Squid is a proxy that is easy to install and configure; even for non-Linux users and admins the configuration is straightforward. This example was done on CentOS Linux 8 with Squid 4.4.
The first step is to install CentOS; the latest ISO is available here:
After you have installed and configured Linux, the first thing to do is update the OS.
You can list all pending updates with this command (on CentOS 8, yum is a compatibility wrapper around dnf, so either name works):
sudo yum check-update
After reviewing the list, you can install all updates with this command:
sudo yum update -y
Now we add the EPEL repository, update the packages again and clean the package cache:
sudo yum -y install epel-release
sudo yum -y update
sudo yum clean all
All updates are now installed, and we can install Squid:
sudo yum -y install squid
To start Squid now and make sure it starts automatically at boot, run these commands:
sudo systemctl start squid
sudo systemctl enable squid
We can verify the Squid status with:
sudo systemctl status squid
Change the configuration file
Squid is configured through a single config file; there is no web interface, but that is no big issue. Adding the whitelist ACL and the whitelisted websites is quite easy and straightforward.
First we need to open the configuration file:
sudo nano /etc/squid/squid.conf
Now we can change the configuration. The full file used in this example (the shipped default configuration plus the whitelist rules) looks like this:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

acl whitelist dstdomain .qwant.com .cn137.awmdm.com .ds137.awmdm.com .rmstage01.awmdm.com .vidmpreview.com .awcm137.awmdm.com .entrust.net .godaddy.com .modernmanagement.works .cloudfront.net .windowsupdate.com .vmwservices.com
http_access allow whitelist

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
The important parts are the following:
- acl whitelist dstdomain
Defines the list of allowed destination domains. A leading dot, as in ".qwant.com", matches qwant.com itself and every subdomain (www.qwant.com, api.qwant.com, and so on); a name without the leading dot matches only that exact host. HTTPS sites are matched on the host named in the client's CONNECT request, so they need to be listed here just like plain HTTP sites.
- http_access allow whitelist
Allows every request whose destination matches the ACL named "whitelist". Note that this rule carries no source restriction: with the localnet rule left commented out, any client that can reach port 3128 may use the proxy for the whitelisted domains. If the proxy is reachable from networks you do not trust, combine the localnet ACL with the whitelist ACL on the same http_access line so both must match.
- http_access deny all
Denies everything that was not allowed earlier. Squid evaluates http_access rules top to bottom and the first match wins, so this must stay the last rule; anything placed after it is never reached.
If clients need to reach HTTPS services on a port other than 443, or plain HTTP on a port not covered by "Safe_ports", you need to add those ports to the "SSL_ports" and "Safe_ports" ACLs, since the deny rules for those ACLs are evaluated before the whitelist.
After you have modified the configuration file, you need to restart the service so the new configuration gets loaded. Squid refuses to start on a syntax error, so check the service status again afterwards.
sudo systemctl restart squid
To test the connection from a client, run the following command, filling in the proxy's IP address before :3128 in the -x argument. A whitelisted domain such as qwant.com should return its page (or a redirect that curl follows because of -L); a domain that is not on the whitelist should come back as a 403 "Access Denied" error page generated by Squid itself:
curl -x http://:3128 -L http://qwant.com
CentOS Firewall configuration
Before clients can use the proxy, you need to open the port in the CentOS firewall (firewalld):
First check which firewalld zone the client-facing interface belongs to:
Squid listens on port 3128 by default, so if you changed http_port, change it in the following command as well. Open the port only in the zone your clients connect through; opening it in "public" on an internet-facing interface makes the proxy reachable from anywhere.
sudo firewall-cmd --permanent --zone=public --add-port=3128/tcp
The rule is added with --permanent, so it only becomes active once firewalld is reloaded; after that the configuration is complete. To review the traffic live, follow Squid's access log on the server:
sudo tail -f /var/log/squid/access.log
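As an added example (not from the original post, and not part of Squid itself), here is a small shell script that ties the whitelist, the curl test and the firewall step together. Its first function reproduces the matching rule of a Squid dstdomain ACL, so you can check whether a hostname would be allowed by a whitelist before touching the running proxy; this also shows the common mistake of listing a domain without the leading dot, which then fails to match its www subdomain. The remaining functions validate the config with squid -k parse, reload the service, confirm an allowed and a denied domain through the proxy, and open the port with a reload. It assumes the whitelist has been moved into a file (one pattern per line) referenced from squid.conf as acl whitelist dstdomain "/etc/squid/whitelist.txt", a form Squid supports; the file path, the PROXY_HOST variable and the domain example.com used as the denied probe are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: whitelist file path,
# PROXY_HOST/PROXY_PORT, and example.com as a domain that is NOT whitelisted.
WHITELIST="${WHITELIST:-/etc/squid/whitelist.txt}"
PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Reproduces Squid dstdomain matching:
#   ".qwant.com" matches qwant.com and every subdomain (www.qwant.com, ...)
#   "qwant.com"  matches only that exact name
# Matching is case-insensitive; a trailing dot on the host is ignored.
# Usage: matches_dstdomain HOST PATTERN...   (returns 0 on match, 1 otherwise)
matches_dstdomain() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=${host%.}
  shift
  for pat in "$@"; do
    pat=$(printf '%s' "$pat" | tr 'A-Z' 'a-z')
    case $pat in
      .*)
        [ "$host" = "${pat#.}" ] && return 0      # the bare domain itself
        case $host in *"$pat") return 0 ;; esac    # any subdomain of it
        ;;
      *)
        [ "$host" = "$pat" ] && return 0           # exact match only
        ;;
    esac
  done
  return 1
}

# Check HOST against a whitelist file: one pattern per line, '#' comments and
# blank lines allowed. Usage: host_allowed HOST [FILE]
host_allowed() {
  h=$1; file=${2:-$WHITELIST}
  set -- $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")
  matches_dstdomain "$h" "$@"
}

# Validate squid.conf first; only reload the running proxy if it parses.
deploy_whitelist() {
  sudo squid -k parse || { echo "squid.conf has errors, not reloading" >&2; return 1; }
  sudo systemctl reload squid
}

# Fetch a URL through the proxy and print only the final HTTP status code.
proxy_status() {
  curl -s -o /dev/null -w '%{http_code}' -x "http://$PROXY_HOST:$PROXY_PORT" -L "$1"
}

# A whitelisted domain must come back 2xx/3xx; a non-whitelisted one must be
# refused by Squid itself with 403 (ERR_ACCESS_DENIED), not just time out.
smoke_test() {
  allowed=$(proxy_status http://qwant.com/)
  denied=$(proxy_status http://example.com/)
  echo "qwant.com via proxy:   $allowed (expect 2xx/3xx)"
  echo "example.com via proxy: $denied (expect 403)"
  [ "$denied" = 403 ] && [ "${allowed%??}" != 4 ] && [ "${allowed%??}" != 5 ]
}

# Open the proxy port in the given zone (default zone if none given) and
# reload firewalld, because a --permanent rule is inactive until then.
open_firewall() {
  zone=${1:-$(sudo firewall-cmd --get-default-zone)}
  sudo firewall-cmd --permanent --zone="$zone" --add-port="$PROXY_PORT/tcp"
  sudo firewall-cmd --reload
  sudo firewall-cmd --zone="$zone" --list-ports
}

case ${1:-} in
  check)    shift; host_allowed "$@" && echo allowed || echo denied ;;
  deploy)   deploy_whitelist && smoke_test ;;
  firewall) open_firewall "$2" ;;
esac
```

Run it as `sh squid-whitelist.sh check www.qwant.com` to dry-run a hostname against the file, `sh squid-whitelist.sh deploy` after editing the whitelist, and `sh squid-whitelist.sh firewall internal` (or whichever zone your clients are in) once. The denied probe in smoke_test is the check that matters most: a proxy that returns anything other than 403 for a domain outside the whitelist is not enforcing the policy, typically because an http_access allow rule was placed before the whitelist rules or the deny all line was dropped.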