In this guide, we are going to learn how to install and configure Squid proxy on Rocky Linux 8.<\/p>\n\n\n\n
Squid<\/a> is a full-featured web proxy cache server application which provides proxy and cache services for HTTP, FTP, SSL requests and DNS lookups. It also performs transparent caching that reduces bandwidth and improves response time by caching and reusing frequently requested web pages.<\/p>\n\n\n\n Update your system package cache:<\/p>\n\n\n\n Squid proxy is available on the default Rocky Linux 8 repositories and can be installed by running the command;<\/p>\n\n\n\n Once the installation is done, start and enable Squid to run on system boot.<\/p>\n\n\n\n It ships with recommended minimum configuration settings.<\/p>\n\n\n\n Below is the content of this file, with comment lines removed;<\/p>\n\n\n\n Before you can begin to customize the Squid configuration to suite your needs, create the configuration file backup.<\/p>\n\n\n\n Create an Access Control List to define your local networks that should use Squid as the proxy.<\/p>\n\n\n\n Each ACL consists of a name, type and value and is defined using the For example, to configure hosts in the network 192.168.60.0\/24 to use Squid as the proxy server, you would use an ACL like;<\/p>\n\n\n\n Replace your networks accordingly<\/strong>.<\/p>\n\n\n\n This creates an ACL called After defining an ACL, you need to add a line that references the defined ACL to allow or deny access to a function of the cache.<\/p>\n\n\n\n For example, use Squid reads the configuration from top to bottom and hence the order of configuration options is important.<\/p>\n\n\n\n You can comment the existing Network ACLS by adding hash (#) at the beginning of these lines and add your custom ACLs<\/p>\n\n\n\n Squid proxy can be used to restrict access to specific websites. For example to block access to youtube, facebook, netflix you would have to create a file that defines the domains of these websites as shown below;<\/p>\n\n\n\n After that, created an ACL for the restricted sites above in the squid configuration file and set the deny<\/strong> rule for the defined ACL.<\/p>\n\n\n\n Instead of using a file to define sites to block, you can put the domains in the squid.conf file space separated on an ACL statement.<\/p>\n\n\n\n You can also restrict access to a website by the use of a keyword. Create a file with specific keywords as shown below;<\/p>\n\n\n\n Make the necessary changes on squid configuration file.<\/p>\n\n\n\n Comment the line below, since we have commented the localnet networks ACLs.<\/p>\n\n\n\n Also comment the access rule for localnet.<\/p>\n\n\n\n To prevent proxy servers from a possibility of exposing your IP addresses on the outgoing HTTP requests, include the following directives at the end of your squid configuration file.<\/p>\n\n\n\n Squid proxy listens on For example, to change the default port to 8888, as long as no other application is listening on the same port;<\/p>\n\n\n\n You can also set it to listen on a specific IP (Replace the IP address accordingly<\/strong>)<\/p>\n\n\n\n In general, this is how our configuration looks like;<\/p>\n\n\n\n Verify the Squid configuration for any errors;<\/p>\n\n\n\n Reconfigure Squid either by running the command below;<\/p>\n\n\n\n or by restarting its service.<\/p>\n\n\n\n Check that Squid is listening on the new port;<\/p>\n\n\n\n If firewall is enabled, allow the To configure client to connect to the Squid proxy server, you can either set system wide proxy configurations, configure client to use the Squid proxy as the gateway or set the proxy settings on the browser.<\/p>\n\n\n\n To set system wide proxy configurations, create a configuration file under Replace the IP address of the Squid server accordingly.