In this article, I will take you through the steps to install and configure Squid Proxy Server on RHEL/CentOS 7/8. You might face a situation where a server in a private network is not allowed to access anything on the public network, and you suddenly need to update that server immediately using the yum tool. This can easily be done by using a proxy server.
Also, if you want to restrict or block some URLs, you can do it through the proxy server. Squid is open source proxy software for the web supporting HTTP, HTTPS, FTP and more. It is used by hundreds of Internet providers and organizations across the globe due to its high performance. More on Squid Proxy Official Documentation.
Install and Configure Squid Proxy Server
Step 1: Prerequisites
a) You need to have a running RHEL/CentOS 7/8 system.
b) You should have the yum tool installed on your server. You can check Top 22 YUM command examples in RedHat/CentOS 7 to know more about the yum command.
c) You need to have root or sudo access to run privileged commands. Please check How to Add User to Sudoers to know more about providing sudo access to the user.
d) You should have the httpd-tools package installed on your server. If it is not installed then you can use the yum install httpd-tools -y command to install this package.
Step 2: Update Your Server
Before going through the steps to install and configure squid proxy server on RHEL/CentOS 7/8, it is always recommended to first update your server by using yum update -y command as shown below.
[root@localhost ~]# yum update -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.piconets.webwerks.in
 * epel: download.nus.edu.sg
 * extras: mirrors.piconets.webwerks.in
 * updates: mirrors.piconets.webwerks.in
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.9.10-1.el7 will be updated
---> Package ansible.noarch 0:2.9.14-1.el7 will be an update
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be updated
---> Package ca-certificates.noarch 0:2020.2.41-70.0.el7_8 will be an update
---> Package curl.x86_64 0:7.29.0-57.el7 will be updated
---> Package curl.x86_64 0:7.29.0-57.el7_8.1 will be an update
---> Package dbus.x86_64 1:1.10.24-13.el7_6 will be updated
---> Package dbus.x86_64 1:1.10.24-14.el7_8 will be an update
---> Package dbus-libs.x86_64 1:1.10.24-13.el7_6 will be updated
---> Package dbus-libs.x86_64 1:1.10.24-14.el7_8 will be an update
---> Package grub2.x86_64 1:2.02-0.81.el7.centos will be updated
---> Package grub2.x86_64 1:2.02-0.86.el7.centos will be an update
---> Package grub2-common.noarch 1:2.02-0.81.el7.centos will be updated
---> Package grub2-common.noarch 1:2.02-0.86.el7.centos will be an update
---> Package grub2-pc.x86_64 1:2.02-0.81.el7.centos will be updated
---> Package grub2-pc.x86_64 1:2.02-0.86.el7.centos will be an update
---> Package grub2-pc-modules.noarch 1:2.02-0.81.el7.centos will be updated
---> Package grub2-pc-modules.noarch 1:2.02-0.86.el7.centos will be an update
---> Package grub2-tools.x86_64 1:2.02-0.81.el7.centos will be updated
---> Package grub2-tools.x86_64 1:2.02-0.86.el7.centos will be an update
---> Package grub2-tools-extra.x86_64 1:2.02-0.81.el7.centos will be updated
Step 3: Install Squid Proxy Server
After the update completes, you can install the squid package by using yum install squid -y command as shown below. This command will check the package dependencies and install the squid package along with its dependencies.
[root@localhost ~]# yum install squid -y
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.5.20-15.el7_8.1 will be installed
--> Processing Dependency: squid-migration-script for package: 7:squid-3.5.20-15.el7_8.1.x86_64
--> Processing Dependency: perl(Digest::MD5) for package: 7:squid-3.5.20-15.el7_8.1.x86_64
--> Processing Dependency: libecap.so.3()(64bit) for package: 7:squid-3.5.20-15.el7_8.1.x86_64
--> Running transaction check
---> Package libecap.x86_64 0:1.0.0-1.el7 will be installed
---> Package perl-Digest-MD5.x86_64 0:2.52-3.el7 will be installed
--> Processing Dependency: perl(Digest::base) >= 1.00 for package: perl-Digest-MD5-2.52-3.el7.x86_64
---> Package squid-migration-script.x86_64 7:3.5.20-15.el7_8.1 will be installed
--> Running transaction check
---> Package perl-Digest.noarch 0:1.17-245.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch     Version               Repository  Size
================================================================================
Installing:
 squid                    x86_64   7:3.5.20-15.el7_8.1   updates     3.1 M
Installing for dependencies:
 libecap                  x86_64   1.0.0-1.el7           base         21 k
 perl-Digest              noarch   1.17-245.el7          base         23 k
 perl-Digest-MD5          x86_64   2.52-3.el7            base         30 k
 squid-migration-script   x86_64   7:3.5.20-15.el7_8.1   updates      50 k

Transaction Summary
================================================================================
Install 1 Package (+4 Dependent packages)

Total download size: 3.3 M
Installed size: 11 M
Downloading packages:
(1/5): perl-Digest-1.17-245.el7.noarch.rpm | 23 kB 00:00:00
(2/5): libecap-1.0.0-1.el7.x86_64.rpm | 21 kB 00:00:00
(3/5): perl-Digest-MD5-2.52-3.el7.x86_64.rpm | 30 kB 00:00:00
(4/5): squid-migration-script-3.5.20-15.el7_8.1.x86_64.rpm | 50 kB 00:00:00
(5/5): squid-3.5.20-15.el7_8.1.x86_64.rpm | 3.1 MB 00:00:00
--------------------------------------------------------------------------------
Total 2.2 MB/s | 3.3 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 7:squid-migration-script-3.5.20-15.el7_8.1.x86_64 1/5
  Installing : libecap-1.0.0-1.el7.x86_64 2/5
  Installing : perl-Digest-1.17-245.el7.noarch 3/5
  Installing : perl-Digest-MD5-2.52-3.el7.x86_64 4/5
  Installing : 7:squid-3.5.20-15.el7_8.1.x86_64 5/5
  Verifying : perl-Digest-1.17-245.el7.noarch 1/5
  Verifying : perl-Digest-MD5-2.52-3.el7.x86_64 2/5
  Verifying : libecap-1.0.0-1.el7.x86_64 3/5
  Verifying : 7:squid-3.5.20-15.el7_8.1.x86_64 4/5
  Verifying : 7:squid-migration-script-3.5.20-15.el7_8.1.x86_64 5/5

Installed:
  squid.x86_64 7:3.5.20-15.el7_8.1

Dependency Installed:
  libecap.x86_64 0:1.0.0-1.el7
  perl-Digest.noarch 0:1.17-245.el7
  perl-Digest-MD5.x86_64 0:2.52-3.el7
  squid-migration-script.x86_64 7:3.5.20-15.el7_8.1

Complete!
Step 4: Check Squid version
If you want to check the squid version then you need to use squid -v command as shown below. As you can see from below output current squid version is 3.5.20.
[root@localhost ~]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Step 5: Start and Enable Squid Proxy Service
Once squid installation is successful you need to start the service by using systemctl start squid command as shown below.
[root@localhost ~]# systemctl start squid
In the next step, you need to enable the service by using systemctl enable squid command. This will enable the service to start at the boot time.
[root@localhost ~]# systemctl enable squid
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
Then you can check the service running status by using systemctl status squid command. As you can see below, service is currently active and running fine. If you see any error in the status then you can use systemctl status squid -l command to check more about the error.
[root@localhost ~]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-10-25 07:30:26 EDT; 12s ago
 Main PID: 11680 (squid)
   CGroup: /system.slice/squid.service
           ├─11680 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─11682 (squid-1) -f /etc/squid/squid.conf
           └─11683 (logfile-daemon) /var/log/squid/access.log

Oct 25 07:30:26 localhost systemd[1]: Starting Squid caching proxy...
Oct 25 07:30:26 localhost systemd[1]: Started Squid caching proxy.
Oct 25 07:30:26 localhost squid[11680]: Squid Parent: will start 1 kids
Oct 25 07:30:26 localhost squid[11680]: Squid Parent: (squid-1) process 11682 started
Step 6: Configure Squid Proxy Server
If you want to access this proxy server from a specific source then you need to add that source network in squid.conf file as shown below. Here we are adding 192.168.12.0/24 source network to allow the squid proxy server access.
[root@localhost ~]# vi /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.12.0/24
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
After adding the source network in the above configuration file, you need to restart the squid proxy service using systemctl restart squid command to update the changes.
[root@localhost ~]# systemctl restart squid
Step 7: Test Squid Proxy Server
To test the squid proxy setup you can use curl tool to access google.com through proxy by using curl -x http://192.168.0.103:3128 -I http://google.com command as shown below.
[root@localhost ~]# curl -x http://192.168.0.103:3128 -I http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Oct 2020 15:34:16 GMT
Expires: Wed, 25 Nov 2020 15:34:16 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.1 localhost (squid/3.5.20)
Connection: keep-alive
Step 8: Enable Proxy User and Authentication
To enable proxy user, first you need to create a passwd file under /etc/squid path using touch /etc/squid/passwd command as shown below.
[root@localhost ~]# touch /etc/squid/passwd
Then you need to change the ownership of /etc/squid/passwd file using chown squid:squid /etc/squid/passwd command.
[root@localhost ~]# chown squid:squid /etc/squid/passwd
In the next step you need to use the htpasswd tool to add the password for user testuser in /etc/squid/passwd file using htpasswd /etc/squid/passwd testuser command as shown below.
[root@localhost ~]# htpasswd /etc/squid/passwd testuser
New password:
Re-type new password:
Adding password for user testuser
Now if you open and check the contents of /etc/squid/passwd file then you will see something like this.
[root@localhost ~]# cat /etc/squid/passwd
testuser:$apr1$nMZaAPOl$IUqna2h0hgJVvPFDU3qXh0
Here is the example configuration that you need to use in squid.conf file. Open the file with vi editor using vi /etc/squid/squid.conf and then add the below configuration. More on Squid Proxy Tutorial.
[root@localhost ~]# vi /etc/squid/squid.conf
# the last argument is the password file created above with htpasswd
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
dns_v4_first on
forwarded_for delete
via off
http_port 9000
- auth_param basic credentialsttl 24 hours: after 24 hours, the username and password will be asked for again.
- auth_param basic casesensitive off: usernames are not case sensitive.
- dns_v4_first on: try IPv4 first when resolving destinations, to speed up the proxy.
- forwarded_for delete: remove the X-Forwarded-For HTTP header, which would expose your source address to the destination.
- via off: do not add the Via header, to avoid exposing the proxy to the destination.
- http_port 9000: we are using port 9000 for the proxy. You can choose any free port.
Save the file by pressing Esc and then :wq!
After adding the above configuration, you need to restart the service by using systemctl restart squid command. It is important to note that if there is any error in the squid configuration file, the service will fail to restart.
[root@localhost ~]# systemctl restart squid
Then check the status by using systemctl status squid command.
[root@localhost ~]# systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-10-25 15:52:32 EDT; 7s ago
  Process: 14382 ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 16187 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 16182 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 16189 (squid)
   CGroup: /system.slice/squid.service
           ├─16189 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─16191 (squid-1) -f /etc/squid/squid.conf
           └─16192 (logfile-daemon) /var/log/squid/access.log

Oct 25 15:52:32 localhost systemd[1]: Starting Squid caching proxy...
Oct 25 15:52:32 localhost systemd[1]: Started Squid caching proxy.
Oct 25 15:52:32 localhost squid[16189]: Squid Parent: will start 1 kids
Oct 25 15:52:32 localhost squid[16189]: Squid Parent: (squid-1) process 16191 started
As you can see from the above output, the service restarted successfully and is running fine. You can also verify that squid is listening by checking the state of port 9000 using the netstat tool as shown below.
[root@localhost ~]# netstat -an | grep -i 9000
tcp6 0 0 :::9000 :::* LISTEN
Step 9: Block Websites or URLs
If you want to block any websites or URLs from the proxy server then you first need to add all those URLs to a file. Here we are creating a block_urls file under /etc/squid path and adding all the URLs which need to be blocked.
[root@localhost ~]# cat /etc/squid/block_urls
yahoo.com
google.com
youtube.com
Then you need to edit the squid configuration file and add the ACL below. Squid applies the first http_access rule that matches a request, so place the deny line above the http_access allow lines.
[root@localhost ~]# vi /etc/squid/squid.conf
acl block_urls dstdomain "/etc/squid/block_urls"
http_access deny block_urls
Now restart squid service using systemctl restart squid command to reflect the changes.
[root@localhost ~]# systemctl restart squid
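The script below is an added example, not part of the original article: it lints a squid.conf for three mistakes that the Step 8 and Step 9 settings can introduce (a missing or world-readable password file, an http_access rule that is never reached, and dstdomain entries that match only the bare host). The function names, the finding names and the sample files it builds in a temporary directory are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Finding names are made up here.

squid_findings() {
    conf=$1
    # 1. The basic_ncsa_auth helper needs a password file that exists and that
    #    other local users cannot read (touch typically creates it as 0644).
    pw=$(awk '$1=="auth_param" && $2=="basic" && $3=="program" {print $NF}' "$conf")
    if [ -n "$pw" ] && [ ! -f "$pw" ]; then
        echo "AUTH_FILE_MISSING $pw"
    elif [ -n "$pw" ] && [ -n "$(find "$pw" -perm -004)" ]; then
        echo "AUTH_FILE_WORLD_READABLE $pw"
    fi
    # 2. http_access is first-match-wins: nothing after a rule on "all" is
    #    evaluated, and a block-list deny after an allow is bypassed by it.
    awk '$1=="acl" && $3=="dstdomain" { blk[$2]=1 }
         $1=="http_access" {
             if (done) print "UNREACHABLE_RULE line " NR
             else if ($2=="deny" && ($3 in blk) && allowed) print "BLOCKLIST_AFTER_ALLOW line " NR
             if ($2=="allow") allowed=1
             if ($3=="all") done=1
         }' "$conf"
    # 3. In a dstdomain list "yahoo.com" matches only that exact host name;
    #    ".yahoo.com" also matches www.yahoo.com and every other subdomain.
    for f in $(awk '$1=="acl" && $3=="dstdomain" && $4 ~ /^"/ {gsub(/"/,"",$4); print $4}' "$conf"); do
        [ -f "$f" ] || continue
        while IFS= read -r d; do
            case $d in ''|'#'*|.*) ;; *) echo "EXACT_HOST_ONLY $d" ;; esac
        done < "$f"
    done
}

# Returns 0 when the config is clean, 1 (after printing the findings) otherwise.
lint_squid_conf() {
    out=$(squid_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the Step 8 and Step 9 settings with the block rule
# appended at the end of the file and a password file left at mode 0644.
make_sample() {
    dir=$1
    printf 'yahoo.com\n.youtube.com\n' > "$dir/block_urls"
    : > "$dir/passwd"; chmod 644 "$dir/passwd"
    cat > "$dir/squid.conf" <<EOF
auth_param basic program /usr/lib64/squid/basic_ncsa_auth $dir/passwd
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
acl block_urls dstdomain "$dir/block_urls"
http_access deny block_urls
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
lint_squid_conf "$tmp/squid.conf" || echo "fix the findings above, then run: squid -k parse"
rm -rf "$tmp"
```

On a real server, call lint_squid_conf /etc/squid/squid.conf before restarting the service; squid -k parse then checks the syntax of the file itself.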
Step 10: Remove Squid Packages
If you want to remove squid packages then you can remove it by using yum remove squid -y command as shown below.
[root@localhost ~]# yum remove squid -y
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.5.20-15.el7_8.1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package   Arch     Version               Repository   Size
================================================================================
Removing:
 squid     x86_64   7:3.5.20-15.el7_8.1   @updates     10 M

Transaction Summary
================================================================================
Remove 1 Package

Installed size: 10 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing : 7:squid-3.5.20-15.el7_8.1.x86_64 1/1
warning: /etc/squid/squid.conf saved as /etc/squid/squid.conf.rpmsave
  Verifying : 7:squid-3.5.20-15.el7_8.1.x86_64 1/1

Removed:
  squid.x86_64 7:3.5.20-15.el7_8.1

Complete!
Dear Sir
the result for step 7 from my side is
[root@ab squid]# curl -x http://localhost:3128 -I http://google.com
HTTP/1.1 403 Forbidden
Server: squid/5.5
Mime-Version: 1.0
Date: Tue, 15 Nov 2022 11:47:22 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3539
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from ab.01.a880.ip4.static.sl-reverse.com
X-Cache-Lookup: NONE from ab.01.a880.ip4.static.sl-reverse.com:3128
Via: 1.1 ab.01.a880.ip4.static.sl-reverse.com (squid/5.5)
Connection: keep-alive
[root@ab squid]#
thank you for the information