Thursday, December 11, 2008

SQUID (Proxy Server)

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS.[1] The development version of Squid (3.1) includes IPv6 and ICAP support.

Squid is the default proxy server in RHEL5. In this article I will show how to configure the squid proxy server on RHEL5.


SQUID (PROXY SERVER)

Purpose: Web caching, bandwidth management, URL surf control etc.
Service Type: Standalone
Dependency: Network Service
Ports: 8080 / 3128 TCP

RECOMMENDATIONS FOR A GOOD PROXY SERVER:

RAM: Min 1.0 GB
Processor: Min Pentium 4 D at least 2.8 GHz
Hard Drives: SCSI or SATA-I, 3 HDs, 80GB each (the smallest SATA drives are 80GB)

Partition Scheme:

To distribute I/O load among all hard drives use the following partition scheme. You can use the remaining space as
you like. There are three main directories where I/O load is very heavy in a proxy server:

1. Operating system (/)
2. Log Directory (/var/log)
3. Cache Directory (/cache1 and /cache2)

We have therefore created each of these directories as a separate partition on a different hard drive.

HD1:
/boot 500MB
/ 30GB

HD2:
/var/log 80GB

HD3:
/cache1 15GB
/cache2 15GB

The proxy server should be sufficient for 1000 users (1000/3=330 active users).

Directory and File Location:

/etc/squid: Contains all Squid configuration files.
/etc/squid/squid.conf: Main proxy server configuration file.
/var/log/squid: Squid log directory
/var/log/squid/cache.log: Squid service log file
/var/log/squid/access.log: Squid access log file
/var/log/messages: Main system log file
/var/spool/squid: Default cache directory

Required Packages:

Squid-version.number: Main rpm package

SIMPLE WEB-CACHE SETUP WITH SQUID:

End Result: A proxy server performing web-cache.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080


Internal Network: 192.168.0.0/24

Like the apache web server, the squid proxy server comes almost pre-configured. You just have to configure the proxy port
and ACLs and start the squid service, that's all.

Step 1:

Configure the squid service to start at boot time.
chkconfig squid on

Step 2:

Configure the /etc/hosts file. In this scenario the /etc/hosts file should look like:

192.168.0.14 linuxbox4

Step 3:

Note: the squid.conf file is read in sequence by the squid service: the upper part is read first, then the lower part. Therefore
you must define parameters in their designated places. A sample configuration is present in the default squid
configuration file.

Open the /etc/squid/squid.conf file and change the http_port parameter as follows.

From:
http_port 3128

To:
http_port 8080

Find the “visible_hostname” section and define visible_hostname as follows.

visible_hostname linuxbox4

Note: the /etc/hosts file must be configured.

Find the ACL section and define the following two lines at the beginning of that section.

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

Here:
acl: is the keyword for an ACL.

internal: ACL name.

src: ACL type is src (source address), meaning we have specified source addresses in
this acl. ACLs are groups of source addresses, URLs, times, MAC addresses etc.
After making such groups we configure their access, i.e. whether they are allowed or
denied http access through this proxy server.

192.168.0.0/255.255.255.0:
IP address and subnet mask of the clients which will use this proxy server for
Internet access.

http_access allow internal:
Allow web access to the source IP group internal.

Step 4:

Save and exit, then reload the squid service.

service squid reload

Checking: On the client system, open Internet Explorer, set the proxy server's address and port, and browse
some site.

BLOCK SITES WITH SQUID:

End Result: A proxy server performing web-cache and blocking certain sites.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Internal Network: 192.168.0.0/24
Blocked Sites: hotmail.com & yahoo.com sites

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Add the following ACL lines

acl blk url_regex hotmail.com yahoo.com
http_access deny blk

above these lines

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

Save and exit, then reload the squid service.

service squid reload

Checking: On the client system, open Internet Explorer, set the proxy server's address and port, and browse
hotmail.com and yahoo.com; you will get an “Access Denied” error from the proxy.

BLOCK CLIENTS BASED ON MAC ADDRESS:

End Result: A proxy server performing web-cache and blocking certain MAC addresses.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Blocked MAC: 00:B0:D0:A1:68:06
Allowed MAC: 17:FF:C3:A1:68:A0

Note: MAC based settings can only be used in squid.conf if squid has been compiled with
the “--enable-arp-acl” configure option. Squid does not come precompiled with this option.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Add the following ACL lines

acl deny-macs arp 00:50:04:99:C4:1D
http_access deny deny-macs

acl allow-macs arp 17:FF:C3:A1:68:A0
http_access allow allow-macs


Here:
deny-macs & allow-macs: are ACL names.

arp: ACL type is ARP (MAC address), meaning we have created groups of clients/PCs
based on MAC addresses, and after that we allow or deny access based on
these ACLs.

http_access deny deny-macs:
We have denied web (http_access) access to the MAC address specified in the “deny-macs”
ACL.

http_access allow allow-macs:
We have allowed web (http_access) access to the MAC address specified in the “allow-macs”
ACL.

Save and exit and reload squid service.

service squid reload

CONFIGURE SQUID IN IVS ENVIRONMENT:

End Result: A proxy server performing web-cache, sending outgoing data through the modem/DSL link and
getting incoming data from the satellite link.

Scenario:
Proxy Server: linuxbox5
Proxy Server Port: 8080
IP address Assigned by ISP: 210.56.5.22/255.255.255.252
IP Address Given by Satellite Company: 64.32.5.88/255.255.255.252
Internal Network: 192.168.0.0/24
Number of NICs in Proxy Server: One

Assumptions:

1. The proxy server is connected to the ISP; 210.56.5.22 is assigned as the primary IP address of the proxy server
and 64.32.5.88 is assigned as its secondary IP address.
2. The proxy server's gateway is configured as provided by the ISP, so outgoing traffic goes out via the ISP
(DSL/Dialup).
3. The satellite interface card is installed, configured and in sync.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Add the following lines to the squid.conf file.

tcp_outgoing_address 64.32.5.88
udp_outgoing_address 64.32.5.88

Save and exit and reload squid service.

service squid reload

Checking: Install the iptraf package on the proxy server and monitor packets on the satellite interface.

TRANSPARENT PROXY SETUP:

End Result: A proxy server performing transparent web-cache.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Internal Network: 192.168.0.0/24

Note: Squid cannot be configured with authentication and as a transparent proxy at the same
time.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Add the following lines under the “httpd_accel” section.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Save and exit and reload squid service.

service squid reload

Add the following line at the end of the /etc/rc.local file and reboot the server.

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080


SQUID AUTHENTICATION SETUP:

End Result: A proxy server performing web-cache with user authentication.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Internal Network: 192.168.0.0/24
Allowed Users: u1 and u2

Step 1:


Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Step 2:

Create squid password file and add users in it.

touch /etc/squid/squidpasswd
htpasswd /etc/squid/squidpasswd u1
htpasswd /etc/squid/squidpasswd u2

Step 3:

Add the following lines under the “auth_param” section in the squid.conf file.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidpasswd
auth_param basic children 15

Here:

auth_param: This parameter tells the proxy to require authentication from clients.

basic: This is the authentication type. Usernames and passwords travel in clear text over the network.

program /usr/lib/squid/ncsa_auth:
Use this program to authenticate users. ncsa_auth only supports the basic auth type.

/etc/squid/squidpasswd:
Usernames and passwords will be kept in this file. We have to create this file and add users to it
with the htpasswd command.

auth_param basic children 15:
Start 15 authentication processes; if 16 users log in at the same time, the last user will have to
wait until an authentication process becomes available.

Add the following ACL lines

acl authchk proxy_auth REQUIRED
http_access allow authchk

above these lines

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

Step 4:

Save and exit and reload squid service.

service squid reload

BLOCK CLIENTS BASED ON TIME SETTINGS:

End Result: A proxy server performing web-cache and implementing time based restrictions.
Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Allowed Time: 9:00 AM to 09:00 PM

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Add the following ACL line

acl timechk time 09:00-21:00

above this line

acl internal src 192.168.0.0/255.255.255.0

and change the following line

From:
http_access allow internal

To:
http_access allow internal timechk

Here:
timechk: ACL name.

time: ACL type is time, meaning we have set a group of times and based on these time
groups we will allow or deny clients.

http_access allow internal timechk:
Tells squid to apply the time restriction to clients that belong to the internal group
(whose source IP address is between 192.168.0.1 – 253).

Save and exit and reload squid service.

service squid reload
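Because squid.conf is read top to bottom, the order of the http_access lines in the “Block Sites” and time-restriction sections above decides what happens. The following added Python example (not from the article) evaluates the src, url_regex and time ACLs from those sections in Squid's first-match order; the ACL table, request addresses and URLs are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed ACL table from this article: src, url_regex and time types.
ACLS = {
    "internal": ("src", ["192.168.0.0/255.255.255.0"]),
    "blk": ("url_regex", ["hotmail.com", "yahoo.com"]),  # unescaped '.' as on the page
    "timechk": ("time", ["09:00-21:00"]),
}
# http_access lines in the order the article places them: deny blk sits above
# the allow line, and timechk is appended to "allow internal".
HTTP_ACCESS = [
    ("deny", ["blk"]),
    ("allow", ["internal", "timechk"]),
]

def acl_matches(name, src_ip, url, hhmm):
    """True if the named ACL matches a request from src_ip for url at time hhmm."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "url_regex":
        return any(re.search(v, url) for v in values)
    if kind == "time":
        # Squid's time ACL matches start <= now < end on a 24-hour clock
        return any(v.split("-")[0] <= hhmm < v.split("-")[1] for v in values)
    raise ValueError(f"unsupported ACL type {kind}")

def http_access(src_ip, url, hhmm=None, rules=HTTP_ACCESS):
    """Decide 'allow' or 'deny' the way Squid walks http_access: top to bottom,
    and the first line whose ACLs all match wins. If no line matches, Squid
    applies the opposite of the last line's action, so ending on an allow line
    means everything unmatched (here: outside 192.168.0.0/24) is denied."""
    hhmm = hhmm or datetime.now().strftime("%H:%M")
    for action, names in rules:
        if all(acl_matches(n, src_ip, url, hhmm) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Passing the same rules in reversed order shows why the deny lines must sit above the allow line: the allow matches first and the block never fires.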

BANDWIDTH MANAGEMENT:

End Result: A proxy server with bandwidth management assigning 256Kbps to two clients and
64Kbps to all other users of the 192.168.0.0/24 network.
Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Bandwidth Group1: 192.168.0.1 and 192.168.0.10 (256Kbps)
Bandwidth Group2: 192.168.0.0/24 (64Kbps) Except 192.168.0.1 and 192.168.0.10

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Define the following lines in the squid.conf file.

acl bw256k src 192.168.0.1
acl bw256k src 192.168.0.10

above these lines

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

In the delay pool section add the following.

delay_pools 2
delay_class 1 2
delay_parameters 1 32000/32000 -1/-1
delay_access 1 allow bw256k

delay_class 2 2
delay_parameters 2 8100/8100 -1/-1
delay_access 2 allow internal

Here:
delay_pools 2: There are two types of settings / groups of people; one delay pool handles one
type of settings, which is why we define two delay pools.

delay_class 1 2: Delay pool 1 belongs to delay class 2. There are three delay classes. In class 1 we
can limit bandwidth only for a subnet. In class 2 we can configure bandwidth for a
client and a subnet as well. And in class 3 we can configure bandwidth for a client,
a subnet and the complete network.

delay_parameters 1 32000/32000 -1/-1:
For delay pool 1 we are providing 32000/32000 (256Kbps OR 32000 Kilo Bytes)
for one user, min and max 256Kbps. -1/-1 means no limit on the network.

delay_access 1 allow bw256k:
We are allowing the bw256k (192.168.0.1 & 192.168.0.10) group/ACL to use the
settings of delay pool 1.

Save and exit and reload squid service.

service squid reload
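As an added illustration (not from the article), the following Python simulation shows how a class-2 delay pool doles out bytes using the restore/max values from the configuration above and converts them to Kbps. Squid's own documentation gives the class-2 parameter order as the aggregate (whole pool) pair followed by the per-client pair, and the simulation assumes that order; client addresses and demands are constructed.

```python
class Bucket:
    """One Squid delay-pool bucket given as restore/max bytes, or -1/-1 for no
    limit. It starts full, drains as bytes are delivered and regains 'restore'
    bytes each second, never exceeding 'maximum'."""
    def __init__(self, restore, maximum):
        self.restore, self.maximum = restore, maximum
        self.level = maximum

    def available(self, want):
        return want if self.restore == -1 else min(want, self.level)

    def consume(self, n):
        if self.restore != -1:
            self.level -= n

    def refill(self):
        if self.restore != -1:
            self.level = min(self.maximum, self.level + self.restore)

def kbps(bytes_per_second):
    """Bucket rates are bytes per second; the article quotes them in Kbps."""
    return bytes_per_second * 8 / 1000

def simulate_class2(aggregate, individual, demands, seconds):
    """Class 2 pool: one aggregate bucket for the whole pool plus one bucket per
    client IP (both given as (restore, max) tuples). demands maps client IP to
    the bytes it tries to read each second; returns bytes each client received."""
    agg = Bucket(*aggregate)
    per_ip = {ip: Bucket(*individual) for ip in demands}
    total = dict.fromkeys(demands, 0)
    for _ in range(seconds):
        for ip, want in demands.items():
            # a client gets what both its own bucket and the shared bucket allow
            granted = agg.available(per_ip[ip].available(want))
            per_ip[ip].consume(granted)
            agg.consume(granted)
            total[ip] += granted
        agg.refill()
        for bucket in per_ip.values():
            bucket.refill()
    return total
```

With 32000/32000 in the aggregate position, two clients reading flat out share one 32000 byte per second budget; moving the limit to the per-client pair gives each client its own budget.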

DEFINE A DIFFERENT CACHE DIRECTORY THAN THE DEFAULT:

End Result: A proxy server keeping web cache in customized directory.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Cache Directory: /cache partition (10GB in size)

Note: It is recommended to create /cache as a separate partition.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

Create a squid directory in the /cache partition and set its owner and group to the squid user and group.

mkdir /cache/squid
chown squid.squid /cache/squid

Under the cache_dir section add the following line

cache_dir ufs /cache/squid 8500 16 256

We left 1500 MB free for the swap.state file, which keeps the status of the cache directory. Save and exit and run the following
commands.

squid -z
service squid restart



SQUID PERFORMANCE TUNING:

End Result: A perfect squid proxy server.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”, then do the
additional steps given below.

And configure the following parameters under their sections

maximum_object_size 10000 KB
maximum_object_size_in_memory 16 KB
dns_timeout 3 minutes
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

2 comments:

  1. Excellent Stuff.

    Really useful.

    Hats off to you.

  2. Problem with configuration of Squid-1 server that has an "authenticated Squid-2 parent".

    Squid-2 parent's Proxy detail: 10.31.31.10 port-3128 + userid/passwd

    Squid-1 server IP :

    eth0 -- 10.126.2.101 (connected to Squid-2, also a DHCP server)

    eth1 -- 192.168.1.1 (connected to LAN through ethernet switch , DHCP configured, LAN PCs take IP from 192.168.1..2 - 198.168.1..254, Firewall disabled)

    I am trying to access internet on LAN PCs, but all efforts have gone in vain.
    OS: SuSE 11.0 64 bit
    Please help me configure squid or mail me a squid.conf
