The Squid proxy server is mainly used as a gateway between users and the Internet, providing the following functions:
- caching of user requests to the Internet: if two users access the same website, only the first request fetches the static objects from the origin server; the second user gets them from the on-disk cache managed by Squid (gain in speed and bandwidth),
- restriction of Internet access: ACLs (Access Control Lists) can be defined to restrict which client IP addresses are allowed to go through the proxy,
- logging of user requests to the Internet: the Squid log files (/var/log/squid/access.log) can record every request going through it.
Although this is not the purpose of this tutorial, Squid can also be used as a content accelerator: it is then placed in front of a web server to speed up requests for static objects. This is the reverse proxy role.
By default Squid listens on TCP port 3128. In this tutorial the Squid server has two network interfaces: one connected to the local network (here eth0) and one connected to the outside world (here eth1). Squid itself does not require two interfaces (it is an application-level proxy), but the separation makes the firewall rule below straightforward.
This means that all users needing Internet access will have to configure their browser to point to the Squid IP address and port 3128 (various ways exist to do this automatically, but they are not the purpose of this tutorial).
The default gateway of the Squid server itself should point to the Internet (through eth1).
Install the Squid package:
# yum install -y squid
Edit the /etc/squid/squid.conf file and uncomment the line starting with the #cache_dir string:
cache_dir ufs /var/spool/squid 100 16 256
Note: ufs is the cache storage type (the classic Squid on-disk store), /var/spool/squid is the directory where the cache is stored, 100 is the cache size in MB, and 16 and 256 are respectively the number of first- and second-level subdirectories to create. Normally only the size needs to be adjusted to the space allocated to the cache; the directory must be writable by the squid user, which the package already arranges for /var/spool/squid.
Then, in the same file, search for the INSERT YOUR OWN RULE string. Paste the following lines without forgetting to replace the X.Y.Z.0/N string with your local network addressing. The position matters: Squid evaluates http_access lines top to bottom and the first match wins, so the allow line must come before the final http_access deny all that the default configuration ends with.
acl MyNetwork src X.Y.Z.0/N
http_access allow MyNetwork
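To see why the order of the http_access lines matters, here is an added example (not part of the original tutorial and not Squid's own code) that re-implements, for src ACLs only, Squid's first-match evaluation of acl/http_access lines. The network 192.168.1.0/24 and the client addresses are constructed for the example; the built-in all ACL is treated as matching every address, as in Squid 3.2 and later (on Squid 3.1 the default squid.conf defines acl all src all itself). Running it against a snippet before restarting the proxy shows whether internal clients are allowed and whether outsiders are denied, and catches an allow line pasted after the final deny.

```python
"""Minimal simulator of Squid http_access evaluation for 'src' ACLs.

Added example for the tutorial above; it is not Squid code. It supports
only the two line types used in the tutorial:
    acl NAME src CIDR [CIDR ...]
    http_access allow|deny NAME
Semantics reproduced from squid.conf documentation: lines are checked in
order, the first matching line decides; if no line matches, the decision
is the opposite of the last line's action (and everything is allowed if
there are no http_access lines at all).
"""
import ipaddress

# Constructed snippet in the shape pasted at INSERT YOUR OWN RULE(S) HERE,
# followed by the 'http_access deny all' that ends the default squid.conf.
GOOD_CONFIG = """\
acl MyNetwork src 192.168.1.0/24
http_access allow MyNetwork
http_access deny all
"""

# Same lines, but the allow pasted *after* the final deny: nobody gets through.
BAD_ORDER_CONFIG = """\
acl MyNetwork src 192.168.1.0/24
http_access deny all
http_access allow MyNetwork
"""


def parse(config_text):
    """Return (acls, rules).

    acls maps an ACL name to a list of ip_network objects; rules is the
    ordered list of (action, acl_name) tuples. Comments and blank lines are
    skipped; anything else is rejected so a typo does not pass silently.
    """
    # 'all' is built in: it matches any IPv4 or IPv6 address.
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("::/0")]}
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # strict=False accepts host bits set in the prefix, as Squid does.
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif (parts[0] == "http_access" and len(parts) == 3
              and parts[1] in ("allow", "deny")):
            if parts[2] not in acls:
                raise ValueError("http_access references undefined ACL %r"
                                 % parts[2])
            rules.append((parts[1], parts[2]))
        else:
            raise ValueError("unsupported line for this simulator: %r" % raw)
    return acls, rules


def decide(config_text, client_ip):
    """Return 'allow' or 'deny' for a request coming from client_ip."""
    acls, rules = parse(config_text)
    addr = ipaddress.ip_address(client_ip)
    for action, name in rules:
        # 'in' on an ip_network of the other IP version simply returns False.
        if any(addr in net for net in acls[name]):
            return action
    if not rules:
        return "allow"          # no http_access lines at all: Squid allows
    # no line matched: the opposite of the last line's action applies
    return "deny" if rules[-1][0] == "allow" else "allow"


def unreachable_rules(config_text):
    """Return the http_access lines that can never match because an earlier
    line already uses the catch-all 'all' ACL (the classic misplaced allow)."""
    _, rules = parse(config_text)
    for index, (_, name) in enumerate(rules):
        if name == "all":
            return rules[index + 1:]
    return []


if __name__ == "__main__":
    for label, cfg in (("good order", GOOD_CONFIG), ("bad order", BAD_ORDER_CONFIG)):
        print(label, "internal client ->", decide(cfg, "192.168.1.10"))
        print(label, "outside client  ->", decide(cfg, "203.0.113.5"))
        print(label, "unreachable lines:", unreachable_rules(cfg))
```

With GOOD_CONFIG an internal client is allowed and an outside address is denied; with BAD_ORDER_CONFIG even the internal client is denied and the allow line is reported as unreachable. Note that a snippet with no deny line at all still denies outsiders, because the no-match default is the opposite of the last line, but relying on that is fragile: keep the explicit http_access deny all at the end.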
Optionally, in the same file, use the visible_hostname directive to define the fully qualified name of the Squid server (it appears in error pages and in the Via header that Squid adds to forwarded requests).
Optionally, to change the port on which Squid listens, modify the parameter of the http_port directive (the default is http_port 3128).
Note: if you do change the port (for example to 8080), the firewall rule below must open that port instead of 3128 and the clients must be configured accordingly.
Add the following rule to the firewall:
# iptables -I INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
Note: Restricting the rule to the internal interface (here eth0) is essential. Without it, the proxy would also accept connections on the Internet-facing interface and could be abused as an open proxy, both to relay traffic to third parties and to reach internal web resources through it. The http_access ACL above already denies foreign source addresses, but the firewall rule keeps the port unreachable from outside in the first place (defense in depth). Verify it from an external address: a connection to port 3128 on the eth1 address should be refused or time out.
Save the firewall configuration:
# service iptables save
Edit the /etc/sysctl.conf file and allow IP forwarding on the Squid server. This is only required if the server must also route traffic that does not go through the proxy: Squid itself, as an application-level proxy, works with forwarding disabled, and leaving it disabled is the simplest way to ensure that internal clients cannot bypass the proxy (and its ACLs and logs) by using the server as their default gateway. If you do enable it, restrict what may be forwarded with rules in the FORWARD chain.
net.ipv4.ip_forward = 1
Activate the change:
# sysctl -p
Activate the squid service at boot:
# chkconfig squid on
Start the squid service (the configuration can be syntax-checked beforehand with squid -k parse; the init script initializes the cache directories on the first start):
# service squid start