How to Install a Proxy Server

Here is a little introduction about the proxy we are going to use.

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL. In this chapter, I will be running Squid on CentOS 7.


Pre-requisites:

– Create a virtual server using CentOS 7 or RHEL 7.

– Configure an IP address and make sure the server is reachable.

– Install Squid packages.

– If you don’t have a firewall, you need to configure a NAT rule on the box.



Optional – Here is the NAT configuration, if you want to run your proxy without a firewall.

Enable IP Forwarding

To make packet forwarding persist across reboots:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/ip_forward.conf

Enabling NAT

IP masquerading must now be enabled with an iptables rule, added through firewall-cmd.

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.1.0/24

firewall-cmd --reload

Testing

Any internal node should now be able to reach the outside network through the gateway server. To test, ping 8.8.8.8 from an internal node.

If you need more guidance, feel free to download this script from GitHub: Centos7-NAT


Step 1:

Update the system and install the required packages.

# yum -y update

# yum -y install squid*


Step 2:

Enable and start the service.

# systemctl enable squid

# systemctl start squid


Step 3:

Allow the Squid port through the firewall.

[root@proxy ~]# firewall-cmd --permanent --add-port=3128/tcp

success

[root@proxy ~]# firewall-cmd --reload

success

NOTE: The default port for Squid is 3128. I’m allowing access to port 3128/tcp.


Step 4:

Configure ACLs (Access Control Lists).

With access lists we can block bad URLs, restrict access to the outside world, control downloads, and so on.

Open the Squid config file.

[root@proxy ~]# nano /etc/squid/squid.conf

Allow the local network.

acl localnet src 192.168.1.0/24 # this will be your local network

http_access allow localnet # allow the local network

Allow ports

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

http_access deny !Safe_ports

Block bad sites

acl badsites url_regex "/etc/squid/badsites"

http_access deny badsites

Let’s list the bad sites in the file the ACL points to.

# cat /etc/squid/badsites

.yahoo.com

.microsoft.com

.youtube.com

.amazon.com

.msn.com

.twitter.com

Block file downloads

acl blockfiles urlpath_regex "/etc/squid/blockfiles.acl"

http_access deny blockfiles

Let’s block downloads by file type. For example, let’s deny mp3, mp4, and mpg.

# cat /etc/squid/blockfiles.acl

\.mp3.*$

\.mp4.*$

\.3gp.*$

\.[Mm][Pp][Gg]$
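
Squid checks http_access lines from top to bottom and the first matching line decides, so where "http_access allow localnet" sits relative to the deny rules matters. The following is an added example, not code from the original post: a simplified Python model of that evaluation using the ACLs above and constructed sample requests. The helper names (decide, req, verdicts), the client address 192.168.1.10 and the example.org URLs are assumptions.

```python
import ipaddress
import re

# Simplified model of http_access evaluation (an assumption, not Squid's code).
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}
BADSITES = [re.compile(p) for p in (r".yahoo.com", r".youtube.com")]  # two page entries
BLOCKFILES = [re.compile(p) for p in (r"\.mp3.*$", r"\.[Mm][Pp][Gg]$")]  # two page entries

ACLS = {
    "all": lambda r: True,
    "localnet": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "badsites": lambda r: any(p.search(r["url"]) for p in BADSITES),
    "blockfiles": lambda r: any(p.search(r["path"]) for p in BLOCKFILES),
}

def decide(rules, request):
    """The first rule whose ACLs all match decides; '!' negates an ACL."""
    for action, *names in rules:
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached: both rule sets below end with 'deny all'

DENIES = [("deny", "!Safe_ports"), ("deny", "badsites"), ("deny", "blockfiles")]
# Rules typed in the order the sections appear on the page.
PAGE_ORDER = [("allow", "localnet")] + DENIES + [("deny", "all")]
# The same rules with every deny placed above the allow.
DENY_FIRST = DENIES + [("allow", "localnet"), ("deny", "all")]

def req(port, url, path):
    """Constructed sample request from a client inside 192.168.1.0/24."""
    return {"src": "192.168.1.10", "port": port, "url": url, "path": path}

SAMPLES = {
    "video": req(80, "http://www.youtube.com/", "/"),
    "mp3": req(80, "http://example.org/a.mp3", "/a.mp3"),
    # Modelled HTTPS CONNECT: the proxy sees host:port only, so no path.
    "mp3_tls": req(443, "example.org:443", ""),
    "smtp": req(25, "http://example.org:25/", "/"),
}

def verdicts(rules):
    return {name: decide(rules, r) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("page order", PAGE_ORDER), ("deny first", DENY_FIRST)):
        print(label, verdicts(rules))
```

In this model, placing the allow first lets all four requests through, while placing the denies first blocks everything except the HTTPS download, where the file-type rule has no URL path to match.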

Optional – You can configure time-based access to deny access during specific hours. Likewise, you can restrict the download speed.

Time-based configuration

acl work_hours time 09:00-17:00

http_access deny work_hours

Restricting download speed

acl speedcontrol src 192.168.1.0/24

delay_pools 1

delay_class 1 2

delay_parameters 1 524288/524288 52428/52428

delay_access 1 allow speedcontrol


Step 5:

Let’s configure the workstation to use the proxy. Go to Internet Options > Connections > LAN Settings.

NOTE: If you are not using a firewall, your proxy IP will be the default gateway: 192.168.1.1


How to view Squid log transactions?

You can use either of these commands:

tail -f /var/log/squid/access.log

sudo tail -f /var/log/squid/access.log

If you want to search the log files, use the grep command:

grep 'string-to-search' /var/log/squid/access.log

Here are the Squid proxy settings.

  • Config file: /etc/squid/squid.conf
  • Log file path: /var/log/squid
  • Environment: CentOS 7
  • Default port: 3128