<\/p>\n\n\n\n After that, source the new configuration file.<\/p>\n\n\n\n To test this, try to download anything from the clients terminal while tailing access logs on squid proxy server.<\/p>\n\n\n\n On the client\u2019s terminal, run;<\/p>\n\n\n\n On the Squid proxy server;<\/p>\n\n\n\n Try to access blocked sites;<\/p>\n\n\n\n You can as well set your Squid server as the default gateway.<\/p>\n\n\n\n On your Firefox, configure it to connect t external network via your Squid server.\u00a0Preferences<\/strong>\u00a0>\u00a0Genera<\/strong>l >\u00a0Network Settings > Manual Proxy Configuration<\/strong>. Check\u00a0Use this proxy server for all protocols.<\/strong><\/p>\n\n\n\n Read more on Squid wiki<\/a>.<\/p>\n\n\n\n Install and Setup Squid Proxy on Debian 11\/Debian 10<\/a><\/p>\n\n\n\n Configure Squid Proxy OpenLDAP Authentication on pfSense<\/a><\/p>\n\n\n\nInstalling Squid Proxy on Rocky Linux 8<\/h2>\n\n\n\n
Run system update<\/h3>\n\n\n\n
dnf update<\/code><\/pre>\n\n\n\nInstall Squid Proxy on Rocky Linux 8<\/h3>\n\n\n\n
dnf install squid<\/code><\/pre>\n\n\n\nDependencies resolved.\n============================================================================================================================================================================\n Package Architecture Version Repository Size\n============================================================================================================================================================================\nInstalling:\n squid x86_64 7:4.11-4.module+el8.4.0+404+316a0dc5.2 appstream 3.6 M\nInstalling dependencies:\n libecap x86_64 1.0.1-2.module+el8.4.0+404+316a0dc5 appstream 28 k\n perl-DBI x86_64 1.641-3.module+el8.4.0+509+59a8d9b3 appstream 739 k\n perl-Digest-SHA x86_64 1:6.02-1.el8 appstream 65 k\n perl-Math-BigInt noarch 1:1.9998.11-7.el8 baseos 194 k\n perl-Math-Complex noarch 1.59-419.el8_4.1 baseos 108 k\nEnabling module streams:\n perl-DBI 1.641 \n squid 4 \n\nTransaction Summary\n============================================================================================================================================================================\nInstall 6 Packages\n\nTotal download size: 4.7 M\nInstalled size: 14 M\nIs this ok [y\/N]: y\n<\/code><\/pre>\n\n\n\nRunning Squid on Rocky Linux 8<\/h3>\n\n\n\n
systemctl enable --now squid<\/code><\/pre>\n\n\n\nConfiguring Squid Proxy on Rocky Linux 8<\/h3>\n\n\n\n
\/etc\/squid\/squid.conf<\/code> is the default Squid Proxy configuration file.<\/p>\n\n\n\ngrep -vE \"^#|^$\" \/etc\/squid\/squid.conf<\/code><\/pre>\n\n\n\nacl localnet src 0.0.0.1-0.255.255.255\t# RFC 1122 \"this\" network (LAN)\nacl localnet src 10.0.0.0\/8\t\t# RFC 1918 local private network (LAN)\nacl localnet src 100.64.0.0\/10\t\t# RFC 6598 shared address space (CGN)\nacl localnet src 169.254.0.0\/16 \t# RFC 3927 link-local (directly plugged) machines\nacl localnet src 172.16.0.0\/12\t\t# RFC 1918 local private network (LAN)\nacl localnet src 192.168.0.0\/16\t\t# RFC 1918 local private network (LAN)\nacl localnet src fc00::\/7 \t# RFC 4193 local private network range\nacl localnet src fe80::\/10 \t# RFC 4291 link-local (directly plugged) machines\nacl SSL_ports port 443\nacl Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t# wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port 280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port 591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method CONNECT\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access allow localhost manager\nhttp_access deny manager\nhttp_access allow localnet\nhttp_access allow localhost\nhttp_access deny all\nhttp_port 3128\ncoredump_dir \/var\/spool\/squid\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0\t0%\t0\nrefresh_pattern .\t\t0\t20%\t4320\n<\/code><\/pre>\n\n\n\ncp \/etc\/squid\/squid.conf{,.bak}<\/code><\/pre>\n\n\n\nConfigure Squid Access Policies<\/h3>\n\n\n\n
