
SQUID Proxy Server on Linux RHEL/CentOS – by Nyasha Charumbira

 


When setting up your proxy server, you need to know the following items:

/etc/sysconfig/squid   : Startup options for the squid service (read by the init script).
/etc/squid/squid.conf  : Main config file for the service.
/var/spool/squid       : Cache location on the proxy server.
/var/log/squid         : Log files for the proxy server (access.log and cache.log).


Let's look at some of the main configuration options:

http_port         : Specifies the port to listen on (3128 by default).
visible_hostname  : Identifies the name of the squid server (shown in its error pages).
access_log        : Keeps track of the web pages that are downloaded (one line per client request).
acl               : Defines an access control list, a named set of clients, destinations or other request attributes.
http_access       : Defines which systems or networks have access, by allowing or denying the named ACLs in order.

Installing & Configuring the Squid Proxy Server:

Step 1: Install the package with the following command

       # yum install squid -y

Step 2: Verify that the package is installed

      # rpm -qa | grep squid

Step 3: Start the squid proxy

      # service squid start

Step 4: Enable squid to start at boot

     # chkconfig squid on

Step 5: Verify the service will start at boot

     # chkconfig squid --list

Web Proxy Security:

Squid uses host-based security through the use of access control lists. These ACLs are configured in the main config file, "/etc/squid/squid.conf". In the config file you define an ACL for your own network (the default config calls it "localnet"), allow it, and deny all other networks access to the proxy; a proxy that allows everyone is an open proxy and will be abused within hours. http_access rules are evaluated top to bottom and the first match wins, so the deny rules in the examples below must be placed above the existing "http_access allow localnet" line, otherwise they never fire. After every change to squid.conf, run "squid -k parse" to check the syntax and "service squid reload" to apply it.

1). Configure SQUID to Block Specific Websites:

Add the rules below to the squid configuration file to block specific websites. In this example we block www.facebook.com and www.youtube.com. A dstdomain ACL matches on the hostname of the request only, so the domain is written without "http://"; a leading dot matches the domain and all of its subdomains. Place these lines above the "http_access allow localnet" line.

# vim  /etc/squid/squid.conf

         acl blocksite1 dstdomain .facebook.com
         acl blocksite2 dstdomain .youtube.com
         http_access deny blocksite1
         http_access deny blocksite2


2). Block multiple domains with a single file:

If you have a number of websites, create a file "/etc/squid/blocksites.txt" and put one domain per line in this file (again without "http://").

# vim /etc/squid/blocksites.txt

         .herald.com
         .iharare.com
         .yahoo.com
         .gmail.com
         ————-
         ————-
         .amazon.com

:wq (save & quit)

Add the file to the squid configuration file to block the listed domains:

# vim   /etc/squid/squid.conf

       acl  blocksites  dstdomain "/etc/squid/blocksites.txt"
       http_access deny blocksites


Client side configuration:

Open a web browser > Tools > Internet Options > Network settings and enter the Squid server's IP address and port 3128 (the default http_port).

3). Configure Squid to Block Specific Keywords

Add the rules below to the squid configuration file to block URLs containing specific keywords. In this example we block the "mail" and "tube" keywords. url_regex matches anywhere in the full URL and is case-sensitive unless given the -i option, so a pattern like "mail" also blocks hotmail.com, mail.yahoo.com and any page with "mail" in its path; keep keyword lists short and specific.

# vim  /etc/squid/squid.conf

         acl blockkey1 url_regex -i mail
         acl blockkey2 url_regex -i tube
         http_access deny blockkey1
         http_access deny blockkey2


4). Configure Squid to Block a List of Keywords

If you have a number of keywords, create a file "/etc/squid/blockkeywords.txt" and put one keyword (a regular expression) per line in this file.

# vim /etc/squid/blockkeywords.txt

           Gmail
           Tube
           Facebook
           Social
           Media

:wq (save & quit)

Add the file to the squid configuration file to block the listed keywords. The ACL type must be url_regex, not dstdomain (a dstdomain ACL would try to match "Gmail" as a hostname and never fire), and -i makes the match case-insensitive so that "Gmail" also matches "gmail".

# vim  /etc/squid/squid.conf

acl  blockkeywords  url_regex -i "/etc/squid/blockkeywords.txt"
http_access deny blockkeywords
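As an added example (this is not code from the original post), here is a small POSIX shell script that turns list files like the ones in examples 2 and 4 into ACLs Squid will actually honour: it strips the "http://" prefixes that a dstdomain ACL cannot match, emits the keyword ACL as url_regex -i, and checks that the deny rules land above "http_access allow localnet". The file names are the post's; the 192.168.1.0/24 LAN range and the temp-dir copies of the lists are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. The post's block lists use
# entries such as "http://www.facebook.com", but a dstdomain ACL compares only
# the hostname of the request, so that entry never matches anything. This
# script rewrites such a list into dstdomain form, emits the matching ACL lines
# (keywords as a case-insensitive url_regex), and checks that the deny rules
# sit above "http_access allow localnet", since Squid evaluates http_access
# rules top to bottom and stops at the first match. The file names are the
# post's; the demo at the bottom works on constructed copies in a temp dir.

# "http://www.Facebook.com:80/path?q=1" -> ".facebook.com" (domain and all subdomains)
normalize_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=${d#*://}        # drop the scheme
    d=${d%%[/?]*}      # drop path or query string
    d=${d%%:*}         # drop a port
    d=${d#www.}        # the leading dot below already covers www.
    d=${d#.}           # do not produce a double dot
    printf '.%s\n' "$d"
}

# One entry per line; blank lines and "#" comments are ignored; output is sorted and unique.
normalize_domain_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        case $line in ''|\#*) continue ;; esac
        normalize_domain "$line"
    done < "$1" | sort -u
}

# ACL lines for squid.conf: $1 = cleaned domain list, $2 = keyword list.
# url_regex -i because the post's keyword file mixes case ("Gmail", "Tube").
render_block_acls() {
    cat <<EOF
acl blocksites dstdomain "$1"
acl blockkeywords url_regex -i "$2"
http_access deny blocksites
http_access deny blockkeywords
EOF
}

# Succeeds only if the first "http_access deny ... <name>" in $1 appears before the
# first "http_access allow localnet" line (or there is no such allow line at all).
deny_precedes_allow() {
    awk -v name="$2" '
        $1 == "http_access" && $2 == "deny" && !deny {
            for (i = 3; i <= NF; i++) if ($i == name) deny = NR
        }
        $1 == "http_access" && $2 == "allow" && $3 == "localnet" && !allow { allow = NR }
        END { if (!deny || (allow && deny > allow)) exit 1 }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d)
    # constructed stand-ins for the post's list files, deliberately in the URL form it used
    printf '%s\n' 'http://www.herald.com' 'http://www.iharare.com' \
        'https://www.Yahoo.com/mail' 'http://www.amazon.com:80' > "$tmp/blocksites.txt"
    printf '%s\n' 'Gmail' 'Tube' 'Facebook' > "$tmp/blockkeywords.txt"
    normalize_domain_file "$tmp/blocksites.txt" > "$tmp/blocksites.clean"
    {
        printf 'acl localnet src 192.168.1.0/24\n'   # assumed LAN range, adjust to yours
        render_block_acls "$tmp/blocksites.clean" "$tmp/blockkeywords.txt"
        printf 'http_access allow localnet\nhttp_access deny all\n'
    } > "$tmp/squid.conf.fragment"
    deny_precedes_allow "$tmp/squid.conf.fragment" blocksites ||
        echo 'WARNING: deny rules would sit after "http_access allow localnet"' >&2
    cat "$tmp/blocksites.clean" "$tmp/squid.conf.fragment"
    rm -rf "$tmp"
}

demo
```

Splice the printed fragment into /etc/squid/squid.conf above the existing "http_access allow localnet" line, then run "squid -k parse" and "service squid reload"; the order check is there because a deny rule placed after the allow is silently dead.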
                                  

Configuring Squid for MAC address based access control

Squid's "arp" ACL type matches on the client's Ethernet (MAC) address. Two caveats before relying on it: Squid must have been built with this ACL type (check the output of "squid -v" for --enable-arp-acl on Squid 3.1, or --enable-eui on 3.2 and later), and Squid can only see the MAC of IPv4 clients on the same subnet as the proxy, because it reads it from the proxy's own ARP table; for clients behind a router the ACL never matches. A client can also change its MAC address at will, so treat these rules as a convenience, not as authentication.

5). Block a single site for a single MAC address

In this example we block the www.youtube.com site for the system with MAC address EC:A8:6B:F6:66:68.

ACL Rule:

       acl blocksite1 dstdomain .youtube.com
       acl sysmac1 arp EC:A8:6B:F6:66:68
       http_access deny blocksite1 sysmac1


6). Block all sites for a single MAC address

In this example we block all sites for the system with MAC address EC:A8:6B:F6:66:68.

ACL Rule:

       acl sysmac1 arp EC:A8:6B:F6:66:68
       http_access deny sysmac1


7). Block a single site for multiple MAC addresses

In this example we block the www.bsrtech.net site for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on. Create a file "/etc/squid/mac-addrs.txt" and put one MAC address per line in this file. Note that the values below are placeholders: Squid only accepts six colon-separated hex octets (AT, CT and SG are not hex), so replace them with your clients' real addresses before reloading.

# vim  /etc/squid/mac-addrs.txt

        EC:A8:6B:F6:66:68
        AT:B8:6D:F6:46:35
        —————–
        —————–
        CT:B8:6D:F6:46:48
        SG:B8:6D:F6:46:21

ACL Rule:

      acl blocksite1 dstdomain .bsrtech.net
      acl sysmacs arp "/etc/squid/mac-addrs.txt"
      http_access deny blocksite1 sysmacs


8). Block all sites for multiple MAC addresses

In this example we block all websites for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on, using the same "/etc/squid/mac-addrs.txt" file created in example 7.

ACL Rule:

       acl sysmacs arp "/etc/squid/mac-addrs.txt"
       http_access deny sysmacs


9). Allow a specific site for a single MAC address

In this example we allow the www.bsrtech.net site for the system with MAC address EC:A8:6B:F6:66:68 and deny it every other site. The allow rule must come before the deny rule, and both must sit above the general "http_access allow localnet" line, otherwise the system keeps full access.

ACL Rule :

      acl allowsite1 dstdomain .bsrtech.net
      acl sysmac1 arp EC:A8:6B:F6:66:68
      http_access allow allowsite1 sysmac1
      http_access deny sysmac1


10). Allow multiple sites for a single MAC address

In this example we allow multiple sites for the system with MAC address EC:A8:6B:F6:66:68 and deny it every other site. Create a file "/etc/squid/allowsites.txt" and put one domain per line in this file (without "http://").

# vim /etc/squid/allowsites.txt

         .google.com
         .rediff.com
         .yahoo.com
         .gmail.com
         ————-
         ————-
         .amazon.com

:wq (save & quit)

ACL Rule :

      acl allowsites dstdomain "/etc/squid/allowsites.txt"
      acl sysmac1 arp EC:A8:6B:F6:66:68
      http_access allow allowsites sysmac1
      http_access deny sysmac1


11). Allow a specific site for multiple MAC addresses

In this example we allow the www.bsrtech.net website for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on, and deny them every other site, using the "/etc/squid/mac-addrs.txt" file created in example 7.

ACL Rule:

       acl allowsite1 dstdomain .bsrtech.net
       acl sysmacs arp "/etc/squid/mac-addrs.txt"
       http_access allow allowsite1 sysmacs
       http_access deny sysmacs


12). Allow multiple sites for multiple MAC addresses

In this example we allow multiple websites for the systems with MAC addresses EC:A8:6B:F6:66:68, AT:B8:6D:F6:46:35 and so on, and deny them every other site. This combines the "/etc/squid/allowsites.txt" file from example 10 with the "/etc/squid/mac-addrs.txt" file from example 7.

ACL Rule:

      acl allowsites dstdomain "/etc/squid/allowsites.txt"
      acl sysmacs arp "/etc/squid/mac-addrs.txt"
      http_access allow allowsites sysmacs
      http_access deny sysmacs
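As an added example (not code from the original post), the POSIX shell script below checks a MAC list file before squid.conf is pointed at it with an arp ACL, as in examples 7 to 12. It rejects entries that are not six colon-separated hex octets, which is what the post's placeholder values such as AT:B8:6D:F6:46:35 would trip over, and installs a cleaned copy only when every entry passed. The file name /etc/squid/mac-addrs.txt is the post's; the sample list in the demo is constructed from the post's values.

```shell
#!/bin/sh
# Added example, not code from the original post. Before pointing an "arp" ACL
# at /etc/squid/mac-addrs.txt (the post's file name), check that every entry is
# a MAC Squid can parse: six colon-separated hex octets. The post's sample list
# contains values such as AT:B8:6D:F6:46:35 (T, S and G are not hex digits);
# Squid rejects those, so catch them before a reload. Test data is constructed.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print "<line number>: <value>" for every entry that is not a valid MAC.
bad_mac_lines() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # the post's file had trailing blanks
        case $line in ''|\#*) continue ;; esac
        valid_mac "$line" || printf '%d: %s\n' "$n" "$line"
    done < "$1"
}

# Print the valid entries, upper-cased and de-duplicated, ready for Squid.
clean_mac_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        case $line in ''|\#*) continue ;; esac
        valid_mac "$line" && printf '%s\n' "$line" | tr 'a-f' 'A-F'
    done < "$1" | sort -u
}

# Write a cleaned list to $2 only when nothing in $1 had to be rejected.
install_mac_list() {
    bad=$(bad_mac_lines "$1")
    if [ -n "$bad" ]; then
        printf 'refusing to install %s, invalid entries:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    clean_mac_file "$1" > "$2"
}

demo() {
    tmp=$(mktemp -d)
    # constructed stand-in for the post's mac-addrs.txt, using its sample values
    printf '%s\n' 'EC:A8:6B:F6:66:68 ' 'AT:B8:6D:F6:46:35' 'ec:a8:6b:f6:66:68' \
        'CT:B8:6D:F6:46:48' 'SG:B8:6D:F6:46:21' > "$tmp/mac-addrs.txt"
    install_mac_list "$tmp/mac-addrs.txt" "$tmp/mac-addrs.clean" ||
        echo 'fix the list and re-run; squid.conf was not touched' >&2
    rm -rf "$tmp"
}

demo
```

Run it against the real file as "install_mac_list /etc/squid/mac-addrs.txt /etc/squid/mac-addrs.clean" and point the arp ACL at the cleaned copy; then "squid -k parse" and "service squid reload" as usual. Remember that the arp ACL only ever matches clients on the proxy's own subnet, so a list full of valid addresses still does nothing for hosts behind a router.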
