Linux Squid Proxy Server

Descriptions and Purpose of Lab Exercise

Squid is caching proxy server, which improves the bandwidth and the reponse time by
caching the recently requested web pages. Now a days many servers in the world are
configured with squid in order to provide high delivery speeds to the clients. Configuring
the squid in transparent mode, special configuartion is not required on the client side. All
the requests originatinating from client and going to internet on port 8 are automatically
redirected by proxy. !epending on the requirement we need to configure the squid as
transparent or non transparent proxy. "his lab aims to enable readers implement a #roxy
server in the networ$ so that other users of the %AN can leverage the functionalities of
accessing internet through proxy.
Prerequisite
%atest version of Squid should be used.&version '.( or greater)
A web server for testing purpose which can be used instead of *nternet.
Squid +ersion greater than '., is required for "ransparent squid proxy configuartion in
this lab.
Estimated Completion Time
8( -inutes
Lab Setup Reference Diagram
Warning
It is imperative that you get written permission from the proper authority in your organization
before using these tools and techniques and that you advise your facilities network and computer
operations teams of your testing schedule.
Disclaimer
The information on this site is for educational purposes only. The author of this article
and/or C- DAC cannot be held responsible for any act(s) any person(s) has (have) done as a
result of reading this article.
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad
Squid #roxy Server
N*C121/'.1,8.,.3
N*C'21/'.1,8.8.1
4ebserver5*ntern
et
1/'.1,8.8.'
Client #C
1/'.1,8.,.(
ntroduction!
!uring the period of development of internet, users are allowed for unlimited access
to the resources due to less number of users. So there were less issues related to
accessing speed over internet.
4ith the increase in internet usage, many issues raised related to accessing speed,
effective bandwidth utilisation etc . 6ne method of overcoming these issues is,
maintaining a copy of webpage visited by a user in the cache so that the other user
who visits the same webpage will access the same website with in a short period of
time. "his method not only increases the accessing speed but also helps in utilising
the bandwidth effectively.
"he above said functionality, can be achieved by maintaining a proxy server through
which all the users in the organisation or a group access the internet. "he most
widely used proxy server in %inux is Squid #roxy, which is a free software released
7eneral #ublic %icense.
Squid provides proxy and cache services for "yper Text Transfer Protocol &0""#),
#ile Transfer Protocol &8"#), and various other protocols.
"o configure a system as a proxy server, one should have a sufficient amount of
memory for maintaining the cache which inturn increase the performance.
$ote!
*n case if the internet connection is not available, setup one host as a web server in
place of internet and assign the ipaddress to the proxy server networ$ interface in the
networ$, used by webserver instead of public ip address assigned to that interface.
Lab %! nstalling t&e Squid Proxy 'Estimated Completion Time! %( mins)

!ownload the squid proxy related rpm pac$age from the internet which has an
extension .rpm* %i$e for example, squid+,*-*ST./LE0+1*2E*%,*i130*rpm* Now
through the command prompt, go to location where the squid pac$age is present and issue
the following command at the command prompt as shown below.
root4boss5678rpm 9ivh squid+,*-*ST./LE0+1*2E*%,*i130*rpm
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad
Lab ,! .ccessing t&e Proxy Server configuration file 'Estimated Completion
Time! , mins)
"o configure squid proxy server we need to edit the 5etc9squid9squid*conf file
and the default location of squid*conf file varies from distribution to distribution and
from version to version. 4e can edit the configuration file using vi editor through
command prompt.
Example!
root4boss5678vi 9etc9squid9squid*conf
"hen the content of the configuration file can be viewed as shown below in the figure.

$ote 2
"o add5 modify data of a configuration file using vi editor window press i to go in to the
insert mode and the same can be noticed at the bottom of the vi editor window.
Lab 1! Editing t&e squid configuration file ' Estimated Completion Time! %-
mins)
%* Providing a name for t&e proxy server mac&ine*
"o specify a hostname for the proxy server in the squid.conf file, locate the
variable visible:&ostname and specifiy the hostname in the format shown below in the
example.
Example! visible:&ostname proxy.cdac.in

$ote 2
*n the above example, instead of proxy*cdac*in specify the hostname of your machine.
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad

,. Specifying t&e interface and port number on ;&ic& t&e proxy server
s&ould
listen*
:y default, the proxy server will listen on all the available networ$ interfaces on
the system for requests. 8or ;xample, if one interface card is assigned a public ip from
which it is connected to internet and the other interface card is assigned an ip address
which belongs to your local area networ$. "hen in order to ma$e you proxy server to
listen for requests from your %ocal Area Networ$ through aparticular port, then change the
variable &ttp:port 1%,3 in the squid configuration file to desired ipaddress and port
number in the format shown below.
&ttp:port <ip address belonging to L.$=!<port number=
Example! 8or example, if your proxy server has an ip address 1/'.1,8.,.3 which
belongs to the local area networ$ 1/'.1,8.,.5'< and you want the server to listen for
requests from your %AN through a particular port say =<(,, then you can change the
variable &ttp:port as shown.
http>port 1/'.1,8.,.32=<(,

1. .ssigning .ccess Controls
:y default, no user machine is allowed to connect to the proxy server except
the localhost. "o allow the local machines access your proxy server, locate the acl section in
the squid configuration file starting with acl and at the end of the last acl line specify your
access control.
8or example to allow local area networ$ 1/'.1,8.,.5'< machines to access your proxy
server, specify the acl as
acl mylan src %>,*%03*0(*(9,--*,--*,--*(

*n the above example, mylan specifies the name of my access control. 4e can specify any
name other than my lan for access control. src specifies the source networ$.

2* .llo; or Deny based on .ccess Control*
After specifying the access control for your local %AN, we need to
provide allow permission for the specified %AN using &ttp:access variable in the squid
configuration file as shown in the example below.
Example!
"o allow the above specified access control & i.e acl mylan src
1/'.1,8.,.5'((.'((.'((.), we need to specify the http>access variable as
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad
&ttp:access allow mylan
0ere mylan specifies the access control used. Suppose if we want to allow all the networ$s
except the 1/'.1,8.,.5'< networ$ to access the proxy then we can specify the
http>access variable as
&ttp:access deny ?mylan
*n the above line, ?mylan specifies except mylan networ$.
$ote!
"he above specified http>access variable should be specified before the line &ttp:access deny all
in the configuration file.
Saving t&e c&anges and exit t&e vi Editor

After ma$ing appropriate changes to your configuration file exit the vi editor
window by pressing Esc followed by !;q?* 0ere wq specifies save changes and exit the
configuration file.
Starting t&e squid proxy services
"o start the squid proxy services, at the command prompt type
9etc9init*d9squid start
"he other options that can be used instead of start are , stop, reload and force9
reload. Start and stop options are used to start and stop services. reload and force9reload
are used to reload the contents of configuration file incase of modifications done to
configuration file.
Testing t&e Squid configuartion

"o test the squid configuration, open a browser in any one of the pc in local area
networ$ or on the proxy server and specify the proxy settings as the ipaddress of the proxy
server and port on which it is listening for requests. 8or example, in firefox web browser if
we want to set the proxy settings in the browser window goto Edit 99?Preferences and
window similar to shown below will be displayed.

Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad
Now select .dvanced tab, and under advanced tab clic$ on $et;or@ tab and clic$ on
Settings option under Connection field. "hen a window similar to the shown below will be
displayed.
then clic$ o$ to save changes and exit the connection settings window and #references
window. After type some website and chec$ whether you are able to view the webpage.
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad
) Configuring squid as a Transparent Proxy
$ote2 "o configure squid #roxy as a "ransparent #roxy, squid pac$age '., or
greater is used.
1."o Configure Squid proxy as a "ransparent proxy, modify the squid configuartion file as
shown below.
&ttp:port %>,*%03*0(*A(!3(3( transparent
'."o redirect the client requests going to internet on port 8 through the proxy, configure
the iptables by issuing the following command at the terminal prompt.

8iptables +t nat +. PRERBCT$D +i et&% +p tcp ++dport 3( +E REDRECT ++to+port 3(3(
=.Now restart the squid service by issuing following command at the terminal prompt.
89etc9init*d9iptables restart
<.Also enable ip forwarding, by typing the following command at the terminal prompt.
8ec&o % Fcat =9proc9sys9net9ipv29ip:for;ard
(.Now on the client side, specify the default gateway ipaddress as the proxy server ip
address and do not configure any proxy settings in the client side browser.
,.Now to try to access the web browser which was setup for testing from the client
machine.
Transparent Proxy s&ould not be used in t&e follo;ing situation
1.4hen https sites needs to be filtered.
'.4hen proxy authentication is enabled.
=.4hen local !NS servers are not available.
Copyright . '/, Centre for !evelopment of Advanced Computing, 0yderabad