How to Install and Configure

Squid Proxy on CentOS 7

A proxy server is a computer which sits between two endpoint
devices and acts as an intermediate device. When the client
computer requests a resource from the server, it may be a file
or a web page, the request is sent to the proxy server first.
The proxy server then sends the request to the destination
server and obtains the resource sent by the server. Once the
resource is obtained by the proxy server, it sends the resource
to the client machine. The use of a proxy server is that it can
cache the resource, for example if a website is accessed
frequently from a proxy server, it's likely that the proxy
server will have the content of the site in its cache, it can
now serve the webpage directly to the user. A proxy server can
be used to facilitate security, administrative controls and
caching services. Proxy servers can also be used for anonymity
as whenever obtaining a resource from a server, proxy server
uses its own IP address rather than the client's IP address.

Squid Proxy is an open source caching proxy for the web. It

supports many protocols such as HTTP, HTTPS, FTP and more. It
improves the response time and reduces bandwidth by caching and
reusing the frequently accessed web pages and files. In this
tutorial we will learn to install Squid Proxy on CentOS 7. We
will also learn about some basic configuration which can be done
on Squid caching server.
Requirements
Squid does not have any minimum hardware requirements, but the
amount of RAM may vary according to the users accessing the
Internet through your proxy and the objects stored in the cache.
To follow this tutorial you will need a CentOS 7.x server with
root access on it. If you are logged in as non root user,
run sudo -i to switch to root user. You can also use sudo command
before all the administrative commands to run them as root user.

Installing Squid
Before installing any packages, it is recommended to update the
system and packages using the following command.

yum -y update

Now you will need to install EPEL repository to your system as

Squid is not available in default yum repository. Run the
following command to install EPEL repository in your server.

yum -y install epel-release

yum -y update
yum clean all

Now you can install Squid Proxy using the following command.

yum -y install squid

Once you install Squid, you can start the program immediately
using the following command.

systemctl start squid

To automatically start Squid at boot time you can run the
following command.

systemctl enable squid

To view the status of Squid service, run the following command.

systemctl status squid

You will see an output similar to this.

[root@ip-172-31-23-60 ~]# systemctl status squid

● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service;
enabled; vendor preset: disabled)
Active: active (running) since Sun 2016-10-16 04:36:10
UTC; 4min 36s ago
Main PID: 7416 (squid)
CGroup: /system.slice/squid.service
├─7416 /usr/sbin/squid -f /etc/squid/squid.conf
├─7418 (squid-1) -f /etc/squid/squid.conf
└─7419 (logfile-daemon) /var/log/squid/access.log

Oct 16 04:36:10 ip-172-31-23-60 systemd[1]: Starting Squid caching proxy...

Oct 16 04:36:10 ip-172-31-23-60 systemd[1]: Started Squid caching proxy. Oct

16 04:36:10 ip-172-31-23-60 squid[7416]: Squid Parent: will start 1 kids Oct

16 04:36:10 ip-172-31-23-60 squid[7416]: Squid Parent: (squid-1) process...d

Hint: Some lines were ellipsized, use -l to show in full.

To view the available options with squid command, run the

following command.

squid -h

You will see output similar to this.

[root@ip-172-31-23-60 ~]# squid -h

 Usage: squid [-cdhvzCFNRVYX] [-s | -l facility] [-f config-
file] [-[au] port] [-k signal]
-a port Specify HTTP port number (default: 3128).
-d level Write debugging to stderr also.
-f file Use given config-file instead of
/etc/squid/squid.conf
-h Print help message.
-k
reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
Parse configuration file, then send signal
to
running copy (except -k parse) and exit.
-s | -l facility
Enable logging to syslog.
-u port Specify ICP port number (default: 3130),
disable with 0.
-v Print version.
-z Create missing swap directories and then
exit.
-C Do not catch fatal signals.
-D OBSOLETE. Scheduled for removal.
-F Don't serve any requests until store is
rebuilt.
-N No daemon mode.
-R Do not set REUSEADDR on port.
-S Double-check swap during rebuild.
-X Force full debugging.
-Y Only return UDP_HIT or UDP_MISS_NOFETCH
during fast reload.

To view the Squid version and configuration options, run the

following command.

squid -v

You will likely see the following output.