acl<\/code><\/strong> option.<\/p>\n\n\n\nacl mylocalnet src 192.168.60.0\/24<\/code><\/pre>\n\n\n\nmylocalnet<\/code> which specifies the hosts on the specified network.<\/p>\n\n\n\nhttp_access<\/code><\/strong> to allow or deny web browsers access to the web-cache;<\/p>\n\n\n\nhttp_access allow mylocalnet<\/code><\/pre>\n\n\n\n...\n### Adding Custom ACL #######\nacl mylocalnet src 192.168.60.0\/24\nhttp_access allow mylocalnet<\/strong>\n#\n#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 \"this\" network (LAN)\n#acl localnet src 10.0.0.0\/8 # RFC 1918 local private network (LAN)\n#acl localnet src 100.64.0.0\/10 # RFC 6598 shared address space (CGN)\n#acl localnet src 169.254.0.0\/16 # RFC 3927 link-local (directly plugged) machines\n#acl localnet src 172.16.0.0\/12 # RFC 1918 local private network (LAN)\n#acl localnet src 192.168.0.0\/16 # RFC 1918 local private network (LAN)\n#acl localnet src fc00::\/7 # RFC 4193 local private network range\n#acl localnet src fe80::\/10 # RFC 4291 link-local (directly plugged) machines\n...\n<\/code><\/pre>\n\n\n\nBlocking Specific Websites<\/h3>\n\n\n\n
vim \/etc\/squid\/restricted-sites.squid<\/code><\/pre>\n\n\n\n.youtube.com\n.facebook.com\n.netflix.com<\/code><\/pre>\n\n\n\n...\n### Adding Custom ACL #######\nacl mylocalnet src 192.168.60.0\/24\n<\/strong>\n## Adding Sites to Block access to ###\nacl blockedsites dstdomain \"\/etc\/squid\/restricted-sites.squid\"<\/strong>\n\nhttp_access deny blockedsites\n<\/strong>http_access allow mylocalnet\n...<\/strong><\/code><\/pre>\n\n\n\nacl blockedsites dstdomain youtube.com facebook.com netflix.com<\/strong><\/code><\/pre>\n\n\n\nBlock Sites based on Specific Keywords<\/h3>\n\n\n\n
vim \/etc\/squid\/banned-keywords.squid<\/code><\/pre>\n\n\n\nporn\nads\nmovie\ngamble<\/code><\/pre>\n\n\n\n...\n<\/strong>### Adding Custom ACL #######\nacl mylocalnet src 192.168.100.0\/24\n\n## Adding Sites to Block access to ###\nacl blockedsites dstdomain \"\/etc\/squid\/restricted-sites.squid\"\nacl keyword-ban url_regex \"\/etc\/squid\/keyword-ban.squid\"\n\n<\/strong>http_access deny blockedsites\nhttp_access deny keyword-ban\n<\/strong>http_access allow mylocalnet <\/strong>\n...<\/code><\/pre>\n\n\n\n#http_access allow localnet<\/code><\/pre>\n\n\n\nMasking Outgoing Traffic<\/h3>\n\n\n\n
...\nrefresh_pattern ^ftp: 1440 20% 10080\nrefresh_pattern ^gopher: 1440 0% 1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0 0% 0\nrefresh_pattern . 0 20% 4320\n# Anonymize Traffic\nvia off\nforwarded_for off\n\nrequest_header_access From deny all\nrequest_header_access Server deny all\nrequest_header_access WWW-Authenticate deny all\nrequest_header_access Link deny all\nrequest_header_access Cache-Control deny all\nrequest_header_access Proxy-Connection deny all\nrequest_header_access X-Cache deny all\nrequest_header_access X-Cache-Lookup deny all\nrequest_header_access Via deny all\nrequest_header_access X-Forwarded-For deny all\nrequest_header_access Pragma deny all\nrequest_header_access Keep-Alive deny all<\/strong>\n<\/code><\/pre>\n\n\n\nChange Squid Default Port<\/h3>\n\n\n\n
