Introduction:
Squid server is a popular open source proxy and web cache. It has a variety of uses, from speeding up a web server by caching repeated requests, to caching web, name server query, and other network lookups for a group of people sharing network resources.
It is primarily designed to run on Linux / Unix-like systems. Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process.
Prerequisites:
a. Linux machine, e.g. RHEL5
b. squid-2.6.STABLE6-3.el5.i386.rpm
Installation on Linux
Use the following command to install the Squid RPM:
# rpm -ivh squid-2.6.STABLE6-3.el5.i386.rpm
Squid Basic Configuration
The Squid configuration file is located at /etc/squid/squid.conf. Open it in a text editor with the following command:
# vi /etc/squid/squid.conf
Squid Configuration:
-------------------------------------------------------------------------------------------------------
Basic SQUID config file (uncommented lines only), as listed by the following command:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
Port
http_port 3128 # Port
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
ACL Parameters :
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
Access Parameters
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow password
http_access deny all
icp_access allow all
visible_hostname CARMASQUIDProxy #You can change the name of the Proxy Server
No Authentication Configuration:
Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default, the authenticator_program is not used.
Change the http_access parameter from http_access deny all to http_access allow all.
Restart the SQUID Proxy Server process:
# /etc/init.d/squid restart
Stopping squid: ................ [ OK ]
Starting squid: . [ OK ]
IE Proxy Server Configuration:
1. Open Internet Explorer
2. Go to Internet Options > Connections Tab > LAN Settings > Proxy Server
3. Enter IPAddress and Port of the SQUID Proxy Server
4. Try Accessing http://www.google.com
5. Done.
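A check worth running before the restart, as an added example that is not part of the original post: Squid evaluates http_access lines top to bottom and applies the first match, so an `allow all` rule admits every request that reaches it, and any rule placed after a bare `all` rule is never evaluated. The function names, the sample configs and the `localnet` ACL name are constructed for illustration; the comment-stripping pipeline is the grep/sed command shown earlier.

```shell
#!/bin/sh
# Added example: inspect the http_access rules of a squid.conf.
# Squid checks http_access lines top to bottom; the first match decides.

# Print the active http_access rules without the directive name,
# dropping comment lines, blank lines and trailing "# ..." comments.
active_http_access() {
    grep -v '^#' "$1" | sed -e '/^$/d' -e 's/[[:space:]]*#.*$//' |
        awk '$1 == "http_access" { $1 = ""; sub(/^ /, ""); print }'
}

# Print allow, deny or none for the first rule whose only ACL is "all".
catch_all_action() {
    active_http_access "$1" |
        awk 'NF == 2 && $2 == "all" { print $1; found = 1; exit }
             END { if (!found) print "none" }'
}

# Print the rules placed after the catch-all; they are never evaluated.
unreachable_rules() {
    active_http_access "$1" |
        awk 'seen { print "http_access " $0 }
             NF == 2 && $2 == "all" { seen = 1 }'
}

# Constructed sample: $1 = output file, $2 = action of the final rule,
# $3 = optional rule appended after it (localnet is a hypothetical ACL).
write_sample() {
    cat > "$1" <<EOF
# constructed sample config, not taken from a real server
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost

http_access $2 all   # final rule
$3
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/open.conf" allow
write_sample "$demo_dir/late.conf" deny "http_access allow localnet"
for f in "$demo_dir"/*.conf; do
    echo "$f: catch-all is '$(catch_all_action "$f")'"
    unreachable_rules "$f" | sed 's/^/  unreachable: /'
done
rm -rf "$demo_dir"
```

Point `catch_all_action` and `unreachable_rules` at /etc/squid/squid.conf to check the live file.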
-------------------------------------------------------------------------------------------------------
Basic Authentication Configuration:
Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default, the authenticator_program is not used.
Add the following configuration parameter to the squid config file to enable Basic Authentication.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/basic_passwd
Generate a basic authentication password file for a user named “basic”:
# htpasswd -c /etc/squid/basic_passwd basic
New password:
Re-type new password:
Adding password for user basic
Username: basic
Password file: /etc/squid/basic_passwd
Restart the SQUID Proxy Server process:
# /etc/init.d/squid restart
Stopping squid: ................ [ OK ]
Starting squid: . [ OK ]
IE Proxy Server Configuration:
1. Open Internet Explorer
2. Go to Internet Options > Connections Tab > LAN Settings > Proxy Server
3. Enter IPAddress and Port of the SQUID Proxy Server
4. Try Accessing http://www.google.com > Enter Username and password (basic) > Authenticate it
5. Done.
Digest Authentication Configuration:
Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default, the authenticator_program is not used.
Add the following configuration parameter to the squid config file to enable Digest Authentication.
auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/squid/digest
Create a digest.sh file that generates the digest, using the following script.
/etc/squid/digest.sh
-------------------------------------------------------------------------------------------------------
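#!/bin/sh
# Print a digest password-file entry: user:realm:MD5(user:realm:password)
user=$1
pass=$2
realm=$3
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
    echo "Usage: $0 user password 'realm'"
    exit 1
fi
# printf is used because "echo -n" is not portable across /bin/sh implementations
ha1=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -f1 -d' ')
echo "$user:$realm:$ha1"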
-------------------------------------------------------------------------------------------------------
Give executable permissions to the file created above.
# chmod +rwx /etc/squid/digest.sh
Run the script from /etc/squid and append its output to the digest file:
# ./digest.sh username password 'Squid proxy-caching web server' >> /etc/squid/digest
For example, generate a digest for the user “admin” with the password “password”:
# ./digest.sh admin password 'Squid proxy-caching web server' >> /etc/squid/digest
Restart the SQUID Proxy Server process:
# /etc/init.d/squid restart
Stopping squid: ................ [ OK ]
Starting squid: . [ OK ]
IE Proxy Server Configuration:
1. Open Internet Explorer
2. Go to Internet Options > Connections Tab > LAN Settings > Proxy Server
3. Enter IPAddress and Port of the SQUID Proxy Server
4. Try Accessing http://www.google.com > Enter Username and password (Digest) > Authenticate it
5. Done.
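An added example, not part of the original post: digest.sh takes the password as a command-line argument, where it ends up in shell history and the process list, and appending with >> leaves the old line in place when a user's password changes. The functions below (hypothetical names, constructed password) read the password from standard input, replace the existing user/realm entry, and check an entry against a given realm, which helps when a login fails because the realm hashed into the file is not the one the client was challenged with.

```shell
#!/bin/sh
# Added example: maintain entries for a "digest_pw_auth -c" password file.
# Each line is user:realm:HA1, where HA1 = MD5("user:realm:password").

# Print HA1 for $1 = user, $2 = realm, $3 = password.
ha1() {
    printf '%s' "$1:$2:$3" | md5sum | cut -d' ' -f1
}

# Add or replace the entry for user $2 and realm $3 in file $1.
# The password is read from standard input, not from the command line.
set_entry() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    case "$2$3" in *:*) return 2 ;; esac      # ":" is the field separator
    tmp=$(mktemp) || return 1
    if [ -f "$1" ]; then                      # drop the old entry, if any
        awk -F: -v u="$2" -v r="$3" '!($1 == u && $2 == r)' "$1" > "$tmp"
    fi
    printf '%s:%s:%s\n' "$2" "$3" "$(ha1 "$2" "$3" "$pw")" >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"         # keeps owner and mode of $1
}

# Succeed when file $1 has an entry for user $2 and realm $3 that matches
# the password read from standard input.
check_entry() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    grep -Fxq "$2:$3:$(ha1 "$2" "$3" "$pw")" "$1"
}

# Demo on a temporary file with a constructed password.
demo_file=$(mktemp)
realm='Squid proxy-caching web server'
echo 'constructed-pass' | set_entry "$demo_file" admin "$realm"
echo 'constructed-pass' | check_entry "$demo_file" admin "$realm" &&
    echo "entry verifies"
echo 'constructed-pass' | check_entry "$demo_file" admin 'other realm' ||
    echo "no entry for that realm"
rm -f "$demo_file"
```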