 [root@ip-172-31-23-60 ~]# squid -v
Squid Cache: Version 3.3.8
configure options: '--build=x86_64-redhat-linux-gnu' '--
host=x86_64-redhat-linux-gnu' '--program-prefix=' '--
prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--
sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '-
-includedir=/usr/include' '--libdir=/usr/lib64' '--
libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--
mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-
strict-error-checking' '--exec_prefix=/usr' '--
libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--
datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-
logdir=$(localstatedir)/log/squid' '--with-
pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-
tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--
enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-
domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-
auth-ntlm=smb_lm,fake' '--enable-auth-
digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos'
'--enable-external-acl-
helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbi
nfo_group' '--enable-cache-digests' '--enable-cachemgr-
hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--
enable-icap-client' '--enable-ident-lookups' '--enable-linux-
netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-ssl' '--enable-ssl-crtd' '--enable-
storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--
enable-ecap' '--with-aio' '--with-default-user=squid' '--with-
filedescriptors=16384' '--with-dl' '--with-openssl' '--with-
pthreads' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --
param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -
mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -
Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches -m64 -mtune=generic -fpie'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

The main configuration file for Squid proxy can be found

on /etc/squid/squid.conf. You can now setup your browser to use the
proxy server you just created. For Internet Explorer and Google
Chrome, you can go to Control Panel > Internet Options. In the
Connections tab, click on LAN settings and enter your proxy
server IP address and port 3128. You will see that you are now
browsing the internet through the proxy server.

By default the Squid proxy server is configured to connect to a

local network only, if you are not into the local network of the
proxy server, you will see an error saying "The proxy server is
refusing connections". If you are getting these kind of errors,
then you will need to configure Access Control Lists or ACL into
the squid configuration file.

You can check the error logs of Squid using the following
command.

tail -f /var/log/squid/access.log

You will see an output similar to shown below.

[root@ip-172-31-23-60 ~]# tail -f /var/log/squid/access.log

1476596170.987 61641 61.14.229.246 TCP_MISS/200 3460
CONNECT aus5.mozilla.org:443 - HIER_DIRECT/52.42.158.162 -
1476596470.531 121781 61.14.229.246 TCP_MISS/200 129 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596574.995 101350 61.14.229.246 TCP_MISS/200 129 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596867.906 290539 61.14.229.246 TCP_MISS/200 129 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476596875.984 4939 61.14.229.246 TCP_MISS/200 129 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476597519.292 1561080 61.14.229.246 TCP_MISS/200 3828
CONNECT qa.sockets.stackexchange.com:443 -
HIER_DIRECT/198.252.206.25 -
1476597857.853 979174 61.14.229.246 TCP_MISS/200 216 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598063.413 4459 61.14.229.246 TCP_MISS/200 129 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
 1476598213.392 351400 61.14.229.246 TCP_MISS/200 158 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -
1476598576.745 511218 61.14.229.246 TCP_MISS/200 158 CONNECT
qa.sockets.stackexchange.com:80 - HIER_DIRECT/198.252.206.25 -

Configuring Squid
Squid can be easily configured by editing the global
configuration file /etc/squid/squid.conf. To edit the configuration
file run the following command.

nano /etc/squid/squid.conf

You can use any editor of your choice, in this tutorial we will
be using nano editor. If you don't have nano editor installed,
you can run yum -y install nano command to install nano editor.

A minimum sample configuration file will look like this.

#
# Recommended minimum configuration:
## Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where
browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal
network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal
network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal
network
acl localnet src fc00::/7 # RFC 4193 local private
network range
acl localnet src fe80::/10 # RFC 4291 link-local
(directly plugged) machinesacl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports# Deny CONNECT to other than
secure SSL ports
http_access deny CONNECT !SSL_ports# Only allow cachemgr
access from localhost
http_access allow localhost manager
http_access deny manager# We strongly recommend the
following be uncommented to protect innocent
# web applications running on the proxy server who think the
only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
CLIENTS
## Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal)
IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost# And finally deny all other
access to this proxy
http_access deny all# Squid normally listens to port 3128
http_port 3128# Uncomment and adjust the following to add a
disk cache directory.
 #cache_dir ufs /var/spool/squid 100 16 256# Leave coredumps
in the first cache dir
coredump_dir /var/spool/squid

# # Add any of your own refresh_pattern entries above

these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440
0% 1440 refresh_pattern -i(/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320

