Thursday, July 28, 2005

Squid proxy configuration on LINUX

SQUID PROXY CONFIGURATION (LINUX 7.1 AND ABOVE)


Configuration file - /etc/squid/squid.conf

  1. Edit /etc/squid/squid.conf with the vi editor
  2. Locate “http_port”, remove the “#” and add the port number next to it (default 3128)
  3. Locate “cache_mem 8 MB” and remove the “#”
  4. Locate “cache_dir ufs /var/spool/squid 100 16 256” and remove the “#”. The directory must exist and be owned by the user squid runs as; run “squid -z” once to create the cache directories before the first start
  5. Locate “dns_nameservers”, remove the “#” and add the IP of your DNS server next to it
  6. Locate the section “ACCESS CONTROLS”
  7. Set the rule “acl all src 0.0.0.0/0.0.0.0”
  8. Leave the other acl lines as they are
  9. Go to “http_access”
  10. Set the access rule “http_access allow all” and put a “#” in front of all other http_access rules


The last four steps set the http_access rule. The example here gives access to all IPs (0.0.0.0/0.0.0.0), which turns the machine into an open proxy: anyone who can reach the http_port can browse, and abuse, through it. Use it only while testing on a network that is not reachable from the Internet, and replace it with the specific rules described at the end of this procedure before putting the proxy into service.

Set up your client browser to point at this squid (the server IP and the http_port you chose). If you face any problem, check /var/log/squid/cache.log and /var/log/messages for clues.

Note: You must restart squid (or run “squid -k reconfigure”) for changes in squid.conf to take effect. Run “squid -k parse” first to catch syntax errors before they take the proxy down.

To stop/start/restart the service

# /etc/rc.d/init.d/squid start

# /etc/rc.d/init.d/squid stop

# /etc/rc.d/init.d/squid restart

Setting up User based authentication with Squid.

This requires every user browsing the Internet through this proxy to authenticate with a username and password before the request is served.

Copy /usr/lib/squid/ncsa_auth to /usr/bin/ncsa_auth

Create the password file (# touch /usr/etc/passwd). This is Squid’s own password file, not the system /etc/passwd; it holds password hashes, so keep it readable only by root and the user squid runs as.

Create users in the above passwd file with the “htpasswd” command, replacing “username” with the login name:


# htpasswd -c /usr/etc/passwd username

Enter the password for the new user when prompted. The “-c” switch creates the file; omit it when adding further users, otherwise the existing file is overwritten.

Users created this way will be able to authenticate for browsing. Set the following in the squid.conf file:

Locate “authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd” and remove the “#” (on Squid 2.5 and later the directive is “auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd”)

Locate “authenticate_children”, remove the “#” and set the value to 32 (this is the number of ncsa_auth helper processes Squid starts; the default is 5). On Squid 2.5 and later the directive is “auth_param basic children 32”.

Go to “ACCESS CONTROLS”

Create a new ACL, “acl word proxy_auth REQUIRED”

Go to http_access and set “http_access allow word”. Remove the “http_access allow all” line from the basic setup, otherwise every request is allowed before the proxy_auth ACL is ever checked, and keep “http_access deny all” as the last rule.

Denying FTP access:

acl ftp proto FTP

http_access deny ftp

Denying bad domains (use the dstdomain type, which matches host names; the dst type matches IP addresses):

acl baddomains dstdomain .example.com .example.net

http_access deny baddomains

A leading dot matches the domain and all of its subdomains. The domain names above are placeholders; list the ones you want to block.

Denying access to sites with “bad words” in the URL:

acl badurl url_regex -i "/etc/squid/badwords"

http_access deny badurl

The “-i” flag makes the match case-insensitive. The quoted path is a placeholder for a file with one regular expression per line; patterns can also be listed directly on the acl line. The name on each http_access line must be spelled exactly as on its acl line.

http_access allow mylan

http_access deny all

The “mylan” ACL is defined in the LAN rules below; the deny lines must come before the allow line.

Setting up additional IP rules for LAN users in “ACCESS CONTROL”

Set a rule for net access for only a specific range of IP

“acl mylan src 192.168.10.0/255.255.255.0”

“http_access allow mylan”

“http_access deny all”


This allows access to all hosts in the network 192.168.10.0/24 and denies everyone else. To require both LAN membership and a password, name both ACLs on one line: “http_access allow mylan word” (all ACLs on a single http_access line must match).


Note: When you set specific rules as above, remember to put “http_access deny all” at the end. Squid uses the first http_access line that matches, so any allow rules placed after “deny all” are never reached.
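The following Python script is an added example, not part of the original post or of Squid itself. It models how Squid evaluates the acl and http_access lines built up in this procedure (first matching line wins, all ACLs on a line must match) and runs a few requests against a consolidated squid.conf fragment, then against the same fragment with “deny all” placed before the allow line to show why that ordering kills the allow rules. The domain name “blocked.example” and the regex word “gambling” are placeholders chosen for the example.

```python
"""Toy model of how Squid evaluates ``acl`` and ``http_access`` lines.

Squid walks the http_access lines top to bottom.  Every ACL named on a
line must match (AND); the first line whose ACLs all match decides, and
later lines are never looked at.  Only the ACL types used in this post
are modelled: src, dstdomain, proto, url_regex and proxy_auth.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed squid.conf fragment consolidating the rules in this post.
# The domain name and the regex word are placeholders for this example.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl mylan src 192.168.10.0/255.255.255.0
acl word proxy_auth REQUIRED
acl ftp proto FTP
acl baddomains dstdomain .blocked.example
acl badurl url_regex -i gambling
http_access deny ftp
http_access deny baddomains
http_access deny badurl
http_access allow mylan word
http_access deny all
"""

# Same ACLs with "deny all" placed before the allow line, the mistake the
# note above warns about: the allow line can never be reached.
WRONG_ORDER_CONF = SQUID_CONF.replace(
    "http_access allow mylan word\nhttp_access deny all",
    "http_access deny all\nhttp_access allow mylan word",
)


def parse_config(text):
    """Return ({acl_name: (acl_type, values)}, [(action, [(negated, acl_name)])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            # Repeated acl lines with the same name add to one list.
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(v.startswith("!"), v.lstrip("!")) for v in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, request):
    """Does the named ACL match request = {client, url, user}?"""
    acl_type, values = acls[name]
    url = request["url"]
    host = (urlparse(url).hostname or "").lower()
    if acl_type == "src":
        ip = ipaddress.ip_address(request["client"])
        # ip_network accepts both CIDR and Squid's addr/netmask spelling.
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        # ".x.example" matches x.example and every subdomain; "x.example" is exact.
        return any(host == v.lstrip(".").lower()
                   or (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    if acl_type == "proto":
        return urlparse(url).scheme.upper() in {v.upper() for v in values}
    if acl_type == "url_regex":
        ignore_case = values[:1] == ["-i"]
        patterns = values[1:] if ignore_case else values
        flags = re.IGNORECASE if ignore_case else 0
        return any(re.search(p, url, flags) for p in patterns)
    if acl_type == "proxy_auth":
        # REQUIRED matches once the client has sent valid credentials.  Real
        # Squid answers an unauthenticated request with 407 so the browser
        # prompts for a password; here the ACL simply fails to match.
        return request.get("user") is not None
    raise ValueError("unsupported acl type: " + acl_type)


def http_access(config_text, request):
    """Return (decision, index of the http_access line that decided)."""
    acls, rules = parse_config(config_text)
    for index, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, name, request) != negated
               for negated, name in terms):
            return action, index
    # Nothing matched: Squid's default is the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    lan_user = {"client": "192.168.10.5", "user": "alice",
                "url": "http://www.allowed.example/index.html"}
    print(http_access(SQUID_CONF, lan_user))        # ('allow', 3)
    print(http_access(WRONG_ORDER_CONF, lan_user))  # ('deny', 3)
```

The index returned is the position of the deciding http_access line, counting from 0, so you can see which rule fired. With the correct ordering an authenticated LAN user reaches the allow line; the same user without credentials, a host outside 192.168.10.0/24, an FTP URL, a blocked domain or a URL containing the bad word all end in a deny line. With “deny all” moved up, every request is denied at that line and the allow rule after it is dead.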

Cache Access Log

This directive sets the path of the access.log file, which records client request activity: one entry for every HTTP and ICP request received. Each entry carries the client IP, the username (when authentication is enabled) and the full URL, so restrict read access to the file; the directory must also be writable by the user squid runs as.

“cache_access_log /var/log/squid_access.log”
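The following Python script is an added example, not part of the original post or of Squid, that shows what the access log is good for once the ACL and authentication rules above are in place. It parses lines in Squid’s native access.log format (the one written by the directive above) and pulls out the access-control events: every denied request, clients that keep collecting 407 challenges without ever authenticating, and the destinations most often refused with 403. The log lines are constructed for the example; the hostnames and addresses in them are placeholders.

```python
"""Pull the access-control events out of Squid's native access.log.

Native format, one request per line, space separated:
  timestamp elapsed_ms client result/status bytes method URL user hierarchy/peer type
``result`` is e.g. TCP_MISS or TCP_DENIED; ``user`` is "-" when the client
sent no credentials.
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample lines (not a real log); the timestamps fall on 2005-07-28.
SAMPLE_LOG = """\
1122540001.123    245 192.168.10.5 TCP_MISS/200 1234 GET http://www.allowed.example/index.html alice DIRECT/203.0.113.10 text/html
1122540002.456      0 192.168.10.5 TCP_DENIED/403 1100 GET http://www.blocked.example/ alice NONE/- text/html
1122540003.001      0 192.168.10.9 TCP_DENIED/407 1300 GET http://www.allowed.example/ - NONE/- text/html
1122540003.202      0 192.168.10.9 TCP_DENIED/407 1300 GET http://www.allowed.example/ - NONE/- text/html
1122540003.403      0 192.168.10.9 TCP_DENIED/407 1300 GET http://www.allowed.example/ - NONE/- text/html
1122540003.604      0 192.168.10.9 TCP_DENIED/407 1300 GET http://www.allowed.example/ - NONE/- text/html
1122540004.111      0 10.0.0.7 TCP_DENIED/403 1100 GET http://www.allowed.example/ - NONE/- text/html
1122540005.111      0 192.168.10.12 TCP_DENIED/407 1300 GET http://www.allowed.example/ - NONE/- text/html
1122540005.222      0 192.168.10.12 TCP_DENIED/403 1100 GET http://www.blocked.example/news bob NONE/- text/html
1122540006.333    512 192.168.10.12 TCP_HIT/200 5120 GET http://www.allowed.example/logo.gif bob NONE/- image/gif
"""


def parse_line(line):
    """Split one native-format line into the fields that matter for access control."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    result, _, status = fields[3].partition("/")
    return {
        "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        "client": fields[2],
        "result": result,
        "status": int(status),
        "method": fields[5],
        "url": fields[6],
        "user": None if fields[7] == "-" else fields[7],
    }


def load_records(text):
    """Parse a whole log (or tail of one), skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_requests(records):
    """Every request Squid refused, whether by an ACL or for missing credentials."""
    return [r for r in records if r["result"] == "TCP_DENIED"]


def auth_failure_hotspots(records, threshold=3):
    """Clients with at least `threshold` 407 responses and no successful
    authenticated request at all.  One 407 per session is normal (the
    browser has not sent credentials yet); a pile of them with nothing
    getting through points at a misconfigured client or password guessing."""
    challenged = Counter(r["client"] for r in records if r["status"] == 407)
    succeeded = {r["client"] for r in records if r["user"] and r["status"] < 400}
    return {c: n for c, n in challenged.items()
            if n >= threshold and c not in succeeded}


def blocked_destinations(records):
    """Hostnames most often refused with 403, i.e. which deny ACLs are doing work."""
    return Counter(urlparse(r["url"]).hostname
                   for r in records if r["status"] == 403)


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    print("denied requests:", len(denied_requests(records)))
    print("407 hotspots:", auth_failure_hotspots(records))
    print("blocked hosts:", blocked_destinations(records).most_common(3))
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/squid_access.log (or pipe “tail” output into it). A 403 means an http_access deny line matched; a 407 means the proxy_auth ACL asked for credentials. Tuning the threshold in auth_failure_hotspots to the number of login prompts a legitimate user would plausibly dismiss keeps the report useful.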
