Cyberithub

How to Install and Configure Squid Proxy Server on RHEL/CentOS 7/8

by

In this article, I will take you through the Steps to Install and configure Squid Proxy Server on RHEL/CentOS 7/8. You might face a situation where you have some server in private network which is not allowed to access anything on public network and suddenly you have some requirements like you need to update the Server immediately using yum tool. This can be easily done by using proxy server.

Also if you want to restrict or block some URLs you can do it through proxy server. Squid is an open source proxy software for the web supporting http, https, ftp and more. It is used by hundreds of Internet Providers and Organizations across the globe due to its high performance. More on Squid Proxy Official Documentation.

How to Install and Configure Squid Proxy Server on RHEL/CentOS 7/8 1

Install and Configure Squid Proxy Server

Also Read: 11 Best Python OS Modules Examples on Linux

Step 1: Prerequisites

a) You need to have a running RHEL/CentOS 7/8 System.

b) You should have yum tool installed in your Server. You can check Top 22 YUM command examples in RedHat/CentOS 7 to know more about yum command.

c) You need to have root or sudo access to run privileged commands. Please Check How to Add User to Sudoers to know more about providing sudo access to the User.

d) You should have httpd-tools package installed in your Server. If it is not installed then you can use yum install httpd-tools -y command to install this package.

Step 2: Update Your Server

Before going through the steps to install and configure squid proxy server on RHEL/CentOS 7/8, it is always recommended to first update your server by using yum update -y command as shown below.

[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.piconets.webwerks.in
* epel: download.nus.edu.sg
* extras: mirrors.piconets.webwerks.in
* updates: mirrors.piconets.webwerks.in
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.9.10-1.el7 will be updated
---> Package ansible.noarch 0:2.9.14-1.el7 will be an update
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be updated
---> Package ca-certificates.noarch 0:2020.2.41-70.0.el7_8 will be an update
---> Package curl.x86_64 0:7.29.0-57.el7 will be updated
---> Package curl.x86_64 0:7.29.0-57.el7_8.1 will be an update
---> Package dbus.x86_64 1:1.10.24-13.el7_6 will be updated
---> Package dbus.x86_64 1:1.10.24-14.el7_8 will be an update
---> Package dbus-libs.x86_64 1:1.10.24-13.el7_6 will be updated
---> Package dbus-libs.x86_64 1:1.10.24-14.el7_8 will be an update
---> Package grub2.x86_64 1:2.02-0.81.el7.centos will be updated
---> Package grub2.x86_64 1:2.02-0.86.el7.centos will be an update
---> Package grub2-common.noarch 1:2.02-0.81.el7.centos will be updated
---> Package grub2-common.noarch 1:2.02-0.86.el7.centos will be an update
---> Package grub2-pc.x86_64 1:2.02-0.81.el7.centos will be updated
---> Package grub2-pc.x86_64 1:2.02-0.86.el7.centos will be an update
---> Package grub2-pc-modules.noarch 1:2.02-0.81.el7.centos will be updated
---> Package grub2-pc-modules.noarch 1:2.02-0.86.el7.centos will be an update
---> Package grub2-tools.x86_64 1:2.02-0.81.el7.centos will be updated
---> Package grub2-tools.x86_64 1:2.02-0.86.el7.centos will be an update
---> Package grub2-tools-extra.x86_64 1:2.02-0.81.el7.centos will be updated

Step 3: Install Squid Proxy Server

After successful updation you can now install squid package by using yum install squid -y command as shown below. This command will check the package dependencies and will install squid packages along with its dependencies.

[root@localhost ~]# yum install squid -y
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.5.20-15.el7_8.1 will be installed
--> Processing Dependency: squid-migration-script for package: 7:squid-3.5.20-15.el7_8.1.x86_64
--> Processing Dependency: perl(Digest::MD5) for package: 7:squid-3.5.20-15.el7_8.1.x86_64
--> Processing Dependency: libecap.so.3()(64bit) for package: 7:squid-3.5.20-15.el7_8.1.x86_64
--> Running transaction check
---> Package libecap.x86_64 0:1.0.0-1.el7 will be installed
---> Package perl-Digest-MD5.x86_64 0:2.52-3.el7 will be installed
--> Processing Dependency: perl(Digest::base) >= 1.00 for package: perl-Digest-MD5-2.52-3.el7.x86_64
---> Package squid-migration-script.x86_64 7:3.5.20-15.el7_8.1 will be installed
--> Running transaction check
---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Installing:
squid x86_64 7:3.5.20-15.el7_8.1 updates 3.1 M
Installing for dependencies:
libecap x86_64 1.0.0-1.el7 base 21 k
perl-Digest noarch 1.17-245.el7 base 23 k
perl-Digest-MD5 x86_64 2.52-3.el7 base 30 k
squid-migration-script x86_64 7:3.5.20-15.el7_8.1 updates 50 k

