Squid is a caching proxy for the Web supporting HTTP, HTTPS and FTP. It can be used to protect internal LANs from questionable servers and provide accounting of where clients go and what servers clients are allowed to go to.
Squid allows you to enforce policies for your users. If you have a policy stating that no one can access CNN unless it is lunch time, between 12 noon and 2pm, then you have that control. If you need to block MySpace or YouTube, or if you only allow the latest version of Firefox outside your network, you have that ability. Squid also allows one to limit the headers a client can send and receive. If you want to block clients from logging into, but still allow them to look at, external sites like Gmail, then filtering the "Authorization" header will do it.
If you are a parent and need to filter web access at home then Squid is the perfect tool. It can run on a separate machine inaccessible to children, thus securing it from tampering. You can set up search parameters that stop pages from loading if certain words are found on the remote page. Pages can be blocked by URL or IP address and you can even set up the times your children can access the web. Squid gives you the ability to enforce the rules you set down for your home network. As an added bonus Squid will keep logs of every URL, search query and server your network accesses for future review.
The best part is Squid is Open Source and completely free.
This squid proxy configuration is set up to be a non-caching secure proxy for HTTP and HTTPS only. This machine is accessing a low latency, high speed and un-metered Internet connection. Since our example network has unlimited bandwidth and it is fast, we are _not_ going to use caching. This config only allows access from the internal LAN (10.10.10/28), applies short timeouts for connections and enables the calomel.org "anti-ad server" modification. To protect our internal browsers squid will deny all headers except those specifically listed and rewrite the Accept and User-Agent headers, anonymizing our browsers.
Below you will find the link to the squid.conf example file and below that is the same squid.conf file in a text box. Both formats are available to make it easier for you to review the code. This squid.conf is a fully working config file with the exception of setting up a few variables for your environment.
You can download the Squid squid.conf here by doing a "save as" or just clicking on the link and choosing download. Before using the config file take a look at it below or download it and look at the options. Calomel.org Squid squid.conf
# ### Calomel.org Squid squid.conf
# ########### squid.conf ###########
#
## interface, port and proxy type
#http_port 10.10.10.1:8080 transparent
http_port 10.10.10.1:8080

## general options
cache_mgr not_to_be_disturbed
client_db on
collapsed_forwarding on
detect_broken_pconn on
dns_defnames on
dns_retransmit_interval 2 seconds
dns_timeout 5 minutes
forwarded_for off
half_closed_clients off
httpd_suppress_version_string on
ignore_unknown_nameservers on
pipeline_prefetch on
retry_on_error on
strip_query_terms off
uri_whitespace strip
visible_hostname localhost

## timeouts
forward_timeout 30 seconds
connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 30 seconds
persistent_request_timeout 1 minute
client_lifetime 20 hours

## host definitions
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

## proxy server client access
acl mynetworks src 127.0.0.0/8 10.10.10.0/28
http_access deny !mynetworks

## max connections per ip (same LAN range as mynetworks)
acl maxuserconn src 127.0.0.0/8 10.10.10.0/28
acl limitusercon maxconn 500
http_access deny maxuserconn limitusercon

## disable caching
cache deny all
cache_dir null /tmp

## disable multicast icp
icp_port 0
icp_access deny all

## disable ident lookups
ident_lookup_access deny all

## no-trust for on-the-fly Content-Encoding
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

## logs
logformat combined [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
logfile_rotate 8

## support files
coredump_dir /tmp
pid_filename /var/log/squid/squid.pid

## ports allowed
acl Safe_ports port 80 443
http_access deny !Safe_ports

## ssl ports/method allowed
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

## protocols allowed
acl Safe_proto proto HTTP SSL
http_access deny !Safe_proto

## browsers allowed
# acl Safe_browser browser ^Mozilla/5\.0.*Firefox/2\.0\.0\.6
# http_access deny !Safe_browser

## disable ads ( //squid_adservers.html )
# acl ads dstdom_regex "/etc/squid/ad_block.txt"
# http_access deny ads
# deny_info TCP_RESET ads

## Banned Sites
# acl Bad_Site dstdom_regex myspace.com youtube.com facebook.com
# http_access deny Bad_Site

## redirector
# acl my_url dstdomain SITE_NAME.COM
# redirector_access allow my_url
# redirect_children 1
# redirect_rewrites_host_header off
# redirect_program /etc/squid/squid_redirector.pl

## methods allowed
## (no http_access line matches a request that passes every deny above;
## squid then applies the opposite of the last http_access line, i.e. allow)
acl Safe_method method CONNECT GET HEAD POST
http_access deny !Safe_method

## allow replies to client requests
http_reply_access allow all

## header re-write
# header_replace Accept */*
# header_replace Accept-Encoding gzip
# header_replace Accept-Language en
header_replace User-Agent OurBrowser/1.0 (Some Name)

## header list ( DENY all -> ALLOW listed )
header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Disposition allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Location allow all
header_access Content-Range allow all
header_access Content-Type allow all
header_access Cookie allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Location allow all
header_access Range allow all
header_access Referer allow all
header_access Set-Cookie allow all
header_access WWW-Authenticate allow all
header_access All deny all

########## END ###########
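The "combined" logformat in the config above is what ends up in /var/log/squid/access.log, and reviewing it is how you check that the ACLs are doing what you intended. The following Python is an added example, not code from calomel.org or from Squid: it parses that exact logformat on a few constructed sample lines and reports which clients were denied (TCP_DENIED) and any CONNECT attempts to a port other than 443, the only port in the SSL_ports acl. The field names in the regex are my own.

```python
import re
from collections import Counter

# Regex for the page's logformat:
#   [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<host>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>[A-Z_]+):(?P<hierarchy>\S+)$'
)

# Constructed sample log lines (not real traffic) in the format above.
SAMPLE_LOG = """\
[12/Mar/2008:12:31:02 -0500] 10.10.10.5 www.example.com "GET http://www.example.com/ HTTP/1.1" 200 5123 "-" "OurBrowser/1.0 (Some Name)" TCP_MISS:DIRECT
[12/Mar/2008:12:31:09 -0500] 10.10.10.5 mail.example.com "CONNECT mail.example.com:443 HTTP/1.1" 200 0 "-" "OurBrowser/1.0 (Some Name)" TCP_MISS:DIRECT
[12/Mar/2008:12:32:40 -0500] 10.10.10.7 shell.example.net "CONNECT shell.example.net:22 HTTP/1.1" 403 1423 "-" "OurBrowser/1.0 (Some Name)" TCP_DENIED:NONE
[12/Mar/2008:12:33:01 -0500] 10.10.10.9 www.myspace.com "GET http://www.myspace.com/ HTTP/1.1" 403 1380 "-" "OurBrowser/1.0 (Some Name)" TCP_DENIED:NONE
[12/Mar/2008:12:33:15 -0500] 10.10.10.9 www.example.org "GET http://www.example.org:8080/admin HTTP/1.1" 403 1380 "-" "OurBrowser/1.0 (Some Name)" TCP_DENIED:NONE
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def review(log_text):
    """Count denials per client and list CONNECT requests to ports outside SSL_ports (443)."""
    denied = Counter()
    odd_connect = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # unparseable line: skip rather than crash the review
            continue
        if rec["squid_status"] == "TCP_DENIED":
            denied[rec["client"]] += 1
        if rec["method"] == "CONNECT":
            # CONNECT targets are written as host:port in %ru
            host, _, port = rec["url"].rpartition(":")
            if port != "443":
                odd_connect.append((rec["client"], host, port))
    return {"denied": dict(denied), "odd_connect": odd_connect}


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```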
The following instructions will allow you to get squid installed and working with the squid.conf config file listed above. Since entire books are written about squid we can not go into the definitions of all of the directives in the config file. Once you get squid working check at the bottom of the page for links to the squid directives definitions page.
Step 1: To get started you need to install Squid. Most operating systems have packages (rpm, deb, pkg) for Squid and you can also build it from source (squid-cache.org).
Step 2: Once squid is installed, download the squid.conf config file from above and place it in your squid config directory. This is usually found in /etc/squid/ on most OS distributions.
Step 3: Now, we need to edit the squid.conf file and make changes reflecting your environment.
"interface, port and proxy type" : We need to set the IP and port the squid daemon is going to listen on. In our example we listen on 10.10.10.1 port 8080, as that is the interface on the internal network facing our client machines.
"Access Control List" : Next edit the area called "proxy server client access" and look for the directive "acl mynetworks src". This is the access control list (acl) of networks or individual IPs that can access squid. You need to put in the network IPs of your LAN. For example, most internal networks are set up with the IPs 192.168.0.0 to 192.168.0.254. Then you would make sure the line reads "acl mynetworks src 127.0.0.0/8 192.168.0/24".
"The logs" : The log files are going to be placed in /var/log/squid/ and we need to make that directory and make it owned by the squid user. Use "mkdir -p /var/log/squid/" and "chown _squid:_squid /var/log/squid/" for OpenBSD Squid from packages.
Optional: Redirector : A redirector is a program squid will call to do a job. You can use a redirector for many purposes like blocking and redirecting URLs. In this example we are going to have squid pass URLs to the following Perl script to re-write the URL "SITE_NAME.COM" to "localhost:8080". If you run squid on the same machine as a webserver, then you may want to use this method.
The client browser will use the URL SITE_NAME.com and the requests will actually go to the webserver running on localhost port 8080. Notice that we have added an ACL so that only URLs with the destination domain of SITE_NAME.COM use the redirector, to reduce congestion and keep squid fast. Squid will also not touch the "Host" header (redirect_rewrites_host_header off). This means that clients will actually still see the URL name "SITE_NAME.COM" in the URL field even though they are getting the data from "localhost port 8080".
You are welcome to cut/paste the following Perl code. This script is called squid_redirector.pl and is placed in /etc/squid/ according to our example.
#!/usr/bin/perl -p
# squid feeds the redirector one request per line ("URL client/fqdn ident method");
# output must be unbuffered or squid will wait forever for the reply.
BEGIN { $|=1 }
# rewrite the site name to the local webserver; -p prints each (rewritten) line back to squid
s|http://SITE_NAME.COM|http://localhost:8080|;
The Headers : Finally, at the bottom of the config file are the headers squid will allow through to the Internet from the clients. At the end of the instructions you can find an explanation of each of the headers used and why you would want to use them.
The last task is to tell machines on the inside of the LAN that squid is available and ready for use. In our example above our proxy server could be found at "10.10.10.1:8080" so we are going to enter this into our browser's proxy config page. On most browsers there is a menu for setting up access to a proxy server. The problem is that every browser is different and we can not cover the setup procedures of every browser. The easiest way to find instructions for your browser is to search on Google for the words "proxy server" and the name of your browser. For example, if we were using Firefox we would search for the string "proxy server firefox".