Squid

From Leo's Notes
Last edited on 14 June 2020, at 22:03.

Squid is an open source caching and forwarding HTTP proxy server.

Quick Usage Guide

To quickly get Squid set up as an HTTP proxy server with caching enabled, install squid and configure it like so:

## Install squid
# yum -y install squid

Configure squid. The configuration located at /etc/squid/squid.conf should have at least the following lines:

# Our local network IP subnet. Adjust this accordingly.
# The acl must be defined before any http_access line that references it.
acl localnet src 10.1.1.0/22

# Allow localhost and our local network
http_access allow localhost
http_access allow localnet

# Use DNS IPv4 lookups first
dns_v4_first on

# Amount of memory used for caching objects
cache_mem 1024 MB

# Maximum object size to cache
maximum_object_size 4096 MB

# Maximum size of cached objects in memory
maximum_object_size_in_memory 8192 KB

# Location of the cache directory
# The number after the directory is the cache size in MB. 10240 = 10 GB
cache_dir ufs /mnt/cache/squid 10240 16 256
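
Two mistakes that are easy to make in the config above, an acl referenced before the acl line that defines it and an acl line missing its type, are both fatal when Squid parses squid.conf. The checker below is an added example, not part of Leo's Notes or of Squid; it reads squid.conf text, checks every http_access rule against the acls defined so far (plus the names Squid predefines), checks that acl lines have a name, a type from a small assumed subset of Squid's acl types, and a value, and warns when the last http_access rule is not an explicit deny all. Both embedded configs are constructed.

```python
# Squid 3.2 and later predefine these acl names; rules may use them without an "acl" line.
BUILTIN_ACLS = {"all", "localhost", "manager", "to_localhost"}
# Assumption: a small subset of Squid's acl types, enough for a typical squid.conf.
KNOWN_ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "port", "proto", "method", "url_regex"}


def lint_squid_conf(text):
    """Return [(line_no, message), ...] for problems in squid.conf text; line 0 = whole file."""
    problems = []
    defined = set(BUILTIN_ACLS)  # acl names seen so far, in file order
    last_rule = None             # tokens of the most recent http_access line
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "acl":
            if len(tokens) < 4:
                problems.append((line_no, "acl needs a name, a type and at least one value"))
                continue
            name, acl_type = tokens[1], tokens[2]
            if acl_type not in KNOWN_ACL_TYPES:
                problems.append((line_no, f"unknown acl type '{acl_type}' for acl '{name}'"))
            defined.add(name)
        elif tokens[0] == "http_access":
            if len(tokens) < 3 or tokens[1] not in ("allow", "deny"):
                problems.append((line_no, "http_access needs allow|deny and at least one acl"))
                continue
            for ref in tokens[2:]:
                name = ref.lstrip("!")  # a leading "!" negates the acl
                if name not in defined:
                    problems.append((line_no, f"acl '{name}' used before it is defined"))
            last_rule = tokens[1:]
    # Squid's implicit default is the opposite of the last rule; insist it be explicit.
    if last_rule != ["deny", "all"]:
        problems.append((0, "last http_access rule should be an explicit 'deny all'"))
    return problems


# Constructed sample with the two mistakes from the config on this page ...
BROKEN_CONF = """\
http_access allow localhost
http_access allow localnet
acl localnetsrc 10.1.1.0/22
"""
# ... and the corrected ordering and acl line, with an explicit final deny.
FIXED_CONF = """\
acl localnet src 10.1.1.0/22
http_access allow localhost
http_access allow localnet
http_access deny all
"""
```

Running lint_squid_conf(BROKEN_CONF) reports the undefined localnet on line 2, the malformed acl on line 3 and the missing final deny; the fixed config reports nothing.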

Transparent Proxy

To make the squid server a transparent proxy, put it on the gateway and create an iptables rule that redirects all traffic destined to port 80 to the squid server. Squid only accepts NAT-redirected requests on a port configured for interception, so also add http_port 3128 intercept to /etc/squid/squid.conf (older Squid releases used the transparent option instead).

With the squid server above set up, set up the iptables rules like so:

#!/bin/sh

# squid server IP
SQUID_SERVER="192.168.1.1"

# Interface connected to Internet
INTERNET="eth0"

# Interface connected to LAN
LAN_IN="eth1"

# Squid port
SQUID_PORT="3128"


# DO NOT MODIFY BELOW
# Clean old firewall rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load iptables modules for NAT and IP conntrack support
# (newer kernels name these nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For Windows XP FTP client
#modprobe ip_nat_ftp

# Enable packet forwarding between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set default filter policy: drop inbound traffic unless explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to existing connections in from the Internet
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# Unlimited access to and from the LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# Same redirect when squid runs on this same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Other

Force Yum/DNF to use Squid

Specify the proxy option in /etc/yum.conf or /etc/dnf/dnf.conf with the URL of the HTTP proxy.

For example:

proxy=http://squid.home.steamr.com:3128

Alternatively, set the http_proxy environment variable to the same URL.