Chapter 15. Configuring the Squid Caching Proxy Server

Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as authentication and restricting access.

15.1. Setting up Squid as a Caching Proxy Without Authentication

This section describes a basic configuration of Squid as a caching proxy without authentication. The procedure limits access to the proxy based on IP ranges.

Prerequisites

  • The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.

Procedure

  1. Install the squid package:
    # yum install squid
  2. Edit the /etc/squid/squid.conf file:
    1. Adapt the localnet access control lists (ACL) to match the IP ranges that should be allowed to use the proxy:
      acl localnet src 192.0.2.0/24
      acl localnet 2001:db8::/32
      By default, the /etc/squid/squid.conf file contains the http_access allow localnet rule that allows using the proxy from all IP ranges specified in localnet ACLs. Note that you must specify all localnet ACLs before the http_access allow localnet rule.

      Important

      Remove all existing acl localnet entries that do not match your environment.
    2. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol:
      acl SSL_ports port 443
      If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:
      acl SSL_ports port port_number
    3. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:
      acl Safe_ports port 21
      acl Safe_ports port 80
      acl Safe_ports port 443
      By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.
    4. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter:
      cache_dir ufs /var/spool/squid 10000 16 256
      With these settings:
      • Squid uses the ufs cache type.
      • Squid stores its cache in the /var/spool/squid/ directory.
      • The cache grows up to 10000 MB.
      • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.
      • Squid creates 256 sub-directories in each level-1 directory.
      If you do not set a cache_dir directive, Squid stores the cache in memory.
  3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:
    1. Create the cache directory:
      # mkdir -p path_to_cache_directory
    2. Configure the permissions for the cache directory:
      # chown squid:squid path_to_cache_directory
    3. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory:
      # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
      # restorecon -Rv path_to_cache_directory
      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.
  4. Open the 3128 port in the firewall:
    # firewall-cmd --permanent --add-port=3128/tcp
    # firewall-cmd --reload
  5. Start the squid service:
    # systemctl start squid
  6. Enable the squid service to start automatically when the system boots:
    # systemctl enable squid

Verification Steps

To verify that the proxy works correctly, download a web page using the curl utility:
# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
If curl does not display any error and the index.html file was downloaded to the current directory, the proxy works.