Tutorial For Squid Server Ministry of Environment
# squid.conf fragment used by this tutorial. QUERY, Safe_ports and SSL_ports are
# referenced here but defined earlier in the stock squid.conf of this Squid
# generation; keep those definitions in place.
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher: 1440   0%   1440
refresh_pattern .           0  20%   4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
# http_access lines are evaluated top to bottom, first match wins;
# the "deny all" line must stay last
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
# httpd_accel_* is Squid 2.5 syntax; Squid 2.6 and later configure
# accelerator mode through options on http_port instead
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
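The http_access lines above are evaluated first match wins, and every ACL named on a line must match for that line to apply, which is why their order matters. The following evaluator is an added example, not part of the tutorial or of Squid itself: it parses the acl and http_access lines and replays a request against them so the effect of the ordering can be checked before the proxy goes live. The embedded config is constructed for the example; its Safe_ports and SSL_ports definitions are the Squid default values, which the tutorial's fragment references but does not show, and the request() helper and its field names are this example's own.

```python
import ipaddress

# Constructed sample: the tutorial's ACL and http_access lines plus the Squid
# default Safe_ports/SSL_ports definitions (assumed; not shown in the tutorial).
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl SSL_ports port 443
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (name -> (type, values)) and http_access rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "acl" and len(fields) >= 4:
            name, acl_type, values = fields[1], fields[2], fields[3:]
            entry = acls.setdefault(name, (acl_type, []))
            if entry[0] != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            entry[1].extend(values)  # repeated acl lines accumulate values
        elif fields[0] == "http_access" and len(fields) >= 3:
            rules.append((fields[1], fields[2:]))
    return acls, rules


def port_in(port, spec):
    """Match a port against a single value ('80') or a range ('1025-65535')."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acl, req):
    acl_type, values = acl
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(req[acl_type])
        # ip_network accepts both prefix (/24) and dotted-netmask forms
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "method":
        return req["method"].upper() in (v.upper() for v in values)
    if acl_type == "proto":
        return req["proto"].lower() in (v.lower() for v in values)
    if acl_type == "port":
        return any(port_in(req["port"], v) for v in values)
    raise ValueError(f"acl type {acl_type} is not supported by this example")


def term_matches(term, acls, req):
    """One ACL name on an http_access line, honouring a leading '!'."""
    negated = term.startswith("!")
    name = term.lstrip("!")
    if name not in acls:
        raise ValueError(f"http_access references undefined acl {name}")
    return acl_matches(acls[name], req) != negated


def evaluate(conf, req):
    """Return (decision, matching rule) using Squid's first-match semantics.

    All ACLs on a line must match for it to apply. If no line matches, Squid
    applies the opposite of the last line's action; with no lines at all it denies.
    """
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        if all(term_matches(t, acls, req) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    if not rules:
        return "deny", "(no http_access lines: default deny)"
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(implicit default)"


def request(src, method="GET", port=80, proto="http", dst="0.0.0.0"):
    """Hypothetical request record used by this example."""
    return {"src": src, "dst": dst, "method": method, "port": port, "proto": proto}


if __name__ == "__main__":
    for req in (request("192.168.2.10"),
                request("10.0.0.5"),
                request("192.168.2.10", method="CONNECT", port=8080),
                request("127.0.0.1", proto="cache_object", port=3128)):
        print(req["src"], req["method"], req["port"], "->", evaluate(SAMPLE_CONF, req))
```

Run it after editing the ACLs and confirm that a workstation outside the lan ACL still lands on "deny all", that CONNECT to a non-SSL port is refused by the "deny CONNECT !SSL_ports" line, and that the cache manager is reachable from localhost only.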
SETTING UP ACCESS CONTROLS

The initial access controls for the Squid server are fairly restrictive, with good reason too. Before anyone can use the server, the access controls must be written to allow access. Rules can be written for almost any type of requirement and can be very complex for large organizations.

The following iptables rule lists all of the Safe_ports (and common ports) that Squid allows, and blocks them if they came directly from any of the internal workstations, so the only outgoing requests to those ports can have come from the proxy running on the gateway. The computers on the internal network are still allowed to send requests to the gateway proxy. You may need to change this rule depending on your network topology.

iptables -I FORWARD -o ppp0 -s 192.168.1.0/24 -p tcp -m multiport \
    --dports 21,23,70,80,81,82,210,280,443,488,563,591,777,3128,8080 -j DROP

** An iptables multiport rule can only list up to 15 port numbers per rule.

Please note that there should be two Ethernet cards on your server, eth0 and eth1.

SWITCHING ON SQUID (Making it go Live)

Enable the proper run levels:
chkconfig squid on
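Returning to the iptables rule in the access-control section: the 15-port limit of the multiport match means that a longer port list has to be split across several rules, and a rule that was added by hand is easy to leave incomplete. The following is an added example, not from the tutorial: it builds the FORWARD rules in the tutorial's form, splitting the port list into groups of at most 15, and audits a rule listing in the shape `iptables -S FORWARD` prints to report which expected ports are not yet dropped for the workstation subnet. The interface and subnet defaults are the tutorial's values; the sample listing is constructed and deliberately incomplete.

```python
MULTIPORT_LIMIT = 15  # iptables' multiport match accepts at most 15 ports per rule

# Ports from the tutorial's rule (Squid's Safe_ports plus common proxy ports).
SAFE_PORTS = [21, 23, 70, 80, 81, 82, 210, 280, 443, 488, 563, 591, 777, 3128, 8080]


def chunk_ports(ports, limit=MULTIPORT_LIMIT):
    """Deduplicate, validate and split ports into groups of at most `limit`."""
    cleaned = sorted({int(p) for p in ports})
    bad = [p for p in cleaned if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid port(s): {bad}")
    return [cleaned[i:i + limit] for i in range(0, len(cleaned), limit)]


def forward_drop_rules(ports, src_net="192.168.1.0/24", out_if="ppp0"):
    """One iptables command per chunk, in the form the tutorial uses."""
    return [
        f"iptables -I FORWARD -o {out_if} -s {src_net} -p tcp -m multiport "
        f"--dports {','.join(map(str, chunk))} -j DROP"
        for chunk in chunk_ports(ports)
    ]


def _opt(fields, flag):
    """Value following `flag` in a split iptables line, or None if absent."""
    if flag in fields and fields.index(flag) + 1 < len(fields):
        return fields[fields.index(flag) + 1]
    return None


def dropped_spans(rules_listing, src_net="192.168.1.0/24"):
    """(lo, hi) port spans DROPped for src_net in an `iptables -S` style listing.

    Port ranges use iptables' lo:hi syntax; single ports become (p, p).
    """
    spans = []
    for line in rules_listing.splitlines():
        fields = line.split()
        if _opt(fields, "-j") != "DROP" or _opt(fields, "-s") != src_net:
            continue
        dports = _opt(fields, "--dports")
        if dports is None:
            continue
        for item in dports.split(","):
            lo, _, hi = item.partition(":")
            spans.append((int(lo), int(hi or lo)))
    return spans


def uncovered_ports(expected, rules_listing, src_net="192.168.1.0/24"):
    """Ports from `expected` that no DROP rule for src_net covers."""
    spans = dropped_spans(rules_listing, src_net)
    return [p for p in expected if not any(lo <= p <= hi for lo, hi in spans)]


# Constructed listing in the shape `iptables -S FORWARD` prints; it covers only
# some of the tutorial's ports so the audit has something to report.
SAMPLE_LISTING = """\
-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.0/24 -o ppp0 -p tcp -m multiport --dports 21,23,70,80,443 -j DROP
-A FORWARD -s 192.168.1.0/24 -o ppp0 -p tcp -m multiport --dports 3128:3129 -j DROP
-A FORWARD -s 192.168.2.0/24 -o ppp0 -p tcp -m multiport --dports 8080 -j DROP
"""

if __name__ == "__main__":
    for rule in forward_drop_rules(SAFE_PORTS + [8000, 8443]):
        print(rule)
    print("not yet blocked for 192.168.1.0/24:", uncovered_ports(SAFE_PORTS, SAMPLE_LISTING))
```

The generator emits commands for review rather than running them, and the audit only counts rules whose source matches the workstation subnet, so a DROP written for another subnet (the 8080 line in the sample) does not mask a gap.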
Note, if you have problems starting squid, open a separate shell and run:
tail -f /var/log/messages
The tail command should show an error for squid that can help you solve the problem. One common error is that the swap (cache) directory doesn't exist. To solve this problem, run squid with the -z option to automatically create the directories:
/usr/sbin/squid -z
Make sure that squid has write permission to the swap directory or this command won't work.

Configuring the Clients

If you are using Firefox or Mozilla you will need to add the proxy server as follows: go to Preferences > Network > Settings and add the name of your new proxy server and port 3128 to the HTTP proxy field (under manual configuration).

Open a shell to your proxy server so you can observe the log file being written to. Use tail, as before:
tail -f /var/log/squid/access.log
Now surf the web through your proxy server. You should see entries flying by in real time as you surf different HTTP addresses. Congratulations, you now have a caching proxy server set up!

How do I test my squid proxy is working correctly?

See the access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
The above command follows /var/log/squid/access.log and shows every incoming request as squid logs it. Now if somebody accesses a website through the browser, squid will log the request there.