15.3. Squid configuration
Squid, adjust the directives in the configuration file.
Squidis normally configured according to the requirements of a given network using the command line and editing the
Squidconfiguration file, located at
/etc/squid/squid.conf, which contains recommended minimum configuration.
15.3.1. Basic Configuration and /etc/squid/squid.conf
Procedure 15.1. Basic configuration
- Backup the original config file.
mv /etc/squid/squid.conf /etc/squid/squid.conf.org
- Create a new
/etc/squid/squid.conffile with the following contents. Edit the Access Control List (ACL) line for mynetwork to define source network for your local network. This is the network where client systems use the
Squidserver as their proxy.
NoteThe order of the items in the
/etc/squid/squid.confconfiguration file is important as
Squidreads it from the beginning.
acl mynetwork src xxx.xxx.xxx.0/24 http_access allow mynetwork #defaults acl localnet src 10.0.0.0/8 acl localnet src 172.16.0.0/12 acl localnet src 192.168.0.0/16 acl localnet src fc00::/7 acl localnet src fe80::/10 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 21 acl Safe_ports port 443 acl Safe_ports port 70 acl Safe_ports port 210 acl Safe_ports port 1025-65535 acl Safe_ports port 280 acl Safe_ports port 488 acl Safe_ports port 591 acl Safe_ports port 777 acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localnet http_access allow localhost http_access deny all http_port 3128 hierarchy_stoplist cgi-bin ? coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
- Start the service and enable it on boot:
systemctl enable squid~]#
systemctl start squid
- If firewall is enabled, allow the
firewall-cmd --add-port=3128/tcp --permanent
- Configure your web browser to use the proxy. This depends on the browser you use and its version. For example, to configure Firefox version 46.0.0:
Procedure 15.2. Configuring Firefox with Proxy
- In the Firefox menu located in the top right corner, select, from the tabs on the left, select , and then select from the tabs located on the top bar.
- In the Connection section, open .
- In the new window that opens up, tick Manual proxy configuration and enter the proxy server that you are connecting to in the HTTP Proxy field. If you need to enter a specific port, enter it into the Port field.
/etc/squid/squid.conf, see the
15.3.2. Configuring Squid as an HTTP proxy server
Procedure 15.3. Configuring Squid as an HTTP proxy server
- Add the following lines to the top of the
/etc/squid/squid.conffile replacing the example IP address :
cache_dir ufs /var/spool/squid 500 16 256 acl my_machine src 192.0.2.21 # Replace with your IP address http_access allow my_machine
- Create cache directories using the following command:
systemctl restart squid
Squidnow starts listening on port 3128 (default) on all network interfaces on the machine.
- Configure your browser, for example Firefox, to use
Squidas an HTTP proxy server with the host as the IP address of the machine and port 3128: for details, see Procedure 15.2, “Configuring Firefox with Proxy”
184.108.40.206. Setting the HTTP Port
http_portdirective is used to specify the port where
Squidwill listen for client connections. The default behavior is to listen on port 3128 on all the available interfaces on a machine. You can force
Squidto listen on multiple interfaces and on different ports, on different interfaces.
Example 15.1. Specifying the HTTP Port
/etc/squid/squid.confand edit the respective line. In this example,
Squidis set up to listen on port 8080.
# Squid normally listens to port 3128 http_port 8080
Squidserver can listen on multiple ports at the same time.
Example 15.2. Specifying Two or More Ports
Squidlistens on both port 8080 and port 9090:
http_port 8080 http_port 9090
Squidserver to apply new settings by running:
systemctl restart squid
/etc/squid/squid.conf. Normally, this approach is used when you have multiple interfaces on the machine and want
Squidto listen only on the interface connected to a local area network (LAN).
Example 15.3. Setting IP addresses
Squidto listen on port 3128 on the interface with the IP address 192.0.2.25:
http_portby using host name and port combination. The host name will be translated to an IP address by
Squid, which will then listen on port 8080 on that particular IP address.
http_portdirective is that it can take multiple values on separate lines. The following lines will trigger
Squidto listen on three different IP addresses and port combinations. This is generally helpful when you have clients in different LANs, which are configured to use different ports for the proxy server. Edit the
/etc/squid/squid.conffile as follows:
http_port 192.0.2.25:8080 http_port lan1.example.com:3128 http_port lan2.example.com:8081
220.127.116.11. ACLs and HTTP access control
http_access, to control access to various
Squidcomponents and web resources.
Example 15.4. Constructing an ACL for a Domain Name
acl example_site dstdomain example.com
dstdomain, which specifies that the value (the website) is a domain name.
acl FB dstdomain facebook.com
- Write values on a single line:
acl example_sites dstdomain example.com example.net example.org
- Write values on multiple lines in case the list of values grows significantly:
acl example_sites dstdomain example.com example.net acl example_sites dstdomain example.org
- You can put the values in a dedicated file and then instruct
Squidto read the values from that file:
acl example_sites dstdomain '/etc/squid/example_sites.txt'The content of
/etc/squid/example_sites.txtlooks as follows:
# Write one value (domain name) per line example.net example.org # Temporarily remove example.org from example_sites acl example.com
http_accessis one such directive which is used to grant access to perform HTTP transactions through
Controlling HTTP access using ACLs
/etc/squid/squid.conffile, edit the
http_accessdirective, where ACL_NAME signifies the requests for which the access must be granted or revoked:
http_access allow|deny [!]ACL_NAME
Example 15.5. Allowing or denying Access to Clients
http_access allow localhost
http_access deny localhost
http_access deny !Safe_ports