{"id":1465,"date":"2018-11-20T13:09:14","date_gmt":"2018-11-20T10:09:14","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1465"},"modified":"2024-03-11T21:32:21","modified_gmt":"2024-03-11T18:32:21","slug":"how-to-install-and-configure-squid-proxy-on-fedora-29-fedora-28-centos-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-and-configure-squid-proxy-on-fedora-29-fedora-28-centos-7\/","title":{"rendered":"Install and Configure Squid Proxy on Fedora 29\/Fedora 28\/CentOS 7"},"content":{"rendered":"\n

Welcome guys to this very tutorial on how to install and configure Squid proxy on Fedora 29\/Fedora 28\/CentOS 7.
Squid is a full-featured web proxy cache server application which provides proxy and cache services for HTTP, FTP, SSL requests and DNS lookups. It also performs transparent caching that reduces bandwidth and improves response time by caching and reusing frequently requested web pages.<\/p>\n\n\n\n

Installing Squid Proxy on Fedora 29\/Fedora 28\/CentOS 7<\/h2>\n\n\n\n

Squid proxy is available on both Fedora and CentOS default repositories and can be installed by running the command below.<\/p>\n\n\n\n

dnf install squid -y     << Fedora <\/strong>or\nyum install squid -y     << Fedora\/CentOS<\/strong><\/code><\/pre>\n\n\n\n
Once the installation is done, start and enable squid to run in system start.<\/p>\n\n\n\n
systemctl start squid\nsystemctl enable squid<\/code><\/pre>\n\n\n\n
When run, squid listens on port 3128 by default on all network interfaces on the machine. You can however change this by replacing the port number on http_port<\/code> directive to your respective port number on the squid proxy configuration file, \/etc\/squid\/squid.conf<\/code>. For example, to use port 8080,<\/p>\n\n\n\n
vim \/etc\/squid\/squid.conf<\/code><\/pre>\n\n\n\n
...<\/strong>\n# Squid normally listens to port 3128\n# http_port 3128   << comment the default port<\/strong>\nhttp_port 8080\n<\/strong>...<\/strong><\/code><\/pre>\n\n\n\n
Squid Configuration<\/h2>\n\n\n\n
The default squid configuration file is located at \/etc\/squid\/squid.conf<\/code>. This configuration file contains the minimum recommended configuration options.<\/p>\n\n\n\n
In order to make your own configuration customization, you can make a copy of the original configuration file.<\/p>\n\n\n\n
cp \/etc\/squid\/squid.conf \/etc\/squid\/squid.conf.bak<\/code><\/pre>\n\n\n\n
The default squid configuration file without comments looks like;<\/p>\n\n\n\n
\nacl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 \"this\" network (LAN)\nacl localnet src 10.0.0.0\/8             # RFC 1918 local private network (LAN)\nacl localnet src 100.64.0.0\/10          # RFC 6598 shared address space (CGN)\nacl localnet src 169.254.0.0\/16         # RFC 3927 link-local (directly plugged) machines\nacl localnet src 172.16.0.0\/12          # RFC 1918 local private network (LAN)\nacl localnet src 192.168.0.0\/16         # RFC 1918 local private network (LAN)\nacl localnet src fc00::\/7               # RFC 4193 local private network range\nacl localnet src fe80::\/10              # RFC 4291 link-local (directly plugged) machines\n\nacl SSL_ports port 443\nacl Safe_ports port 80          # http\nacl Safe_ports port 21          # ftp\nacl Safe_ports port 443         # https\nacl Safe_ports port 70          # gopher\nacl Safe_ports port 210         # wais\nacl Safe_ports port 1025-65535  # unregistered ports\nacl Safe_ports port 280         # http-mgmt\nacl Safe_ports port 488         # gss-http\nacl Safe_ports port 591         # filemaker\nacl Safe_ports port 777         # multiling http\nacl CONNECT method CONNECT\n#\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access allow localhost manager\nhttp_access deny manager\nhttp_access allow localnet\nhttp_access allow localhost\nhttp_access deny all\nhttp_port 3128\ncoredump_dir \/var\/spool\/squid\nrefresh_pattern ^ftp:           1440    20%     10080\nrefresh_pattern ^gopher:        1440    0%      1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0     0%      0\nrefresh_pattern .               0       20%     4320\n<\/code><\/pre>\n\n\n\n
Configure Squid Access Control List<\/h3>\n\n\n\n
In order to allow a specific network or CIDR ranges to access Internet through proxy server, you need to define an ACL for the same network. For example to allow hosts in the 192.168.56.0\/24 network to access internet through our proxy server, edit the \/etc\/squid\/squid.conf<\/code> configuration file and add an ACL entry as shown below.<\/p>\n\n\n\n
