Squid proxy server working example Debian GNU Linux

Hello guys, this post is about a working Squid example. The version of Squid that I am running is 2.7 stable. You can check yours by running:

root@khs01sw10:~# squid -v
Squid Cache: Version 2.7.STABLE9
configure options:  (...)
root@khs01sw10:~#

Squid 3 error page

Note: Updated on November 25, 2015

This post is part of a larger set of Debian material that you can access here. If you first need to know the basics of Squid configuration, you can check them out here.

Now, the network that I have configured the proxy for is a 300-PC network in the range 10.175.0.0/23 (netmask 255.255.254.0). The IP address of the proxy is 10.175.0.1. My proxy uses a few parent proxies. Those parents are in the range 10.0.4.xxx and they handle all requests except the ones going to the local domain, gabs.hospitals.moh.gov.bw. The parents also handle the authentication, so in the configuration I only have to say that they will handle it. I also have rules that forbid some websites during working hours, Monday to Friday, depending on the MAC address of the PC, and some computers have no forbidden sites at all, again based on their MAC address.

This is the config file content:

#ACL section
#My ACLs
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.175.0.0/23
acl bannedIP src 192.168.0.0/24
acl localdomain dstdomain .gabs.hospitals.moh.gov.bw
acl NotLocalDomain dstdomain !gov.bw    # unused below; a leading ! negates only in access lines, not inside an acl definition
acl denysite url_regex "/etc/squid/deny.txt"
acl macAllow arp "/etc/squid/mac.txt"
acl morningTime time MTWHF 07:30-12:30
acl afternoonTime time MTWHF 14:00-16:30

#Safe port subsection
acl SSL_ports port 443        # https
acl SSL_ports port 563        # snews
acl SSL_ports port 873        # rsync
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 631        # cups
acl Safe_ports port 873        # rsync
acl Safe_ports port 901        # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# Allow or deny access to ACLs
http_access allow manager localhost 
http_access deny manager bannedIP
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

# Allow special people that can go everywhere every time.
http_access allow localnet macAllow
# Allow if not going to a forbidden website during working hours
http_access allow localnet !denysite morningTime
http_access allow localnet !denysite afternoonTime
# Allow everyone everywhere if it is not working hours
http_access allow localnet !afternoonTime !morningTime
# And finally deny all other access to this proxy
http_access deny all

#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all

# Squid normally listens to port 3128
http_port 3128

#Parent caches
cache_peer 10.0.4.71 parent 3128 3130 no-query round-robin login=PASS
cache_peer 10.0.4.76 parent 3128 3130 no-query round-robin login=PASS
cache_peer 10.0.4.95 parent 3128 3130 no-query round-robin login=PASS
cache_peer 10.0.4.94 parent 3128 3130 no-query round-robin login=PASS
cache_peer 10.0.4.96 parent 3128 3130 no-query round-robin login=PASS
cache_peer 10.0.4.110 parent 3128 3130 no-query round-robin login=PASS
cache_peer_domain 10.0.4.71 !.gabs.hospitals.moh.gov.bw
cache_peer_domain 10.0.4.76 !.gabs.hospitals.moh.gov.bw
cache_peer_domain 10.0.4.96 !.gabs.hospitals.moh.gov.bw
cache_peer_domain 10.0.4.95 !.gabs.hospitals.moh.gov.bw
cache_peer_domain 10.0.4.94 !.gabs.hospitals.moh.gov.bw
cache_peer_domain 10.0.4.110 !.gabs.hospitals.moh.gov.bw


#We recommend that you use at least the following line.
hierarchy_stoplist cgi-bin ?
# cache handling
cache_mem 64 MB
cache_dir aufs /var/spool/squid 500 16 256
#log file
access_log /var/log/squid/access.log squid

#Cache refresh patterns
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$    0    20%    2880
refresh_pattern .        0    20%    4320

# Access policy
never_direct deny localdomain
never_direct allow all

# hosts file
hosts_file /etc/hosts
# chroot
coredump_dir /var/spool/squid

Note: The lines that begin with the # symbol are just comments.

That is it, and it works.

Some further explanation

If you first need to know the basics of Squid configuration, you can check them out here. In any case I am not going to explain everything, only a few important aspects that were not covered before.

#Parent caches
cache_peer 10.0.4.71 parent 3128 3130 no-query round-robin login=PASS
cache_peer_domain 10.0.4.71 !.gabs.hospitals.moh.gov.bw

For instance, here you declare that 10.0.4.71 is a parent proxy, and that the parent is going to handle the login itself. More precisely, your proxy will prompt the users for a password and then send those details on to the parent proxy for authentication (that is what login=PASS asks for). The second line then establishes a boundary for that relationship: it says that 10.0.4.71 should be contacted for everything except resources ending in .gabs.hospitals.moh.gov.bw.

Then here:

# Access policy
never_direct deny localdomain
never_direct allow all

Here you say which domains you go to directly and which you do not: the local domain may be fetched directly, while everything else must go through the parents.

Another part that deserves some explanation is how the rules work, for instance:

acl localnet src 10.175.0.0/23

Defines a rule called localnet. By itself this does nothing; it is just a grouping rule under the name localnet. It groups all the requests that come from the network 10.175.0.0/23 and gives them that name; the name could be anything else you like. Now, as I said, you have to state what you are doing with that rule, and that comes separately in a different section, for instance this part:

(...)
http_access allow localnet macAllow
(...)
http_access allow localnet !denysite morningTime 
(...)

macAllow, denysite and morningTime are just other rules that group other requests from the users, depending on your needs. In this case, macAllow groups all the special MAC addresses that I want to allow to go everywhere, and denysite groups the sites that are supposed to be denied during working hours, let us say Facebook or YouTube to keep it real. So line 1 says: allow if the request is from “localnet” and at the same time from “macAllow”; in other words, let the PC go to the internet if its IP address is in the group of addresses called localnet and at the same time its MAC address is in the group of MACs we want to allow. Then line 2 says something like: allow if the request is from “localnet” and is NOT (!) for a “denysite” and is made during “morningTime”.
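To make the rule semantics from the two passages above concrete (the AND of every ACL on an http_access line, first matching line wins, and the never_direct lines that keep the local domain off the parents), here is an added Python model of that evaluation. It is example code written for this post, not code from the post and not part of Squid. The ACL names, networks, ports and time windows are copied from the config above; the contents of deny.txt and mac.txt, the sample requests and the treatment of the stop minute as exclusive are assumptions made for the example.

```python
"""Toy evaluator for the http_access and never_direct lines of the squid.conf above.

Added example, not part of Squid: walks the rules top to bottom, ANDs every ACL on a
line (a leading '!' negates one ACL) and stops at the first line whose ACLs all match.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass
class Request:
    src: str        # client IP address
    mac: str        # client MAC address, what the 'arp' ACL type matches on
    url: str        # full URL, or bare host:port for CONNECT
    method: str
    when: datetime


# Constructed stand-ins for /etc/squid/deny.txt (url_regex) and /etc/squid/mac.txt (arp).
DENY_TXT = [r"facebook\.com", r"youtube\.com"]
MAC_TXT = {"00:11:22:33:44:55"}

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777, 631, 873, 901} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 873}
LOCALNET = ipaddress.ip_network("10.175.0.0/23")
BANNED = ipaddress.ip_network("192.168.0.0/24")


def _host_port(req):
    """Destination host and port; CONNECT requests carry a bare host:port."""
    if req.method == "CONNECT":
        host, _, port = req.url.rpartition(":")
        return host.lower(), int(port)
    u = urlsplit(req.url)
    return (u.hostname or "").lower(), u.port or {"http": 80, "https": 443, "ftp": 21}.get(u.scheme, 0)


def _dstdomain(req, pattern):
    """A leading dot matches the domain itself and every subdomain, as dstdomain does."""
    host, _ = _host_port(req)
    return host == pattern.lstrip(".") or host.endswith(pattern)


def _time(req, start, stop):
    """'time MTWHF hh:mm-hh:mm': Monday to Friday, minute of the day inside the window
    (the stop minute is treated as exclusive here; an assumption of this model)."""
    if req.when.weekday() > 4:
        return False
    minute = req.when.hour * 60 + req.when.minute
    return start <= minute < stop


# One predicate per ACL of the config.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r.url.startswith("cache_object://"),
    "localhost": lambda r: r.src == "127.0.0.1",
    "localnet": lambda r: ipaddress.ip_address(r.src) in LOCALNET,
    "bannedIP": lambda r: ipaddress.ip_address(r.src) in BANNED,
    "localdomain": lambda r: _dstdomain(r, ".gabs.hospitals.moh.gov.bw"),
    "denysite": lambda r: any(re.search(p, r.url) for p in DENY_TXT),
    "macAllow": lambda r: r.mac.lower() in MAC_TXT,
    "morningTime": lambda r: _time(r, 7 * 60 + 30, 12 * 60 + 30),
    "afternoonTime": lambda r: _time(r, 14 * 60, 16 * 60 + 30),
    "Safe_ports": lambda r: _host_port(r)[1] in SAFE_PORTS,
    "SSL_ports": lambda r: _host_port(r)[1] in SSL_PORTS,
    "purge": lambda r: r.method == "PURGE",
    "CONNECT": lambda r: r.method == "CONNECT",
}

# The http_access lines of the config, in order (index 0 is the first line).
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager", "bannedIP"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet", "macAllow"]),
    ("allow", ["localnet", "!denysite", "morningTime"]),
    ("allow", ["localnet", "!denysite", "afternoonTime"]),
    ("allow", ["localnet", "!afternoonTime", "!morningTime"]),
    ("deny", ["all"]),
]
NEVER_DIRECT = [("deny", ["localdomain"]), ("allow", ["all"])]


def _matches(acl, req):
    negate = acl.startswith("!")
    return ACLS[acl.lstrip("!")](req) != negate


def _first_match(rules, req):
    for index, (action, acls) in enumerate(rules):
        if all(_matches(a, req) for a in acls):
            return action, index
    # Squid's documented fallback when no line matches: the opposite of the last action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), -1


def http_access(req):
    """('allow' | 'deny', index of the http_access line that decided it)."""
    return _first_match(HTTP_ACCESS, req)


def route(req):
    """'parent' when never_direct forbids going direct, 'direct' when it allows it."""
    action, _ = _first_match(NEVER_DIRECT, req)
    return "parent" if action == "allow" else "direct"


if __name__ == "__main__":
    monday = datetime(2015, 11, 23, 10, 0)  # constructed: a Monday morning
    req = Request("10.175.0.50", "aa:bb:cc:dd:ee:ff", "http://www.facebook.com/", "GET", monday)
    print(http_access(req), route(req))
```

Change the MAC, the clock or the destination in the `__main__` block to see which line decides. The useful part is the index: when a rule does not behave as expected on the real proxy, the same top-to-bottom walk tells you which earlier line is catching the request first, which is the usual reason a later allow or deny never fires. For the real config, `squid -k parse` checks the syntax and the access.log shows the result per request.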

Check out the whole config folder here. For specific information about the rest of the config options, go to the official Squid website; they have a decent reference manual.

That is it for today. If you have any question, feel free to ask below.
