208.3. Implementing a proxy server
Weight: 2
Description: Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
Key Knowledge Areas:
- Squid 3.x configuration files, terms and utilities
- Access restriction methods
- Client user authentication methods
- Layout and content of ACL in the Squid configuration files
Terms and Utilities:
- squid.conf
- acl
- http_access
In this lightweight lesson we talk about the Squid proxy server. Squid has a giant configuration file, and covering every aspect of it would take far more time, so for this course we discuss only the items that matter for the LPIC-2 exam.
A proxy server is a computer that acts as an intermediary between a desktop computer and the internet and allows a client machine to make an indirect connection to network servers and services. There are many reasons why we might want to include a proxy server on our network:
- To share internet connection on a LAN
- To speed up internet surfing
- To hide the IP address of the client computer for anonymous surfing
- To implement internet access control
- To scan outbound content
- To circumvent regional restrictions
Clearly some of the above reasons fit a business perfectly and others do not. Regardless, knowing how to install and configure a proxy server is a must-have skill for a network administrator.
Squid is a free and open-source, full-featured web proxy cache server released under GPL 3. It can be used in many other ways, for example as a caching daemon in front of a web server to speed up page loading, to cache DNS lookups and to filter traffic. Right now Squid supports the HTTP and FTP protocols, with limited support for other protocols such as TLS and SSL. It was first released in 1996.

Let's install Squid on CentOS 7 and see what it really looks like:
[root@centos7-2 ~]# yum install squid
[root@centos7-2 ~]# rpm -ql squid | grep etc
/etc/NetworkManager/dispatcher.d/20-squid
/etc/httpd/conf.d/squid.conf
/etc/logrotate.d/squid
/etc/pam.d/squid
/etc/squid
/etc/squid/cachemgr.conf
/etc/squid/cachemgr.conf.default
/etc/squid/errorpage.css
/etc/squid/errorpage.css.default
/etc/squid/mime.conf
/etc/squid/mime.conf.default
/etc/squid/squid.conf
/etc/squid/squid.conf.default
/etc/sysconfig/squid
The current version of the Squid server is version 3, so depending on our distribution we might need to specify that explicitly, or version 3 will be installed automatically.
The default configuration file for squid is located under /etc/squid3/squid.conf or /etc/squid/squid.conf.
[root@centos7-2 ~]# cd /etc/squid/
[root@centos7-2 squid]# ls -l
total 48
-rw-r--r--. 1 root squid 692 Apr 10 2018 cachemgr.conf
-rw-r--r--. 1 root root 692 Apr 10 2018 cachemgr.conf.default
-rw-r--r--. 1 root root 1817 Apr 10 2018 errorpage.css
-rw-r--r--. 1 root root 1817 Apr 10 2018 errorpage.css.default
-rw-r--r--. 1 root root 12077 Apr 10 2018 mime.conf
-rw-r--r--. 1 root root 12077 Apr 10 2018 mime.conf.default
-rw-r-----. 1 root squid 2315 Apr 10 2018 squid.conf
-rw-r--r--. 1 root root 2315 Apr 10 2018 squid.conf.default
This file contains the configuration directives that need to be set to change the behavior of Squid.
[root@centos7-2 squid]# cat squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
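To make the evaluation order of the rules above concrete, here is an added example (not part of the original lesson or of Squid itself): a small Python evaluator for the src, port and method ACL types that applies http_access lines the way Squid does, first matching line wins and an unmatched request gets the opposite of the last line's action. The embedded configuration is a constructed excerpt of the page's squid.conf; localhost and all are built in on Squid 3.2+ but are spelled out here so the evaluator can resolve them.

```python
import ipaddress

# Constructed excerpt of the page's squid.conf (same ACL names and rule order).
SQUID_CONF = """
acl localnet src 10.0.0.0/8
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl all src all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse_conf(text):
    """Collect acl lines by name and http_access lines in file order (comments stripped)."""
    acls, rules = {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["acl"]:
            acls.setdefault(fields[1], []).extend((fields[2], v) for v in fields[3:])
        elif fields[:1] == ["http_access"]:
            rules.append((fields[1], fields[2:]))
    return acls, rules

def acl_matches(entries, req):
    """An ACL matches when any one of its values matches the request (OR within an ACL)."""
    for kind, value in entries:
        if kind == "src" and (value == "all" or
                ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value, strict=False)):
            return True
        if kind == "port":
            lo, _, hi = value.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        if kind == "method" and value.upper() == req["method"].upper():
            return True
    return False

def http_access(acls, rules, req):
    """First line whose ACLs all match (AND, '!' negates) decides; else opposite of last line."""
    for action, refs in rules:
        if all(acl_matches(acls[r.lstrip("!")], req) != r.startswith("!") for r in refs):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Requests are plain dicts with src, port and method, so you can check how a rule ordering behaves before loading it into a live proxy.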
The file on Ubuntu is much larger because of its rich documentation. Let's take a look at the important directives:
http_port port [mode] [options]
This is the port on which the HTTP proxy listens; by default it is 3128.
cache_mem [bytes]
Defines the amount of memory Squid can use for caching objects. The default is 256 MB and the directive is commented out. This is not a limit on Squid's total memory usage, which may exceed it.
maximum_object_size_in_memory [bytes]
Objects greater than this size will not be kept in the memory cache. This should be set high enough to keep frequently accessed objects in memory to improve performance, while low enough to keep larger objects from hoarding cache_mem. The default size is 512 KB.
cache_dir aufs Directory-Name Mbytes L1 L2 [options]
The cache_dir entry defines the directory where all the objects are stored on disk. The numbers at the end indicate the maximum disk space to use in MB and the number of directories in the first and second level. "ufs" is the old, well-known Squid storage format that has always been there. By default disk caching is not turned on; we can enable it by uncommenting the line.
cache_dir ufs /var/cache/squid/ 100 16 256
The default is 100 MB of disk space in the /var/cache/squid directory with 16 subdirectories inside it, each containing 256 more subdirectories.
maximum_object_size [bytes]
Sets the default value for the max-size parameter on any cache_dir. The value is specified in bytes, and the default is 4 MB.
After making some configuration changes (as an example, here we have turned on the disk cache) we need to (re)start the squid service:
[root@centos7-2 ~]# systemctl status squid.service
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@centos7-2 ~]# systemctl start squid.service
[root@centos7-2 ~]# systemctl status squid.service
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2018-10-10 11:49:42 EDT; 10s ago
Process: 35580 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 35571 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 35582 (squid)
CGroup: /system.slice/squid.service
├─35582 /usr/sbin/squid -f /etc/squid/squid.conf
├─35584 (squid-1) -f /etc/squid/squid.conf
└─35588 (logfile-daemon) /var/log/squid/access.log
Oct 10 11:49:42 centos7-2 systemd[1]: Starting Squid caching proxy...
Oct 10 11:49:42 centos7-2 squid[35582]: Squid Parent: will start 1 kids
Oct 10 11:49:42 centos7-2 squid[35582]: Squid Parent: (squid-1) process 35584 started
Oct 10 11:49:42 centos7-2 systemd[1]: Started Squid caching proxy.