...<\/strong>\n# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n#\nacl internal src 19.168.56.0\/24 # Allow Internal hosts<\/strong>\n...<\/strong><\/code><\/pre>\n\n\n\n
Next, you need to allow access from the network based on your defined ACL above.<\/p>\n\n\n\n
...<\/strong>\n# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n#\nacl internal src 19.168.56.0\/24 # Allow Internal hosts\nhttp_access allow internal<\/strong>\n...<\/strong><\/code><\/pre>\n\n\n\n
Blocking Specific Websites<\/h3>\n\n\n\n
Squid proxy can be used to restrict access to specific websites. For example to block access to youtube, facebook, netflix you would have to create a file that defines the domains of these websites as shown below;<\/p>\n\n\n\n
vim \/etc\/squid\/restricted-sites.squid<\/code><\/pre>\n\n\n\n
.youtube.com\n.facebook.com\n.netflix.com<\/code><\/pre>\n\n\n\n
After that, created an ACL for the restricted sites above in the squid configuration file. After that, set the deny<\/strong> rule for the defined rule.<\/p>\n\n\n\n
...<\/strong>\n# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n#\nacl internal src 19.168.56.0\/24 # Allow Internal hosts\nacl blockedsites dstdomain \"\/etc\/squid\/restricted-sites.squid\" # For restricted sites\nhttp_access deny blockedsites\n<\/strong>http_access allow internal\n...\n<\/strong><\/code><\/pre>\n\n\n\n
Block Sites based on Specific Keywords<\/h3>\n\n\n\n
Just like how you block a website based on a domain, you can also restrict access to a website by the use of a keyword. Create a file with specific keywords.<\/p>\n\n\n\n
vim \/etc\/squid\/keyword-ban.squid<\/code><\/pre>\n\n\n\n
porn\nads\nmovie\ngamble<\/code><\/pre>\n\n\n\n
Make the necessary changes on squid configuration file.<\/p>\n\n\n\n
...<\/strong>\n# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS\n#\nacl internal src 19.168.56.0\/24 # Allow Internal hosts\nacl blockedsites dstdomain \"\/etc\/squid\/restricted-sites.squid\" # For restricted sites\n<strong>acl keyword-ban url_regex \"\/etc\/squid\/keyword-ban.squid\" <\/strong>\n<\/strong>http_access deny blockedsites\n<strong>http_access deny keyword-ban<\/strong>\n<\/strong>http_access allow internal\n...<\/strong><\/code><\/pre>\n\n\n\n
Masking Outgoing Traffic<\/h3>\n\n\n\n
As much as you use proxy server to anonymize your IP addresses by presenting the IP address of the proxy to other web servers, proxy servers may expose you by including your IP addresses on the outgoing HTTP requests. You can however disable this by including the following directives at the end of your squid configuration file.<\/p>\n\n\n\n
\n...\n#\nrefresh_pattern ^ftp:           1440    20%     10080\nrefresh_pattern ^gopher:        1440    0%      1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0     0%      0\nrefresh_pattern .               0       20%     4320\n# Anonymize Traffic\nvia off\nforwarded_for off\n\nrequest_header_access From deny all\nrequest_header_access Server deny all\nrequest_header_access WWW-Authenticate deny all\nrequest_header_access Link deny all\nrequest_header_access Cache-Control deny all\nrequest_header_access Proxy-Connection deny all\nrequest_header_access X-Cache deny all\nrequest_header_access X-Cache-Lookup deny all\nrequest_header_access Via deny all\nrequest_header_access X-Forwarded-For deny all\nrequest_header_access Pragma deny all\nrequest_header_access Keep-Alive deny all<\/strong>\n<\/code><\/pre>\n\n\n\n
Once you are done with the configuration, save the file and restart squid.<\/p>\n\n\n\n
systemctl restart squid<\/code><\/pre>\n\n\n\n
If Firewalld is running, you need to allow squid proxy service.<\/p>\n\n\n\n
firewall-cmd --add-service=squid --permanent\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\n
Configure Proxy Clients to connect to the Proxy server<\/h3>\n\n\n\n
To configure client to connect to the Internet through the squid proxy server, you can either set system wide proxy configurations, configure client to use the Squid proxy as the gateway and set the proxy settings on the browser.<\/p>\n\n\n\n
System Wide proxy configuration<\/h4>\n\n\n\n
To set system wide proxy configurations, create a configuration file under \/etc\/profile.d<\/code> with environment variables defining squid proxy server details as follows;<\/p>\n\n\n\n
vim \/etc\/profile.d\/squid.sh<\/code><\/pre>\n\n\n\n
