Posted on March 5, 2023 by nexonhost
How To Understand Squid Proxy And How To Configure Squid Proxy.
A proxy is a server located between two networks; in this case, the most common implementation of a Squid proxy is the division between user computers and devices and the internet, divided or separated by a proxy server in the middle. In other words, a proxy server function is to concentrate the network traffic through a single server. In this tutorial, we will redirect local network traffic to the internet through the Squid proxy. Only the device working as a proxy needs internet access; the rest of the devices will connect through it.
This tutorial explains how to set up Squid on CentOS 7 and configure Firefox and Google Chrome web browsers to use the proxy.
Squid package is included in the default CentOS 7 repositories. To install it run the following command as sudo user :
sudo yum install squid
Once the installation is completed, start and enable the Squid service:
sudo systemctl start squid sudo systemctl enable squid
To verify that the installation was successful, type the following command which will print the service status:
sudo systemctl status squid
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2023-03-05 13:04:00 EST; 57s ago
Main PID: 17262 (squid)
CGroup: /system.slice/squid.service
├─17262 /usr/sbin/squid -f /etc/squid/squid.conf
├─17264 (squid-1) -f /etc/squid/squid.conf
└─17265 (logfile-daemon) /var/log/squid/access.log
Mar 05 13:04:00 test-liviu systemd[1]: Starting Squid caching proxy...
Mar 05 13:04:00 test-liviu squid[17262]: Squid Parent: will start 1 kids
Mar 05 13:04:00 test-liviu squid[17262]: Squid Parent: (squid-1) process 17264 started
Mar 05 13:04:00 test-liviu systemd[1]: Started Squid caching proxy.Configuring Squid
Squid can be configured by editing the /etc/squid/squid.conf file. Additional files with configuration options can be included using the “include” directive.
Before making any changes, back up the original configuration file with the cp command:
sudo cp /etc/squid/squid.conf{,.orginal}To edit the file, open it in your text editor :
sudo nano /etc/squid/squid.conf
By default, Squid is configured to listen on port 3128 on all network interfaces on the server.
If you want to change the port and set a listening interface, locate the line starting with http_port and specify the interface IP address and the new port. If no interface is specified Squid will listen on all interfaces.
/etc/squid/allowed_ips.txt
# Squid normally listens to port 3128 http_port IP_ADDR:PORT
Running Squid on all interfaces and on the default port should be fine for most users.
You can control the access to the Squid server using the Access Control Lists (ACLs).
By default, Squid allows access only from localhost and localnet.
If all of the clients that will use the proxy have a static IP address you can create an ACL that will include the allowed IPs.
Instead of adding the IP addresses in the main configuration file we will create a new dedicated file that will hold the IPs:
/etc/squid/allowed_ips.txt
5.254.113.196 # All other allowed IPs
Once done open the main configuration file and create a new ACL named allowed_ips (first highlighted line) and allow access to that ACL using the http_access directive (second highlighted line):
/etc/squid/squid.conf
# ... acl allowed_ips src "/etc/squid/allowed_ips.txt" # ... http_access allow localnet http_access allow localhost http_access allow allowed_ips # And finally deny all other access to this proxy http_access deny all
The order of the http_access rules is important. Make sure you add the line before http_access deny all.
The http_access directive works in a similar way as the firewall rules. Squid reads the rules from top to bottom, and when a rule matches the rules below are not processed.
Whenever you make changes to the configuration file you need to restart the Squid service for the changes to take effect:
sudo systemctl restart squid
Squid Authentication
Squid can use different back ends, including Samba , LDAP and HTTP basic auth to authenticated users.
In this example, we’ll configure Squid to use basic auth. It is a simple authentication method built into the HTTP protocol.
We’ll use the openssl to generate the passwords and append the username:password pair to the /etc/squid/htpasswd file with the tee command as shown below:
printf "USERNAME:$(openssl passwd -crypt PASSWORD)\n" | sudo tee -a /etc/squid/htpasswd
For example to create a user named “mike” with password “Pz$lPk76” you would run:
printf "liviu:$(openssl passwd -crypt 'Pz$lPk76')\n" | sudo tee -a /etc/squid/htpasswd
liviu:2nkgQsTSPCsIo
The next step is to configure Squid to enable the HTTP basic authentication and use the file.
Open the main configuration and add the following:
/etc/squid/squid.conf
# ... auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd auth_param basic realm proxy acl authenticated proxy_auth REQUIRED # ... http_access allow localnet http_access allow localhost http_access allow authenticated # And finally deny all other access to this proxy http_access deny all
With the first three highlighted lines we are creating a new ACL named authenticated. The last highlighted line is allowing access to authenticated users.
Restart the Squid service:
sudo systemctl restart squid
Configuring firewall
If you are running a firewall you’ll need to open port 3128. To do so run the following commands:
sudo firewall-cmd --permanent --add-port=3128/tcpfirewall-cmd --reload
If Squid is running on another, non-default port, you’ll need to allow traffic on that port with.
Configuring Your Browser to Use Proxy
Now that you have Squid set up, the last step is to configure your preferred browser to use it.
Firefox
The steps below are the same for Windows, macOS, and Linux.
In the upper right-hand corner, click on the hamburger icon ☰ to open Firefox’s menu:
Click on the ⚙ Preferences link.
Scroll down to the Network Settings section and click on the Settings… button.
A new window will open.
Select the Manual proxy configuration radio button.
Enter your Squid server IP address in the HTTP Host field and 3128 in the Port field.
Select the Use this proxy server for all protocols check box.
Click on the OK button to save the settings.
At this point, your Firefox is configured and you can browse the Internet through the Squid proxy. To verify it, open google.com, type “what is my ip” and you should see your Squid server IP address.
To revert back to the default settings go to Network Settings, select the Use system proxy settings radio button and save the settings.
Google Chrome
Google Chrome uses the default system proxy settings. Instead of changing your operating system proxy settings you can either use an addon such as SwitchyOmega or start Chrome web browser from the command line.
To launch Chrome using a new profile and connect to the Squid server, use the following command:
Linux :
/usr/bin/google-chrome \
--user-data-dir="$HOME/proxy-profile" \
--proxy-server="http://SQUID_IP:3128"
macOS :
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
--user-data-dir="$HOME/proxy-profile" \
--proxy-server="http://SQUID_IP:3128"
Windows :
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" ^
--user-data-dir="%USERPROFILE%\proxy-profile" ^
--proxy-server="http://SQUID_IP:3128"
The profile will be created automatically if it does not exist. This way you can run multiple instances of Chrome at the same time.
To confirm the proxy server is working properly, open google.com, and type “what is my ip”. The IP shown in your browser should be the IP address of your server.
Conclusion
You have learned how to install squid on CentOS 7 and configure your browser to use it.
Squid is one of the most popular proxy caching servers. It improves