[root@localhost ~]# yum install squid* -y
To start, stop, and restart squid after booting use the service command:
[root@bigboy tmp]# service squid start
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart
[root@localhost ~]# vim /etc/squid/squid.conf
The http_port is the port number on the local server that Squid binds itself to and listens for incoming requests, its default port is 3128 but can be changed if needed (8080 is also a common cache port). Which ever port is used here, it will need to be set in all the workstations that will attach to and use the proxy
http_port 8080
we can say when swap utilization want to cross 95% of total swap utilization, then swap automatically delete up to 90% . Automatically will be continuing
cache_swap_low 90
cache_swap_high 95
Objects larger than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 4 MB. If you wish to get a high BYTES hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10 KB hits). If you wish to increase speed more than your want to save bandwidth, you should leave this low. During the initial downloading of a file, the downloading time seems to be a normal one, but if you download the same file again, the time it takes for download will be very minimum. This indicates that, the file comes from the Cache.
maximum_object_size 2000 KB
Objects smaller than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.
minimum_object_size 0 KB
cache_mem 256 MB
Objects greater than the size specified in this tag will not be kept in the memory cache. This should be set high enough to keep objects accessed frequently in memory to improve performance at the same time low enough to keep larger objects from hoarding
maximum_object_size_in_memory 16 KB
The cache_dir tag specifies the location where the cache will reside in the filesystem. ufs identifies the storage format for the cache. The "256" specifies the maximum allowable size of the cache (in MB), and should be adjusted to suit your needs. The 32 and 1024 specify the number1 of directories contained inside the first and second level cache store.
cache_dir ufs /var/spool/squid/cache 250 32 1024
The following tags specify the standard log file locations.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_effective_user squid
cache_effective_group squid
[root@mail ~]# vim /etc/squid/squid.confacl support src 192.168.100.0/24 192.168.50.0/24
http_access allow support
Password Authentication Using NCSA :
You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it's done:
1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it's universally readable.
[root@bigboy tmp]# touch /etc/squid/squid_users
[root@bigboy tmp]# chmod o+r /etc/squid/squid_users2) Use the htpasswd program to add users to the password file.
[root@mail ~]# htpasswd /etc/squid/squid_users saiful
New password:
Re-type new password:
Adding password for user saiful
[root@mail ~]# htpasswd /etc/squid/squid_users rajan
New password:
Re-type new password:
Adding password for user rajan 3) Find your ncsa_auth file using the locate command.
[root@mail ~]# find / -name ncsa_auth
/usr/lib/squid/ncsa_auth 4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important: [root@mail ~]# vim /etc/squid/squid.conf auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_users
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users Specifying Organisational Policies (Restricted web Sites) :
procedure no 1:Single website block by using acl
[root@localhost ~]# vim /etc/squid/squid.conf
acl bad dstdomain .yahoo.com
http_access deny bad
procedure no 2 : Block multiple websites by using domain name
[root@localhost bin]# touch /etc/squid/blocksites.txt
[root@localhost bin]# vim /etc/squid/blocksites.txtfacebook.com
google.com
youtube.com
gmail.com[root@localhost ~]# vim /etc/squid/squid.conf
acl block dstdomain "/etc/squid/blocksites.txt"
http_access deny block
procedure no 3 : Block websites by using string matching squid linux
[root@localhost ~]# touch /etc/squid/block.txt
[root@localhost ~]# vim /etc/squid/block.txt
facebook
google
[root@localhost ~]# vim /etc/squid/squid.conf
acl block url_regex -i "/etc/squid/block.txt"
http_access deny block
some example for string matching site block :
[root@localhost ~]# touch /etc/squid/block_advertisers.txt
[root@localhost ~]# touch /etc/squid/block_entertainment.txt
[root@localhost ~]# touch /etc/squid/block_porn.txt
[root@localhost ~]# touch /etc/squid/block_webmail.txt
[root@localhost ~]# vim /etc/squid/squid.conf
acl block_advertisers url_regex -i "/etc/squid/block_advertisers.txt"acl block_entertainment url_regex -i "/etc/squid/block_entertainment.txt"acl block_webmail url_regex -i "/etc/squid/block_webmail.txt"acl block_porn url_regex -i "/etc/squid/block_porn.txt"
http_access deny block_advertisers
http_access deny block_entertainment
http_access deny block_porn
http_access deny block_webmail
Restricting Web Access By Time :
Squid TIME acls cannot wrap from one day to the next, so to get from 4:30 in the afternoon until 8:00 the next morning, we have to actually specify one acl for 4:30 to midnight and another acl for midnight to 8 in the morning. Time of day, and day of week
| Usage | acl aclname time [day-abbreviations] [h1:m1-h2:m2] day-abbreviations: S - Sunday M - Monday T - Tuesday W - Wednesday H - Thursday F - Friday A - Saturday h1:m1 must be less than h2:m2 |
Example
acl ACLTIME time M 9:00-17:00
ACLTIME refers day of Monday from 9:00 to 17:00.
