Chapter 16. Configuring the Squid Caching Proxy Server
Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as authentication and restricting access.
16.1. Setting up Squid as a Caching Proxy Without Authentication
This section describes a basic configuration of Squid as a caching proxy without authentication. The procedure limits access to the proxy based on IP ranges.
- The procedure assumes that the
/etc/squid/squid.conffile is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.
- Install the squid package:
# yum install squid
- Edit the
- Adapt the
localnetaccess control lists (ACL) to match the IP ranges that should be allowed to use the proxy:
acl localnet src 192.0.2.0/24 acl localnet 2001:db8::/32By default, the
/etc/squid/squid.conffile contains the
http_access allow localnetrule that allows using the proxy from all IP ranges specified in
localnetACLs. Note that you must specify all
localnetACLs before the
http_access allow localnetrule.
ImportantRemove all existing
acl localnetentries that do not match your environment.
- The following ACL exists in the default configuration and defines
443as a port that uses the HTTPS protocol:
acl SSL_ports port 443If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:
acl SSL_ports port port_number
- Update the list of
acl Safe_portsrules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following
acl Safe_portsstatements in the configuration:
acl Safe_ports port 21 acl Safe_ports port 80 acl Safe_ports port 443By default, the configuration contains the
http_access deny !Safe_portsrule that defines access denial to ports that are not defined in
- Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the
cache_dir ufs /var/spool/squid 10000 16 256With these settings:
If you do not set a
- Squid uses the
- Squid stores its cache in the
- The cache grows up to
- Squid creates
16level-1 sub-directories in the
- Squid creates
256sub-directories in each level-1 directory.
cache_dirdirective, Squid stores the cache in memory.
- If you set a different cache directory than
- Create the cache directory:
# mkdir -p path_to_cache_directory
- Configure the permissions for the cache directory:
# chown squid:squid path_to_cache_directory
- If you run SELinux in
enforcingmode, set the
squid_cache_tcontext for the cache directory:
# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?" # restorecon -Rv path_to_cache_directoryIf the
semanageutility is not available on your system, install the policycoreutils-python-utils package.
- Open the
3128port in the firewall:
# firewall-cmd --permanent --add-port=3128/tcp # firewall-cmd --reload
- Start the
# systemctl start squid
- Enable the
squidservice to start automatically when the system boots:
# systemctl enable squid
To verify that the proxy works correctly, download a web page using the
# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
curldoes not display any error and the
index.htmlfile was downloaded to the current directory, the proxy works.