PROXY_URL=\"192.168.43.70:3128\"\nHTTP_PROXY=$PROXY_URL\nHTTPS_PROXY=$PROXY_URL\nFTP_PROXY=$PROXY_URL\nhttp_proxy=$PROXY_URL\nhttps_proxy=$PROXY_URL\nftp_proxy=$PROXY_URL\nexport HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy<\/code><\/pre>\n\n\n\n
After that, source the new configuration file.<\/p>\n\n\n\n
source \/etc\/profile.d\/squid.sh<\/pre>\n\n\n\n
To test this, try to download anything from the clients terminal while tailing access logs on squid proxy server.<\/p>\n\n\n\n
On the client’s terminal, run;<\/p>\n\n\n\n
wget google.com<\/strong><\/code><\/pre>\n\n\n\n
--2018-11-20 12:46:29--  http:\/\/google.com\/\nConnecting to 192.168.43.70:3128... connected.<\/strong>\nProxy request sent, awaiting response... 301 Moved Permanently\nLocation: http:\/\/www.google.com\/ [following]\n--2018-11-20 12:46:29--  http:\/\/www.google.com\/\nReusing existing connection to 192.168.43.70:3128.<\/strong>\nProxy request sent, awaiting response... 200 OK<\/strong>\nLength: unspecified [text\/html]\nSaving to: \u2018index.html\u2019\n\nindex.html              [  <=>               ]  11.59K  44.0KB\/s    in 0.3s    \n\n2018-11-20 12:46:30 (44.0 KB\/s) - \u2018index.html\u2019 saved [11865]<\/code><\/pre>\n\n\n\n
On the server;<\/p>\n\n\n\n
tail -f \/var\/log\/squid\/access.log <\/code><\/pre>\n\n\n\n
1542327358.562      0 192.168.43.214 TCP_MEM_HIT\/301 667 GET http:\/\/google.com\/ - HIER_NONE\/- text\/html\n1542327359.036    472 192.168.43.214 TCP_MISS\/200 12756 GET http:\/\/www.google.com\/ - HIER_DIRECT\/216.58.223.68 text\/html<\/code><\/pre>\n\n\n\n
Use Squid Proxy as the gateway and Configure Proxy Setting on the browser<\/h4>\n\n\n\n
To set Squid proxy as the default gateway, modify your interface configurations.<\/p>\n\n\n\n
ip route add default via 192.168.43.70 dev enp0s3<\/code><\/pre>\n\n\n\n
or<\/p>\n\n\n\n
nmcli con mod eth0 ipv4.gateway 192.168.43.70<\/code><\/pre>\n\n\n\n
To set proxy settings on browser, navigate to Preferences<\/strong> > Genera<\/strong>l > Network Settings > Manual Proxy Configuration<\/strong>. Enter the proxy server details as shown b below. Be sure to check Use this proxy server for all protocols.<\/strong><\/p>\n\n\n
\n
\"Install<\/figure><\/div>\n\n\n
Trying to access Netflix on the browser;<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
On the server;<\/p>\n\n\n\n
tail -f \/var\/log\/squid\/access.log<\/code><\/pre>\n\n\n\n
1542328269.419      0 192.168.43.214 TCP_DENIED\/403 3995 CONNECT facebook.com:443<\/strong> - HIER_NONE\/- text\/html\n1542328289.684      0 192.168.43.214 TCP_DENIED\/403 4080 GET http:\/\/netflix.com\/ - HIER_NONE\/- text\/html\n1542328289.820      0 192.168.43.214 TCP_HIT\/200 13052 GET http:\/\/localhost.localdomain:3128\/squid-internal-static\/icons\/SN.png - HIER_NONE\/- image\/png\n1542328289.922      0 192.168.43.214 TCP_DENIED\/403 4075 GET http:\/\/netflix.com<\/strong>\/favicon.ico - HIER_NONE\/- text\/html<\/code><\/pre>\n\n\n\n
You can also see how to configure Squid proxy authentication<\/a>.<\/p>\n\n\n\n
We also covered how to set system wide proxy settings on Ubuntu 18.04 in our previous article.<\/p>\n\n\n\n
How to Set System Wide Proxy in Ubuntu 18.04<\/a><\/p>\n\n\n\n
Other Tutorials<\/p>\n\n\n\n
Monitor Squid logs with Grafana and Graylog<\/a><\/p>\n\n\n\n
Create Squid Logs Extractors on Graylog Server<\/a><\/p>\n\n\n\n
Monitor Squid Access Logs with Graylog Server<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Welcome guys to this very tutorial on how to install and configure Squid proxy on Fedora 29\/Fedora 28\/CentOS 7.Squid is a full-featured web proxy cache<\/p>\n","protected":false},"author":1,"featured_media":10750,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,250],"tags":[88,289,4207,4208,252,251],"class_list":["post-1465","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-proxy","tag-centos-7","tag-fedora-29","tag-install-and-configure-squid-proxy-on-fedora-29-fedora-28-centos-7","tag-installing-squid-proxy-centos","tag-proxy","tag-squid","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1465"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1465"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1465\/revisions"}],"predecessor-version":[{"id":21056,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1465\/revisions\/21056"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10750"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}