Hello guys, this is post is about an squid working example. The version of the squid that I am running is
2.7 stable. you can check it out running:
root@khs01sw10:~# squid -v Squid Cache: Version 2.7.STABLE9 configure options: (...) root@khs01sw10:~#
Note: Uprated on november 25, 2015
Now, the network that I have configured the proxy for. Is a 300 PC network with the following range 10.175.0.0/23 (net mask 255.255.254.0). The IP address of the proxy is 10.175.0.1. My proxy uses a few father proxies. Those father proxies are in the range 10.0.4.xxx and they handle all the requests except for the ones that go to the local-domain, gabs.hospitals.moh.gov.bw. The fathers also handle the authentication, so in the configurations I just have to say that they will handle it. And I have rules to forbid some websites during working hours from Monday to Friday. All this Depending on the mac address of the PC. Also there are some computers that do not have any forbidden site depending on their mac address.
This is the config file content:
#ACL section #My ACLs acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 10.175.0.0/23 acl bannedIP src 192.168.0.0/24 acl localdomain dstdomain .gabs.hospitals.moh.gov.bw acl NotLocalDomain dstdomain !gov.bw acl denysite url_regex "/etc/squid/deny.txt" acl macAllow arp "/etc/squid/mac.txt" acl morningTime time MTWHF 07:30-12:30 acl afternoonTime time MTWHF 14:00-16:30 #Safe port subsection acl SSL_ports port 443 # https acl SSL_ports port 563 # snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT # Allow or deny access to ACLs http_access allow manager localhost http_access deny manager bannedIP http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost # Allow special people that can go everywhere every time. http_access allow localnet macAllow # Allow if not going to a forbiden website during working hours http_access allow localnet !denysite morningTime http_access allow localnet !denysite AfternoonTime # Allow everyone everywhere if is not working hours http_access allow localnet !afternoonTime !morningTime # And finally deny all other access to this proxy http_access deny all #Allow ICP queries from local networks only icp_access allow localnet icp_access deny all # Squid normally listens to port 3128 http_port 3128 #Parent caches cache_peer 10.0.4.71 parent 3128 3130 no-query round-robin login=PASS cache_peer 10.0.4.76 parent 3128 3130 no-query round-robin login=PASS cache_peer 10.0.4.95 parent 3128 3130 no-query round-robin login=PASS cache_peer 10.0.4.94 parent 3128 3130 no-query round-robin login=PASS cache_peer 10.0.4.96 parent 3128 3130 no-query round-robin login=PASS cache_peer 10.0.4.110 parent 3128 3130 no-query round-robin login=PASS cache_peer_domain 10.0.4.71 !.gabs.hospitals.moh.gov.bw cache_peer_domain 10.0.4.76 !.gabs.hospitals.moh.gov.bw cache_peer_domain 10.0.4.96 !.gabs.hospitals.moh.gov.bw cache_peer_domain 10.0.4.95 !.gabs.hospitals.moh.gov.bw cache_peer_domain 10.0.4.94 !.gabs.hospitals.moh.gov.bw cache_peer_domain 10.0.4.110 !.gabs.hospitals.moh.gov.bw #We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ? # cache handling cache_mem 64 MB cache_dir aufs /var/spool/squid 500 16 256 #log file access_log /var/log/squid/access.log squid #Cache Refresh paterns refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 # Access policy never_direct deny localdomain never_direct allow all # hosts file hosts_file /etc/hosts # chroot coredump_dir /var/spool/squid
Note: The lines that begin with the # symbol are just comments.
That is it, and it works.
Some further explanation
If you need to know first the basics about squid configuration, you can check out here. But any way I am not going to explain every thing but a few important aspects that are not treated before.
#Parent caches cache_peer 10.0.4.71 parent 3128 3130 no-query round-robin login=PASS cache_peer_domain 10.0.4.71 !.gabs.hospitals.moh.gov.bw
For instance here you declare that 10.0.4.71 is a parent proxy. as well as that proxy is going to handle the login himsefl. Well actually that your proxy is going to prompt the users for password. And then it will send those details to the parent proxy for authentication. then the second line establishes a boundary for that relationship. it says that 10.0.4.71 is the should be contacted for everything except for any resource ended in .gabs.hospitals.moh.gov.bw.
# Access policy never_direct deny localdomain never_direct allow all
Here you say for which domain you are going directly and for which not.
Another part that deserves some explanation is how the rules work, for instance:
acl localnet src 10.175.0.0/23
Defines a rule called local net. This does not mean it does anything. It’s just a grouping rule under the name localnet. It groups all the requests that come from the network 10.175.0.0/23 giving them the name localnet. the name could be anything else that you might like. Now as I said you have to say what are you doing with that rule and that comes separate in a different section, for instance this part:
(...) http_access allow localnet macAllow (...) http_access allow localnet !denysite morningTime (...)
macAllow, denysite, morningTime are just other rules that group other requests from the users, depending custom needs. In this case, macAllow gruops all the special mac addresses that I want to allow to go everywhere and denysite are sites that are supposed to be denied during working hours, let say facebook or youtube for the sake of keeping it real. So line 1 says allow if the request is from “localnet” and at the same time “macAllow”, is other words let them go to internet if the PC of who is going is in the group of ip addreses called localnet and at the same time the mack address of his PC is in the group macs we want to allow. then the line 2 says something like; allow if the request is from “localnet” and is NOT (!) “denysite” and is done during “morningTime”.
That is it for today, if you have any question feel free to ask any question bellow.