A proxy server is a device that usually sits between a client and the destination the user is trying to reach. It can provide security, anonymity, and even protection for the client behind the proxy. Here, we look at how to set up a web proxy, define access control lists, and troubleshoot it.
1. Install Squid
There is only one package required to install the Squid proxy server.
# yum install -y squid
2. Configuring the Proxy
When setting up your proxy server, you need to know the following items:
/etc/sysconfig/squid - start-up options for the service
/etc/squid/squid.conf - main configuration file for the service
/var/spool/squid - cache location on the proxy server
/var/log/squid - log files for the proxy server
Let’s look at some of the main configuration options:
http_port - specifies the port to listen on
visible_hostname - identifies the name of the Squid server
hierarchy_stoplist - provides a list of words in a URL that tell Squid to handle the request directly
access_log - keeps track of the web pages that are downloaded
acl - defines an access control list
http_access - defines which systems or networks have access
Here is a sample configuration (/etc/squid/squid.conf):
visible_hostname squid_server
http_port 3128
cache_mem 50 MB
cache_dir ufs /var/spool/squid 100 16 256
3. Firewall and SELinux Configuration
Squid uses port 3128 by default for its communication, so you should open this port on the firewall (TCP & UDP):
# iptables -I INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
# iptables -I INPUT -p udp -m udp --dport 3128 -j ACCEPT
In RHEL5, you need to disable SELinux protection for the Squid service for it to work.
# setsebool -P squid_disable_trans=1
4. Web Proxy Security
Step 1. You can define an ACL in /etc/squid/squid.conf for your network and give all other networks access to the proxy server.
acl my_local_net src 172.168.1.0/24
http_access allow my_local_net
Step 2. Suppose you don't want host 172.168.1.2 to access the Internet; you can create a deny rule for that host:
acl deny_host src 172.168.1.2/32
http_access deny deny_host
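Squid evaluates http_access lines top to bottom and stops at the first one that matches, so the deny line for 172.168.1.2 must come before the allow line for my_local_net; if no line matches, Squid applies the opposite of the last line's action. The following Python script is an added example, not part of the original page or of Squid itself: it parses the Step 1 and Step 2 lines (a constructed squid.conf fragment, src ACLs and single-ACL http_access lines only) and reports whether a given client address would be allowed, so you can check rule ordering before reloading the service.

```python
import ipaddress

# Constructed squid.conf fragment built from the page's Step 1 and Step 2 lines,
# with the deny line placed first so that the host is actually blocked.
SAMPLE_CONF = """
acl my_local_net src 172.168.1.0/24
acl deny_host src 172.168.1.2/32
http_access deny deny_host
http_access allow my_local_net
"""

def parse_conf(text):
    """Parse 'acl NAME src NET...' and 'http_access allow|deny NAME' lines.
    Returns (acls, rules): acls maps a name to its networks; rules keeps the
    http_access lines in file order, because Squid evaluates them in order."""
    # 'all' is predefined in modern Squid and defined in the stock squid.conf of older ones.
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)  # repeated acl lines extend the ACL
        elif len(parts) == 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2]))
    return acls, rules

def is_allowed(client_ip, conf=SAMPLE_CONF):
    """Emulate http_access evaluation for one client source address:
    the first matching line wins; if no line matches, Squid applies the opposite
    of the last line's action; with no http_access lines at all it denies."""
    acls, rules = parse_conf(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, name in rules:
        if any(ip in net for net in acls.get(name, [])):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] == "deny"

if __name__ == "__main__":
    for host in ("172.168.1.2", "172.168.1.10", "10.0.0.5"):
        print(host, "allowed" if is_allowed(host) else "denied")
```

Swapping the two http_access lines (allow first, as they would land if Step 2 is simply appended after Step 1) makes 172.168.1.2 allowed again, which is why a final `http_access deny all` line is the usual safety net.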
Step 3. Deny multiple websites
Step 4. Restrict the access time. If you want your employees to be able to access facebook.com from Monday to Friday (1pm-5pm), you can do the following.
Step 5. Deny file downloads from the Internet
5. Transparent Proxy
Normally, after setting up your proxy server, users have to change the proxy settings in their web browser to get access to the Internet. This takes time and is inconvenient for end users. For easier use, you should configure Squid as a transparent proxy server.
Have fun!