Linux Services Organization

Our goal, introduce Linux services to the enterprise world.
Contact us in contact@linuxsv.org

Linux Services Organization : Linux Proxy Linux Server

Squid Web proxy cache is a HTTP and FTP caching proxy server. It stores data from Web pages and files accessed through it in order to offer to his clients the data they need without having to look to the Internet, if that data is cached on the proxy server. By default Squid runs as a caching proxy server on TCP port 3128 and can control who can use the proxy server based on host or user authentication. It also allows to filter the access to Internet based on destinations ports, destination URLs, etc ...

With Squid web proxy cache you can control and monitor who is accessing where on the Internet.

Squid proxy Server

In order to configure a server as Squid proxy server the 'squid' rpm must be installed.

# yum install squid
# chkconfig squid on


Squid runs as a 'squid' system daemon storing cached data on /var/spool/squid directory. It is configured through the files on /etc/squid directory and stores the logs on /var/log/squid.

/etc/squid/squid.conf

This is the main configuration file that sets the way the proxy cache server is executed. In this case nodes on 192.168.1.0/24 LAN and localhost are allowed to connect to Internet to the safe ports listed on 'Safe_ports' directive through the proxy.

# cat /etc/squid/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Rule allowing access from your local networks.
acl localnet src 192.168.1.0/24

# This acl directives specify ports through which traffic is cached and are considered as safe ports.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost.
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports.
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports.
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user.
http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed.
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy.
http_access deny all

# Squid normally listens to port 3128.
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir.
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these. The refresh_pattern directive specifies when data from a specified server is considered "fresh" and there is not need to refresh it into proxy cache.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


Note: there is a full documented squid.conf sample file on /usr/share/doc/squid-3.1.4/squid.conf.documented.

Once the configuration file has been configured the squid daemon must be started and configured to start at boot.

# /etc/init.d/squid start
# chkconfig squid on

Squid Security

Firewall

Because of squid listen on 3128 TCP/IP by default, that port must be open on the firewall.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT

Squid can be configured in transparent mode where the client does not known that is connecting to Internet through a proxy server. In this case Squid server must be running on the LAN default gateway and all traffic that pass through it with destination port 80,446,... must be redirected to the Squid port. With this configuration the client is accessing to the Internet using the Squid proxy cache without having to connect directly to it.

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3128

SElinux

In order to allow Squid service to run without any SElinux interference the following parameter must be activated.

# setsebool -P squid_connect_any 1

Host Based Security

There are two methods that can be used on /etc/squid/squid.conf in order to allow/deny client access to the Squid proxy web cache server : using the IP or the MAC client address. For example if we want allow access to the 192.168.1.101 address :

# cat /etc/squid/squid.conf
...
acl node01 src 192.168.1.101/32
...
http_access allow node01
...
http_access deny all


Instead of IP address we can use the MAC address.

# cat /etc/squid/squid.conf
...
acl node01mac arp 00:0C:29:78:97:8C
...
http_access allow node01mac
...
http_access deny all

User Based Security

If we want to control the access to Squid web proxy cache to certain users in order to allow to access to Internet to that users, the module 'ncsa' can be used.

# cat /etc/squid/squid.conf
...
acl localnet src 192.168.1.0/24
...
# NCSA proxy authentication configuration.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
# Users ACL definition.
acl ncsa_users proxy_auth REQUIRED
# Allow access users only from localnet.
http_access allow ncsa_users localnet
# Deny the rest.
http_access deny all


Finally the password file used to authenticate users through ncsa must be created using the 'htpasswd' command as in the case of http user authentication.

# htpasswd -c /etc/squid/passwd john
# chown root:squid /etc/squid/passwd
# chmod 640 /etc/squid/passwd

# /etc/init.d/squid restart

URL Filter

Squid can also filter the sites that his client is trying to access. For example if you want to deny the access to all webs that has in their URL the word 'adult' you can use the 'url_regex' directive on /etc/squid/squid.conf file.

# cat /etc/squid/squid.conf
...
acl filterurl url_regex adult
...
http_access deny filterurl
...

Squid Client

One way to configure a client to use a Squid proxy to connect to Internet is configuring the web browser (Firefox) to use the Proxy server in order to connect to internet. For example is you are using Firefox and you want to use the Squid Proxy running on 192.168.1.10 port 3128 :

Edit --> Preferences --> Network --> Connection --> Settings
Manual Proxy Configuration
Proxy HTTP 192.168.1.10 Port 3128


In case of using test web browser as 'elinks' the way to configure the browser to use a Proxy cache is through 'http_proxy' environment variable.

# export http_proxy=http://192.168.1.10:3128
# elinks http://www.linuxsv.org

Questions

1.- By default Squid web proxy cache runs on 8080 TCP/IP port (true/false).

2.- NSCA authentication module is used to control the access to the Squid web proxy cache to authenticated users (true/false).

3.- Squid web proxy cache server can control the access to Internet based on the type of the client web browser used (true/false).

4.- Which command must be executed in order to configure access to a web proxy cache (192.168.1.10:3128) on text web browser?.

5.- Which SElinux boolean must be configured in order to allow Squid to run without any restriction on a SElinux targered environment?.

Labs

1.- Configure the squid proxy server on port 3128 on rhel6 server (192.168.1.10) allowing internet access to 192.168.1.0/24 but blocking msn.com site to access. Test it connecting from node01 (192.168.1.101).

2.- Use elinks text web browser to connect from node01 to http://www.linuxsv.org through the squid proxy configured on 192.168.1.10:3128..

3.- Configure user access to the squid web proxy cache configured on Lab1. Only users 'john' with password 'john' and 'charles' with password 'charles' must be allowed to connect to Internet through squid service.

-- This page is part of Linux Server online tutorial --