Squid
Squid
Squid
vi /etc/squid/ip-group1.txt
# Listados de Pcs
192.168.2.20
192.168.2.33
192.168.2.50
vi /etc/squid/website1.txt
# nombre de dominios
mail.google.com
www.sport.es
.marca.com
.microsoft.com
.peoplenet.com.gt
vi /etc/squid/website1ip.txt
# vi /etc/squid/squid.conf
Find the line "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
CLIENTS" and add the following:
# vi /etc/squid/deniedDomains
friendster
metacafe
myspace
videos.google
youtube
facebook
chatenabled.mail.google.com
# vi /etc/squid/blacklistIP
192.168.0.254
192.168.1.221
192.168.1.236
172.16.70.0/24
# vi /etc/squid/acl
192.168.1.0/24
172.16.70.0/24
213.44.2.126
Restart squid:
# /etc/init.d/squid reload
This section will allow you to set up a web site filter for kids. The first time an address is entered in
the browser's address bar, an authentication dialog will pop-up, prompting for a username and
password. We will set-up two usernames, one with full and another with restricted access.
First, open the /etc/squid/squid.conf and add the following line in the auth_param section:
Now create the user accounts using htpasswd (use -c only for the first user):
CODE
$ sudo htpasswd -c /etc/squid/passwd dad
Enter a password for user 'dad':
Again:
Create the ACLs by adding the following lines in the ACCESS CONTROLS (acl) sections in
Squid.conf:
CODE
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist
Finally, search for http_access allow all in the Squid config file and modify it so it looks like this:
http_access deny all
# ACCESS CONTROLS
# TAG: acl
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist
# TAG: http_access
# And finally deny all other access to this proxy
http_access deny all
Use deny all for squid with authentication and allow all for basic squid configuration.
—————————————————————————————————-
Now create block file and service restart
cat >/etc/squid/block_list.txt
www.hotmail.com
www.ibm.com
www.hp.com
#3: Create an acl office time for Mon-Sat, 10:00 to 17:00 (24hrs)
acl officetime time MTWHFA 10:00-17:00
#4: Deny access to “http” facebook to accountant only in office times
http_reply_access deny fb accountant officetime
#5: The below line will deny access to “https” secured facebook to the proxy user
“accountant” in office times. Squid proxy will deny access to “https” facebook to
accountant only in office times.
http_access deny CONNECT fb accountant officetime
reply_body_max_size 30 MB
sudo mkdir -p /home/precise/cache/
sudo chmod 777 /home/precise/cache/
sudo chown proxy:proxy /home/precise/cache/
Squid3 configuration:
#
# NETWORK OPTIONS
#
#
http_port 3128
#
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ==============================
#
cache_mem 1000 MB
maximum_object_size_in_memory 100 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 950
cache_swap_high 990
#
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ==================================
#
access_log /var/log/squid3/access.log
cache_log /cache/cache.log
#cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_icp_queries off
#
# OPTIONS FOR TUNING THE CACHE
# ========================
#
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i .(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-
expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i .(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|
rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire
override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i .(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$
43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-
cache ignore-private
refresh_pattern -i .(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i .index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 1440 90% 10080
#
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 1355 KB
#
# HTTP OPTIONS
# ===========
vary_ignore_expire on
#
# ANONIMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
#
# ADMINISTRATIVE PARAMETERS
# =====================
#
cache_mgr admin@bdlinux.com
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname bdlinux_proxy
#
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#
# DNS OPTIONS
# ==========
#
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
#
# MISCELLANEOUS
# ===========
#
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
#
#Marking ZPH
#==========
zph_mode tos
zph_local 0x04
zph_parent 0
zph_option 136
### END CONFIGURATION ###
squid3 -z
Restart squid3:
Your squid proxy server installation and configuration is complete . You have to set ip and
port (which is by default 3128) in your firefox.
Note : Above we have used precise is red marked and that is the default user . You have to
use yours username . There is also Blue marked texts on that configuration file . One is
email which you should use your own or servers email and also name of the server owner.
Now if you want to use user and password to access your proxy
server then do as below .
###########################################################
acl QUERY urlpath_regex -i cgi-
bin ? .php$ .asp$ .shtml$ .cfm$ .cfml$ .phtml$ .php3$ localhost
acl all src
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-
65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
#
# NETWORK OPTIONS
#
#
http_port 3128
#
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ==============================
#
cache_mem 1000 MB
maximum_object_size_in_memory 100 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 950
cache_swap_high 990
#
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ==================================
#
access_log /var/log/squid3/access.log
cache_log /cache/cache.log
#cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_icp_queries off
#
# OPTIONS FOR TUNING THE CACHE
# ========================
#
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i .(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-
expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i .(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|
rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire
override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i .(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$
43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-
cache ignore-private
refresh_pattern -i .(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i .index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 1440 90% 10080
#
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 1355 KB
#
# HTTP OPTIONS
# ===========
vary_ignore_expire on
#
# ANONIMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
#
# ADMINISTRATIVE PARAMETERS
# =====================
#
cache_mgr fahad@obakfahad.com
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname Fahad_Ahammed
#
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#
# DNS OPTIONS
# ==========
#
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
#
# MISCELLANEOUS
# ===========
#
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
#
#Marking ZPH
#==========
zph_mode tos
zph_local 0x04
zph_parent 0
zph_option 136
### END CONFIGURATION ###
squid3 -z
Restart squid3:
Your squid proxy server installation and configuration is complete . You have to set ip and
port (which is by default 3128) in your firefox. After this when you will try to connect you will
be notified to put username and password .
2. Create web folder under /etc/squid. This is to store any anonymous files such as
Bad_Websites.squid.
#List in /etc/squid/web/Bad_Websites.squid
www.porn.com
www.badwebsites.com
4. Define surfing_hour group’s name, surfing time and restricted websites file list.
Starting squid: . [ OK ]
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# web applications running on the proxy server who think the only
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_port 3128
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
coredump_dir /var/spool/squid
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0