Squid is a proxy that is easy to install and configure; even for people who are not Linux users or admins, the configuration is quite simple. This example was done on CentOS Linux 8 with Squid 4.4.

The first step is to install CentOS; you can get the ISO here:
https://www.centos.org/centos-linux/

After you have installed and configured the Linux system, the first thing to do is update the OS.

You can list the available updates with this command:

sudo yum check-update

After reviewing them, install all updates with this command:

sudo yum update -y

Now we add the epel-release repository and update the packages again:

sudo yum -y install epel-release
sudo yum -y update
sudo yum clean all

All updates are installed, and we can now install Squid:

sudo yum -y install squid

To make sure Squid is running and starts automatically at boot, use these commands:

sudo systemctl start squid
sudo systemctl enable squid

We can verify the Squid status with:

sudo systemctl status squid

Change the configuration file

Squid is configured through a config file; there is no web interface, but that is no big issue. Adding the whitelisting rules and the whitelisted websites is straightforward.
First we need to open the configuration file:

sudo nano /etc/squid/squid.conf

Now we can change the configuration. The relevant part of the file used in this example looks like this:

#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

acl whitelist dstdomain .qwant.com .cn137.awmdm.com .ds137.awmdm.com .rmstage01.awmdm.com .vidmpreview.com .awcm137.awmdm.com .entrust.net .godaddy.com .modernmanagement.works .cloudfront.net .windowsupdate.com .vmwservices.com

http_access allow whitelist

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

The important parts are the following:

  • acl whitelist dstdomain
    Defines the list of allowed destination domains. A leading dot, as in “.qwant.com”, matches qwant.com itself and all of its subdomains; an entry without the leading dot matches only that exact host name.
  • http_access allow whitelist
    Allows requests to the domains in the ACL named “whitelist”. Note that this line has no source restriction: because the “http_access allow localnet” line is commented out, any client that can reach port 3128 can use the proxy for the whitelisted domains. To limit the proxy to your own networks, use “http_access allow localnet whitelist” instead (all ACLs on one http_access line must match).
  • http_access deny all
    Denies every other request that was not matched by an earlier rule.

Squid evaluates the http_access lines from top to bottom and the first matching line decides, so the whitelist rule has to stay above the “deny all” line. If you need additional SSL ports or other ports, add them to the “SSL_ports” or “Safe_ports” ACLs.
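To see how Squid applies these rules, here is an added example (my own Python model, not Squid's code or anything from the original post) that evaluates a request against the http_access lines with Squid's first-match semantics. It embeds a subset of the configuration above as constructed input and models only the ACL types that configuration uses (src, port, method, dstdomain); the “restricted” variant with “http_access allow localnet whitelist” and the sample client addresses are hypothetical.

```python
"""Added example: a small model of how Squid evaluates http_access rules.
Not Squid's code; it reimplements first-match semantics for src, port,
method and dstdomain ACLs so the rule ordering can be checked offline."""
import ipaddress
from dataclasses import dataclass

# Subset of the page's squid.conf, embedded as constructed input. The
# built-in "localhost"/"manager"/"to_localhost" ACLs are left out of the model.
PAGE_CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl whitelist dstdomain .qwant.com .windowsupdate.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny all
"""

# Hypothetical hardened variant: the allow line is also tied to localnet.
RESTRICTED_CONF = PAGE_CONF.replace(
    "http_access allow whitelist", "http_access allow localnet whitelist")


@dataclass
class Request:
    client: str   # source IP of the proxy client
    method: str   # GET, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [terms]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acl_type, values = words[1], words[2], words[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)  # repeated lines extend
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl_type, values, req):
    """Matching rules for the ACL types used in the page's config."""
    if acl_type == "src":
        ip = ipaddress.ip_address(req.client)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:                  # "443" or a range like "1025-65535"
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acl_type == "dstdomain":
        host = req.host.lower().rstrip(".")
        for v in values:
            v = v.lower()
            if v.startswith("."):
                # ".qwant.com" matches qwant.com and subdomains, not notqwant.com
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:               # no leading dot: exact host only
                return True
        return False
    raise ValueError(f"unsupported acl type {acl_type}")


def term_matches(acls, term, req):
    """One http_access term: an ACL name, optionally negated with '!'."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    hit = True if name == "all" else acl_matches(*acls[name], req)
    return hit != negate


def decide(conf_text, req):
    """Walk the http_access lines top-down; the first line whose terms all
    match (terms are ANDed) decides. Returns (action, matching line or None)."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(term_matches(acls, t, req) for t in terms):
            return action, " ".join(["http_access", action, *terms])
    # Squid's documented fallback when no line matches: opposite of the last action
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    req = Request("203.0.113.5", "GET", "www.qwant.com", 80)  # client outside localnet
    print("page:", decide(PAGE_CONF, req), "restricted:", decide(RESTRICTED_CONF, req))
```

Running it shows the point made above: with the page's rules a client outside localnet is still allowed to reach the whitelisted domains, while the restricted variant answers “deny all” for it; a CONNECT to a non-443 port is stopped by the “deny CONNECT !SSL_ports” line before the whitelist is ever consulted.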
After modifying the configuration file, you need to restart the service so the new configuration is loaded. Squid can check the file for syntax errors beforehand with “sudo squid -k parse”, which is worth doing before a restart on a proxy that is already in use.

sudo systemctl restart squid

To test the connection, run the following command from a client, replacing <proxy-ip> with the address of the Squid server:

curl -x http://<proxy-ip>:3128 -L http://qwant.com

A request for a domain that is not on the whitelist, for example http://example.org, should be answered by Squid with an HTTP 403 error page instead of the site.

CentOS Firewall configuration

Before clients can use the proxy, you need to open the port in the CentOS firewall (firewalld):

First check which zone your interface is in:

firewall-cmd --list-all

The Squid default proxy port is 3128; if you changed it, change it in the following commands as well. The --permanent flag only writes the rule to disk, so reload firewalld afterwards to activate it:

sudo firewall-cmd --permanent --zone=public --add-port=3128/tcp
sudo firewall-cmd --reload

The configuration is now finished. To review the traffic live, follow Squid's access log on the server:

sudo tail -f /var/log/squid/access.log
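Squid's native access.log records, per request, the client address, the result code and the requested URL; requests blocked by http_access show up as TCP_DENIED/403. The following added example (my own code, not part of the original post) parses a few constructed log lines in that format and summarises which destinations each client was denied, which is a quick way to find domains that still need whitelisting and to spot clients outside your networks using the proxy. The log lines, client addresses and upstream addresses are made up.

```python
"""Added example: summarise Squid's native access.log to find what the
whitelist blocked. Not part of the page; the log lines below are constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1612345678.123    120 192.168.1.10 TCP_MISS/200 1234 GET http://www.qwant.com/ - HIER_DIRECT/198.51.100.7 text/html
1612345678.456      0 192.168.1.10 TCP_DENIED/403 3879 GET http://example.org/ - HIER_NONE/- text/html
1612345679.000   5000 192.168.1.10 TCP_TUNNEL/200 54321 CONNECT www.qwant.com:443 - HIER_DIRECT/198.51.100.7 -
1612345680.001      0 192.168.1.11 TCP_DENIED/403 3880 CONNECT login.example.net:443 - HIER_NONE/- text/html
1612345680.500      0 203.0.113.5 TCP_DENIED/403 3870 GET http://www.qwant.com:22/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return the fields we care about from one native-format line, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, status = fields[3].split("/", 1)
    method, url = fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT requests are logged as host:port rather than as a URL
        host, _, port = url.rpartition(":")
    else:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port or 80
    return {"client": fields[2], "code": code, "status": int(status),
            "method": method, "host": host, "port": int(port)}


def summarize(log_text):
    """Per client: how many requests were served and which host:port
    destinations were denied (TCP_DENIED is what http_access deny produces)."""
    served = Counter()
    denied = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"].startswith("TCP_DENIED"):
            denied[rec["client"]][f'{rec["host"]}:{rec["port"]}'] += 1
        else:
            served[rec["client"]] += 1
    return served, dict(denied)


def whitelist_candidates(denied):
    """Sorted, de-duplicated host names seen in denied requests; review these
    before adding any of them to the dstdomain ACL."""
    return sorted({dest.rsplit(":", 1)[0] for c in denied.values() for dest in c})


if __name__ == "__main__":
    served, denied = summarize(SAMPLE_LOG)
    for client in sorted(set(served) | set(denied)):
        print(client, "served:", served[client], "denied:", dict(denied.get(client, {})))
    print("candidates:", whitelist_candidates(denied))
```

In the sample, 203.0.113.5 is a client from outside the internal networks that never got a request served but was still able to talk to the proxy; with the unrestricted “http_access allow whitelist” line it would have succeeded had it asked for a whitelisted host on a safe port, which is the kind of thing this summary makes visible.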