How to setup Squid Proxy Server

July 11, 2001

Vaibhav Sharma, Network Consultant, Exocore Consulting

We tell how to install and customize Squid, apply access control restrictions, authenticate users before giving access, and generate reports of user activity.

A proxy server, as you probably know, lets several users on a LAN share one Internet connection. A typical proxy server also keeps a cache of the objects it has fetched, so that later requests for the same object can be served locally without fetching it again from the Web.

Squid is the most popular proxy software on Linux, and it can do much more than most proxy servers. It supports proxying and caching of HTTP, FTP and other URLs; proxying for SSL; cache hierarchies; ICP, HTCP, CARP and Cache Digests; transparent caching; WCCP; extensive access controls; HTTP server acceleration; SNMP; and caching of DNS lookups.

Here, we’ll see how to install and customize Squid, apply access control restrictions, authenticate users before giving access, and generate reports of user activity.

Installing Squid

PCQ Linux 7.1 ships with squid-2.3.STABLE4-10. First check whether the squid RPM is installed on your system by running
rpm -q squid
If Squid is not on your system, install it from PCQ Linux CD 2:
mount /mnt/cdrom
rpm -ivh /mnt/cdrom/Redhat/RPMS/squid-2.3.STABLE4-10.i386.rpm

Squid works out of the box, and you only need to start it after installing it. We do want to customize its behaviour, though, and for that we edit /etc/squid/squid.conf. The file is enormous, because there are a lot of options you can control, and you will find a sufficient explanation of most of them in the file itself.

Customizing the basic options

Open squid.conf. The first, and probably the most important, option is http_port: the port on which Squid listens for proxy requests.

If it is not specified, Squid listens on port 3128 by default. We could use that, but to make life a bit easier for users we'll configure Squid to listen on port 8080, the port most people expect a proxy on. Put the following in squid.conf:

http_port 192.168.1.1:8080

This makes Squid bind to the IP address 192.168.1.1 and listen on port 8080 on that address only. Replace the IP with the LAN address of your machine, or leave out the IP and the ':' to make Squid listen on every address the machine has:

http_port 8080

If the proxy machine also has an interface on the Internet side, binding to the LAN address is the safer choice: it keeps the proxy port off the outside interface altogether, instead of relying on the access-control rules alone to keep outsiders away.

That's about all you need for a plain-vanilla configuration. However, Squid grants no access at all by default, so go down further and look for the following section

# ACCESS CONTROLS

Come down further until you get to

# TAG: http_access
# Allowing or Denying access based on defined access lists
….
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
http_access deny all

Put the following two lines before the 'http_access deny all' line:

acl ourlan src 192.168.1.0/255.255.255.0
http_access allow ourlan

Squid reads http_access lines from top to bottom and stops at the first one that matches, so the allow for your LAN must come before the deny all, and an acl must be defined before the http_access line that uses it.

Replace the IP/netmask combination with your values. Now save the file and start Squid:

service squid start

On a client machine, configure the browser to use the proxy machine as its proxy server on port 8080 for all protocols, and try to access a few sites. Squid logs every request in /var/log/squid/access.log.

Applying access control features

Squid has very strong and flexible access control features. To use them, you first define a set of Access Control Lists (ACLs) and then apply access rules (http_access) to them.

To apply an access control rule, a combination of an acl statement and an http_access statement is required. The format of an acl statement is

acl aclname acltype string1 string2 ...

aclname is any name you wish to give the list, acltype says what kind of thing the list refers to, and the strings are the values to match. There are several acl types, depending on what you are referring to.

For example:

ACL type      Refers to
src           source IP address of the client connection
dst           destination IP address of the connection
srcdomain     client's domain name, from a reverse lookup of its IP address
dstdomain     destination domain, taken from the URL
time          day of week and time of day of the request
proxy_auth    user name supplied through proxy authentication

The format of an http_access statement is

http_access allow|deny [!]aclname ...

Several ACLs can be combined on one line, in which case all of them must match for the line to apply; a '!' in front of a name inverts the match. We have already used one acl/http_access pair in this article to let the machines on the local network go through the proxy:

acl ourlan src 192.168.1.0/255.255.255.0

http_access allow ourlan

The first line defines an ACL covering every machine in the network 192.168.1.0 with netmask 255.255.255.0. The ACL named ourlan now stands for that group of machines, and an http_access statement can be applied to it. The second line allows that group of machines to use the proxy.

More complex combinations of ACL and http_access can be built.

For example, to block all access to the sites hotmail.com and yahoo.com, and to let only selected machines on the network use the proxy:

# Everything (the default squid.conf already defines this ACL)
acl all src 0.0.0.0/0.0.0.0
# The group of sites we want to block
acl blocked_sites url_regex hotmail.com yahoo.com
# The group of machines we want to give access to
acl allowed_machines src 192.168.1.10 192.168.1.100 192.168.1.40
# Deny the blocked sites first, so the rule applies to everybody
http_access deny blocked_sites
# Then allow the selected machines
http_access allow allowed_machines
# And deny everyone else
http_access deny all

Two things to keep in mind. First, order matters: rules are checked from the top and the first match wins, so the deny for blocked_sites must come before the allow for allowed_machines, otherwise the allowed machines would get to hotmail.com. Second, url_regex is matched against the whole URL, so hotmail.com also matches a URL that merely mentions it in its path or query string, and the unescaped dot matches any character. If you only want to match the destination host, use the dstdomain type with entries such as .hotmail.com, where the leading dot covers the domain and all its subdomains.

User authentication

The setup so far lets anyone on the local network use the proxy, identified only by the address of the machine they sit at. To tie access to people rather than machines, configure Squid to authenticate each user before granting access.

You first need to decide how users will be authenticated, because Squid relies on an external program to check credentials. Several such programs are available:

  • NCSA: NCSA style flat file containing username and encrypted password
  • PAM: Use the password authentication module on the machine
  • SAMBA: Authenticate against a Windows NT or a Samba server
  • LDAP: Authenticate against information from an LDAP tree
  • NTLM: Multidomain NTLM authentication
  • YP: Authenticate using NIS

These helpers are small external binaries. If you did an Intranet setup from the PCQ Linux CD, the pam_auth helper should already be installed in /usr/local/bin; you just need to tell Squid to use it.

pam_auth must run as root, because the system uses shadow passwords and only root can read /etc/shadow; without that, PAM cannot verify other users' passwords. Check whether the file is already SUID root (ls -l shows an 's' in the owner's execute position), and if it is not, make it so. Since this is a setuid-root binary, also limit who may execute it to root and the account Squid runs its helpers as (squid, if you installed from the RPM):

chown root:squid /usr/local/bin/pam_auth
chmod 4750 /usr/local/bin/pam_auth

Next, create a PAM service file for the helper. pam_auth asks PAM for the service named squid, and the file name is case-sensitive, so create /etc/pam.d/squid (all lowercase) with the following contents:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
Now tell Squid to use this program to authenticate users. Open /etc/squid/squid.conf and search for the line

#authenticate_program none

Uncomment it and change it to

authenticate_program /usr/local/bin/pam_auth

The access controls need changing too, because right now Squid accepts any connection from the local network. Scroll down to the access control section of squid.conf and find the two lines we added earlier:

acl ourlan src 192.168.1.0/255.255.255.0
http_access allow ourlan

Change them to the following:

acl password proxy_auth REQUIRED
acl ourlan src 192.168.1.0/255.255.255.0
http_access deny !ourlan
http_access allow password
http_access deny all

The first http_access line rejects any attempt to reach the proxy from outside the local LAN before any password is asked for. The second lets a request through only once pam_auth has accepted the user's credentials; a request that arrives without them gets a 407 response, which makes the browser prompt for a user name and password. The final deny all catches everything else.

Keep in mind what this authentication is: the browser sends the user name and password with every request using HTTP Basic authentication, which only base64-encodes them, and with pam_auth these are the proxy machine's own system accounts. Anyone who can sniff the LAN, or guess passwords by retrying against the proxy, ends up with a login on the server. So do not use root or other privileged accounts for proxy access, and watch access.log for long runs of TCP_DENIED/407 entries from one client.
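The rule evaluation described here, and the blocked-sites example from the access-control section above, can be tried offline with the following model of Squid's http_access logic. It is an added example written for this article, not Squid's own parser: it supports only the acl types used in the text, reduces the 407 challenge a real proxy_auth miss produces to a plain "deny", and the configuration strings in it are the two rule sets from the text plus a deliberately misordered variant. The client addresses and the user name alice are made up for the demonstration. The fallback at the end of evaluate() is Squid's documented behaviour: when no http_access line matches, the result is the opposite of the last line.

```python
import ipaddress
import re

# Added example, not Squid's own code: a small model of how Squid walks the
# "acl" and "http_access" lines of squid.conf, enough to try the rule sets
# from this article offline.  Only the acl types used in the article are
# supported, and the 407 challenge a real proxy_auth miss would produce is
# reduced to a plain "deny".


class Request:
    """One proxy request: client address, requested URL and the authenticated user (None if none)."""

    def __init__(self, client_ip, url, user=None):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.url = url
        self.user = user
        # host part of the URL, which is what dstdomain compares against
        self.host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()


def parse_config(text):
    """Return (acls, rules): {name: (type, values)} and [(action, [(negated, name), ...])]."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (atype, []))[1].extend(values)  # repeated acl lines accumulate
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            for _, name in terms:
                if name not in acls:  # Squid refuses to start in this case
                    raise ValueError("http_access refers to undefined acl " + name)
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acl, req):
    atype, values = acl
    if atype == "src":
        return any(req.client_ip in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "dstdomain":  # a leading dot means the domain and all its subdomains
        return any(req.host == v.lstrip(".") or (v.startswith(".") and req.host.endswith(v))
                   for v in map(str.lower, values))
    if atype == "url_regex":  # matched against the whole URL, query string included
        return any(re.search(v, req.url) for v in values)
    if atype == "proxy_auth":  # REQUIRED means any authenticated user, else a list of names
        return req.user is not None and ("REQUIRED" in values or req.user in values)
    raise ValueError("unsupported acl type " + atype)


def evaluate(config, req):
    """Return 'allow' or 'deny' for req under config, the way Squid decides it."""
    acls, rules = parse_config(config)
    for action, terms in rules:
        # all acls on one line must match (AND); lines are tried in order, first match wins
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    # Nothing matched: Squid's documented fallback is the OPPOSITE of the last line,
    # which is why every rule set in the article ends with "http_access deny all".
    return "allow" if rules[-1][0] == "deny" else "deny"


# The rule set from the access-control section ("all" is already defined in the
# default squid.conf; it is repeated here so this block is self-contained).
CONFIG_BLOCKLIST = """
acl all src 0.0.0.0/0.0.0.0
acl blocked_sites url_regex hotmail.com yahoo.com
acl allowed_machines src 192.168.1.10 192.168.1.100 192.168.1.40
http_access deny blocked_sites
http_access allow allowed_machines
http_access deny all
"""

# The rule set from the user-authentication section.
CONFIG_AUTH = """
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl ourlan src 192.168.1.0/255.255.255.0
http_access deny !ourlan
http_access allow password
http_access deny all
"""

# A plausible-looking but broken variant: the LAN allow comes before the block
# list, and there is no "deny all" at the end.
CONFIG_BROKEN = """
acl ourlan src 192.168.1.0/255.255.255.0
acl blocked_sites url_regex hotmail.com yahoo.com
http_access allow ourlan
http_access deny blocked_sites
"""

if __name__ == "__main__":
    for label, cfg, ip, url, user in [
        ("blocklist", CONFIG_BLOCKLIST, "192.168.1.10", "http://example.org/?q=yahoo.com", None),
        ("auth", CONFIG_AUTH, "10.0.0.5", "http://www.squid-cache.org/", "alice"),
        ("broken", CONFIG_BROKEN, "10.0.0.5", "http://www.squid-cache.org/", None),
        ("broken", CONFIG_BROKEN, "192.168.1.20", "http://www.hotmail.com/", None),
    ]:
        print(label, ip, url, user, "->", evaluate(cfg, Request(ip, url, user)))
```

Running the block shows the two failure modes worth remembering: under CONFIG_BROKEN an outside client is allowed, because nothing matched and the last line was a deny, and a LAN client reaches hotmail.com, because the allow line is hit before the block list is consulted. The url_regex case shows that a URL which merely mentions yahoo.com in its query string is blocked too.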

Configuring client machines

Configuring the client machines is as simple as specifying the Squid machine as the proxy server, with 8080 (the port we set in http_port) as the proxy port. However, if you have a large number of machines, this is a non-trivial task. The two popular browsers have a proxy auto-configuration feature which makes it easier.

The idea is to point the browser on the client machine to a file on any Web server on the network from where it can pick up all the proxy configuration settings. If you have to change any settings, you just change that file and all the clients automatically pick up the new settings from the file.

Here's how to configure the server side for this. You'll need the Apache web server for this to work.

  1. Add the MIME type for PAC files to /etc/mime.types (this file lists extensions without the leading dot):
    application/x-ns-proxy-autoconfig pac
  2. Edit /etc/httpd/conf/httpd.conf and add an AddType line, so that Apache knows what to do when a client requests a file with the .pac (Proxy AutoConfiguration) extension:
    AddType application/x-ns-proxy-autoconfig .pac
  3. Create the file proxy.pac in the Apache DocumentRoot directory (usually /var/www/html/proxy.pac) with the following contents:

function FindProxyForURL(url, host)
{
    /* No proxy needed for hosts on our local net (192.168.1.0/24) */
    if (isInNet(host, "192.168.1.0", "255.255.255.0"))
        return "DIRECT";
    /* For all other hosts, use intranet.pcqlinux.com as the proxy */
    return "PROXY intranet.pcqlinux.com:8080";
}

The only values you may want to change are the local net address, and the FQDN and port of your proxy. Because every browser fetches this file over plain HTTP and runs it, anyone who can modify it, or answer in the web server's place, can send all client traffic through a proxy of their choosing; keep the file writable by root only and serve it from a server on the LAN.
For browser-specific configuration see Configuring Windows clients (page 135) in this issue.

Generating user-activity reports

There are several programs that process Squid logs and generate reports. One is Calamaris. If you did the Intranet machine install from the PCQ Linux CDs, Calamaris should be installed by default. If it's not there, the RPM is on PCQ Linux CD 2 in the /pcq/squid directory. Install it using

rpm -i calamaris-2.29-1.noarch.rpm

Calamaris reads the log from standard input, so once you have a reasonable number of entries in /var/log/squid/access.log you can feed the file to it directly (-f squid selects Squid's native log format, -a asks for all reports and -w produces HTML output):

calamaris -a -f squid -w < /var/log/squid/access.log > squid_report.html
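Calamaris gives you traffic statistics; the checks an administrator wants after switching on access controls and authentication are simpler, and worth scripting. The following is an added example, not part of the article and not Calamaris: it parses Squid's native access.log format and flags clients that connect from outside the LAN or keep being challenged for a password without ever getting through. The log lines in LOG_SAMPLE are constructed for the example, with made-up addresses and user names, in the field order Squid writes: timestamp, elapsed time, client, result/status, bytes, method, URL, user, hierarchy/peer and content type.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Added example, not part of the article and not Calamaris: a reader for Squid's
# native access.log format that pulls out what an administrator checks after
# turning on access controls and authentication.  LOG_SAMPLE is constructed
# for this example; the addresses and user names in it are made up.

LOG_SAMPLE = """\
994834800.123    250 192.168.1.10 TCP_MISS/200 5432 GET http://www.squid-cache.org/ alice DIRECT/206.168.0.9 text/html
994834801.456     12 192.168.1.10 TCP_HIT/200 1200 GET http://www.squid-cache.org/Squid.gif alice NONE/- image/gif
994834802.789      0 192.168.1.10 TCP_DENIED/403 1034 GET http://www.hotmail.com/ alice NONE/- text/html
994834803.012    900 192.168.1.20 TCP_MISS/200 20480 GET http://www.example.org/big.zip bob DIRECT/10.1.1.1 application/zip
994834804.345      0 10.0.0.5 TCP_DENIED/403 1034 GET http://www.example.org/ - NONE/- text/html
994834805.678      0 192.168.1.30 TCP_DENIED/407 1200 GET http://www.example.org/ - NONE/- text/html
994834806.901      0 192.168.1.30 TCP_DENIED/407 1200 GET http://www.example.org/ - NONE/- text/html
994834807.234      0 192.168.1.30 TCP_DENIED/407 1200 GET http://www.example.org/ - NONE/- text/html
994834808.567      0 192.168.1.30 TCP_DENIED/407 1200 GET http://www.example.org/ - NONE/- text/html
this line is not a Squid log record
"""

# Native format: time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return one record as a dict, or None if the line is not in native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" = not authenticated
    rec["host"] = re.sub(r"^[a-z]+://", "", rec["url"]).split("/")[0].split(":")[0].lower()
    return rec


def summarize(log_text):
    """Per-client counters, bytes served per authenticated user, and the most requested hosts."""
    clients = defaultdict(Counter)
    bytes_by_user, hosts = Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        c = clients[rec["client"]]
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            c["denied"] += 1
            if rec["status"] == 407:  # proxy asked for credentials and accepted none
                c["auth_challenges"] += 1
        else:
            hosts[rec["host"]] += 1
            if rec["user"]:
                bytes_by_user[rec["user"]] += rec["bytes"]
    return {"clients": dict(clients), "bytes_by_user": bytes_by_user,
            "top_hosts": hosts.most_common(5), "unparsed": unparsed}


def suspicious_clients(summary, lan, max_challenges):
    """Clients that should not reach the proxy at all, or that are challenged repeatedly and never get through."""
    net = ipaddress.ip_network(lan)
    findings = []
    for client, c in sorted(summary["clients"].items()):
        if ipaddress.ip_address(client) not in net:
            findings.append((client, "request from outside " + lan))
        elif c["auth_challenges"] > max_challenges and c["requests"] == c["denied"]:
            findings.append((client, "%d password challenges, no successful request" % c["auth_challenges"]))
    return findings


if __name__ == "__main__":
    s = summarize(LOG_SAMPLE)
    for client, c in sorted(s["clients"].items()):
        print("%-14s requests=%d denied=%d bytes=%d" % (client, c["requests"], c["denied"], c["bytes"]))
    print("bytes per user:", dict(s["bytes_by_user"]))
    print("top hosts:", s["top_hosts"])
    for client, reason in suspicious_clients(s, "192.168.1.0/24", 3):
        print("CHECK", client, reason)
```

A single 407 per client is normal (the browser sends its first request without credentials and is challenged), which is why suspicious_clients() only flags a client that has been challenged more than the threshold and has never had a request accepted. A client outside the LAN should never appear at all once the deny !ourlan rule is in place; if one does, it is still worth knowing which address is probing the proxy.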

New features are constantly being added to Squid, and what we have seen in this article is only a small part of what it can do. Explore the Squid site, www.squid-cache.org, for more details.

 