Transaction Summary
========================================================================================================================================================================
Install 1 Package (+4 Dependent packages)

Total download size: 3.3 M
Installed size: 11 M
Downloading packages:
(1/5): perl-Digest-1.17-245.el7.noarch.rpm | 23 kB 00:00:00
(2/5): libecap-1.0.0-1.el7.x86_64.rpm | 21 kB 00:00:00
(3/5): perl-Digest-MD5-2.52-3.el7.x86_64.rpm | 30 kB 00:00:00
(4/5): squid-migration-script-3.5.20-15.el7_8.1.x86_64.rpm | 50 kB 00:00:00
(5/5): squid-3.5.20-15.el7_8.1.x86_64.rpm | 3.1 MB 00:00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 2.2 MB/s | 3.3 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 7:squid-migration-script-3.5.20-15.el7_8.1.x86_64 1/5
Installing : libecap-1.0.0-1.el7.x86_64 2/5
Installing : perl-Digest-1.17-245.el7.noarch 3/5
Installing : perl-Digest-MD5-2.52-3.el7.x86_64 4/5
Installing : 7:squid-3.5.20-15.el7_8.1.x86_64 5/5
Verifying : perl-Digest-1.17-245.el7.noarch 1/5
Verifying : perl-Digest-MD5-2.52-3.el7.x86_64 2/5
Verifying : libecap-1.0.0-1.el7.x86_64 3/5
Verifying : 7:squid-3.5.20-15.el7_8.1.x86_64 4/5
Verifying : 7:squid-migration-script-3.5.20-15.el7_8.1.x86_64 5/5

Installed:
squid.x86_64 7:3.5.20-15.el7_8.1

Dependency Installed:
libecap.x86_64 0:1.0.0-1.el7 perl-Digest.noarch 0:1.17-245.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7 squid-migration-script.x86_64 7:3.5.20-15.el7_8.1

Complete!

Step 4: Check Squid version

If you want to check the squid version then you need to use squid -v command as shown below. As you can see from below output current squid version is 3.5.20.

[root@localhost ~]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Step 5: Start and Enable Squid Proxy Service

Once squid installation is successful you need to start the service by using systemctl start squid command as shown below.

[root@localhost ~]# systemctl start squid

In the next step, you need to enable the service by using systemctl enable squid command. This will enable the service to start at the boot time.

[root@localhost ~]# systemctl enable squid
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.

Then you can check the service running status by using systemctl status squid command. As you can see below, service is currently active and running fine. If you see any error in the status then you can use systemctl status squid -l command to check more about the error.

[root@localhost ~]# systemctl status squid
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-10-25 07:30:26 EDT; 12s ago
Main PID: 11680 (squid)
CGroup: /system.slice/squid.service
├─11680 /usr/sbin/squid -f /etc/squid/squid.conf
├─11682 (squid-1) -f /etc/squid/squid.conf
└─11683 (logfile-daemon) /var/log/squid/access.log

Oct 25 07:30:26 localhost systemd[1]: Starting Squid caching proxy...
Oct 25 07:30:26 localhost systemd[1]: Started Squid caching proxy.
Oct 25 07:30:26 localhost squid[11680]: Squid Parent: will start 1 kids
Oct 25 07:30:26 localhost squid[11680]: Squid Parent: (squid-1) process 11682 started

Step 6: Configure Squid Proxy Server

If you want to access this proxy server from a specific source then you need to add that source network in squid.conf file as shown below. Here we are adding 192.168.12.0/24 source network to allow the squid proxy server access.

[root@localhost ~]# vi /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.12.0/24
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

After adding the source network in the above configuration file, you need to restart the squid proxy service using systemctl restart squid command to update the changes.

[root@localhost ~]# systemctl restart squid

Step 7: Test Squid Proxy Server

To test the squid proxy setup you can use curl tool to access google.com through proxy by using curl -x http://192.168.0.103:3128 -I http://google.com command as shown below.

[root@localhost ~]# curl -x http://192.168.0.103:3128 -I http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Oct 2020 15:34:16 GMT
Expires: Wed, 25 Nov 2020 15:34:16 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.1 localhost (squid/3.5.20)
Connection: keep-alive

Step 8: Enable Proxy User and Authentication

To enable proxy user, first you need to create a passwd file under /etc/squid path using touch /etc/squid/passwd command as shown below.