Allow IP Address to Use the Internet

through Your Proxy Server
To allow a range of IP address to use the Internet through your
proxy server. You can add a new ACL entry. Squid supports CIDR
notations. Consider an example, if you want to allow a range of
IP address from 110.220.330.1 to 110.220.330.255 then you can
make the following entry in Squid configuration file under the
list of ACLs.

acl localnet src 110.220.330.0/24

Your list of ACLs will finally look like this.

acl localnet src 10.0.0.0/8 # RFC1918 possible internal

network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal
network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal
network
acl localnet src fc00::/7 # RFC 4193 local private
network range
acl localnet src fe80::/10 # RFC 4291 link-local
(directly plugged) machines
acl localnet src 110.220.330.0/24 #Your newly added ACL

For changes to take effect you will need to restart your Squid
server, use the following command for same.
 systemctl restart squid

Allow a Specific Port for HTTP

Connections
By default Squid only consider very few ports as safe ports and
allow connections through them. The ports which are allowed by
default are:

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

The ports which are not listed above will not be accessed
through the proxy. You can add a Port into the list
of Safe_ports by modifying the list of ACLs for ports. For example
it you want to allow port 168 to be accessed through the proxy
server you can add the following ACL entry for this.

acl Safe_ports port 168

For changes to take effect you will need to restart your Squid
server, use the following command for same.

systemctl restart squid

Using Basic Authentication with Squid
If you want to authenticate the user before they can use your
proxy server, you can do it using the basic authentication
feature available in Squid proxy. Although Squid supports many
kind of authentication but basic authentication is very easy to
set up.

First of all you will need to install httpd-tools, which comes

with a tool htpasswd which we will use to create an encrypted
password file. Run the following command to install httpd-tools.

yum -y install httpd-tools

Now create a new file and provide the ownership to squid daemon
so that it can access it. Run the following command for same.

touch /etc/squid/passwd && chown squid /etc/squid/passwd

Now you can add a new user to the password file using
the htpasswd tool. In this tutorial we will be creating an example
user pxuser. You can replace pxuser with anything you like. Run
the following command to create a new user using htpasswd tool.

htpasswd /etc/squid/passwd pxuser

It will ask for the new password twice, provide the password and
you will see following output.

[root@ip-172-31-23-60 ~]# htpasswd /etc/squid/passwd pxuser

New password:
Re-type new password:
Adding password for user pxuser
By default htpasswd uses MD5 encryption for the password, hence
your password will be stored in MD5 hash.

As we have our password file ready, you can now edit the squid
configuration file using the following command.

nano /etc/squid/squid.conf

Add the following lines into the configuration file under the
access control lists of ports.

auth_param basic program /usr/lib64/squid/basic_ncsa_auth

/etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

Write the changes to the file and exit from editor. Reload the
Squid daemon using the following command.

systemctl restart squid

Now if you will try to use the proxy server, it will ask you for
authentication. Provide your username and password and you will
be able to use the proxy server. Unauthenticated user will be
shown an error page.

Blocking Websites
You can easily block a single or a list of websites from the
users. Using a separate file for the list of websites to be
blocked is a good way to manage the blocked websites. Create a
new file to store the list of websites to be blocked using your
favorite editor.

nano /etc/squid/blocked_sites

Now enter the list of sites you want to block. One website per
line.

liptanbiswas.com
liptan.com

Save the file and exit the editor. In this example we used some
example websites, you can put a list of actual websites you wish
to block. Now open the Squid configuration file again using the
following command.

nano /etc/squid/squid.conf

Enter the following lines under acl list and http_access list.

acl blocked_sites dstdomain "/etc/squid/blocked_sites"

http_access deny blocked_sites

Write the changes to the file and exit from editor. Reload the
Squid daemon using the following command.

systemctl restart squid

Now if you will try to access the blocked sites, you will get
an access denied message from Squid.

Changing Squid Port

You can easily change the port on which squid listens to. Edit
the configuration file using the following command.

nano /etc/squid/squid.conf
Scroll down to find the following lines into the file.

# Squid normally listens to port 3128

http_port 3128

Now change the http_port from 3128 to any port you want. Make sure
that no other service is using the port which you will use for
Squid. Now restart the Squid daemon and you will see that the
changes are in effect.

Conclusion
In this detailed tutorial we learned how to install Squid proxy
server on CentOS 7 systems. You can now easily setup a basic
installation of Squid. You also learnt about some basic
configuration of Squid proxy server including enabling basic
authentication.