011 at 8:50 AM

My squid proxy is not opening Skype and hotmail

12 kb May 10, 2011 at 11:55 AM

did u open the skype port in the firewall?

13 senthilkumar March 22, 2011 at 8:57 AM

Hello,
I have configured in my network fedora 10 with squid proxy. I have configured url as well as content filtering in my squid. I have created two users one is sysadmin and another user student. In the client host if you open the browser it will ask the user name and password to login and surf the net. If you login into the student user you are not able to access the url filtering as well as content filtering access controls but in the same host you will login as sysadmin you can get all the access.
I am going to configure as a time based internet access for the student user.
How to configure this if any one has already configured this please give your configuration for the above said.

thanks,
PB.SENTHIL KUMAR.

14 m.usman khalid April 16, 2011 at 4:48 AM

dear ,
i have restricted some websites as company policy, but my owner and general manager want to access those blocked websites. how is it possible? please, i am in a very bad condition at the moment.

m.usman khalid

15 m.usman khalid April 18, 2011 at 3:57 AM

well, if anyone knows about my users' access (limited) and high management (full) access, and also, if i block any website, then the blocked website open on my high management pc, kindly, if anyone has a solution then give it to me or e-mail me. i am waiting for your replies, friends

usman

16 LLMag May 3, 2011 at 12:44 PM

good

17 kb May 10, 2011 at 11:52 AM

why do you have to change the port squid uses, 3128?

18 Nouman January 26, 2012 at 11:42 AM

http_port 8080

in squid.conf

19 kb May 10, 2011 at 12:00 PM

how do you configure dhcp server on fedora 11

20 pankaj kumar May 26, 2011 at 6:11 AM

dear sir, how to configure VNC Server in linux, and windows pc to linux pc, how to manage desktops….

reply me its urgent.

21 Pravin July 12, 2011 at 9:59 AM

Dear sir,

I want to know about installation of an audio streaming server in linux fedora or Debian. If anyone knows, please tell me step by step in detail, & how do you configure an audio streaming server…
Reply me, its urgent………

22 anjan August 7, 2011 at 8:05 AM

i have configured squid on server 2003 and squid is running well. but client pcs can browse the internet without configuring the proxy server in browsers, so i want to stop internet access on users' pcs. how to do this ?????

23 Dhananjaya September 30, 2011 at 4:48 AM

for my use

24 Dhananjaya September 30, 2011 at 4:50 AM

“for my use”

25 Cole Mcbride October 10, 2011 at 5:49 AM

Thanks for ones marvelous posting! I seriously enjoyed reading it, you might be a great author.I will remember to bookmark your blog and will often come back later on. I want to encourage you continue your great job, have a nice evening!
I absolutely love your blog and find a lot of your posts to be precisely what I’m looking for. Does one offer guest writers to write content to suit your needs? I wouldn’t mind producing a post or elaborating on a lot of the subjects you write in relation to here. Again, awesome site!

26 ZSaad October 10, 2011 at 11:13 AM

liked ur post..btw!
I am using RHEL 6, squid 3:
my isp is 10.3.0.1/24 :8080 , proxy settings are required to connect to internet
my internal network is 192.168.0.0/24
clients are unable to connect to internet through squid
i have tried using http_port 8080 and 3128
and tried looking out at forums but no luck
any solution or advice will be appreciated.!

27 suraj bhure November 16, 2011 at 1:44 PM

pls, i have installed proxy but it is not accessible from the network, send me step by step proxy-fedora, linux 6.0 ver

28 hailu alemu January 4, 2012 at 6:07 AM

hi mr i want to see the whole configuration file including commands would you show it to me?

29 palanivel November 25, 2012 at 11:47 AM

Hello

We are using a redhat linux proxy server in my office. we have configured the Airtel Internet public ip on the internal ethernet port and a private ip on the external lan. but only public ips ping the server system, and private ips do not ping the server system.
if anybody knows how to resolve the problem, kindly help us.

30 Ussy January 2, 2013 at 1:35 PM

I have successful installed squid on fedora linux (SQUID 2.6 STABLE12) and working fine on the server itself using the proxy. However, my clients running windows ( win 7 and win xp) can’t browse using the proxy. The server is on the same network as the clients and they could even ping one another.

In fact, the clients show ‘the connection has timed out’ instead of ‘Access denied’, which clearly shows they do not see the server at all.

Initially I thought this had to do with the explorer, but even mozilla can’t connect to the proxy on the client machines.

I would be glad if someone can help me on this

Below are the few commented configurations in my squid (these configs allow the server to browse): My network 10.1.0.0/25, Proxy server 10.1.0.3

# The port on which squid will listen for requests
http_port 3128

acl our_networks src 10.1.0.0/25
http_access allow our_networks

http_access allow localhost

http_reply_access allow all

icp_access allow all

visible_hostname infinityproxy

31 Ussy January 3, 2013 at 1:30 PM

I later realised the issue had to do with the firewall setting on the proxy server itself. The 8080 port allowed in squid and any other ports (https, ftp, ssh, etc.) also need to be enabled on the firewall.

The squid is working perfectly now and all the windows systems are connecting to the internet through the server.
Thank you all.

Ussy
