Squid is the most popular proxy server in use today. Some of the reasons why Squid is so popular are:
1. Squid is not an ordinary proxy server, it is a proxy cum caching server. This means that when a web page is accessed through Squid, it caches the web page on the local hard disk. When a request is made for the same web page, either by the same client host computer or by any other computer, Squid serves the web page from its local hard disk cache. This eliminates repetitive internet access and speeds up client web access.
2. Squid has excellent access control restrictions. For example, you can allow only certain computers to access the internet, restrict certain computers to accessing only certain web sites, restrict certain computers to accessing the internet only on certain days between certain time periods, restrict access to pornographic web pages, etc. Squid can also be integrated with third-party content filtering software to provide comprehensive and easily manageable web access restrictions.
3. Squid has extremely good logging capabilities; for example, you can monitor which IP address has accessed which web site, how well your cache memory is being utilized, etc.
To install and configure squid proxy on our Linux system we need the following rpm:
squid-2.5.STABLE1-2
Edit the file squid.conf
[root@akhisar root]# vi /etc/squid/squid.conf
#Line No. 53
http_port 3128 # uncomment this line
#Line No.468
cache_mem 8 MB # uncomment this line
# Line No. 666
cache_dir ufs /var/spool/squid 100 16 256 # uncomment this line
# Line No.673
cache_access_log /var/log/squid/access.log # uncomment this line
# Line No.681
cache_log /var/log/squid/cache.log # uncomment this line
# ACCESS CONTROLS
#Recommended minimum configuration:
# Line Nos. 1678-1693 # These are the default ACLs configured for our use
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Line No.1694 onwards (Write your own ACLs from this line onwards)
acl ltc1 src "/etc/allowedips"
acl ltc2 src "/etc/domainrestrictedips"
acl ltc3 dstdomain "/etc/domains"
acl ltc4 src "/etc/timerestrictedips"
acl ltc5 time SMT 12:00-14:00
acl badurls url_regex sex hardcore playboy.com
# Line No.1720
#http_access deny all # Do not uncomment this line if using ACLs
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny badurls
http_access deny ltc4 ltc5
http_access allow ltc2 ltc3
http_access allow ltc1
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# then define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#
visible_hostname akhisar
Save the file and quit.
Explanation of Configuration directives :
Line No.53
Squid listens for requests on TCP port 3128 by default; you can change this.
Line No.468
'cache_mem' specifies the ideal amount of memory to be used
for:
* In-Transit objects
* Hot Objects
* Negative-Cached objects
Data for these objects are stored in 4 KB blocks. This
parameter specifies the ideal upper limit on the total size of
4 KB blocks allocated. In-Transit objects take the highest
priority.
In-transit objects have priority over the others. When
additional space is needed for incoming data, negative-cached
and hot objects will be released. In other words, the
negative-cached and hot objects will fill up any unused space
not needed for in-transit objects.
If circumstances require, this limit will be exceeded.
Specifically, if your incoming request rate requires more than
'cache_mem' of memory to hold in-transit objects, Squid will
exceed this limit to satisfy the new requests.
NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
THINGS AS WELL.
Line No.666
This specifies the top level directory squid will use as its cache folder.
`100' specifies the amount of space allocated in MB for this folder (100MB is the default; you can increase this value depending on your usage).
`16' is the number of upper level folders created under the top level cache folder. These upper level folders store the web pages that are more frequently accessed.
`256' is the number of lower level folders created under each of the 16 upper level folders. These lower level folders store the web pages that are less frequently accessed.
The top level folder `/var/spool/squid' is created automatically; the 16 upper level and 256 lower level folders are created only when the squid server service is started for the first time.
Line No.673
The access log file logs every client web request. It is used to monitor which IP address has accessed which web site.
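As an added example (not part of the original guide), the following Python script parses Squid's native access.log format and reports, for each client IP, which hosts were served and how many requests the proxy denied. The sample log lines are constructed using the client addresses from this guide; the timestamps, byte counts and peer addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Squid native access.log fields:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)"
)

# Constructed sample lines (not a real log); the ident field is "-" because no proxy_auth is used.
SAMPLE_LOG = """\
1704110400.120    245 192.0.2.176 TCP_MISS/200 4521 GET http://www.rediff.com/ - DIRECT/203.0.113.10 text/html
1704110401.530     12 192.0.2.179 TCP_HIT/200 4521 GET http://www.rediff.com/ - NONE/- text/html
1704110460.456      0 192.0.2.179 TCP_DENIED/403 1480 GET http://www.playboy.com/ - NONE/- text/html
1704110470.001      0 192.0.2.167 TCP_DENIED/403 1480 GET http://www.example.com/ - NONE/- text/html
1704110480.777    310 192.0.2.167 TCP_MISS/200 9931 GET http://www.yahoo.com/ - DIRECT/203.0.113.20 text/html
"""

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if the line does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Host part of the URL, without scheme, path or port.
    rec["host"] = rec["url"].split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return rec

def summarize(log_text):
    """Per client IP: hosts actually served, total requests, and number of TCP_DENIED entries."""
    report = defaultdict(lambda: {"hosts": set(), "requests": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort the report
        entry = report[rec["client"]]
        entry["requests"] += 1
        if rec["action"].startswith("TCP_DENIED"):
            entry["denied"] += 1
        else:
            entry["hosts"].add(rec["host"])
    return dict(report)

if __name__ == "__main__":
    for client, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(client, entry["requests"], "requests,", entry["denied"], "denied,", sorted(entry["hosts"]))
```

A sudden rise in a client's denied count is the quickest sign from this log that a host is probing the proxy's restrictions.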
Line No.681
Cache logging file. This is where general information about your cache's behavior goes.
ACCESS CONTROLS :
This section is used to impose access restrictions on the Squid proxy server. Restrictions are imposed with the help of access control lists (ACLs) that need to be created by the squid server administrator. Default access lists have been created, but for secure access further customization is required.
The syntax used in writing ACLs is as follows :
acl <label> <keyword> <parameter>
Explanation :
Every access control list starts with the word `acl'. Label is just a descriptive name for that acl; it has no technical significance.
The first acl is named `ltc1'; it uses the keyword `src'. The keyword `src' stands for source IP address, i.e. the IP address of the client host computer making a web request via the squid proxy server. Instead of defining IP addresses individually we can write the IP addresses (one below the other) to a file and mention the path to that file on the `acl' line. Here we have written a few IP addresses to the file `allowedips' created under the /etc subdirectory.
The second `acl', `ltc2', also refers to IP addresses that have been saved to a file `domainrestrictedips' created under /etc.
The third `acl', `ltc3', contains the keyword `dstdomain'. This keyword refers to domain names, e.g. www.yahoo.com, www.rediff.com, etc. Instead of specifying domain names individually we can write them to a file (one below the other) and mention the path to that file on the `acl' line. Here we have written a few domain names to the file `domains' created under /etc.
The fourth `acl', `ltc4', refers to IP addresses that have been written to a file `timerestrictedips' created under /etc.
The fifth `acl', `ltc5', specifies the keyword `time'. This keyword refers to days of the week and times. Here we have specified the days of the week as Sunday, Monday and Tuesday (the letters S, M and T) and the time as 12:00 p.m. to 2:00 p.m.
The sixth `acl', named `badurls', consists of the keyword `url_regex'. This keyword refers to regular expressions. Here we have mentioned a few expressions or phrases like sex, hardcore, playboy.com.
The six `acls' that we have created above are of no use unless they have been enforced.
To enforce these rules go to the following section :
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny badurls
Explanation :
No URL containing any of the expressions or phrases listed in that acl (sex, hardcore, playboy.com) will be accessible. In fact, even a search through Google or any other search engine for any of these expressions will be denied, because the expression appears in the search URL itself.
http_access deny ltc4 ltc5
Web access will be denied to all host computers having IP addresses contained in the file `/etc/timerestrictedips' on Sunday, Monday and Tuesday between 12:00 p.m. and 2:00 p.m.
http_access allow ltc2 ltc3
The host computers having the IP addresses defined in the file `/etc/domainrestrictedips' will be allowed access to only the web sites defined in the file /etc/domains.
http_access allow ltc1
All IP addresses mentioned in the file /etc/allowedips will be allowed unrestricted internet access, other than access to URLs containing the phrases specified in the `badurls' acl.
# And finally deny all other access to this proxy
Explanation :
http_access allow localhost
Any user who accesses the internet from the squid proxy server itself will not be controlled by the access control lists and will have absolutely unrestricted internet access. This privilege should be reserved for the squid server administrator only.
http_access deny all
Any incoming web request that is not matched by any of the acl rules will be denied.
# TAG : visible_hostname
Specifies the hostname of the squid proxy server as defined in the file `/etc/hosts' or in DNS.
To start the squid proxy server service :
[root@akhisar root]# service squid start
Any change made to the file `/etc/squid/squid.conf' will need the service to be restarted.
[root@akhisar root]# service squid restart
To set the squid service to be permanently on:
[root@akhisar root]# chkconfig squid on
Do not forget to create your access control files:
1. [root@akhisar root]# vi /etc/allowedips
192.0.2.179
192.0.2.176
2. [root@akhisar root]# vi /etc/domainrestrictedips
192.0.2.167
3. [root@akhisar root]# vi /etc/timerestrictedips
192.0.2.176
4. [root@akhisar root]# vi /etc/domains
www.yahoo.com
www.rediff.com
You can give these files any name and place them in any folder; just specify the correct name and path to the files on the `acl' lines.
Note : Make sure that the time restricted IPs have also been defined in the `allowedips' file, else those IPs will be denied web access at all times.
Any change made in any of these files will require the squid service to be restarted.
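As an added illustration (not part of the original guide), the following Python script models how Squid walks the http_access lines above: rules are tried in order, a rule matches only when every ACL listed on it matches, the first matching rule decides, and when no rule matches Squid applies the opposite of the last rule. It uses the sample file contents shown above; the test times (a Monday in 2024) are constructed.

```python
import re
from datetime import datetime

# Constructed contents of the access control files shown above.
ALLOWED_IPS = {"192.0.2.179", "192.0.2.176"}       # /etc/allowedips
DOMAIN_RESTRICTED_IPS = {"192.0.2.167"}            # /etc/domainrestrictedips
TIME_RESTRICTED_IPS = {"192.0.2.176"}              # /etc/timerestrictedips
DOMAINS = {"www.yahoo.com", "www.rediff.com"}      # /etc/domains
BAD_URLS = re.compile("sex|hardcore|playboy.com")  # acl badurls url_regex ...
# Squid day letters S M T W H F A (Sunday..Saturday), indexed by Python's weekday() (Monday = 0).
DAY_LETTERS = "MTWHFAS"
MON_13 = datetime(2024, 1, 1, 13, 0)  # constructed: Monday, inside the SMT 12:00-14:00 window
MON_15 = datetime(2024, 1, 1, 15, 0)  # constructed: Monday, outside the window

def acl_matches(name, src, host, url, when):
    """Evaluate one of the page's ACLs against a single request."""
    if name == "ltc1":
        return src in ALLOWED_IPS
    if name == "ltc2":
        return src in DOMAIN_RESTRICTED_IPS
    if name == "ltc3":  # dstdomain entries without a leading dot match the host exactly
        return host in DOMAINS
    if name == "ltc4":
        return src in TIME_RESTRICTED_IPS
    if name == "ltc5":  # acl ltc5 time SMT 12:00-14:00
        return DAY_LETTERS[when.weekday()] in "SMT" and "12:00" <= when.strftime("%H:%M") < "14:00"
    if name == "badurls":
        return BAD_URLS.search(url) is not None
    if name == "localhost":
        return src == "127.0.0.1"
    return name == "all"

# The page's http_access lines, in order.
RULES = [("deny", ["badurls"]), ("deny", ["ltc4", "ltc5"]), ("allow", ["ltc2", "ltc3"]),
         ("allow", ["ltc1"]), ("allow", ["localhost"]), ("deny", ["all"])]

def http_access(src, url, when):
    """Return 'allow' or 'deny' the way Squid's first-match http_access evaluation would."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
    for action, acls in RULES:
        if all(acl_matches(a, src, host, url, when) for a in acls):
            return action
    return "allow" if RULES[-1][0] == "deny" else "deny"  # no match: opposite of the last rule

if __name__ == "__main__":
    for src, url, when in [("192.0.2.176", "http://www.rediff.com/", MON_13),
                           ("192.0.2.176", "http://www.rediff.com/", MON_15),
                           ("192.0.2.167", "http://www.example.com/", MON_15),
                           ("192.0.2.179", "http://www.playboy.com/", MON_15)]:
        print(src, url, when.strftime("%a %H:%M"), "->", http_access(src, url, when))
```

Removing 192.0.2.176 from ALLOWED_IPS reproduces the note above: with no allow rule left to match it, the host is denied at every hour, not just during the restricted window.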
visible_hostname akhisar : This line needs to be defined, else the squid service will fail to start. Set this parameter to the hostname of your computer as defined in the file /etc/hosts.
To configure authentication for Squid Proxy server :
We can also configure the squid server to request authentication whenever a user tries to access the internet through the squid proxy.
Perform the following configuration in the auth_param section of the squid.conf file.
[root@akhisar root]# vi /etc/squid/squid.conf
# TAG: auth_param
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentials ttl 2 hours
The first line points to the name and location of the external
authenticator program used. Here we use the ncsa_auth software located
in the /usr/lib/squid folder. We need to input all authorized username
and password combinations into the file specified viz.
/etc/squid/passwd. This passwd file will not exist by default, it needs
to be created. You can create a file by any name under any folder.
[root@akhisar root]# cd /etc/squid
[root@akhisar squid]# touch passwd
Enter the authorized usernames/passwords you require.
[root@akhisar squid]# htpasswd passwd proxyuser
New password:
Re-type new password:
Adding password for user proxyuser
Here we create an authorized user by the name of `proxyuser'
and assign him a password. This username/password combination will need
to be used by requesting users to authenticate themselves before
accessing the internet.
Create an Access Control List for ncsa_auth in the file /etc/squid/squid.conf :
[root@akhisar root]# vi /etc/squid/squid.conf
# ACCESS CONTROLS
acl password proxy_auth REQUIRED
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow password
Here the name of the acl we create is `password'. The keyword used is `proxy_auth'.
The parameter used is `REQUIRED' which will cause ncsa_auth to accept
any valid username/password combination for authentication.
INSTALLING AN EXTERNAL MODEM :
To install an external modem :
Connect the modem to a serial port at the back of your computer and power it on.
Execute the following command :
# wvdialconf /etc/wvdial.conf
This starts the modem autodetection procedure; you will see the modem lights blinking, and a series of messages will be output on screen stating that the modem has been detected and the port on which it was detected (if all goes well).
[root@akhisar squid]# wvdialconf /etc/wvdial.conf
Scanning your serial ports for a modem.
Port Scan<*1>: Scanning ttyS0 first, /dev/modem is a link to it.
ttyS0<*1>: ATQ0 V1 E1 -- OK
ttyS0<*1>: ATQ0 V1 E1 Z -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
ttyS0<*1>: Modem Identifier: ATI -- 33600
ttyS0<*1>: Speed 4800: AT -- OK
ttyS0<*1>: Speed 9600: AT -- OK
ttyS0<*1>: Speed 19200: AT -- OK
ttyS0<*1>: Speed 38400: AT -- OK
ttyS0<*1>: Speed 57600: AT -- OK
ttyS0<*1>: Speed 115200: AT -- OK
ttyS0<*1>: Max speed is 115200; that should be safe.
ttyS0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
Found a modem on /dev/ttyS0, using link /dev/modem in config.
Modem configuration written to /etc/wvdial.conf.
ttyS0<Info>: Speed 115200; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
Edit the `wvdial.conf' file and fill in the Phone, Username and Password lines with your ISP's details:
[root@akhisar squid]# vi /etc/wvdial.conf
[Dialer Defaults]
Modem = /dev/modem
Baud = 115200
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Phone = "Your ISP's internet access number"
Username = "Your internet username"
Password = "Your internet access password"
To dialup to the internet, execute the following command :
[root@akhisar root]# wvdial