
Squid


1.- create a file with the client host IP addresses

vi /etc/squid/ip-group1.txt
# list of PCs
192.168.2.20
192.168.2.33
192.168.2.50

2.- create a file with the allowed domains and hosts

vi /etc/squid/website1.txt
# domain names
mail.google.com
www.sport.es
.marca.com
.microsoft.com
.peoplenet.com.gt

3.- create a file with the destination host IP addresses

vi /etc/squid/website1ip.txt
# destination sites at the IP level
190.4.33.202
200.49.168.84
216.230.128.32

4.- edit /etc/squid/squid.conf

acl ip-group1 src "/etc/squid/ip-group1.txt"
acl website1 dstdomain "/etc/squid/website1.txt"
acl website1ip dst "/etc/squid/website1ip.txt"

http_access allow localhost
http_access allow ip-group1 website1
http_access allow ip-group1 website1ip
http_access deny ip-group1
# webconfig_to_lan and webconfig_lan are not defined above; they must exist elsewhere in squid.conf
http_access allow webconfig_to_lan
http_access allow webconfig_lan
http_access deny all

5.- squid -k reconfigure


Requirements:
Some websites will only be blocked during office hours (8am to 12pm and 1:30pm to 6pm).
Websites will only be blocked for specific IPs.
Deny websites using keywords.

Edit /etc/squid/squid.conf

# vi /etc/squid/squid.conf

Find the line "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
CLIENTS" and add the following:

acl morning_hours time M T W H F 8:00-12:00
acl evening_hours time M T W H F 13:30-18:00
# url_regex takes the pattern file directly; there is no "src" keyword in this ACL type
acl deniedDomains url_regex "/etc/squid/deniedDomains"
acl blacklistIP src "/etc/squid/blacklistIP"
http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP
acl myNetwork src "/etc/squid/acl"
http_access allow myNetwork

Create the list of domain names to be blocked, one per line:

# vi /etc/squid/deniedDomains 

friendster
metacafe
myspace
videos.google
youtube
facebook
chatenabled.mail.google.com

Create the list of user IPs that have restricted access:

# vi /etc/squid/blacklistIP

192.168.0.254
192.168.1.221
192.168.1.236
172.16.70.0/24

Create the list of IPs that can access your squid proxy:

# vi /etc/squid/acl
192.168.1.0/24
172.16.70.0/24
213.44.2.126

Restart squid:

# /etc/init.d/squid reload
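The policy above depends on Squid's http_access evaluation order: the first line whose terms all match decides, `!` negates a term, and a request matching no line gets the opposite of the last line's action. The following Python script, added here as an example and not part of the page or of Squid, models that evaluation for the ACL types this page uses and replays the office-hours policy with its list files inlined; the request fields and function names are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime

# Added example, not Squid's code: a model of how Squid walks http_access lines,
# covering the ACL types this page uses (src, dstdomain, url_regex, time).
# Squid day letters: S M T W H F A = Sunday..Saturday (datetime.weekday() numbers).
DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

def parse_time_acl(args):
    """'M T W H F 8:00-12:00' -> (weekdays, (8, 0), (12, 0)); no letters = every day."""
    days, start, end = set(), None, None
    for tok in args:
        if tok[0].isdigit():
            a, b = tok.split("-")
            start, end = tuple(map(int, a.split(":"))), tuple(map(int, b.split(":")))
        else:
            days |= {DAYS[c] for c in tok}
    return days or set(range(7)), start, end

def acl_matches(kind, args, req):
    """Does one ACL (type + argument list) match the request dict?"""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "dstdomain":  # '.example.com' matches example.com and every subdomain
        h = req["host"]
        return any(h == a or (a[0] == "." and (h == a[1:] or h.endswith(a))) for a in args)
    if kind == "url_regex":
        return any(re.search(a, req["url"]) for a in args)
    if kind == "time":  # both ends of the range are inclusive, as in Squid
        days, start, end = parse_time_acl(args)
        t = req["when"]
        return t.weekday() in days and start <= (t.hour, t.minute) <= end
    raise ValueError(f"acl type {kind} not modelled here")

def evaluate(config, req):
    """First line whose terms all match decides; '!' negates; no match -> opposite of last line."""
    acls, rules = {}, []
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl":  # repeated acl lines with the same name accumulate
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The office-hours policy from this page, with its three list files inlined.
OFFICE_POLICY = """
acl morning_hours time M T W H F 8:00-12:00
acl evening_hours time M T W H F 13:30-18:00
acl deniedDomains url_regex friendster metacafe myspace videos.google youtube facebook
acl blacklistIP src 192.168.0.254 192.168.1.221 192.168.1.236 172.16.70.0/24
http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP
acl myNetwork src 192.168.1.0/24 172.16.70.0/24 213.44.2.126
http_access allow myNetwork
"""

def office_decision(src, url, when):
    # when is an ISO timestamp such as "2024-01-08 10:00" (a Monday)
    req = {"src": src, "url": url, "host": url.split("/")[2], "when": datetime.fromisoformat(when)}
    return evaluate(OFFICE_POLICY, req)
```

Note that a client outside myNetwork is denied even though no line names it: the last line is an allow, so the default flips to deny.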

SETTING UP SQUID AUTHENTICATION AND WEB FILTERING

This section will allow you to set up a web site filter for kids. The first time an address is entered in
the browser's address bar, an authentication dialog will pop up, prompting for a username and
password. We will set up two usernames, one with full and another with restricted access.

First, open the /etc/squid/squid.conf and add the following line in the auth_param section:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

Now create the user accounts using htpasswd (use -c only for the first user):

$ sudo htpasswd -c /etc/squid/passwd dad
Enter a password for user 'dad':
Again:

$ sudo htpasswd /etc/squid/passwd kid
Another password:
Again:

Create the ACLs by adding the following lines in the ACCESS CONTROLS (acl) section of squid.conf:
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist

Create the whitelist by opening a text editor and adding allowed domains like this:

.google.com
.kids-play.com
.yahoo.com
.msn.com

and save it as /etc/squid/whitelist.

Finally, search for http_access allow all in the Squid config file and modify it so it looks like this:
http_access deny all

This is what my Squid config sections look like:

# NETWORK OPTIONS
# Squid normally listens to port 3128
http_port 192.168.0.1:3128
# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist

# TAG: http_access
# And finally deny all other access to this proxy
http_access deny all

Use deny all for squid with authentication and allow all for basic squid configuration.

Blocking IP,Domain,Time to Access Websites in Squid Proxy


We can control which websites or IPs may be accessed through the Squid proxy server. We can set time-based access rules, restrict an IP range, or block certain websites or IPs for a range of client IPs or for a limited time.

#To allow a particular network (use deny instead of allow to block it):
acl my_net src 192.168.0.0/24 192.168.1.0/24
http_access allow my_net

#To block a particular ip:
acl bad_ip src 192.168.0.21
acl bad_ip src 192.168.0.22
http_access deny bad_ip

#To block a particular URL:
acl bad_site dst www.yahoo.com # dst matches the resolved IP address; dstdomain is the usual choice for a hostname
http_access deny bad_site

#To block only one domain:
acl block_orkut dstdomain .orkut.com
http_access deny block_orkut

#To block a list of sites specified in a file:
acl block_list url_regex "/etc/squid/block_list.txt"
http_access deny block_list

#Blocking web access by time:
#acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#h1:m1 must be less than h2:m2
#Day-abbrevs:
#S - Sunday, M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday
acl mynetwork src 192.168.0.0/255.255.255.0
acl Break time MTWHFA 02:32-03:00
http_access deny mynetwork Break

#To block URLs containing the word "word":
acl block_word_url url_regex sex
http_access deny block_word_url

#To prevent downloading files:
acl block_exe url_regex \.exe$ # the dot must be escaped; an unescaped '.' matches any character
http_access deny block_exe

#To block access to some TLDs:
acl block_tld dstdom_regex \.uk$
http_access deny block_tld

Now create the block list file and restart the service:

cat >/etc/squid/block_list.txt
www.hotmail.com
www.ibm.com
www.hp.com

[root@ubuntu Desktop]# /etc/init.d/squid3 restart
Stopping squid: [FAILED]
Starting squid: . [ OK ]
[root@ubuntu Desktop]# chkconfig squid3 on
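Several rules above feed bare hostnames or unescaped patterns such as `.*.exe$` and `.uk$` into url_regex and dstdom_regex, where a dot is a wildcard and an unanchored entry matches anywhere in the URL. This added Python check (not from the page or from Squid) flags such entries and shows what they would block on constructed sample URLs; the function names are assumptions of this example.

```python
import re

# Added example (not from the page): sanity-check entries meant for a Squid
# url_regex or dstdom_regex ACL, such as the block_list.txt above. Two mistakes
# seen in the rules above are flagged: a bare '.' (a regex wildcard, not a
# literal dot) and a missing ^/$ anchor, so the entry matches anywhere in the
# URL. Squid uses POSIX extended regex; Python's re agrees for these patterns.

BARE_DOT = re.compile(r"(?<!\\)\.(?=[A-Za-z0-9])")  # '.' directly before a letter/digit


def lint_pattern(pattern):
    """Return a list of problems found in one regex ACL entry (empty = fine)."""
    problems = []
    if BARE_DOT.search(pattern):
        problems.append("unescaped '.' matches any character, not only a dot")
    if not (pattern.startswith("^") or pattern.endswith("$")):
        problems.append("unanchored: matches the text anywhere in the URL")
    return problems


def escape_dots(pattern):
    """Escape the bare dots flagged by lint_pattern; other regex syntax is kept."""
    return BARE_DOT.sub(r"\\.", pattern)


def matching_urls(pattern, urls):
    """URLs the pattern would hit, i.e. what 'http_access deny' would block."""
    rx = re.compile(pattern, re.IGNORECASE)  # Squid's -i flag
    return [u for u in urls if rx.search(u)]


# Constructed sample traffic: the intended targets plus look-alikes.
SAMPLE_URLS = [
    "http://dl.example/setup.exe",
    "http://intranet.example/annexe",
    "http://www.hotmail.com/inbox",
    "http://example.test/redirect?to=www.hotmail.com",
    "http://www.hotmailXcom.example/",
]

if __name__ == "__main__":
    for entry in [".*.exe$", "www.hotmail.com", r"\.exe$"]:
        print(entry, lint_pattern(entry) or "ok")
        print("  blocks:", matching_urls(entry, SAMPLE_URLS))
        print("  escaped:", escape_dots(entry), matching_urls(escape_dots(entry), SAMPLE_URLS))
```

For plain hostnames, dstdomain with a list file is the safer choice: it matches the destination host only, without regex pitfalls.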

#1: Create an acl for proxy clients.
acl accountant src 192.168.10.50/32
#2: Create an acl for the facebook domain (any required sites)
acl fb dstdomain .facebook.com
#3: Create an acl for office time, Mon-Sat, 10:00 to 17:00 (24hr clock)
acl officetime time MTWHFA 10:00-17:00
#4: Deny access to "http" facebook to accountant only in office times
http_reply_access deny fb accountant officetime
#5: Deny access to "https" facebook (CONNECT tunnels) to the proxy user "accountant" in office times
http_access deny CONNECT fb accountant officetime

Squid Proxy Server Download/Upload Limit


We can limit download and upload sizes for a particular user, IP range or time. This helps keep server load down during office hours, at other particular times, or for some users.

To limit for all:

reply_body_max_size 30 MB

User or user group based download and upload limit:

acl Group1 proxy_auth user1 user2
acl Group2 proxy_auth user3 user4
# the first reply_body_max_size line that matches is used, so list specific groups before "all"
reply_body_max_size 20480 KB Group2
reply_body_max_size 10240 KB Group1
reply_body_max_size 5120 KB all

IP based download limit:

acl Group1 src 10.5.0.1-10.5.0.10/32
acl Group2 src 10.5.2.1-10.5.2.10/32
reply_body_max_size 20480 KB Group2
reply_body_max_size 10240 KB Group1
reply_body_max_size 5120 KB all

Time based download limit:

acl WorkingHours time 08:00-17:00
reply_body_max_size 10240 KB WorkingHours

Installing Squid Proxy Server with User & Password


If you work remotely, or have to handle corporate files on the road, then chances are you have used a specific type of proxy and may not even be aware of it. In fact, proxies are used by workers all over the world in the form of a VPN. A virtual private network is one specific type of proxy which lets you work remotely and securely. So here I will help you install and configure a Squid proxy server on your VPS or server.

Log in on Ubuntu Server, then type command below to Install squid :

sudo apt-get install squid3 ccze bind9 dnsutils apache2-utils

Create a directory for the cache; in this case the cache directory is /home/precise/cache/. Then change the permissions of the cache directory to 777 and the owner to proxy:proxy. Once the directory is owned by proxy:proxy, 750 is enough for squid (which runs as proxy); 777 lets every local user write into the cache.

sudo mkdir -p /home/precise/cache/
sudo chmod 777 /home/precise/cache/
sudo chown proxy:proxy /home/precise/cache/

Before editing the squid configuration, make a backup of your /etc/squid3/squid.conf file for future reference. squid.conf has nearly all the options listed and it is recommended to go through that file to know more about squid options.

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.origin
sudo chmod a-w /etc/squid3/squid.conf.origin

Now edit the /etc/squid3/squid.conf file, delete all options in it and replace them with the squid3 configuration below:

sudo nano /etc/squid3/squid.conf

Squid3 configuration:

# ACCESS CONTROLS OPTIONS
# ====================
#
acl QUERY urlpath_regex -i cgi-bin \? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
acl all src all # squid 3.2 and later already define 'all'; remove this line if squid warns about it
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
#http_access deny all
http_access allow all # every client that can reach port 3128 is served; restrict the port at the firewall or use deny all

#
# NETWORK OPTIONS
#
#
http_port 3128
#
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ==============================
#
cache_mem 1000 MB
maximum_object_size_in_memory 100 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 950
cache_swap_high 990
#
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ==================================
#
access_log /var/log/squid3/access.log
cache_log /cache/cache.log
#cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_icp_queries off
#
# OPTIONS FOR TUNING THE CACHE
# ========================
#
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
# dots before the extension lists are escaped so they match a literal '.'
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i .index\.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
#
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 1355 KB
#
# HTTP OPTIONS
# ===========
vary_ignore_expire on
#
# ANONYMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
#
# ADMINISTRATIVE PARAMETERS
# =====================
#
cache_mgr admin@bdlinux.com
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname bdlinux_proxy
#
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#
# DNS OPTIONS
# ==========
#
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
#
# MISCELLANEOUS
# ===========
#
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
#
#Marking ZPH
#==========
zph_mode tos
zph_local 0x04
zph_parent 0
zph_option 136
### END CONFIGURATION ###

Create swap directory,

squid3 -z

Restart squid3:

sudo /etc/init.d/squid3 restart

Your squid proxy server installation and configuration is complete. You have to set the IP and
port (which is by default 3128) in your Firefox proxy settings.

Note: in the original post, "precise" was marked in red; it is the default user name and you have to
use your own. Two values were marked in blue in that configuration file: the cache_mgr email address,
which should be your own or the server's email, and the visible_hostname, which should carry the name of the server owner.

Now if you want to use user and password to access your proxy
server then do as below .

Step # 1: Create a username/password


First create an NCSA password file using the htpasswd command. htpasswd is used to create
and update the flat files used to store usernames and passwords for basic authentication of
squid users (-c creates the file; omit it when adding later users):

htpasswd -c /etc/squid3/passwd user1
Output:
New password:
Re-type new password:
Adding password for user user1

Make sure squid can read the passwd file:

chmod o+r /etc/squid3/passwd

o+r makes the password hashes readable by every local user; chown root:proxy /etc/squid3/passwd followed by chmod 640 gives squid (running as proxy) read access without that.
Step # 2: Locate the ncsa_auth authentication helper

Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find out the location using rpm
(Red Hat, CentOS, Fedora) or dpkg (Debian and Ubuntu):

dpkg -L squid3 | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth

If you are using RHEL/CentOS/Fedora Core or another RPM based distro try:

rpm -ql squid | grep ncsa_auth
Output:
/usr/lib/squid/ncsa_auth

Step # 3: Configure ncsa_auth for squid proxy authentication

Now open the /etc/squid3/squid.conf file:

nano /etc/squid3/squid.conf

Put this in and save:

Squid3 configuration:

# ACCESS CONTROLS OPTIONS
# ====================
#
###########################################################
# basic auth sends the password base64-encoded, not encrypted, on every request; keep the proxy on a trusted network
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
###########################################################
acl QUERY urlpath_regex -i cgi-bin \? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
acl all src all # squid 3.2 and later already define 'all'; remove this line if squid warns about it
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
# end with deny all once authentication is enabled, as this page recommends; allow all is for the basic setup only
http_access deny all

#
# NETWORK OPTIONS
#
#
http_port 3128
#
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ==============================
#
cache_mem 1000 MB
maximum_object_size_in_memory 100 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 950
cache_swap_high 990
#
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ==================================
#
access_log /var/log/squid3/access.log
cache_log /cache/cache.log
#cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_icp_queries off
#
# OPTIONS FOR TUNING THE CACHE
# ========================
#
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
# dots before the extension lists are escaped so they match a literal '.'
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i .index\.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
#
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 1355 KB
#
# HTTP OPTIONS
# ===========
vary_ignore_expire on
#
# ANONYMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
#
# ADMINISTRATIVE PARAMETERS
# =====================
#
cache_mgr fahad@obakfahad.com
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname Fahad_Ahammed
#
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#
# DNS OPTIONS
# ==========
#
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
#
# MISCELLANEOUS
# ===========
#
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
#
#Marking ZPH
#==========
zph_mode tos
zph_local 0x04
zph_parent 0
zph_option 136
### END CONFIGURATION ###

Create swap directory,

squid3 -z

Restart squid3:

sudo /etc/init.d/squid3 restart

Your squid proxy server installation and configuration is complete. You have to set the IP and
port (which is by default 3128) in your Firefox proxy settings. After this, when you try to connect
you will be prompted for a username and password.

1. Open the squid.conf configuration file :

[root@centos62 ~]# vi /etc/squid/squid.conf

2. Create a web folder under /etc/squid. This is where list files such as
Bad_Websites.squid are stored.

[root@centos62 ~]# mkdir /etc/squid/web

3. Create Bad_Websites.squid and add the bad websites list.

[root@centos62 ~]# vi /etc/squid/web/Bad_Websites.squid

Example bad website list:

#List in /etc/squid/web/Bad_Websites.squid
www.porn.com
www.badwebsites.com

4. Define the surfing_hours group's name, surfing time and restricted websites file list.

#Add this at the bottom of the ACL Section
acl surfing_hours time M T W H F 08:00-17:00
acl Bad_Websites dstdomain "/etc/squid/web/Bad_Websites.squid"

5. Always deny the ehowstuff.com network access to Bad_Websites, and otherwise allow it to
surf only during surfing_hours. The first matching http_access line decides, so the allow
line must come before the two deny lines.

# Allow the ehowstuff.com network to browse during surfing_hours, except to Bad_Websites
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com
6. Restart the Squid proxy server for the change to take effect:

[root@centos62 ~]# service squid restart
Stopping squid: ................ [ OK ]
Starting squid: . [ OK ]

Full configuration of the Squid cache proxy:

# Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl ehowstuff.com src 192.168.1.0/24 # Your internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#Add this at the bottom of the ACL Section
acl surfing_hours time M T W H F 08:00-17:00
acl Bad_Websites dstdomain "/etc/squid/web/Bad_Websites.squid"

# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Allow the ehowstuff.com network to browse during surfing_hours, except to Bad_Websites.
# Note: this allow line sits before the Safe_ports and SSL_ports denies below, so those
# port checks never apply to this network during surfing_hours; move it after them if they should.
http_access allow ehowstuff.com surfing_hours !Bad_Websites
http_access deny Bad_Websites
http_access deny ehowstuff.com

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