[root@localhost ~]# touch /etc/squid/passwd

Then you need to change the ownership of /etc/squid/passwd file using chown squid:squid /etc/squid/passwd command.

[root@localhost ~]# chown squid:squid /etc/squid/passwd

In the next step you need to use the htpasswd tool to add the password for user testuser in /etc/squid/passwd file using htpasswd /etc/squid/passwd testuser command as shown below.

[root@localhost ~]# htpasswd /etc/squid/passwd testuser
New password:
Re-type new password:
Adding password for user testuser

Now if you open and check the contents of /etc/squid/passwd file then you will see something like this.

[root@localhost ~]# cat /etc/squid/passwd
testuser:$apr1$nMZaAPOl$IUqna2h0hgJVvPFDU3qXh0

Here is the example configuration that you need to use in squid.conf file. Open the file with vi editor using vi /etc/squid/squid.conf and then add the below configuration. More on Squid Proxy Tutorial.

[root@localhost ~]# vi /etc/squid/squid.conf
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
dns_v4_first on
forwarded_for delete
via off
http_port 9000
  • auth_param basic credentialsttl 24 hours: after 24 hours, user/pass will be asked again.
  • auth_param basic casesensitive off: case sensitive for user is off.
  • dns_v4_first on: use only IPv4 to speed up the proxy.
  • forwarded_for delete: remove the forwarded_for http header which would expose your source to the destination
  • via off: remove more headers to avoid exposing the source.
  • http_port 9000: we are using port 9000 for proxy. You can choose any free port.

Save the file by pressing Esc and then :wq!

After providing above configuration, you need to restart the service by using systemctl restart squid command. It is important to note here that if there will be any error in squid configuration file then service will fail to restart.

[root@localhost ~]# systemctl restart squid

Then check the status by using systemctl status squid command.

[root@localhost ~]# systemctl status squid
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-10-25 15:52:32 EDT; 7s ago
Process: 14382 ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 16187 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 16182 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 16189 (squid)
CGroup: /system.slice/squid.service
├─16189 /usr/sbin/squid -f /etc/squid/squid.conf
├─16191 (squid-1) -f /etc/squid/squid.conf
└─16192 (logfile-daemon) /var/log/squid/access.log

Oct 25 15:52:32 localhost systemd[1]: Starting Squid caching proxy...
Oct 25 15:52:32 localhost systemd[1]: Started Squid caching proxy.
Oct 25 15:52:32 localhost squid[16189]: Squid Parent: will start 1 kids
Oct 25 15:52:32 localhost squid[16189]: Squid Parent: (squid-1) process 16191 started

As you can see from above output, service restarted successfully and running fine. You can also verify the squid proxy running status by checking the state of Port 9000 using netstat tool as shown below.

[root@localhost ~]# netstat -an | grep -i 9000
tcp6 0 0 :::9000 :::* LISTEN

Step 9: Block Websites or URLs

If you want to block any websites or urls from proxy server then you need to first add all those urls in a file. Here we are creating a block_url file under /etc/squid path and adding all the urls which needs to be blocked.

[root@localhost ~]# cat /etc/squid/block_urls
yahoo.com
google.com
youtube.com

Then you need to edit the squid configuration file and add below ACL in it.

[root@localhost ~]# vi /etc/squid/squid.conf
acl block_urls dstdomain "/etc/squid/block_urls"
http_access deny block_urls

Now restart squid service using systemctl restart squid command to reflect the changes.

[root@localhost ~]# systemctl restart squid

Step 10: Remove Squid Packages

If you want to remove squid packages then you can remove it by using yum remove squid -y command as shown below.

[root@localhost ~]# yum remove squid -y
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.5.20-15.el7_8.1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================================
Removing:
squid x86_64 7:3.5.20-15.el7_8.1 @updates 10 M

Transaction Summary
========================================================================================================================================================================
Remove 1 Package

Installed size: 10 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : 7:squid-3.5.20-15.el7_8.1.x86_64 1/1
warning: /etc/squid/squid.conf saved as /etc/squid/squid.conf.rpmsave
Verifying : 7:squid-3.5.20-15.el7_8.1.x86_64 1/1

Removed:
squid.x86_64 7:3.5.20-15.el7_8.1

Complete!

 

 

 

Recommended Posts:-

Understanding Kafka Console Producer and Consumer in 10 Easy Steps

Popular firewalld examples to open a port on RedHat/CentOS 7

8 Most Popular mkdir command in Linux with Examples

26 Useful Firewall CMD Examples on RedHat/CentOS 7

12 Most Popular rm command in Linux with Examples

9 useful w command in Linux with Examples

Popular Apache Kafka Architecture Explained Using 4 Basic Components

Leave a Comment