Saturday, January 18, 2025

Install and Configure Squid Proxy Server Rocky Linux 9


This guide demonstrates how to install and configure the Squid Proxy Server on Rocky Linux 9. Squid is a free and open-source web caching proxy that supports several protocols such as HTTP, HTTPS and FTP. It improves response time and reduces bandwidth use by caching and reusing frequently visited web pages.

The Squid proxy acts as a gateway between end users and online resources. It sits between the Internet and the end user, answering inbound client requests from its cache where it can. If the proxy does not have the requested data cached, the request is forwarded to the origin web server.

The diagram below will help you comprehend the Squid Proxy architecture.


[Diagram: Squid Proxy Server architecture]

Squid is an extensive tool that is supported on almost all operating systems. Other features of the Squid Proxy Server include:

  • Strict access control lists for all clients that access the proxy server.
  • Load distribution across hierarchies of intercommunicating proxy servers.
  • Reporting of individual or group Internet usage by monitoring user traffic.
  • Statistics of the most visited web pages to assess surfing habits.
  • Denying or allowing access to specific web pages through other applications.
  • Support for many Internet protocols.
  • Managing traffic across multiple connection types by load balancing.
  • Improved security by not exposing the client machines directly to the Internet.
  • Filtering of requests and responses through an integrated malware/virus detection system.

Before you Begin

It is recommended that you have the following requirements met:

  • At least 1GB of RAM
  • Rocky Linux 9
  • User with sudo access.
  • Minimum disk cache size of 4GB.

1. Enable EPEL Repository on Rocky Linux 9

The EPEL repository is used to provide extra packages that aren’t shipped with the default repositories. Squid is not available in the default Rocky Linux 9 repositories and requires the EPEL repository to be installed.

To enable the EPEL repository on Rocky Linux 9, execute the command:

sudo dnf install vim epel-release -y

Confirm EPEL has been added to the system:

sudo dnf repolist

2. Install Squid Proxy Server on Rocky Linux 9

Once the EPEL repository has been added, the Squid Proxy Server can be installed on Rocky Linux 9 as shown:

sudo dnf install squid

Sample output:

Transaction Summary
================================================================================
Install  5 Packages

Total download size: 3.7 M
Installed size: 12 M
Is this ok [y/N]: y

Once complete, verify the installation:

$ squid --version
Squid Cache: Version 5.2
Service Name: squid
.....

Start and enable the service:

sudo systemctl start squid
sudo systemctl enable squid

Verify that the service is running:

$ systemctl status squid
 squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-07-25 11:17:26 CEST; 9s ago
       Docs: man:squid(8)
   Main PID: 31497 (squid)
      Tasks: 3 (limit: 23441)
     Memory: 15.1M
        CPU: 146ms
     CGroup: /system.slice/squid.service
             ├─31497 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
             ├─31499 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.conf
             └─31500 "(logfile-daemon)" /var/log/squid/access.log

3. Configure Squid Proxy Server on Rocky Linux 9

The Squid Proxy Server stores its configuration in /etc/squid/squid.conf. The packaged file contains the recommended minimum configuration. Its content without comments and blank lines can be viewed as shown:

$ sudo grep -vE "^#|^$" /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

You can now edit this file to suit your environment, but first take a backup of it:

sudo cp /etc/squid/squid.conf{,.bak}

a. Configure Squid Access Policies

The ACLs (Access Control Lists) define who is allowed to use Squid as the proxy on your local network. Open the configuration file:

sudo vim /etc/squid/squid.conf

For example, to allow hosts in the 192.168.205.0/24 subnet to use Squid as the proxy server, define the ACL as shown:

acl newlocalnet src 192.168.205.0/24

Adding this to the file creates an ACL named newlocalnet that matches the hosts in the specified subnet.

An ACL on its own does nothing; it is referenced by an access rule, such as http_access, that allows or denies the matching requests:

http_access allow newlocalnet

Squid reads the config file from top to bottom, so the order of the rules matters. You can comment out the default localnet ACLs and leave only your newly defined ACL, as shown:

# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7              # RFC 4193 local private network range
#acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines

b. Block Specific Websites

You can also use Squid to restrict access to specific sites. Create a file that lists the domains to block:

sudo vim /etc/squid/restricted-sites.squid

In the file, add the domains to restrict. For example:

.netflix.com
.youtube.com
.facebook.com

After creating the file, define an ACL for it and add a deny rule ahead of the allow rule for your client ACL. For the newlocalnet ACL created above, add the lines:

### Adding Custom ACL #######
acl newlocalnet src 192.168.205.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"

http_access deny blockedsites
http_access allow newlocalnet

It is also possible to put the blocked domains in the main squid.conf by defining the domains and ACL as shown:

acl blockedsites dstdomain youtube.com facebook.com netflix.com

c. Block Sites based on Keywords

To block malicious sites based on certain keywords in the URL, create a keyword file as shown:

sudo vim /etc/squid/banned-keywords.squid

Add the keywords to the file:

porn
gamble
ads
movie

For the keywords to take effect, reference the file from an ACL in the main config file and deny it before the allow rule:

### Adding Custom ACL #######
acl newlocalnet src 192.168.205.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
# The path must match the keyword file created above exactly
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"

http_access deny blockedsites
http_access deny keyword-ban
http_access allow newlocalnet

Because the default localnet ACL lines are commented out, also comment out the http_access line that references them:

# from where browsing should be allowed
#http_access allow localnet
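To see why the order of the http_access lines matters, here is an added example (not Squid's code and not part of the original post) that models Squid's top-to-bottom evaluation with the ACLs from sections a to c; the trailing deny all is taken from the packaged squid.conf shown earlier. It also shows that url_regex is matched against the whole URL, so a short keyword such as ads also blocks unrelated paths like /downloads/.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Added example, not Squid's code: a model of how Squid walks http_access lines
# top to bottom against src, dstdomain and url_regex ACLs (semantics per the
# Squid documentation).

def acl_matches(kind, values, client_ip, url):
    """Return True when an ACL of the given type matches this request."""
    host = urlparse(url).hostname or ""
    if kind == "src":
        return any(ip_address(client_ip) in ip_network(v) for v in values)
    if kind == "dstdomain":
        # A leading dot matches the domain itself and every subdomain;
        # an entry without one matches that exact host only.
        return any((host == d[1:] or host.endswith(d)) if d.startswith(".")
                   else host == d for d in values)
    if kind == "url_regex":
        # Matched against the whole URL (scheme, host and path), not the host alone.
        return any(re.search(p, url) for p in values)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, acls, client_ip, url):
    """First http_access line whose ACLs all match decides; '!' negates an ACL.

    If no line matches, Squid applies the opposite of the last line's action.
    """
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], client_ip, url) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACLs from the tutorial's squid.conf fragments, with the contents of the
# restricted-sites and banned-keywords files inlined; "all" is Squid's built-in
# match-everything ACL.
ACLS = {
    "newlocalnet": ("src", ["192.168.205.0/24"]),
    "blockedsites": ("dstdomain", [".netflix.com", ".youtube.com", ".facebook.com"]),
    "keyword-ban": ("url_regex", ["porn", "gamble", "ads", "movie"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
}

# Order as written in the tutorial: deny rules first, then allow the subnet,
# then the default "deny all" that closes the packaged squid.conf.
RULES = [
    ("deny", ["blockedsites"]),
    ("deny", ["keyword-ban"]),
    ("allow", ["newlocalnet"]),
    ("deny", ["all"]),
]

# The same lines with the allow moved to the top: for hosts in newlocalnet the
# deny rules are never reached, so the blocklists silently stop working.
MISORDERED_RULES = [RULES[2], RULES[0], RULES[1], RULES[3]]

if __name__ == "__main__":
    for ip, url in [("192.168.205.13", "http://www.facebook.com/"),
                    ("192.168.205.13", "http://example.com/downloads/tool.zip"),
                    ("10.0.0.7", "http://example.com/")]:
        print(f"{ip} {url}: ordered={http_access(RULES, ACLS, ip, url)} "
              f"misordered={http_access(MISORDERED_RULES, ACLS, ip, url)}")
```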

d. Mask the Client's IP Address

To anonymize traffic by not exposing the client IP addresses to upstream servers, add the lines below at the end of the main squid.conf file:

......
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Anonymize Traffic
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

e. Configure the Squid Proxy Port

By default, the Squid Proxy server listens on port 3128/tcp. This port can be changed by editing the main config file and replacing the value of http_port as preferred.

For example, to change the default port to 8085, edit the file as shown:

# Squid normally listens to port 3128
# http_port 3128                 #Comment the line by adding #
http_port 8085

It is also possible to specify the IP address to listen on:

http_port 192.168.205.12:8085

You can now view the configuration file after editing:

sudo grep -vE "^#|^$" /etc/squid/squid.conf

In this case, my configuration file looks as shown below:

[Screenshot: the edited squid.conf shown without comments]

Validate the configurations:

squid -k parse

Sample Output:

2022/07/25 11:29:25| Startup: Initializing Authentication Schemes ...
2022/07/25 11:29:25| Startup: Initialized Authentication Scheme 'basic'
2022/07/25 11:29:25| Startup: Initialized Authentication Scheme 'digest'
2022/07/25 11:29:25| Startup: Initialized Authentication Scheme 'negotiate'
2022/07/25 11:29:25| Startup: Initialized Authentication Scheme 'ntlm'
2022/07/25 11:29:25| Startup: Initialized Authentication.
2022/07/25 11:29:25| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2022/07/25 11:29:25| Processing: acl newlocalnet src 192.168.205.0/24
2022/07/25 11:29:25| Processing: acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
2022/07/25 11:29:25| Processing: acl keyword-ban url_regex "/etc/squid/keyword-ban.squid"
2022/07/25 11:29:25| ERROR: Can not open file /etc/squid/keyword-ban.squid for reading
2022/07/25 11:29:25| Warning: empty ACL: acl keyword-ban url_regex "/etc/squid/keyword-ban.squid"
......
2022/07/25 11:29:25| Processing: request_header_access Pragma deny all
2022/07/25 11:29:25| Processing: request_header_access Keep-Alive deny all
2022/07/25 11:29:25| WARNING: HTTP requires the use of Via
2022/07/25 11:29:25| Initializing https:// proxy context
2022/07/25 11:29:25| Requiring client certificates.

Any ERROR or Warning line in the parse output points to something to fix before going on. In the run above, the url_regex ACL referenced /etc/squid/keyword-ban.squid while the keyword file created earlier was named banned-keywords.squid, so Squid treated the ACL as empty and the keyword block would never match. Once everything is okay, restart Squid:

sudo systemctl restart squid

Verify that Squid is listening on the configured port:

$ sudo ss -altnp | grep 8085
LISTEN 0      4096               *:8085            *:*    users:(("squid",pid=31637,fd=11))

f. Configure SELinux and Firewall for Squid Proxy Server

Allow the configured Squid port through the firewall:

sudo firewall-cmd --permanent --add-port=[port_number]/tcp
sudo firewall-cmd --reload

You also need to label the port for SELinux so that Squid is allowed to bind to it:

sudo semanage port -a -t squid_port_t -p tcp [port_number]

Replace [port_number] with the set port in the config file.

4. Configure Squid Proxy Server Clients

To use the Squid server, you need to point clients at it. Clients can be configured to connect to the Squid proxy server in any of the following ways:

  • System-wide proxy configuration
  • Using the Squid server as the gateway
  • Set the proxy settings on the browser

a. System-wide proxy configuration

Create a file under /etc/profile.d that defines the proxy environment variables. For our Squid proxy server, the file looks as below:

sudo vim /etc/profile.d/squid.sh

Capture the Squid proxy server environment variables:

PROXY_URL="192.168.205.12:8085"
HTTP_PROXY=$PROXY_URL
HTTPS_PROXY=$PROXY_URL
FTP_PROXY=$PROXY_URL
http_proxy=$PROXY_URL
https_proxy=$PROXY_URL
ftp_proxy=$PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy

Save the file and source the profile:

source /etc/profile.d/squid.sh

To verify that the changes are effective, download something from the client's terminal:

wget google.com

Sample Output:

[Screenshot: wget sample output]

From the Squid server, check the logs:

$ sudo tail -f /var/log/squid/access.log 
1658741586.666     31 192.168.205.13 TCP_MISS/301 640 GET http://google.com/ - HIER_DIRECT/142.250.186.110 text/html
1658741586.818    151 192.168.205.13 TCP_MISS/200 14435 GET http://www.google.com/ - HIER_DIRECT/142.250.185.164 text/html

You can also try fetching a blocked site. For example:

wget facebook.com

Sample output:

[Screenshot: wget output for the blocked site]

b. Proxy settings on the browser

It is also possible to connect to the Squid proxy server from a browser such as Firefox or Chrome. In Firefox, navigate to Settings > General > Network Settings > Manual Proxy Configuration and also enable the "Also use this proxy for HTTPS" option.

[Screenshot: browser manual proxy configuration]

Save the changes and try accessing any blocked site.

[Screenshot: browser result when accessing a blocked site]

c. Configure Squid Proxy Server for Wget/cURL

Wget and cURL can be pointed at the Squid Proxy Server on their own by editing the files below:

  • For wget, edit ~/.wgetrc and add:

HTTP_PROXY=192.168.205.12:8085
FTP_PROXY=192.168.205.12:8085

If the proxy server requires a username and password, pass them on the command line. For example:

wget google.com --proxy-user=YOUR-USERNAME-HERE --proxy-password=YOUR-PASSWORD-HERE
  • For cURL, edit ~/.curlrc and add:

proxy=http://192.168.205.12:8085

If a username and password are configured, pass them with the -U (--proxy-user) flag as shown:

curl http://example.com/file.tar.gz -U YOUR-USERNAME-HERE:YOUR-PASSWORD-HERE

d. Configure DNF to use Squid Proxy Server

DNF can also reach its repositories through a proxy server such as Squid. To achieve this, edit /etc/dnf/dnf.conf:

sudo vim /etc/dnf/dnf.conf

Set the following options in the file:

  • proxy=http://URL:PORT/: This is the URL of the Squid proxy server
  • proxy_username=YOUR-PROXY-USERNAME-HERE: (optional) if you have a username configured on the Proxy server
  • proxy_password=YOUR-SUPER-secrete-PASSWORD-HERE: (optional) if you have a password for the username configured

For this case, we will have the file modified as shown:

[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False

proxy=http://192.168.205.12:8085/
#proxy_username=YOUR-PROXY-USERNAME-HERE
#proxy_password=YOUR-SUPER-secrete-PASSWORD-HERE

Since we haven’t configured the username and password, we will comment out the two lines.

Remember that settings in /etc/dnf/dnf.conf apply to all users on the client, and because the file is world-readable by default, any proxy credentials stored in it are visible to every local user.

Verify the changes by updating the system:

sudo dnf update

Check logs on the Squid proxy server:

$ sudo tail -f /var/log/squid/access.log 
1658742479.074     11 192.168.205.13 TCP_MISS/200 155221 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/sssd-ldap-2.6.2-4.el9_0.1.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.103     10 192.168.205.13 TCP_MISS/200 67952 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/sssd-proxy-2.6.2-4.el9_0.1.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.124      9 192.168.205.13 TCP_MISS/200 20879 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/vim-filesystem-8.2.2637-16.el9_0.2.noarch.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.195     43 192.168.205.13 TCP_MISS/200 219472 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/xz-5.2.5-8.el9_0.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.201     61 192.168.205.13 TCP_MISS/200 696815 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/vim-minimal-8.2.2637-16.el9_0.2.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.229     10 192.168.205.13 TCP_MISS/200 94314 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/xz-libs-5.2.5-8.el9_0.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.255     11 192.168.205.13 TCP_MISS/200 92465 GET http://mirror.rackspeed.de/almalinux/9/BaseOS/x86_64/os/Packages/zlib-1.2.11-31.el9_0.1.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager
1658742479.290   3823 192.168.205.13 TCP_MISS/200 108465888 GET http://mirror.rackspeed.de/almalinux/9/AppStream/x86_64/os/Packages/firefox-91.11.0-2.el9_0.alma.x86_64.rpm - HIER_DIRECT/185.147.219.20 application/x-redhat-package-manager

5. Setup Basic Authentication on the Squid Proxy Server

It is possible to create a username and password to be used to access the Squid Proxy server. This can be done by editing the main configuration file as shown:

sudo vim /etc/squid/squid.conf

Add the lines below to the file. The previous allow rule for newlocalnet is adjusted so that it applies only to clients that also authenticate:

## Basic authentication against an htpasswd file; auth_param must appear
## before any proxy_auth ACL that relies on it
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

### Adding Custom ACL #######
acl newlocalnet src 192.168.205.0/24

## Adding Sites to Block access to ###
acl blockedsites dstdomain "/etc/squid/restricted-sites.squid"
acl keyword-ban url_regex "/etc/squid/banned-keywords.squid"

http_access deny blockedsites
http_access deny keyword-ban
# Both ACLs on the line must match: a host in the subnet that has authenticated
http_access allow newlocalnet authenticated
.....

Save the file and set up the user and password. First, install the required tools:

sudo dnf install httpd-tools

Then create the password file and set a password for the specified username (-c creates the file; omit it when adding further users so the existing entries are kept):

$ sudo htpasswd -c /etc/squid/passwords username
New password: 
Re-type new password: 

Enter and confirm the set password, then restart the service:

sudo systemctl restart squid

To verify that authentication is working, try refreshing the DNF cache on the client configured above. Without credentials the proxy now answers with HTTP 407:

$ sudo dnf makecache
Errors during downloading metadata for repository 'appstream':
  - Curl error (56): Failure when receiving data from the peer for https://mirrors.almalinux.org/mirrorlist/9/appstream [Received HTTP code 407 from proxy after CONNECT]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer for https://mirrors.almalinux.org/mirrorlist/9/appstream [Received HTTP code 407 from proxy after CONNECT]

You now need to add the username and password to the DNF configuration so that the client can authenticate to the proxy server.

$ sudo vim /etc/dnf/dnf.conf
proxy=http://192.168.205.12:8085/
proxy_username=YOUR-PROXY-USERNAME-HERE
proxy_password=YOUR-SUPER-secrete-PASSWORD-HERE

Once added, the update command should work again.

$ sudo dnf makecache
AlmaLinux 9 - AppStream                                                                                     7.3 kB/s | 3.8 kB     00:00    
AlmaLinux 9 - BaseOS                                                                                        7.4 kB/s | 3.8 kB     00:00    
AlmaLinux 9 - Extras                                                                                        7.0 kB/s | 3.7 kB     00:00    
Metadata cache created.

In a browser, the proxy likewise prompts for the proxy server's username and password.

[Screenshot: browser prompt for the proxy username and password]

6. Squid Proxy Server Log Monitoring

The Squid Proxy Server stores its log files at /var/log/squid/ as:

  • access.log: logs web requests and results
  • cache.log: logs the error and debug messages from Squid

Squid recognizes several request methods such as:

  • GET: object retrieval and simple searches
  • HEAD: metadata retrieval
  • POST: submit data (to a program).
  • PUT: upload data (e.g. to a file)
  • DELETE: remove resource (e.g. file).
  • TRACE: application-layer trace of the request route.
  • ICP_QUERY: used for ICP-based exchanges.

The two Squid logs can be loaded into and analyzed with several tools, including Firewall Analyzer, Nagios Log Server and Squid Log Analysis Software.
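The access.log lines shown earlier use Squid's default (native) format: time, elapsed milliseconds, client, result/status, bytes, method, URL, user, hierarchy/peer and content type. As an added example (not from the original post), the parser below reads that format and summarises traffic and denied requests per client, which is the quickest way to spot blocked hosts or clients outside the allowed subnet; the sample lines are constructed from the tutorial's output, not real traffic.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Added example, not from the original post: parse Squid's native access.log
# format and summarise it the way a first-pass log review would.
# Field order per line:
#   time elapsed client result/status bytes method URL user hierarchy/peer type

# Constructed sample lines modelled on the tutorial's output; not real traffic.
SAMPLE_LOG = """\
1658741586.666     31 192.168.205.13 TCP_MISS/301 640 GET http://google.com/ - HIER_DIRECT/142.250.186.110 text/html
1658741586.818    151 192.168.205.13 TCP_MISS/200 14435 GET http://www.google.com/ - HIER_DIRECT/142.250.185.164 text/html
1658741601.120      0 192.168.205.13 TCP_DENIED/403 3896 GET http://facebook.com/ - HIER_NONE/- text/html
1658741610.004     20 192.168.205.20 TCP_TUNNEL/200 5120 CONNECT mirrors.almalinux.org:443 - HIER_DIRECT/203.0.113.5 -
1658741612.555      0 10.0.0.7 TCP_DENIED/403 3800 GET http://example.com/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format access.log line into a dict of typed fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    method, url = f[5], f[6]
    # CONNECT (HTTPS tunnels) logs "host:port" rather than a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlparse(url).hostname or url)
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "result": result,
        "status": int(status),
        "bytes": int(f[4]),
        "method": method,
        "url": url,
        "host": host,
        "user": None if f[7] == "-" else f[7],
        "hierarchy": hierarchy,
        "peer": None if peer == "-" else peer,
        "type": f[9],
    }


def summarize(log_text):
    """Bytes per client, denied requests per client and hits per destination host.

    TCP_DENIED entries are the http_access denials (blocked sites, hosts outside
    the allowed subnet, or a 407 for missing proxy credentials once auth is on),
    so a client with many of them is the first thing to look at.
    """
    bytes_by_client, denied_by_client, hosts = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        bytes_by_client[e["client"]] += e["bytes"]
        hosts[e["host"]] += 1
        if e["result"] == "TCP_DENIED":
            denied_by_client[e["client"]] += 1
    return {"bytes_by_client": dict(bytes_by_client),
            "denied_by_client": dict(denied_by_client),
            "hosts": dict(hosts)}
```

Run it against the real file with `summarize(open("/var/log/squid/access.log").read())`; the same parser feeds `tail -f` output line by line via `parse_line`.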

Conclusion

We have walked through how to install and configure the Squid Proxy Server on Rocky Linux 9. I hope this will be of great value to you.