acl ACLTIME time M 9:00-17:00
ACLTIME refers day of Monday from 9:00 to 17:00.
[root@localhost ~]# vim /etc/squid/squid.conf
acl deployment src 192.168.50.1-192.168.50.10
acl sales src 192.168.50.11-192.168.50.19
acl noc src 192.168.50.21-192.168.50.30
acl deployment_workhours time SMTWH 08:00-14:00
acl sales_workhours time TWH 10:00-16:00
acl noc_workhours time SMTWHFA 08:00-19:00
http_access allow deployment deployment_workhours
http_access deny deployment
http_access allow sales sales_workhours
http_access deny sales
http_access allow noc noc_workhours
http_access deny noc
Example 1 : To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24
acl ip_acl src 192.168.2.0/24
acl time_acl time MTWHF 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all
acl time_acl time MTWHF 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all
To restrict multitime access control list for different users for different timing.
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59
Access Controls
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
http_access allow xyz morning lunch
http_access allow asd lunch
Example 2 : To restrict access to websites
Specifying which network IPs we will support in squid
acl subnet_lab1 src ip-address_lab1/netmask
acl subnet_lab2 src ip-address_lab2/netmask
acl subnet_pub src ip-address_pub/netmask
Specifying Time intervals we will supportacl TIMEafterhoursMORN time MTWHF 00:00-08:00
acl TIMEafterhoursAFT time MTWHF 16:30-24:00
acl TIMEsatMORN time A 00:00-07:00
acl TIMEsatAFT time A 17:00-24:00
acl TIMEsundALLDAY time S 00:00-24:00 Restricting Internal Access - relevant to organisational policieshttp_access deny subnet_pub TIMEafterhoursMORN
http_access deny subnet_pub TIMEafterhoursAFT
http_access deny subnet_pub TIMEsatMORN
http_access deny subnet_pub TIMEsatAFT
http_access deny subnet_pub TIMEsundALLDAY How To Bind MAC with IP in SQUID:[root@localhost ~]# ping 192.168.50.24
PING 192.168.50.24 (192.168.50.24) 56(84) bytes of data.
64 bytes from 192.168.50.24: icmp_seq=1 ttl=128 time=2.64 ms
64 bytes from 192.168.50.24: icmp_seq=2 ttl=128 time=0.727 ms
--- 192.168.50.24 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.727/1.685/2.643/0.958 ms
[root@localhost ~]# arp 192.168.50.24
Address HWtype HWaddress Flags Mask Iface
192.168.50.24 ether 00:0D:56:C5:13:B7 C eth0
[root@mail ~]# vim /etc/squid/squid.confacl pc1_mac arp 00:0D:56:C5:13:B7
acl pc1_ip src 192.168.50.24http_access deny pc1_mac pc1_ip
Examples:
(1) To allow http_access for only one machine with MAC Address
00:08:c7:9f:34:41To use MAC address in ACL rules. Configure with option -enable-arp-acl.
acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
This rule defines an ACL called BADPC with a single sourceIP address of 192.168.1.25.It then denies access to the ACL. acl BADPC src 192.168.1.25 http_access deny BADPC
The following two rules will block all files that end in the file extensions ".mp3"and ".exe"
respectively. The "-i"means treat them as case insensitive which matches both upper and lower case.acl FILE_MP3
urlpath_regex -i \.mp3$http_access deny FILE_MP3 acl FILE_EXE
urlpath_regex -i \.exe$http_access deny FILE_EXE Proxy Error Webpage Configuration : [root@mail ~]# vim /etc/squid/errors/ERR_ACCESS_DENIED
<P>Your cache administrator is : Md Saiful Islam Chowdhury <br>
Mobile : 01190115978
<A HREF="mailto:%w">%w</A>.
Trnasparent proxy : iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 192.168.50.30
iptables -t nat -A PREROUTING -s 192.168.100.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
OR
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Install and configure squid log analyzer Squint :
wget http://www.linux-bd.com/app/squint.tar.gz
https://www.linux-bd.com/app/
[root@localhost ~]# cd Desktop/
[root@localhost Desktop]# ls
squint.tar.gz
[root@localhost Desktop]# tar -zxvf squint.tar.gz
[root@localhost Desktop]# ls
squint-0.3.18 squint.tar.gz
[root@localhost Desktop]# tar -zxvf squint.tar.gz
[root@localhost Desktop]# ls
squint-0.3.18 squint.tar.gz
[root@localhost Desktop]# cd squint-0.3.18/
[root@localhost squint-0.3.18]# cp squint.pl squint.cron.sh /usr/local/bin/
[root@localhost squint-0.3.18]# squint.cron.sh init
[root@localhost squint-0.3.18]# squint.cron.sh all
| Now there is a bug in crontab format of squint in /etc/crontab to work the squint properly we have to fix that. Open the crontab file and see what exits for squint section. | |||||
[root@localhost squint-0.3.18]# vim /etc/crontab | |||||
| # squint squid reports # Weekly, on Mondays 00 01 * * Monday root /usr/local/bin/squint.cron.sh weekly # Monthly, on the first day of the month 00 02 1 * * root /usr/local/bin/squint.cron.sh monthly # Daily at 3am */1 03 * * * root /usr/local/bin/squint.cron.sh daily |
[root@localhost squint-0.3.18]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@localhost squint-0.3.18]# /etc/init.d/squid restart
Stopping squid: ................ [ OK ]
Starting squid: .. [ OK ]
http://192.168.50.20/squint/
| Acl Type: | port |
Description
Access can be controlled by destination (server) port address
Access can be controlled by destination (server) port address
| Usage | acl aclname port port-no |
Example
This example allows http_access only to the destination 172.16.1.115:80 from network 172.16.1.0
This example allows http_access only to the destination 172.16.1.115:80 from network 172.16.1.0
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all
| Acl Type: | arp |
| Usage | acl aclname arp ARP-ADDRESS |
Description
Ethernet (MAC) address matching This acl is supported on Linux, Solaris, and probably BSD variants.
Ethernet (MAC) address matching This acl is supported on Linux, Solaris, and probably BSD variants.
To use ARP (MAC) access controls, you first need to compile in the optional code.
Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
If everything compiles, then you can add some ARP ACL lines to your squid.conf
| Default | acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 1025-65535 acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT |
Example
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers MACADDRESS of the ethernet 11:12:13:14:15:16
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers MACADDRESS of the ethernet 11:12:13:14:15:16
Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
1. edit your squid.conf. Add these acl..
acl mac1 arp 00:14:85:99:3B:8D
acl ip1 arp 192.168.0.1
2. Add this before "http_access deny all"
http_access allow mac1 ip1
URL Port (port)
Matches the destination port number of the request.
acl aclname port number
acl aclname port range
Example acl web_port port 80
acl voip_port port 10000-11000