TCP port 3128<\/code> by default. If you want to change this port, you would simply open the \/etc\/squid\/squid.conf<\/code> configuration file and replace the value of the http_port<\/code> with your desired port number.<\/p>\n\n\n\n...\n# Squid normally listens to port 3128\n# http_port 3128 << Comment the line by adding #<\/strong>\nhttp_port 8888<\/strong>\n...<\/code><\/pre>\n\n\n\nhttp_port 192.168.60.19.50:8888<\/strong><\/code><\/pre>\n\n\n\ngrep -vE \"^#|^$\" \/etc\/squid\/squid.conf<\/code><\/pre>\n\n\n\nacl mylocalnet src 192.168.60.0\/24\nacl blockedsites dstdomain \"\/etc\/squid\/restricted-sites.squid\"\nhttp_access deny blockedsites\nhttp_access allow mylocalnet\nacl SSL_ports port 443\nacl Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t# wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port 280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port 591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method CONNECT\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access allow localhost manager\nhttp_access deny manager\nhttp_access allow localhost\nhttp_access deny all\nhttp_port 8888\ncoredump_dir \/var\/spool\/squid\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0\t0%\t0\nrefresh_pattern .\t\t0\t20%\t4320\nvia off\nforwarded_for off\nrequest_header_access From deny all\nrequest_header_access Server deny all\nrequest_header_access WWW-Authenticate deny all\nrequest_header_access Link deny all\nrequest_header_access Cache-Control deny all\nrequest_header_access Proxy-Connection deny all\nrequest_header_access X-Cache deny all\nrequest_header_access X-Cache-Lookup deny all\nrequest_header_access Via deny all\nrequest_header_access X-Forwarded-For deny all\nrequest_header_access Pragma deny all\nrequest_header_access Keep-Alive deny all\n<\/code><\/pre>\n\n\n\nsquid -k parse<\/code><\/pre>\n\n\n\n2021\/10\/20 13:42:46| Startup: Initializing Authentication Schemes ...\n2021\/10\/20 13:42:46| Startup: Initialized Authentication Scheme 'basic'\n2021\/10\/20 13:42:46| Startup: Initialized Authentication Scheme 'digest'\n2021\/10\/20 13:42:46| Startup: Initialized Authentication Scheme 'negotiate'\n2021\/10\/20 13:42:46| Startup: Initialized Authentication Scheme 'ntlm'\n2021\/10\/20 13:42:46| Startup: Initialized Authentication.\n2021\/10\/20 13:42:46| Processing Configuration File: \/etc\/squid\/squid.conf (depth 0)\n2021\/10\/20 13:42:46| Processing: acl mylocalnet src 192.168.58.0\/24\n2021\/10\/20 13:42:46| Processing: acl blockedsites dstdomain \"\/etc\/squid\/restricted-sites.squid\"\n2021\/10\/20 13:42:46| Processing: http_access deny blockedsites\n2021\/10\/20 13:42:46| Processing: http_access allow mylocalnet\n2021\/10\/20 13:42:46| Processing: acl SSL_ports port 443\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 80\t\t# http\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 21\t\t# ftp\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 443\t\t# https\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 70\t\t# gopher\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 210\t\t# wais\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 1025-65535\t# unregistered ports\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 280\t\t# http-mgmt\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 488\t\t# gss-http\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 591\t\t# filemaker\n2021\/10\/20 13:42:46| Processing: acl Safe_ports port 777\t\t# multiling http\n2021\/10\/20 13:42:46| Processing: acl CONNECT method CONNECT\n2021\/10\/20 13:42:46| Processing: http_access deny !Safe_ports\n2021\/10\/20 13:42:46| Processing: http_access deny CONNECT !SSL_ports\n2021\/10\/20 13:42:46| Processing: http_access allow localhost manager\n2021\/10\/20 13:42:46| Processing: http_access deny manager\n2021\/10\/20 13:42:46| Processing: http_access allow localhost\n2021\/10\/20 13:42:46| Processing: http_access deny all\n2021\/10\/20 13:42:46| Processing: http_port 8888\n2021\/10\/20 13:42:46| Processing: coredump_dir \/var\/spool\/squid\n2021\/10\/20 13:42:46| Processing: refresh_pattern ^ftp:\t\t1440\t20%\t10080\n2021\/10\/20 13:42:46| Processing: refresh_pattern ^gopher:\t1440\t0%\t1440\n2021\/10\/20 13:42:46| Processing: refresh_pattern -i (\/cgi-bin\/|\\?) 