Squid is an open source caching and forwarding HTTP proxy server.

Quick Usage Guide[edit | edit source]

To quickly get Squid set up as a HTTP proxy server with caching enabled, install squid and configure it like so:

## Install squid
# yum -y install squid

Configure squid. The configuration located at /etc/squid/squid.conf should have at least the following lines:

# Allow localhost and our local network
http_access allow localhost
http_access allow localnet

# Our local network IP subnet. Adjust this accordingly
acl localnetsrc

# Use DNS IPv4 lookups first
dns_v4_first on

# Amount of memory used for caching objects
cache_mem 1024 MB

# Maximum object size to cache
maximum_object_size 4096 MB

# Maximum size of cached objects in memory
maximum_object_size_in_memory 8192 KB

# Location of the cache directory
# 2nd parameter is the size of the cache. 10240 = 10 GB
cache_dir ufs /mnt/cache/squid 10240 16 256

Transparent Proxy[edit | edit source]

To make the squid server a transparent proxy, put it on the gateway and create an IPtables rule that forwards all traffic destined to port 80 to the squid server.

With the squid server above set up, set up the IPtable rules like so:


# squid server IP

# Interface connected to Internet

# Interface connected to LAN

# Squid port

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For win xp ftp client
#modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow all existing connections through
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Other[edit | edit source]

Force Yum/DNF to use Squid[edit | edit source]

Specify the proxy option in /etc/yum.conf or /etc/dnf/dnf.conf with the URL of the HTTP proxy.



Alternatively, set the http_proxy value in the environment.