Squid Caching Proxy Server How To: Configure Squid Proxy Server

Mission

To configure squid for simple proxying without caching anything.

Use Cases

  1. When you want control over what people browse on your LAN.
  2. When the number of machines is larger than the number of IP addresses you can afford to buy.
  3. When you want to help this holy world in saving some IPv4 addresses :P

Assumptions

  1. You have a machine connected directly to the internet that you are going to use as a proxy server for the other machines on your network.
  2. The machines on your network use 192.168.0.0/16 as their private address space. You can use any one or more of the available private address spaces, but for this howto we assume 192.168.0.0/16 as the local network.
  3. The local IP address of the machine that will run the squid proxy server is 192.168.36.204. It can have any IP, but for this howto we assume this one.

How to proceed

First of all, ensure that squid is installed. After installing squid, you need to set up access control in the squid configuration file, which resides in /etc/squid by default. Open /etc/squid/squid.conf and add or edit the following lines according to your preferences. Some of these lines already exist in the configuration file; add the rest.

# The port on which squid will listen for requests
http_port 8080
# If 'cgi-bin' or '?' is in query, squid should not check with neighbours'/parents' cache
# and should go to target web-server.
hierarchy_stoplist cgi-bin ?
# If url contains 'cgi-bin' or '?', then it must not be cached
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
# Access control list to control every IP address
acl all src 0.0.0.0/0.0.0.0
# Access control list for source machine in LAN
acl lan_src src 192.168.0.0/16
# Access control list for destination machine in LAN
acl lan_dst dst 192.168.0.0/16
# Access control list to manage squid cache
acl manager proto cache_object
# Access control list to define IP address allowed for source localhost
acl localhost src 127.0.0.1/255.255.255.255
# Access control list to define IP addresses allowed for localhost as destination
acl to_localhost dst 127.0.0.0/8
# Access control list to define Safe ports that should be allowed by default
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# Allow cache management only from localhost
http_access allow manager localhost
# Deny cache management from remote hosts
http_access deny manager
# Deny http access via all the ports which are not listed as safe
http_access deny !Safe_ports
# Deny all connections via all ports which are not listed as safe
http_access deny CONNECT !SSL_ports
# Allow http access from localhost
http_access allow localhost
# Allow http access from machines on LAN
http_access allow lan_src
# Deny everything else. Squid uses the first matching http_access line, so any
# http_access rule placed after this one is never reached.
http_access deny all
http_reply_access allow all
icp_access allow all
# Deny caching for everyone so that nothing is cached at all
cache deny all
coredump_dir /var/spool/squid
# Never allow direct connection to machines on the internet
prefer_direct off
never_direct allow all
# Allow direct connection if the destination machine is on LAN
always_direct allow lan_dst
# Delete this line if you don't have /etc/hosts file
hosts_file /etc/hosts
# Allow AIM connections
# Delete the following 9 lines if you don't want people to connect to AIM
acl AIM_ports port 5190 9898 6667
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains
# Allow connections to Yahoo Messenger
# Delete the following 6 lines if you don't want people to connect to Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
# Allow connections to Google Talk
# Delete the following 6 lines if you don't want people to connect to Google Talk
acl GTALK_ports port 5222 5050
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains
# Allow connections to MSN
# Delete the following 6 lines if you don't want people to connect to MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts

Now, start the squid proxy server as

service squid start

Also, if you want squid to be started every time you boot the machine, execute the following command

chkconfig --level 345 squid on

You now have a squid proxy server running. You can ask clients to configure their browsers to use 192.168.36.204 as the proxy server with 8080 as the proxy port. Command line utilities like elinks, lynx, yum, wget etc. can be told to use the proxy by exporting the http_proxy variable as below. Users can also add these lines to their ~/.bashrc file to avoid exporting them every time.

export http_proxy='http://192.168.36.204:8080'
export ftp_proxy='http://192.168.36.204:8080'

I highly recommend the book “Squid: The Definitive Guide (Paperback)” for further reading.

45 comments

1 Venkateswararao June 11, 2008 at 2:12 PM

I would like to know whether this config is suitable for Fedora 6?
When I try to install Squid proxy I get an error. Please tell me, what are the steps to rectify this problem? I have 20 systems in the network. One is Fedora 6, all the others are Windows XP. How can I configure the Linux server?

2 kulbirsaini June 11, 2008 at 4:40 PM

This is a general configuration. I think it should work on any version of Fedora. If you are getting an error while installing squid proxy server, it's a separate problem. Either try asking in some forums or paste the complete error, so that we can suggest some solution.

If you want to change all your machines to Linux, then either you can go for Fedora itself or try out CentOS.

3 Kanisious August 16, 2008 at 7:39 PM

How do I configure my Fedora 6 proxy server to allow client machines (Windows XP) to ping outside IP addresses? Currently the machines can access the internet with no problem at all.

4 kulbirsaini August 17, 2008 at 5:13 AM

I think that can be and should be done via nameserver configuration. “named” may be of help.

5 fiesty_fawn August 28, 2008 at 1:18 PM

When I install squid on my system (I am using Fedora 8) I get the following error:
install -recursive error 1

6 kulbirsaini August 29, 2008 at 1:54 AM

Provide more information on how you are installing (from rpm or tarball). Also the console output (errors) you are getting.

7 Anurag Sharma November 6, 2008 at 12:43 AM

Can we run SQUID in such a way that it can have separate policies for two different LANs? Meaning two different networks having separate policies.

8 kulbirsaini November 6, 2008 at 8:02 AM

Yes, we can. Make two acls for the LANs. For example:

# Allow .com and .edu for Lan 1
acl lan_1 src 172.16.31.0/24
acl websites_for_lan1 dstdomain .com .edu
http_access allow lan_1 websites_for_lan1
http_access deny lan_1
# Allow .co.in and .ac.in for Lan 2
acl lan_2 src 172.16.32.0/24
acl websites_for_lan2 dstdomain .co.in .ac.in
http_access allow lan_2 websites_for_lan2
http_access deny lan_2

Extend the acl to gain more control over access.
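As an added illustration (not code from the post or from Squid itself), the Python script below models Squid's first-match evaluation of acl and http_access lines for the acl types used in the post, and runs it over a condensed copy of the post's own rules (PAGE_RULES) and the per-LAN snippet from comment 8 (LAN_RULES). It demonstrates two things worth checking before deploying such a file: an http_access allow placed after http_access deny all (the post's IM rules) is never reached, and a rule set with no final deny all (the comment 8 snippet used alone) admits any source that matches nothing, because Squid then applies the opposite of the last line's action. The request() helper, the condensed rule strings and all client addresses are constructed for this example.

```python
import ipaddress

# Added example (not code from the post): a first-match evaluator for the
# acl/http_access subset the post uses (src, dst, port, method, dstdomain).
# PAGE_RULES condenses the post's own rules in their original order; LAN_RULES
# is the per-LAN snippet from the author's reply in comment 8.
PAGE_RULES = """
acl all src 0.0.0.0/0.0.0.0
acl lan_src src 192.168.0.0/16
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan_src
http_access deny all
acl YIM_ports port 5050
acl YIM_hosts dstdomain scs.msg.yahoo.com
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
"""
LAN_RULES = """
acl lan_1 src 172.16.31.0/24
acl websites_for_lan1 dstdomain .com .edu
http_access allow lan_1 websites_for_lan1
http_access deny lan_1
acl lan_2 src 172.16.32.0/24
acl websites_for_lan2 dstdomain .co.in .ac.in
http_access allow lan_2 websites_for_lan2
http_access deny lan_2
"""

def parse(conf):
    """Return (acls, rules): acls maps name -> (type, values); rules keep file order."""
    acls, rules = {}, []
    for lineno, raw in enumerate(conf.strip().splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:               # acl NAME TYPE value...
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:     # http_access allow|deny [!]acl...
            rules.append((lineno, words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):                 # CIDR or dotted-netmask notation
        addr = ipaddress.ip_address(req["src" if kind == "src" else "dst_ip"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":                         # single port or lo-hi range
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req["method"].upper() in [v.upper() for v in values]
    if kind == "dstdomain":                    # ".x.com" = x.com and its subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in values)
    raise ValueError("acl type not modelled: " + kind)

def request(src, host, port, method="GET", dst_ip="0.0.0.0"):
    return {"src": src, "host": host, "port": port, "method": method, "dst_ip": dst_ip}

def http_access(conf, req):
    """First http_access line whose every term matches decides: (verdict, line number).
    If nothing matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for lineno, action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, lineno
    return ("deny" if rules[-1][1] == "allow" else "allow"), None
```

http_access(PAGE_RULES, request("10.0.0.5", "scs.msg.yahoo.com", 5050, "CONNECT")) returns ('deny', 9): the CONNECT is stopped by line 9, deny all, before the YIM rule on line 13 is ever consulted, while http_access(LAN_RULES, request("10.0.0.5", "example.org", 80)) returns ('allow', None) because no line matches and the last line is a deny.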

9 am3n November 11, 2008 at 7:42 PM

Thanks a lot bro, this squid configuration is pretty useful, especially the acls to allow/deny IM traffic..
Will put a backlink to your blog :D

10 kailash November 14, 2008 at 5:58 PM

Dear sir,
I want to configure an internet server through Fedora 9, so kindly give me step by step instructions on how to configure it.

thanks
regards
kailash kumar

11 am3n portfolio » Blog Archive » Proxy Server Using Squid November 14, 2008 at 9:50 PM

[...] How to configure squid proxy server using Fedora [...]

12 suryakant February 24, 2010 at 4:58 AM

How to configure a Red Hat Linux 5 squid proxy server.

13 Visitor November 17, 2008 at 5:08 PM

I configured squid proxy server in my LAN for clients to access the internet. Also I allowed only limited websites in that. I have a problem now, which is that some of the sublinks are not opened. What to do? Help me.
security systems

14 kulbirsaini November 17, 2008 at 5:57 PM

Please share more information as in what you have blocked and your configuration file. Also check the logs /var/log/squid/access.log for squid responses. Check /var/log/squid/cache.log for errors.

15 Anonymouse December 30, 2008 at 11:30 AM

Thank you

16 matsuramo January 7, 2009 at 10:03 AM

Hello… thanks for the article….
I have followed your configuration lines about allowing Yahoo Messenger
but I still can’t connect my YM on the client…
Please help me…

17 red January 16, 2009 at 1:23 PM

Can I set up multiple networks that can access the same proxy server? I want to set up a centralized proxy server where all the networks 192.168.2.x, 192.168.3.x and 192.168.4.x can use this proxy. Do I need to install multiple LAN cards or just a switch between those networks? Please help me….

Thanks :)

18 kulbirsaini January 19, 2009 at 5:52 PM

A switch is enough to route packets in the scenario you described :)

19 proxy February 10, 2009 at 6:56 AM

Thanks. I just needed to setup squid at my office – that was very helpful :)

20 Anonymouse February 13, 2009 at 5:10 AM

Hello,
I am from a school division and we have squid boxes running in each of our schools. We also use the proxies for logging. We have a firewall that does our content filtering, and it filters based on the IP address of the requesting host (the proxy server). Is it possible to set up a single squid server that has two IP addresses and have two instances of squid running (one for students and one for teachers)? What we want is the filtering for students and teachers to be different based on the IP address of the squid server. My problem is that if I have students pointing to proxy A (with IP 10.1.1.31) and teachers to proxy B (with IP 10.1.1.32) and proxy B isn’t being filtered on our firewall, the students can still get the unfiltered content from proxy B even though they are pointing to proxy A.

I have tried setting the http_port setting to:
Proxy A config file (with eth0 being 10.1.1.31):
http_port 10.1.1.31:8080

Proxy B config file (with eth1 being 10.1.1.32):
http_port 10.1.1.32:8081
I have tried some acl configs with http_access without any success.

Any suggestions?

Thanks!

21 kulbirsaini February 13, 2009 at 9:46 AM

Hi,

It depends on the location of the firewall. Is it between students/teachers and the proxy, or between the proxy and the internet? Because if it's between the proxy and the internet, the above configuration is not going to help at all since the outgoing IP address will be the same for both.

Anyways, one possible solution is that you create four aliases on your network interface. Two for incoming traffic and two for outgoing traffic and use iptables to masquerade the traffic such that

Teachers -> Interface Alias 1 -> squid -> Interface Alias 3 -> Firewall
Students -> Interface Alias 2 -> squid -> Interface Alias 4 -> Firewall

Since all these interfaces will have different IP addresses, I think there won’t be any issues.

Thank You!

22 Kamran February 14, 2009 at 7:10 PM

How to allow users through MAC addresses with the above configuration?

23 kulbirsaini February 14, 2009 at 10:19 PM

Kamran,

Squid supports acls for MAC addresses as

acl students arp MAC_ADDRESS

Consult the comments in squid.conf file itself.

Thank You!

24 Kamran March 22, 2009 at 12:32 PM

Thanks for your kind reply. I tried my best to recompile my running squid but it does not work. Can anybody help regarding how to recompile squid for arp?

25 rachit April 2, 2009 at 12:11 PM

I want to configure my LAN through Fedora 10 and want to send mails between local computers… I am a newbie, please provide in-depth help…

regards

rachit

26 justin May 8, 2009 at 8:20 AM

Hi,

Can I set up a proxy server on the same network? I have an Ubuntu server with two NIC cards.
eth0 = 192.168.4.3 (connected to firewall – sonicwall)
eth1 = 192.168.4.5 (connected to LAN Network)

I successfully installed squid and it is running. I can block websites when I place the proxy IP address in the browsers' (IE and Mozilla) proxy settings. From other blogs and forums I need to do this:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.4.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I set the client IP address to static and set the gateway to 192.168.4.3. It’s working but my settings to block the websites are not working.. All of the banned websites are now accessible? Did I miss something or is the config wrong?

Please help.

Thanks..

justin

27 keshav June 5, 2009 at 1:12 AM

Sir,
I have installed and configured squid proxy server on my RHEL 5 machine in my office. I wish to block some sites like yahoo, hotmail, orkut etc. I blocked these sites and it's working fine, but one problem occurs: some users use a site named opscentral; it works with the help of our domain. Our IP range is 192.168.6.0/23, 7.0/23. I blocked only the above sites and allowed the IP range of 7.0. When the users try to access the opscentral website the first stage is working, then it shows some error
“permission denied”. Please help me, and I hope you understand my problem.

28 Mr.K~ July 8, 2009 at 8:11 PM

I want to monitor all the IM traffic (instant messenger traffic).
How can I configure the squid.conf file?

I want to know the traffic and time of usage as a report. How can I get it?

No need to block anything. All open.

Thanks
Mr.K~

29 Kate July 12, 2009 at 10:39 PM

Mr. K,

OK. I have to know, why do you want to monitor only the IM traffic? Are you trying to catch people goofing off at work, or is this an over-usage issue?

30 How to increase the performance of PC | TechnoDesi July 15, 2009 at 9:17 PM

[...] here . If you are using a Linux machine you can use squid for the same. To configure it you can go here [...]

31 HTaZ July 16, 2009 at 10:04 PM

Hi
I am using the internet with a proxy, and I run a new proxy for my local network. I need to use my new proxy; how to block the internet proxy for my local network?
Thanks!

32 k July 14, 2009 at 10:48 PM

Really the reason was an over-usage matter. Before I go forward I need a report.

If I inform the users they won't accept; just a report. I don't even care about the content of the chatting, just the time duration of using the IMs.

This is what I need to know.

Thanks
Mr.K~

33 Rajesh Kumar chaturvedi August 1, 2009 at 3:37 PM

I am using squid proxy which is working fine but sometimes it gives the following error for any site like yahoo.com, gmail.com etc. How to resolve this problem? Can anybody suggest?

The requested URL could not be retrieved

——————————————————————————–

While trying to retrieve the URL: http://www.labtestproject.com/linux_configuration.html

The following error was encountered:

Unable to determine IP address from host name for www.labtestproject.com
The dnsserver returned:

No DNS records
This means that:

The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.

Your cache administrator is root.

——————————————————————————–
Generated Sat, 01 Aug 2009 09:36:29 GMT by linuxproxy (Squid/2.4.STABLE7)

35 Kulbir Saini August 4, 2009 at 3:11 AM

Rajesh,

That's probably something wrong with your nameserver. Check with your admins.

Thank You!

36 Lynn August 5, 2009 at 12:52 AM

If we had Windows XP/Vista clients accessing Internet via this proxy, will the source IPs and user ids be masked (anonymous)?

37 Kulbir Saini August 5, 2009 at 12:57 AM

Lynn,

I think you are looking for not forwarding your clients' IP over the internet. Check the details of the forwarded_for directive in your squid.conf file. Get back in case you have more doubts :)

38 felixalvador September 26, 2009 at 5:27 AM

Great howto pal!

It's so useful even though I found it right after I installed and configured squid on my LAN.
But I’m still facing some problems with my transparent squid on Fedora 8.
My squid server is 192.168.1.10 at eth0 (just one NIC), which is the default gateway for my other LAN hosts.

My iptables rules are as follows:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

Almost everything is going fine after the configuration: web search… but I just can’t access some webmail sites such as GMail, Yahoo mail, MSN Hotmail…. IE 7.0 gives me a blank page or a connection error.
As far as I know, those services are supposed to use port 443, right?

And one more thing… how do I get Win XP clients connected to MSN Messenger now that their gateway is the proxy?
(It doesn’t work either)

I will really appreciate your support, man.
Thanks so much in advance!!
Blessings for you and your family.

39 spaceboy October 30, 2009 at 1:06 PM

Hi,
I want to know how to configure network load balancing in squid proxy server with multiple ISP connections. I have two ISP connections, one is ADSL and one is WiMAX. Here are the IP configurations of the two ISP connections:

ADSL connection
IP is dynamic
Bandwidth is 512 Kbps

WiMAX connection
IP is dynamic
Bandwidth is 512 Kbps

My network configuration is like this:

One PC with Fedora 9 and squid proxy
One ethernet card for the ADSL connection
One ethernet card for the WiMAX connection
One ethernet card for the local network

I want to load-share these two ADSL and WiMAX connections so that if one connection fails, the other connection will serve all the clients for high availability.

If anyone knows how to combine multiple uplinks in squid proxy server,
please kindly let me know how to configure it. I will be waiting for all of your answers.

40 Vikram November 3, 2009 at 8:28 PM

I have a network with a broadband connection with a dynamic IP address (external IP address provided by the ISP). How do I configure the squid proxy, as the ISP IP address changes every time we login? Please click on the following link to view our network diagram: http://www.dotweb.in/share-both.jpg

What should be the appropriate IPTABLES commands to enable squid?

41 matt November 16, 2009 at 7:37 PM

Hi Kulbir,

What is the configuration to allow an external IP address to run through a squid server like this, thus helping it look like that user is in the same country as the squid server?

Thanks, Matthew

42 Ram December 9, 2009 at 7:38 PM

Hi Kulbir Saini,

Thank you for your nice article. I have used this setup and all is working fine except Yahoo Messenger webcam and voice. Could you please advise how I can proceed, as I need this setup to be enabled in our environment.

Regards,
Ram

43 Anthony December 15, 2009 at 8:02 PM

Guys,

If you look above, he has not replied for many, many months :(

I had some issues setting it up the first time but after a bit more reading on Google you can answer your own questions pretty easily – well, everything is easy; it might take a few hours but you learn so much more instead of someone doing it for you :)

Ant

44 chathura December 16, 2009 at 8:37 PM

I configured squid & it is working fine. But we are using pop.gmail.com & smtp.gmail.com via 995 and 465 respectively. After we configured squid we cannot send/receive emails. Please help.

45 Pankaj Garg December 20, 2009 at 10:51 AM

Hello,
I want to allow squid proxy clients to access a VNC server at a remote location over the Internet.
Can anyone tell me how I can do this?
Is there any way to allow VNC traffic through squid proxy server?
Thanks in advance.

Regards,
Pankaj Garg