12.3. Squid configuration

To configure Squid, adjust the directives in its configuration file, /etc/squid/squid.conf. Squid is normally configured to the requirements of a given network from the command line, by editing this file; the installed file contains a recommended minimum configuration.

12.3.1. Basic Configuration and /etc/squid/squid.conf

Procedure 12.1. Basic configuration

  1. Back up the original configuration file:
    mv /etc/squid/squid.conf /etc/squid/squid.conf.org
  2. Create a new /etc/squid/squid.conf file with the following contents. Edit the Access Control List (ACL) line for mynetwork to define the source network of your local network, that is, the network whose client systems use the Squid server as their proxy.

    Note

    The order of the items in the /etc/squid/squid.conf configuration file is important as Squid reads it from the beginning.
    acl mynetwork src xxx.xxx.xxx.0/24
    http_access allow mynetwork
    
    #defaults
    acl localnet src 10.0.0.0/8
    acl localnet src 172.16.0.0/12
    acl localnet src 192.168.0.0/16
    acl localnet src fc00::/7
    acl localnet src fe80::/10
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp:       1440    20% 10080
    refresh_pattern ^gopher:    1440    0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
    refresh_pattern .       0   20% 4320
  3. Start the service and enable it on boot:
    ~]#  systemctl enable squid
    ~]#  systemctl start squid
  4. If the firewall is enabled, allow the Squid port:
    ~]#  firewall-cmd --add-port=3128/tcp --permanent
  5. Configure your web browser to use the proxy. This depends on the browser you use and its version. For example, to configure Firefox version 46.0.0:

    Procedure 12.2. Configuring Firefox with Proxy

    1. In the Firefox menu located in the top right corner, select Preferences, from the tabs on the left, select Advanced, and then select Network from the tabs located on the top bar.
    2. In the Connection section, open Settings.
    3. In the new window that opens up, tick Manual proxy configuration and enter the proxy server that you are connecting to in the HTTP Proxy field. If you need to enter a specific port, enter it into the Port field.
For more information on /etc/squid/squid.conf, see the squid(8) man page.

12.3.2. Configuring Squid as an HTTP proxy server

Procedure 12.3. Configuring Squid as an HTTP proxy server

  1. Add the following lines to the top of the /etc/squid/squid.conf file, replacing the example IP address:
    cache_dir ufs /var/spool/squid 500 16 256
    acl my_machine src 192.0.2.21 # Replace with your IP address
    http_access allow my_machine
  2. Create cache directories using the following command:
    ~]# systemctl restart squid
    Squid now listens on port 3128 (the default) on all network interfaces of the machine.
  3. Configure your browser, for example Firefox, to use Squid as an HTTP proxy server with the host set to the IP address of the machine and the port set to 3128; for details, see Procedure 12.2, “Configuring Firefox with Proxy”.

12.3.2.1. Setting the HTTP Port

The http_port directive specifies the port on which Squid listens for client connections. The default behavior is to listen on port 3128 on all available interfaces of the machine. You can also make Squid listen on several ports, on specific interfaces only, or on different ports on different interfaces.

Example 12.1. Specifying the HTTP Port

Open /etc/squid/squid.conf and edit the respective line. In this example, Squid is set up to listen on port 8080.
# Squid normally listens to port 3128
http_port 8080
The Squid server can listen on multiple ports at the same time.

Example 12.2. Specifying Two or More Ports

With the following setting, Squid listens on both port 8080 and port 9090:
http_port 8080 9090

Note

Do not forget to restart the Squid server to apply the new settings by running:
~]# systemctl restart squid
You can also specify the IP address and port combination in /etc/squid/squid.conf. Normally, this approach is used when you have multiple interfaces on the machine and want Squid to listen only on the interface connected to a local area network (LAN).

Example 12.3. Setting IP addresses

The following setting instructs Squid to listen on port 3128 on the interface with the IP address 192.0.2.25:
http_port 192.0.2.25:3128
In addition, you can specify http_port by using host name and port combination. The host name will be translated to an IP address by Squid, which will then listen on port 8080 on that particular IP address.
http_port myproxy.example.com:8080
The http_port directive can also be given several times, on separate lines. The following lines make Squid listen on three different IP address and port combinations. This is generally helpful when you have clients in different LANs that are configured to use different ports for the proxy server. Edit the /etc/squid/squid.conf file as follows:
http_port 192.0.2.25:8080
http_port lan1.example.com:3128
http_port lan2.example.com:8081

12.3.2.2. ACLs and HTTP access control

Access Control Lists (ACLs) are the base elements for access control and are normally used in combination with other directives, such as http_access, to control access to various Squid components and web resources.

Example 12.4. Constructing an ACL for a Domain Name

This example shows how to adapt the following general form of the directive:
acl example_site dstdomain example.com
Name the ACL by replacing example_site with a name of your choice. The type used here is dstdomain, which specifies that the value (the website) is a domain name. For example:
acl FB dstdomain facebook.com
If you need to construct an ACL covering a number of websites, you can:
  • Write values on a single line:
    acl example_sites dstdomain example.com example.net example.org
  • Write values on multiple lines in case the list of values grows significantly:
    acl example_sites dstdomain example.com example.net
    acl example_sites dstdomain example.org
  • Put the values in a dedicated file and instruct Squid to read them from that file (the file name must be enclosed in double quotes):
    acl example_sites dstdomain "/etc/squid/example_sites.txt"
    The content of /etc/squid/example_sites.txt looks as follows:
    # Write one value (domain name) per line
    example.net
    #example.org # Temporarily remove example.org from the example_sites ACL
    example.com

Important

ACLs must be combined with access control directives to allow or deny access to various resources. http_access is one such directive; it is used to grant or refuse permission to perform HTTP transactions through Squid.

Controlling HTTP access using ACLs

To allow or deny access to clients, you need to combine ACLs with the http_access directive.
In the /etc/squid/squid.conf file, edit the http_access directive, where ACL_NAME names the ACL that selects the requests for which access is granted or revoked:
http_access allow|deny [!]ACL_NAME

Example 12.5. Allowing or Denying Access to Clients

The following configuration setting grants access to localhost:
http_access allow localhost
This configuration denies access to localhost:
http_access deny localhost
An ACL name can be prefixed with an exclamation mark, which negates the ACL (the rule then applies to requests that do not match it); in such cases, include the mark as well:
http_access deny !Safe_ports
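The following Python script is an added example, not part of this guide or of Squid itself. It models how Squid evaluates http_access lines first-match, top to bottom, against a subset of the ACLs from Procedure 12.1 (the manager lines are omitted because the model does not parse URLs), and adds a constructed dstdomain rule for .example.org placed before allow localnet. It shows why the Note in Procedure 12.1 says order matters: the same deny line placed after allow localnet never applies to LAN clients. ACL semantics are simplified (src by CIDR, port by value or range, method by exact name, dstdomain by exact name or, with a leading dot, any subdomain); the built-in all and localhost ACLs are predefined as Squid does.

```python
import ipaddress
CONFIG = """
acl localnet src 10.0.0.0/8 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl example_sites dstdomain .example.org
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny example_sites
http_access allow localnet
http_access allow localhost
http_access deny all
""".strip().splitlines()

def parse_acls(lines):
    """Collect 'acl NAME TYPE values...' lines (repeated names accumulate)."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"]),      # predefined by Squid
            "localhost": ("src", ["127.0.0.1/32", "::1/128"])}
    for line in lines:
        parts = line.split("#", 1)[0].split()          # drop trailing comments
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def acl_matches(kind, values, req):
    if kind == "src":
        return any(req["src"] in ipaddress.ip_network(v) for v in values)
    if kind == "port":      # single ports or lo-hi ranges, as in Safe_ports
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":  # exact name; a leading dot also matches subdomains
        return any(req["host"] == v.lstrip(".") or
                   (v.startswith(".") and req["host"].endswith(v)) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(config, src, method, host, port):
    """First matching http_access line wins ('!' negates a term); no match inverts the last action."""
    acls = parse_acls(config)
    req = {"src": ipaddress.ip_address(src), "method": method,
           "host": host.lower(), "port": port}
    action = "deny"
    for parts in (l.split() for l in config if l.startswith("http_access")):
        action = parts[1]
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!")
               for t in parts[2:]):
            return action
    return "allow" if action == "deny" else "deny"
```

For example, a LAN client's CONNECT to port 8443 is refused by deny CONNECT !SSL_ports even though 8443 is within Safe_ports, while the same CONNECT to port 443 is allowed.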