
How To: Configure Squid Proxy Server

This document provides instructions for configuring Squid proxy server for simple proxying without caching on a local network. It assumes Squid is installed on a machine with a local IP address of 192.168.36.204, which will act as a proxy server for other machines on the 192.168.0.0/16 network. The first step is to open and edit the Squid configuration file at /etc/squid/squid.conf to set the access control and HTTP port. Details are then provided for configuring the proxy addresses, ACLs, and access rules.
Copyright
© Attribution Non-Commercial (BY-NC)

by Kulbir Saini
in Administration, Configuration, HowTo, Installation, Proxy Server, Server, Squid

Mission

To configure squid for simple proxying without caching anything.

Use Cases

1. When you want to have control over what people browse on your LAN.
2. When the number of machines is more than the number of IP addresses you can afford to buy.
3. When you want to help this holy world in saving some IPv4 addresses.

Assumptions

1. You have a machine connected directly to the internet that you are going to use as a proxy server for other machines on your network.
2. The machines on your network are using 192.168.0.0/16 as private address space. You can use any one or several of the available address spaces, but for this howto we assume 192.168.0.0/16 as the local network.
3. The local IP address of the machine which will run the squid proxy server is 192.168.36.204. You can have any IP, but for this howto we assume this.

How to proceed

First of all, ensure that you have squid installed. After installing squid, you need to set access control in the squid configuration file, which resides in /etc/squid by default. Open /etc/squid/squid.conf and add/edit the following lines according to your preferences. A few lines already exist in the configuration file; you can add the rest.

# The port on which squid will listen for requests
http_port 8080
# If 'cgi-bin' or '?' is in query, squid should not check with neighbours'/parents' cache
# and should go to target web-server.
hierarchy_stoplist cgi-bin ?
# If url contains 'cgi-bin' or '?', then it must not be cached
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Access control list to control every IP address
acl all src 0.0.0.0/0.0.0.0
# Access control list for source machine in LAN
acl lan_src src 192.168.0.0/16
# Access control list for destination machine in LAN
acl lan_dst dst 192.168.0.0/16
# Access control list to manage squid cache
acl manager proto cache_object
# Access control list to define IP address allowed for source localhost
acl localhost src 127.0.0.1/255.255.255.255
# Access control list to define IP addresses allowed for localhost as destination
acl to_localhost dst 127.0.0.0/8
# Access control list to define Safe ports that should be allowed by default
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Allow cache management only from localhost
http_access allow manager localhost
# Deny cache management from remote hosts
http_access deny manager
# Deny http access via all the ports which are not listed as safe
http_access deny !Safe_ports
# Deny CONNECT requests to all ports which are not listed in SSL_ports
http_access deny CONNECT !SSL_ports
# Allow http access from localhost
http_access allow localhost
# Allow http access from machines on LAN
http_access allow lan_src
http_access deny all
http_reply_access allow all
icp_access allow all
# Deny caching for everyone so that there is no caching at all
cache deny all
coredump_dir /var/spool/squid
# Never allow direct connection to machines on the internet
prefer_direct off
never_direct allow all
# Allow direct connection if the destination machine is on LAN
always_direct allow lan_dst
# Delete this line if you don't have /etc/hosts file
hosts_file /etc/hosts
# Allow AIM connections
# Delete the following 9 lines if you don't want people to connect to AIM
acl AIM_ports port 5190 9898 6667
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains
# Allow connections to Yahoo Messenger
# Delete the following 6 lines if you don't want people to connect to Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
# Allow connections to Google Talk
# Delete the following 6 lines if you don't want people to connect to Google Talk
acl GTALK_ports port 5222 5050
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains
# Allow connections to MSN
# Delete the following 6 lines if you don't want people to connect to MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts
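
Squid checks http_access lines from top to bottom and stops at the first rule whose ACLs all match, so in the configuration above every rule placed after http_access deny all is never evaluated. The following is an added example, not part of the original post: it replays a constructed excerpt of those rules in Python, modelling only the src, dst, port and method ACL types, and any request values fed to it are assumptions.

```python
import ipaddress
# Constructed excerpt of the configuration above, rule order kept, other rules omitted.
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl lan_src src 192.168.0.0/16
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl CONNECT method CONNECT
acl AIM_ports port 5190 9898 6667
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow lan_src
http_access deny all
http_access allow AIM_methods AIM_ports AIM_nets
"""

def parse(conf):
    acls, rules = {}, []
    for tok in (line.split("#")[0].split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:            # repeated ACL names accumulate values (OR)
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_match(acls, name, req):
    kind, vals = acls[name]
    if kind in ("src", "dst"):            # address/netmask or CIDR
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
    return str(req[kind]) in vals         # port, method: exact values only (no ranges)

def decide(acls, rules, req):
    """Rules are tried in order; the first one whose ACLs all match decides."""
    for i, (action, names) in enumerate(rules):
        if all(acl_match(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None  # Squid's default

def shadowed(acls, rules):
    """Indexes of rules placed after a rule that matches every request."""
    everyone = {n for n, (k, v) in acls.items() if k == "src" and any(
        ipaddress.ip_network(x, strict=False).prefixlen == 0 for x in v)}
    for i, (_, names) in enumerate(rules):
        if set(names) <= everyone:
            return list(range(i + 1, len(rules)))
    return []

print("never evaluated:", shadowed(*parse(CONF)))
```

If an instant-messaging rule is moved above http_access deny all so that it takes effect, add lan_src to it: as written it carries no source ACL and would match clients outside the LAN as well.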

Now, start the squid proxy server as

service squid start

Also, if you want squid to be started every time you boot the machine, execute the following command

chkconfig --level 345 squid on

You have a squid proxy server running now. You can ask clients to configure their browsers to use 192.168.36.204 as a proxy server with 8080 as proxy port. Command line utilities like elinks, lynx, yum, wget etc. can be asked to use the proxy by exporting the http_proxy variable as below. Users can also add these lines to their ~/.bashrc file to avoid exporting every time.

export http_proxy='http://192.168.36.204:8080'
export ftp_proxy='http://192.168.36.204:8080'



I highly recommend the book “Squid: The Definitive Guide
(Paperback)” for further reading.




{ 56 comments… read them below or add one }



peyank April 27, 2010 at 5:09 PM 1

How to cache dynamic content like video from YouTube?


Adnan May 31, 2010 at 11:13 AM 2

Hi,
I have configured squid proxy server with two NIC in Fedora 12.
Network configuration scenario:
Router -> proxy server -> switch -> clients (LAN)
where
Router = 172.15.0.1

Proxy server:
eth0:
ip= 172.15.0.2
mask=255.255.0.0
gateway=172.15.0.1

eth1:
ip= 172.16.1.1
mask=255.255.0.0
gateway= 172.15.0.2

clients:
ip= 172.16.1.10
mask=255.255.0.0
gateway= 172.16.1.1

proxy ip address= 172.16.1.1
port number= 8080

iptables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 8080 -j ACCEPT
COMMIT

My problem is that I cannot open websites from Client. Did I miss something or wrong config? Any idea?
Thanks


Kennedy Mwanza September 19, 2010 at 2:03 PM 3



How can I use a Proxy server to connect other people world wide
with my internet connection on my ubuntu lucid 10.04 server.


Parashuram December 21, 2010 at 5:07 AM 4

hello,

My requirement is to use squid proxy for wireless sensor nodes, here squid should collect data from wireless sensor nodes and store it in cache and provide it to external internet world when requested, how do i do it???
I want to setup this configuration on blackfin BF537 STAMP BOARD…
HOW TO DO THIS ANY HELP WILL BE GREATLY APPRECIATED

THANKS,,
PARASHURAM


vaibhav February 23, 2011 at 1:02 PM 5

Dear all,

solution required for (104) connection reset by peer.
kindly note we are using squid 2.5 stable1

Vaibhav


Fedora, the Fedora logo, Fedora Project and Red Hat are trademarks of Red Hat, Inc. The Fedora logo is used by permission.
All the articles on this blog are licensed under a Creative Commons Attribution-Share Alike 3.0 License.
