Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
Requirements:
Three virtual machines:
Two CentOS 7.9 VMs
One Windows Server 2016 VM
Configuration:
One master and two client nodes
Let's look at the network settings for the master and the clients.
Master: two network adapters, one NAT and one host-only. In the VM's network settings you can see the two adapters:
ens37
ens33
Client machines are in host-only mode.
CLIENT1: CentOS 7.9 VM
CLIENT2: Windows Server 2016 VM
Proxy settings (to be done in every client's browser): on the CentOS machine and on the Windows machine, point the browser's HTTP proxy at the master's host-only address on port 3128.
Commands to be run on the master:
To install Squid:
yum install squid
Now changes are to be made in the "squid.conf" file, which is found at the path below:
vim /etc/squid/squid.conf
Make the following changes in the file:
1. Find the line given below and uncomment it. It is usually around line 62:
cache_dir ufs /var/spool/squid 128 16 256
Legend:
128 = cache size in MB
16 = 16 first-level sub-directories will be created in /var/spool/squid
256 = 256 second-level sub-directories will be created inside each of the 16 first-level directories
2. To customize the hostname shown on the error page, insert a line below the cache_dir line:
visible_hostname proxy.panda.demo
3. Now create the swap (cache) directories:
squid -z
The squid.conf file will look something like this:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl hpcsalab src 10.10.10.0/24
acl microsoft dstdomain .microsoft.com
http_access deny microsoft hpcsalab
http_access allow hpcsalab
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 2048 16 256
visible_hostname proxy.panda.demo
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Let's see a few ways in which we can use Squid.
To block on the entire network:
Create a file in the squid folder (or any folder, as long as you give the proper path in the acl) and write the domains you want to block over the network, one per line. A leading dot matches the domain itself and all of its subdomains.
vim /etc/squid/blocked_sites.txt
.microsoft.com
.esakal.com
.redhat.com
Edit squid.conf (add acls and http_access lines)
ACL = Access control list
Syntax: acl <name you want to give> src <source network IP>
Add the acls and http_access lines under this comment in squid.conf, entering your own network in place of "10.10.10.0/24". The deny line must come before the allow line, because Squid uses the first http_access line that matches:
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl hpcsalab src 10.10.10.0/24
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
http_access deny blocked_sites hpcsalab
http_access allow hpcsalab
Restart the squid service:
systemctl restart squid
Blocked for a particular client:
Create a file in the squid folder (or any folder, giving the proper path) and write the domains you want to block for that client; here I've created centos7-blocked.txt:
vim /etc/squid/centos7-blocked.txt
.microsoft.com
.redhat.com
.facebook.com
Edit squid.conf (add acls and http_access lines). The src acl for the single client holds only that client's address (the CentOS client's host-only IP, shown here as a placeholder), and its deny line must come before the general allow for the network:
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl hpcsalab src 10.10.10.0/24
acl centos7 src <CLIENT1-IP>/32
acl centos7_blocked dstdomain "/etc/squid/centos7-blocked.txt"
http_access deny centos7_blocked centos7
http_access allow hpcsalab
#http_access allow localnet
http_access allow localhost
Restart the squid service:
systemctl restart squid
For a time period or day:
We can block or allow any website for a given time slot or day. Times are in 24-hour format.
Days have specific letters assigned:
Monday: M
Tuesday: T
Wednesday: W
Thursday: H
Friday: F
Saturday: A
Sunday: S
So the acl format is: acl <name> time <day letters> <HH:MM-HH:MM>, combined in the http_access line with a dstdomain acl. This can be done for a list of websites too, as we did above.
Here I've taken bookmyshow.com as an example, to block on Saturday between 6 PM and 8 PM.
Edit squid.conf (add acls and http_access lines). Both acls go on the same deny line; a deny line naming only my-time would block all browsing during that time slot:
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl my-time time A 18:00-20:00
acl cdac dstdomain .bookmyshow.com
http_access deny cdac my-time
#http_access allow localnet
http_access allow localhost
Restart the squid service:
systemctl restart squid
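The day letters and time range above are easy to get wrong (H for Thursday, A for Saturday, and the range must run forwards). As an added worked example, not code from the article or from the Squid project, here is a small Python emulation of Squid's time acl: it parses a line such as acl my-time time A 18:00-20:00 and reports whether a given timestamp falls inside it. The day-letter table is the one in the article plus Squid's D for all days; treating the range as inclusive at both ends is this emulation's assumption about Squid's check, and the timestamps in the demo are constructed.

```python
from datetime import datetime

# Squid day letters: the article's table plus D, which Squid uses for "all days".
# Values are Python weekday() numbers (Monday = 0 ... Sunday = 6).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}
ALL_DAYS = frozenset(range(7))


def _minutes(hhmm):
    """'18:30' -> 1110 minutes after midnight, with range checks."""
    hours, minutes = hhmm.split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"bad time of day: {hhmm}")
    return hours * 60 + minutes


def parse_time_acl(line):
    """Parse 'acl NAME time [DAYS] [H1:M1-H2:M2]' into (name, days, span).

    Either part may be omitted, as in squid.conf: no day letters means every
    day, no range means the whole day.
    """
    parts = line.split("#", 1)[0].split()
    if len(parts) < 3 or parts[0] != "acl" or parts[2] != "time":
        raise ValueError(f"not a time acl: {line!r}")
    name, days, span = parts[1], ALL_DAYS, None
    for token in parts[3:]:
        if ":" in token:
            start, end = token.split("-")
            span = (_minutes(start), _minutes(end))
            if span[0] >= span[1]:
                raise ValueError(f"start must be before end: {token}")
        elif token == "D":
            days = ALL_DAYS
        else:
            unknown = set(token) - set(DAY_LETTERS)
            if unknown:
                raise ValueError(f"unknown day letter(s) {unknown} in {token}")
            days = frozenset(DAY_LETTERS[c] for c in token)
    return name, days, span


def time_acl_matches(acl, when):
    """True if the datetime 'when' falls inside the acl's days and range."""
    _name, days, span = acl
    if when.weekday() not in days:
        return False
    if span is None:
        return True
    now = when.hour * 60 + when.minute
    start, end = span
    return start <= now <= end   # assumed inclusive at both ends


def matches_at(acl_line, iso_timestamp):
    """Convenience wrapper: evaluate an acl line at an ISO 8601 local time."""
    return time_acl_matches(parse_time_acl(acl_line),
                            datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # Constructed timestamps: 2024-06-01 is a Saturday, 2024-06-02 a Sunday.
    acl = "acl my-time time A 18:00-20:00"
    for stamp in ("2024-06-01T19:00", "2024-06-01T20:30", "2024-06-02T19:00"):
        print(stamp, "->", "deny cdac" if matches_at(acl, stamp) else "allow")
```

Because the time acl on its own says nothing about the destination, it only blocks bookmyshow.com when the http_access line combines it with the cdac dstdomain acl; this emulation answers just the "is it Saturday evening?" half of that question.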
For any words we want to block:
Make a file with all the words you want to ban, one per line. They are matched as case-insensitive regular expressions against the whole URL, so a word such as "cricket" also blocks any URL that merely contains it.
vim /etc/squid/badwords.txt
torrent
cricket
ipl
football
movies
bookmyshow
Edit squid.conf (add acls and http_access lines)
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl hpcsalab src 10.10.10.0/24
acl badwords url_regex -i "/etc/squid/badwords.txt"
http_access deny badwords hpcsalab
http_access allow hpcsalab
#http_access allow localnet
http_access allow localhost
Restart the squid service:
systemctl restart squid
Squid authentication
Add these lines to squid.conf:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid-users
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
children: the number of basic_ncsa_auth helper processes Squid keeps running to check credentials
credentialsttl: how long Squid caches a successfully checked username and password before asking the helper again
The file /etc/squid/squid-users holds the usernames and hashed passwords; it is created with htpasswd from the httpd-tools package, for example: htpasswd -c /etc/squid/squid-users user1
Edit squid.conf (add acls and http_access lines)
Define the ACLs:
Syntax of the ACL: acl <acl name> proxy_auth <username> (REQUIRED matches any authenticated user)
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid-users
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl acts_users proxy_auth REQUIRED
acl user1 proxy_auth user1
acl user1-access dstdomain "/etc/squid/user1.txt"
acl all_web dstdomain .
acl panda proxy_auth panda
acl panda-access dstdomain "/etc/squid/panda.txt"
# Per-user deny lines come first: a user's listed domains are refused before
# the general allow for authenticated users can match
http_access deny user1-access user1
http_access deny panda-access panda
http_access allow all_web acts_users
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
Restart the squid service:
systemctl restart squid
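Squid evaluates http_access lines top to bottom and applies the first one whose acls all match, which is why the order of the deny and allow lines matters in the blocklist sections above and why the per-user authentication rules need care. As an added illustration, not code from the article or from the Squid project, here is a small Python emulation of that evaluation for the acl types used on this page (src, dstdomain, url_regex -i, proxy_auth and the built-in all). The configurations inside it are constructed, with the domain and word lists inlined rather than read from files under /etc/squid, and the proxy_auth handling is simplified: an unauthenticated request simply fails to match instead of receiving a 407 challenge.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed configuration in the style of the article's network-wide
# blocklist and bad-word rules, with the lists inlined instead of being
# read from files under /etc/squid.
NETWORK_CONF = """
acl hpcsalab src 10.10.10.0/24
acl blocked_sites dstdomain .microsoft.com .redhat.com
acl badwords url_regex -i torrent cricket
http_access deny blocked_sites hpcsalab
http_access deny badwords hpcsalab
http_access allow hpcsalab
http_access deny all
"""

# Constructed per-user configuration: the narrow "allow !user1-access user1"
# is followed by a blanket allow for every authenticated user, so user1
# still reaches the domains in user1-access (first matching line wins).
AUTH_CONF = """
acl acts_users proxy_auth REQUIRED
acl user1 proxy_auth user1
acl user1-access dstdomain .facebook.com
acl all_web dstdomain .
http_access allow !user1-access user1
http_access allow all_web acts_users
http_access deny all
"""

# Same rules with the per-user line turned into an explicit deny.
FIXED_AUTH_CONF = AUTH_CONF.replace("http_access allow !user1-access user1",
                                    "http_access deny user1-access user1")

def parse_conf(text):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "url_regex" and args[:1] == ["-i"]:
                kind, args = "url_regex_i", args[1:]
            acls.setdefault(name, []).append((kind, args))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(kind, args, req):
    """Emulate one acl entry of the types the article uses."""
    if kind == "src":
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "dstdomain":
        host = (urlsplit(req["url"]).hostname or "").lower()
        for a in args:
            a = a.lower()
            if a == ".":                         # bare dot: every host
                return True
            if a.startswith("."):                # the domain and its subdomains
                if host == a[1:] or host.endswith(a):
                    return True
            elif host == a:                      # no leading dot: exact host only
                return True
        return False
    if kind in ("url_regex", "url_regex_i"):     # matched against the whole URL
        flags = re.IGNORECASE if kind == "url_regex_i" else 0
        return any(re.search(a, req["url"], flags) for a in args)
    if kind == "proxy_auth":
        user = req.get("user")
        if user is None:
            return False     # real Squid would send a 407 challenge instead
        return "REQUIRED" in args or user in args
    raise ValueError(f"unsupported acl type: {kind}")

def name_matches(name, acls, req):
    if name == "all" and name not in acls:       # Squid's built-in "all" acl
        return True
    return any(acl_matches(kind, args, req) for kind, args in acls[name])

def decide(conf, ip, url, user=None):
    """Return 'allow' or 'deny' for a request: the first matching line wins."""
    acls, rules = parse_conf(conf)
    req = {"ip": ip, "url": url, "user": user}
    for action, terms in rules:
        if all(name_matches(t.lstrip("!"), acls, req) != t.startswith("!")
               for t in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for ip, url in [("10.10.10.5", "http://www.microsoft.com/"),
                    ("10.10.10.5", "http://microsoft.com.example/"),
                    ("10.10.10.5", "http://shop.example/cricket-bats"),
                    ("192.168.1.5", "http://example.com/")]:
        print(ip, url, "->", decide(NETWORK_CONF, ip, url))
    fb = "http://www.facebook.com/"
    print("user1 -> facebook, blanket allow last:", decide(AUTH_CONF, "10.10.10.5", fb, "user1"))
    print("user1 -> facebook, explicit deny first:", decide(FIXED_AUTH_CONF, "10.10.10.5", fb, "user1"))
```

Two things the run makes visible: the url_regex rule denies shop.example/cricket-bats even though that site has nothing to do with cricket matches, which is the overblocking cost of word lists; and AUTH_CONF lets user1 reach facebook.com despite the "!user1-access" line, because the later "allow all_web acts_users" matches any authenticated user, while FIXED_AUTH_CONF closes that gap by denying first.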
Learn, apply and execute....
Hope it helps you in your endeavours.