Nutshell

Step by Step: Set Up and Configure the Squid Proxy Server on Fedora Core.

Monday

The main purpose of a proxy server is to share one internet connection and to maintain a cache that improves web browsing performance. Squid is a free caching proxy server bundled with the Fedora Core operating system; with a simple configuration you can turn your Linux Fedora Core PC into a cache proxy server and share its internet connection.

   The article below shows, step by step and with screenshots and a SQUID configuration example, how to set up and configure the SQUID proxy server on Fedora Core.

Network configuration scenario:


Configure the Squid proxy server so that local network clients can access the internet.
The server has two network cards, one with an internal IP address and one with an external IP address.
Configure the Squid cache proxy to listen for proxy requests from the different network clients on the internal IP address.
Configure the Squid cache proxy server to listen for requests only on the specific IP address 10.2.0.5 (the internal network card) on port 8080.

The steps to set up and configure the Squid cache proxy on Linux Fedora Core:


1.  Back up the Squid configuration files.
2.  Open and start editing the Squid configuration file.
3.  Configure the internal address and port where Squid will listen for HTTP client requests.
4.  Improve proxy performance.
5.  Set the proxy's DNS servers.
6.  Add auxiliary ports to the ACL.
7.  Add the internal network to the ACL.
8.  Start and use the Squid proxy for the first time.
9.  Procedure to start, stop and automatically start the Squid proxy on a Fedora Core system.
10.  Configure the client browser to use the Squid proxy.

Back up the Squid configuration files:


   The Squid configuration files are usually located in the /etc/squid/ directory. To configure Squid you need to edit and change these files, so it is better to back them up before you start the configuration process. The commands below show an example of a simple backup.

To back up the Squid configuration directory:

[root@cempakasari ~]# cp -pr /etc/squid/ /etc/squid.bak
[root@cempakasari ~]#

To back up the squid.conf file:

[root@cempakasari ~]# cp -pr /etc/squid/squid.conf /etc/squid/squid.conf.bak
[root@cempakasari ~]#

Best practice: before editing or making any changes to a config file, back up the file first.

Edit squid.conf, the Squid cache proxy configuration file.


1. Open the Squid config file (squid.conf), located in the /etc/squid directory, with the text editor of your choice.

[root@linux fedora]# vi /etc/squid/squid.conf

or you can use the gedit program:

[root@linux fedora]# gedit /etc/squid/squid.conf

Warning: if you don't need to change a default setting in squid.conf, leave its line commented out as it is.

2.  First of all, we need to set the port on which Squid should listen for client proxy requests. By default Squid listens on port 3128 on all IP addresses of the machine.

   In this project we configure our Squid proxy to bind to the internal Ethernet card, which uses the internal IP 10.2.0.5, and to listen on port 8080 on that internal IP address. With this configuration Squid is visible and listening on our internal address only.

Configuration example in the squid.conf file:


Customize the socket address where your Squid proxy should listen for HTTP client requests; change the address to fit your network layout.

# NETWORK OPTIONS
........................
#Default:
# http_port 3128
http_port 10.2.0.5:8080

Improve Squid performance.


   To improve Squid proxy performance, edit the default configuration to make use of the system's hardware capacity. The configuration below shows how to increase the size of the Squid proxy's memory cache and of its cache directory.

3. Scroll down and find "#  TAG: cache_mem (bytes)". To increase Squid's cache memory, edit the default setting and enter a memory size appropriate to your system. The example below increases the Squid cache memory to 256 MB. Before you change this setting, make sure your hardware has enough memory to support the size you specify here.

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------
#  TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
........................
#Default:
# cache_mem 8 MB
cache_mem 256 MB

4.  Then find "# TAG: cache_dir" and increase the size of the cache directory to 2000 MB. Make sure you have enough disk space before you change this value.

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
........................
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /var/spool/squid 2000 16 256

Set the proxy's DNS servers:


5.  Adjust the list of DNS name servers. The Squid cache proxy uses this list of DNS servers to resolve domain names.

#  TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none
dns_nameservers 203.106.93.91 161.142.227.17 192.228.128.16 201.188.0.16

Adding auxiliary ports:


6. Add the required ports to the access control list. This example shows port 2083 being added to the Safe_ports list (and, in the listing below, to SSL_ports as well).

# ACCESS CONTROLS
# ---------------------------
........................
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 2083 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 2083 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

Adding the internal network to the ACL:


7.  To control access to the Squid proxy, that is, who can use it, find the access rules and add the list of your Squid clients. The example access control list rules below allow only the internal IP networks to access and use the Squid proxy.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl FE_networks src 10.2.0.0/255.255.0.0
acl LABS_networks src 10.3.0.0/255.255.0.0
acl GENSUB_networks src 10.4.0.0/255.255.0.0
acl ADM_networks src 10.5.0.0/255.255.0.0
acl LIB_networks src 10.6.0.0/255.255.0.0
acl TKM_networks src 10.7.0.0/255.255.0.0
acl TKP_networks src 10.8.0.0/255.255.0.0
acl TKE_networks src 10.9.0.0/255.255.0.0
acl TKK_networks src 10.10.0.0/255.255.0.0
http_access allow FE_networks
http_access allow LABS_networks
http_access allow GENSUB_networks
http_access allow ADM_networks
http_access allow LIB_networks
http_access allow TKM_networks
http_access allow TKP_networks
http_access allow TKE_networks
http_access allow TKK_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

==========================================
Another example of Squid ACLs:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl our_networks src 172.16.160.0/24 172.16.161.0/24 172.16.162.0/24 172.16.163.0/24 172.16.164.0/24 172.16.165.0/24 172.16.166.0/24 172.16.167.0/24 172.16.168.0/24 172.16.169.0/24 172.16.170.0/24
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
http_access allow our_networks
http_access deny bad_url

8. To allow FTP requests from clients:

# TAG: always_direct
# Usage: always_direct allow|deny [!]aclname ...
#
# Here you can use ACL elements to specify requests which should
# ALWAYS be forwarded by Squid to the origin servers without using
# any peers. For example, to always directly forward requests for
# local servers ignoring any parents or siblings you may have use
# something like:
#
# acl local-servers dstdomain my.domain.net
# always_direct allow local-servers
#
# To always forward FTP requests directly, use
#
# acl FTP proto FTP
# always_direct allow FTP
........................
#
#Default:
# none
acl FTP proto FTP
always_direct allow FTP

DONE
RECHECK THE CONFIGURATION SETTING.
SAVE THE SQUID CONFIGURATION FILE (squid.conf)
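Two of the sections edited above are easy to get subtly wrong by hand. An http_access rule can name an ACL that no "acl" line defines, in which case the rule is not applied and the clients it was meant to allow fall through to the final "deny all" (recent Squid versions refuse to start on such a rule). An http_port line without an address makes the proxy listen on every interface rather than only on the internal card, which is the opposite of what step 2 sets out to do. The script below is an added example written for this post; it is not part of Squid or of the original configuration. It lints a squid.conf for those two slips and also checks that the last http_access rule is the "deny all" shown above, since Squid's implicit default for unmatched requests is the opposite of the last rule. The sample configuration it runs on is constructed for the demonstration; the only tools assumed are awk and mktemp, which Fedora Core provides.

```shell
#!/bin/sh
# squid_conf_lint: added example for this post, not part of Squid.
# Reports three hand-editing slips in a squid.conf:
#   1. an http_access rule naming an ACL with no "acl NAME ..." line
#      (Squid drops or rejects such a rule, so the clients it was meant
#      to allow fall through to the final "deny all");
#   2. an http_port with no address, which listens on every interface
#      instead of only the internal card chosen in step 2;
#   3. a last http_access rule that is not "deny all" (Squid's implicit
#      default is the opposite of the last rule, so a config ending in
#      "allow X" lets everyone else through).
# Repeated "acl NAME ..." lines are legal (values append, as the
# Safe_ports lines show) and are deliberately not reported.
squid_conf_lint() {
    awk '
        # strip trailing comments; skip lines that are then empty
        { sub(/#.*/, ""); if (NF == 0) next }

        $1 == "acl" { defined[$2] = 1; next }

        $1 == "http_access" {
            # fields after allow/deny are ACL names, possibly negated with "!"
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)
                if (!(name in used)) used[name] = NR
            }
            last_rule = $0
            last_is_deny_all = ($2 == "deny" && $3 == "all" && NF == 3)
            next
        }

        # an address is present when the second field contains ":"
        $1 == "http_port" && $2 !~ /:/ {
            printf "line %d: http_port %s binds to all interfaces\n", NR, $2
            problems++
        }

        END {
            for (n in used)
                if (!(n in defined)) {
                    printf "line %d: http_access uses undefined acl %s\n", used[n], n
                    problems++
                }
            if (last_rule != "" && !last_is_deny_all) {
                printf "last http_access rule is \"%s\", not \"deny all\"\n", last_rule
                problems++
            }
            exit (problems > 0)
        }' "$1"
}

# Constructed sample modelled on the ACL block above: LIB_networks is granted
# access but the 10.6.0.0/16 line was written as LABS_networks, and http_port
# has no address.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
http_port 8080
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl FE_networks src 10.2.0.0/255.255.0.0
acl LABS_networks src 10.3.0.0/255.255.0.0
acl LABS_networks src 10.6.0.0/255.255.0.0   # appends to LABS_networks: legal, not reported
http_access allow FE_networks
http_access allow LABS_networks
http_access allow LIB_networks
http_access allow localhost
http_access deny all
EOF
squid_conf_lint "$sample_conf" || echo "fix squid.conf before running squid -z"
rm -f "$sample_conf"
```

Run it as squid_conf_lint /etc/squid/squid.conf before creating the cache directory; a clean file produces no output and exit status 0, so it fits into a shell script that refuses to start Squid on a bad config. Repeated acl lines for the same name are not reported because Squid appends their values, which is exactly how the Safe_ports list is built. On Squid 3.2 and later, all and localhost are built-in ACLs, so add them to the defined list before relying on the undefined-name check there.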

Step by step: how to start and use Squid for the first time.


   To make sure the configuration is correct and your Squid proxy server runs smoothly, first start the Squid proxy server in debugging mode. The commands below show, step by step, how to create the Squid cache directory and then run the Squid proxy server in debugging mode.

1.  Create the Squid cache directory by issuing this command:

[root@linux fedora]# /usr/sbin/squid -z
2006/03/16 10:33:00| Creating Swap Directories

2.  Then test your Squid cache proxy by running Squid in debug mode (-N keeps Squid in the foreground, -C disables catching fatal signals, and -d1 prints debug output at level 1 to the terminal):

[root@linux fedora]# /usr/sbin/squid -NCd1
Example output:
2006/03/16 10:33:02| Starting Squid Cache version 2.5.STABLE9 for i386-redhat-linux-gnu...
2006/03/16 10:33:02| Process ID 5192
2006/03/16 10:33:02| With 1024 file descriptors available
2006/03/16 10:33:02| Performing DNS Tests...
2006/03/16 10:33:02| Successful DNS name lookup tests...
2006/03/16 10:33:02| DNS Socket created at 0.0.0.0, port 32778, FD 4
2006/03/16 10:33:02| Adding nameserver 203.106.93.91 from squid.conf
2006/03/16 10:33:02| Adding nameserver 161.142.227.17 from squid.conf
2006/03/16 10:33:02| Adding nameserver 192.228.128.16 from squid.conf
2006/03/16 10:33:02| Adding nameserver 201.188.0.16 from squid.conf
2006/03/16 10:33:02| User-Agent logging is disabled.
2006/03/16 10:33:02| Referer logging is disabled.
2006/03/16 10:33:02| Unlinkd pipe opened on FD 9
2006/03/16 10:33:02| Swap maxSize 102400 KB, estimated 7876 objects
2006/03/16 10:33:02| Target number of buckets: 393
2006/03/16 10:33:02| Using 8192 Store buckets
2006/03/16 10:33:02| Max Mem size: 18432 KB
2006/03/16 10:33:02| Max Swap size: 102400 KB
2006/03/16 10:33:02| Rebuilding storage in /var/spool/squid (CLEAN)
2006/03/16 10:33:02| Using Least Load store dir selection
2006/03/16 10:33:02| Set Current Directory to /var/spool/squid
2006/03/16 10:33:02| Loaded Icons.
2006/03/16 10:33:47| Accepting HTTP connections at 172.16.160.55, port 8080, FD 11.
2006/03/16 10:33:47| Accepting HTTP connections at 172.16.160.55, port 80, FD 12.
2006/03/16 10:33:47| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2006/03/16 10:33:47| WCCP Disabled.
2006/03/16 10:33:47| Ready to serve requests.
2006/03/16 10:33:47| Store rebuilding is 52.5% complete
2006/03/16 10:33:47| Done reading /var/spool/squid swaplog (7796 entries)
2006/03/16 10:33:47| Finished rebuilding storage from disk.
2006/03/16 10:33:47| 7796 Entries scanned
2006/03/16 10:33:47| 0 Invalid entries.
2006/03/16 10:33:47| 0 With invalid flags.
2006/03/16 10:33:47| 7796 Objects loaded.
2006/03/16 10:33:47| 0 Objects expired.
2006/03/16 10:33:47| 0 Objects cancelled.
2006/03/16 10:33:47| 0 Duplicate URLs purged.
2006/03/16 10:33:47| 0 Swapfile clashes avoided.
2006/03/16 10:33:47| Took 44.8 seconds ( 174.1 objects/sec).
2006/03/16 10:33:47| Beginning Validation Procedure
2006/03/16 10:33:47| Completed Validation Procedure
2006/03/16 10:33:47| Validated 7796 Entries
2006/03/16 10:33:47| store_swap_size = 92144k
2006/03/16 10:33:48| storeLateRelease: released 0 objects

Try to access any web page through the proxy running in debug mode.
Press Ctrl+C to end the debug-mode test.

2006/03/16 10:43:22| Preparing for shutdown after 39 requests
2006/03/16 10:43:22| Waiting 0 seconds for active connections to finish
2006/03/16 10:43:22| FD 11 Closing HTTP connection
2006/03/16 10:43:22| FD 12 Closing HTTP connection
2006/03/16 10:43:24| Shutting down...
2006/03/16 10:43:24| FD 13 Closing ICP connection
2006/03/16 10:43:24| Closing unlinkd pipe on FD 9
2006/03/16 10:43:24| storeDirWriteCleanLogs: Starting...
2006/03/16 10:43:25| Finished. Wrote 7796 entries.
2006/03/16 10:43:25| Took 0.1 seconds (89056.4 entries/sec).
[root@linux fedora]#

3.  If you have a problem starting your Squid cache proxy, read the Squid log files in the following locations:

[root@linux fedora]# less /var/log/squid/access.log
and
[root@linux fedora]# less /var/log/squid/cache.log

Step-by-step example: start, stop and automatically start the Squid proxy server.


Use the following command to start and stop Squid.

[root@linux fedora]# /sbin/service squid start
[root@linux fedora]# /sbin/service squid stop

To make sure Squid starts automatically after a system reboot, use the chkconfig command to turn Squid on at runlevels 3 and 5:

[root@linux fedora]# /sbin/chkconfig --level 35 squid on

Confirm the automatic start:

[root@linux fedora]# /sbin/chkconfig --list squid
squid           0:off   1:off   2:off   3:on    4:off   5:on    6:off

Step by step: configure the client browser to use the Squid cache proxy.


1.  Open the web browser on the client machine.
2.  In the connection settings, select manual proxy configuration.
3.  In the HTTP Proxy text box, enter the IP 10.2.0.5 and set Port to 8080.
4.  Tick the checkbox to use the same proxy for all protocols and click the OK button.

Mozilla Firefox browser connection settings.
Note: the IP 10.2.0.5 and port 8080 are the address used by the Squid cache proxy in this project. Adjust the IP address and port to fit your proxy configuration.

   The Squid configuration example in this project aims to get the Squid cache proxy serving internal clients with the most basic configuration; you can customize Squid and add more options by editing the config file /etc/squid/squid.conf.

The step-by-step procedure above was tested on:
Operating System: GNU/Linux Fedora Core 4, Fedora Core 5, Fedora Core 6
Kernel Name: Linux
Machine Hardware:  i686
Machine Processor:  i686
Hardware Platform:  i386
Shell: GNU bash
Installation Type: Full  Installation (Custom)
SELinux: Disabled

Good Luck...

1 comment:

sahil said...

Can we use this for RHEL 5.4?