0\t0%\t0\n2021\/10\/20 13:42:46| Processing: refresh_pattern .\t\t0\t20%\t4320\n2021\/10\/20 13:42:46| Processing: via off\n2021\/10\/20 13:42:46| Processing: forwarded_for off\n2021\/10\/20 13:42:46| Processing: request_header_access From deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Server deny all\n2021\/10\/20 13:42:46| Processing: request_header_access WWW-Authenticate deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Link deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Cache-Control deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Proxy-Connection deny all\n2021\/10\/20 13:42:46| Processing: request_header_access X-Cache deny all\n2021\/10\/20 13:42:46| Processing: request_header_access X-Cache-Lookup deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Via deny all\n2021\/10\/20 13:42:46| Processing: request_header_access X-Forwarded-For deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Pragma deny all\n2021\/10\/20 13:42:46| Processing: request_header_access Keep-Alive deny all\n2021\/10\/20 13:42:46| WARNING: HTTP requires the use of Via\n2021\/10\/20 13:42:46| Initializing https:\/\/ proxy context\n<\/code><\/pre>\n\n\n\nRestart Squid<\/h3>\n\n\n\n
squid -k reconfigure<\/code><\/pre>\n\n\n\nsystemctl restart squid<\/code><\/pre>\n\n\n\nss -altnp | grep 8888<\/code><\/pre>\n\n\n\nLISTEN 0 1024 *:8888 *:* users:((\"squid\",pid=37669,fd=13))<\/code><\/pre>\n\n\n\nAllow Squid Port on Firewall<\/h3>\n\n\n\n
Squid<\/code> port. Replace the port if you have changed the default<\/strong>.<\/p>\n\n\n\nfirewall-cmd --add-port=8888\/tcp<\/strong> --permanent<\/code><\/pre>\n\n\n\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\nConfigure Proxy Clients to connect to the Proxy server<\/h3>\n\n\n\n
System Wide proxy configuration<\/h4>\n\n\n\n
\/etc\/profile.d<\/code> with environment variables defining squid proxy server details as follows;<\/p>\n\n\n\nvim \/etc\/profile.d\/squid.sh<\/code><\/pre>\n\n\n\nPROXY_URL=\"192.168.60.19:8888\"\nHTTP_PROXY=$PROXY_URL\nHTTPS_PROXY=$PROXY_URL\nFTP_PROXY=$PROXY_URL\nhttp_proxy=$PROXY_URL\nhttps_proxy=$PROXY_URL\nftp_proxy=$PROXY_URL\nexport HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy\n<\/code><\/pre>\n\n\n\nsource \/etc\/profile.d\/squid.sh<\/code><\/pre>\n\n\n\nwget google.com<\/code><\/pre>\n\n\n\n\n--2021-10-20 13:47:46-- http:\/\/google.com\/\nConnecting to 192.168.60.19:8888... connected.\nProxy request sent, awaiting response... 301 Moved Permanently\nLocation: http:\/\/www.google.com\/ [following]\n--2021-10-20 13:47:47-- http:\/\/www.google.com\/\nReusing existing connection to 192.168.60.19:8888.\nProxy request sent, awaiting response... 200 OK\nLength: unspecified [text\/html]\nSaving to: \u2018index.html\u2019\n\nindex.html [ <=> ] 14.58K --.-KB\/s in 0s \n\n2021-10-20 13:47:47 (45.7 MB\/s) - \u2018index.html\u2019 saved [14933]\n<\/code><\/pre>\n\n\n\ntail -f \/var\/log\/squid\/access.log <\/code><\/pre>\n\n\n\n...\n1634726867.006 626 192.168.60.19 TCP_MISS\/301 618 GET http:\/\/google.com\/ - HIER_DIRECT\/172.217.170.206 text\/html\n1634726867.537 530 192.168.60.19 TCP_MISS\/200 15804 GET http:\/\/www.google.com\/ - HIER_DIRECT\/216.58.223.68 text\/html<\/code><\/pre>\n\n\n\nwget youtube.com<\/code><\/pre>\n\n\n\n--2021-10-20 13:48:50-- http:\/\/youtube.com\/\nConnecting to 192.168.60.19:8888... connected.\nProxy request sent, awaiting response... 403 Forbidden\n2021-10-20 13:48:50 ERROR 403: Forbidden.<\/code><\/pre>\n\n\n\ntail -f \/var\/log\/squid\/access.log<\/code><\/pre>\n\n\n\n1634726930.663 0 192.168.60.19 TCP_DENIED\/403 3903 GET http:\/\/youtube.com\/ - HIER_NONE\/- text\/html<\/code><\/pre>\n\n\n\nRead More<\/h3>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\n