How to configure SQUID Proxy server in debian wheezy (advance configuration)

Posted by Md. Mahidul Hasan on 6:50 AM with 1 comment

Objectives:
1. Questions?
2. Concept
3. System requirements
4. Scenario
5. Configuration
6. Log files location
7. Troubleshooting
8. Reference
9. Real life-Script
10. Follow our video tutorial at the youtube link

Questions?
. What is a proxy server?
. Why do we need it?
. How does it work?
. How does its cache work?
. What kinds of restrictions can we implement with Squid?
. Can Squid restrict HTTPS? How?
. What is the "Storage LRU Expiration Age"?
. How does Squid decide when to refresh a cached object?
. How come some objects do not get cached?
. What is the difference between url_regex, url_regex -i, url_regex_path, dstdomain and dst?

Squid Proxy Server Setup & Configuration:
1. root@proxy:~# apt-get install squid   [it will download & install squid package]

2. root@proxy:~# vim /etc/squid/squid.conf
Recommended minimum configuration:
** Search for 'manager' with this vim command:
           /manager
** Look carefully: two 'acl' lines named 'localnet' are already declared for the Class B and Class C networks.
** So we just have to uncomment (enable) the line 'http_access allow localnet', that's it.
N.B.R.- Don't disable these two 'acl' lines named 'localnet', otherwise the proxy will give a fatal error message (localnet not defined).
** Again, search for http_port with this command:
   /http_port [we will find a line like 'http_port 3128']
   change it to http_port 8080

** WOW!!! Squid minimum configuration done.
** Now restart squid: /etc/init.d/squid restart

3. Allow Specific ip address and Block specific websites in squid proxy:
Create ACL:
acl localhost src 127.0.0.1/32
acl allowip src "/etc/squid/allowip"
acl fullaccessip src "/etc/squid/fullaccessip"
acl baddomain url_regex "/etc/squid/baddomain"

Now HTTP ACCESS \ DENY:
http_access allow localhost
http_access allow fullaccessip
http_access deny baddomain
http_access allow allowip

FINALLY :
http_access deny all

4. Don't forget to restart squid:
root@proxy:~# /etc/init.d/squid restart

SQUID PROXY ADVANCED TUNING:
*** Restrict IP addresses, define fully allowed IP addresses (for all websites, not all file extensions),
blocked websites, and non-downloadable (blocked) file extensions.
1. Create ACL:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl allowedip src "/etc/squid/allowedip"
acl fullaccessip src "/etc/squid/fullaccessip"
acl blockedsite url_regex "/etc/squid/blockedsite"
acl blockedext url_regex "/etc/squid/blockedext"
acl ncsa_users proxy_auth REQUIRED   # for the username & password authentication prompt

2. Now HTTP ACCESS \ DENY:
#http_access allow localnet
http_access deny blockedext
http_access allow ncsa_users   # for the username & password authentication prompt
http_access allow localhost
http_access allow fullaccessip
http_access deny blockedsite
http_access allow allowedip

FINALLY :
http_access deny all

3. Don't forget to restart squid:
/etc/init.d/squid restart

4. How to create the files declared in the ACLs:
~# vim /etc/squid/allowip
The configuration script should look like this
192.168.0.20
192.168.0.27
192.168.0.33
192.168.0.57
192.168.0.110

~# vim /etc/squid/blockedsite
The configuration script should look like this
.yahoo.com
.facebook.com
.bing.com

N.B.R.- Don't forget the dot (.) at the beginning of each domain.

~# vim /etc/squid/blockedext
The configuration script should look like this
.exe$
.avi$
.mpg$
.mpeg$
.mp3$

Or you can specify extensions as follows (not recommended):
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
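
The following is an added example, not part of the original post: a small Python check of what the list entries above actually match. It models url_regex as an unanchored, case-sensitive regex search over the whole URL and dstdomain (used later in this post for baddom) as a host-name comparison; Python's re stands in for Squid's regex engine, and the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def url_regex(pattern, url, ignore_case=False):
    """Model of 'acl X url_regex [-i] pattern': unanchored search over the full URL."""
    return re.search(pattern, url, re.IGNORECASE if ignore_case else 0) is not None

def dstdomain(entry, url):
    """Model of 'acl X dstdomain entry': compares the host name only."""
    host = (urlsplit(url).hostname or "").lower()
    return host == entry.lstrip(".") or (entry.startswith(".") and host.endswith(entry))

# Constructed samples: (URL, should the rule block it?)
EXE_SAMPLES = [
    ("http://example.com/files/setup.exe", True),
    ("http://example.com/files/SETUP.EXE", True),
    ("http://example.com/docs/annexe", False),
]
YAHOO_SAMPLES = [
    ("http://mail.yahoo.com/inbox", True),
    ("http://yahoo.com/", True),
    ("http://notyahoo.com/", False),
    ("http://example.org/search?q=xyahoo.com", False),
]

def audit(matcher, samples):
    """Return (wrongly_blocked, not_blocked) URL lists for one pattern."""
    wrongly_blocked = [u for u, want in samples if matcher(u) and not want]
    not_blocked = [u for u, want in samples if not matcher(u) and want]
    return wrongly_blocked, not_blocked

if __name__ == "__main__":
    checks = {
        "url_regex .exe$": (lambda u: url_regex(".exe$", u), EXE_SAMPLES),
        "url_regex \\.[Ee][Xx][Ee]$": (lambda u: url_regex(r"\.[Ee][Xx][Ee]$", u), EXE_SAMPLES),
        "url_regex -i \\.exe$": (lambda u: url_regex(r"\.exe$", u, True), EXE_SAMPLES),
        "url_regex .yahoo.com": (lambda u: url_regex(".yahoo.com", u), YAHOO_SAMPLES),
        "dstdomain .yahoo.com": (lambda u: dstdomain(".yahoo.com", u), YAHOO_SAMPLES),
    }
    for name, (matcher, samples) in checks.items():
        print(name, audit(matcher, samples))
```

In url_regex the dot is a wildcard, so the unescaped entries also hit unrelated URLs; the leading dot only means "this domain and its subdomains" in a dstdomain list.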

Setting Maximum Size of Downloadable File:
This task is managed by the reply_body_max_size parameter. The value next to it is the maximum size expressed in bits.
reply_body_max_size 100000000 deny all   #100M

The above line doesn’t allow anyone to download any file that is greater than roughly 100MB.

Blocking a specific MAC Address:
Create ACL:
acl localhost src 127.0.0.1/32
acl allowip src "/etc/squid/allowip"
acl fullaccessip src "/etc/squid/fullaccessip"
acl baddomain url_regex "/etc/squid/baddomain"
acl badmac arp 00:C0:26:8A:5F:06

Now HTTP ACCESS \ DENY:
http_access allow localhost
http_access deny badmac
http_access allow fullaccessip
http_access deny baddomain
http_access allow allowip

FINALLY :
http_access deny all

Blocking Multiple MAC Addresses:
First we have to create a file that will contain the list of bad MACs.
root@proxy:~# vim /etc/squid/badmac
The configuration script should look like this,
00:C0:26:8A:5F:06
00:19:DB:BD:C9:F4
89:12:5C:KM:E5:L3

Now Create ACL:
acl localhost src 127.0.0.1/32
acl allowip src "/etc/squid/allowip"
acl fullaccessip src "/etc/squid/fullaccessip"
acl baddomain url_regex "/etc/squid/baddomain"
acl badmac arp "/etc/squid/badmac"

Now HTTP ACCESS\DENY:
http_access allow localhost
http_access deny badmac
http_access allow fullaccessip
http_access deny baddomain
http_access allow allowip

FINALLY :
http_access deny all

Bind a Specific MAC Address to a Specific IP:
Now Create ACL:
acl localhost src 127.0.0.1/32
acl mac1 arp 00:C0:26:8A:5F:06
acl mac2 arp 00:19:DB:BD:C9:F5
acl mac3 arp 00:19:DB:BD:C9:F6
acl ip1 src 172.16.0.2
acl ip2 src 172.16.0.3
acl ip3 src 172.16.0.4

Now HTTP ACCESS \ DENY:
http_access allow localhost
http_access allow mac1 ip1
http_access allow mac2 ip2
http_access allow mac3 ip3

FINALLY :
http_access deny all

Special Note:
NOTE: Squid can only determine the MAC address for clients that are on the same subnet.
If the client is on a different subnet, then Squid cannot find out its MAC address.

To find a client PC's MAC address from the Debian Linux server:
# arp 192.168.0.4 (the client host should be up and pingable)

Setting Specific Time & Day for Browsing:
The following lines have been taken from the file squid.conf. Each day is represented by a letter.
Moreover, browsing time can be limited using the h1:m1-h2:m2 parameters, where h1:m1 must be less than h2:m2.
#acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2

Now Create ACL:
acl localhost src 127.0.0.1/32
acl allowip src "/etc/squid/allowip"
acl allowedhour time S M T W H 10:00-16:00

Now HTTP ACCESS \ DENY:
http_access allow localhost
http_access allow allowip allowedhour

FINALLY :
http_access deny all

Example: allow browsing during office hours only
# vim /etc/squid/squid.conf
                acl localhost src 127.0.0.1/32
                acl to_localhost dst 127.0.0.0/8
                acl office_hours time S M T W H 08:00-18:00
                # a time range cannot cross midnight (h1:m1 must be less than h2:m2),
                # so the evening range ends at 23:59 and a second line covers the night
                acl non_office_hours time S M T W H F A 17:01-23:59
                acl non_office_hours time S M T W H F A 00:00-08:59
                acl our_network src 192.168.200.0/24

                http_access deny our_network non_office_hours
                http_access allow our_network office_hours
                http_access deny all
                # Note: make sure the deny line is placed before the line allowing our network

Restrict access to multiple websites for a defined time:
For example, here we will restrict access to www.facebook.com from 9:00am to 5:00am.
                acl morninghours time M T W H F 8:00-12:00
                acl eveninghours time M T W H F 13:30-18:00
                acl blacklistdomain url_regex "/etc/squid/blacklist.domain"
                acl blacklistip src "/etc/squid/blacklist.ip"

                http_access deny blacklistdomain morninghours blacklistip
                http_access deny blacklistdomain eveninghours blacklistip

                http_access allow our_network
                http_access deny all

Configure an NCSA-style PROXY USERNAME and PASSWORD prompt authentication

Remember: Squid proxy username & password authentication does not support transparent proxy.

STEP 1: First of all install apache2
# apt-get install apache2

STEP 2: Create a username/password
First create an NCSA password file using the htpasswd command. htpasswd is used to create and update the flat files that store usernames and passwords for basic authentication of squid users.
# htpasswd -c /etc/squid/passwd mithu   [here (-c) is used to create passwd file to save mithu user.]

Output:
New password:
Re-type new password:
Adding password for user mithu

Make sure squid can read passwd file:
# chmod o+r /etc/squid/passwd

STEP 3: Locate the ncsa_auth authentication helper
Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find its location using the rpm (Redhat, CentOS, Fedora) or dpkg (Debian and Ubuntu) command:
# dpkg -L squid | grep ncsa_auth

Output:
/usr/lib/squid/ncsa_auth

If you are using RHEL/CentOS/Fedora Core or RPM based distro try:
# rpm -ql squid | grep ncsa_auth

Output:
/usr/lib/squid/ncsa_auth

STEP 4: Configure ncsa_auth for squid proxy authentication
Now open the /etc/squid/squid.conf file
~# vim /etc/squid/squid.conf
Append the following configuration directives:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

****N.B.R.- Search with /auth_param, go to the end of the auth_param section, then append the lines above.

STEP 5:
1. Create ACL:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl allowedip src "/etc/squid/allowedip"
acl ncsa_users proxy_auth REQUIRED

2. Now HTTP ACCESS DENY:
#http_access allow localnet
http_access allow ncsa_users
http_access allow localhost
http_access allow allowedip

FINALLY :
http_access deny all

3. Don't forget to restart squid:
/etc/init.d/squid restart

Showing log reports:
root@ns2:~# tail -f /var/log/squid/access.log : Most log file analysis programs are based on the entries in access.log. You can use this file to find out who is using the squid server, what they are doing, etc.

root@ns2:~# tail -f /var/log/squid/cache.log : The cache.log file contains the debug and error messages that Squid generates. If you start your Squid using the default RunCache script, or start it with the -s command line option, a copy of certain messages will go into your syslog facilities. It is a matter of personal preference to use a separate file for the squid log data.

root@ns2:~# tail -f /var/log/squid/store.log : The store.log file covers the objects currently kept on disk or removed ones. As a kind of transaction log it is usually used for debugging purposes. A definitive statement whether an object resides on your disks is only possible after analysing the complete log file. The release (deletion) of an object may be logged at a later time than the swap out (save to disk).

This is how you will get the log report with date/time format,
# tail -f /var/log/squid/access.log | perl -pe 's/[\d\.]+/localtime($&)/e'
# grep 192.168.0.14 /var/log/squid/access.log | perl -pe 's/[\d\.]+/localtime($&)/e'
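
The following is an added example, not part of the original post: a Python reader for access.log that converts the epoch timestamp like the perl one-liners above and counts, per client, the requests refused by an http_access rule (TCP_DENIED/403) separately from proxy_auth challenges (TCP_DENIED/407). It assumes Squid's native log format; the sample lines, addresses and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1389162000.123     45 192.168.0.14 TCP_DENIED/403 3512 GET http://www.facebook.com/ - NONE/- text/html
1389162003.456    210 192.168.0.14 TCP_MISS/200 18342 GET http://www.bbc.com/news mithu DIRECT/203.0.113.10 text/html
1389162010.789     12 192.168.0.20 TCP_DENIED/407 4011 GET http://www.yahoo.com/ - NONE/- text/html
1389162015.001     30 192.168.0.14 TCP_DENIED/403 3512 CONNECT www.facebook.com:443 - NONE/- text/html
"""

FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hier", "type")

def parse_line(line):
    """Split one native-format line into named fields and decode the timestamp."""
    rec = dict(zip(FIELDS, line.split()))
    if len(rec) != len(FIELDS):
        raise ValueError("not a native-format access.log line: %r" % line)
    rec["when"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
    rec["code"], rec["status"] = rec["result"].split("/")
    return rec

def summarize(log_text):
    """Return (blocked, challenged): per-client counts of 403 and 407 denials."""
    blocked, challenged = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["code"] != "TCP_DENIED":
            continue
        # 407 is the authentication prompt, 403 is a rule that denied the request
        (challenged if rec["status"] == "407" else blocked)[rec["client"]] += 1
    return blocked, challenged

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["when"].strftime("%Y-%m-%d %H:%M:%S"), rec["client"],
              rec["result"], rec["method"], rec["url"], rec["user"])
    print(summarize(SAMPLE_LOG))
```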

Changing the Error page contents:
Generally the Squid error page directory is "/usr/share/squid/errors/en". Change the contents of the Squid error pages as per your requirements.

root@mail:~# vim /usr/share/squid/errors/en/ERR_FORWARDING_DENIED

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--
 %l
body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; float: right; }
 --></style>
</head><body>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>

<blockquote id="error">
<p><b>Forwarding Denied.</b></p>
</blockquote>

<p>This cache will not forward your request because it is trying to enforce a sibling relationship. Perhaps the client at %i is a cache which has been misconfigured.</p>

<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>

<br>
</div>

<hr>
<div id="footer">
<p>Generated %T by %h (%s)</p>
<!-- %c -->
</div>
</body></html>

Troubleshooting:
1. "http_access allow parameter1 !parameter2" will not work if you allow your network.
2. There are some differences between url_regex, url_regex -i, url_regex_path, dstdomain and dst.
url_regex =
url_regex -i =
url_regex_path =
dstdomain =
dst =
dstdom_regex =


Real life-Script
mail:/etc/squid# vim squid.conf
# Squid normally listens to port 3128
#http_port 3128
http_port 8080 transparent

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.2/32
acl mylan src 192.168.0.0/24
acl windowsip src "/etc/squid/windowsip"
acl windows url_regex "/etc/squid/windows"
acl allowip src "/etc/squid/allowip"
acl limited src "/etc/squid/limitedip"
acl limitedsite url_regex "/etc/squid/limitedsite"
acl baddom dstdomain "/etc/squid/baddom"
acl hrip src "/etc/squid/hrip"
acl hrsite url_regex "/etc/squid/hrsite"
acl to_localhost dst 127.0.0.0/8

acl onlysite url_regex "/etc/squid/onlysite"
acl spec_ip src 192.168.0.54
acl spec_site url_regex "/etc/squid/spec_site"


http_access deny CONNECT baddom
http_access deny CONNECT limitedsite
http_access deny CONNECT hrsite

http_access allow windowsip windows
http_access allow spec_ip spec_site
http_access allow allowip !baddom
http_access allow limited !limitedsite
http_access allow hrip !hrsite
http_access allow localhost
http_access allow mylan onlysite

# And finally deny all other access to this proxy
http_access deny all

mail:/etc/squid# vim onlysite
.mahidul.com
.kaspersky.com

mail:/etc/squid# vim windowsip
192.168.0.90-192.168.0.100

mail:/etc/squid# vim windows
.download.windowsupdate.com

mail:/etc/squid# vim spec_ip
192.168.0.101-192.168.0.150

mail:/etc/squid# vim spec_site
.yahoo.com
.prothom-alo.com
.eprothom-alo.com

mail:/etc/squid# vim hrip
#192.168.0.31
192.168.0.32
192.168.0.33
192.168.0.81

mail:/etc/squid# vim hrsite
.somewhereintheblog.com
.bbc.com
.thedailystar.net
.dailyjanakantha.com

mail:/etc/squid# vim limitedip
192.168.0.151-192.168.0.200

mail:/etc/squid# vim limitedsite
.ip-adress.com
.dsemobile.com
.googleads.g.doubleclick.net
.bd-pratidin.com
.jobsinbd.com
.banglanews.com
.dailyinqilab.com

mail:/etc/squid# vim allowip
192.168.0.201-192.168.0.254

mail:/etc/squid# vim baddom
#Give the web addresses of the sites to block like below. Put a dot (.) in front of every domain.
.baddomain.com

Note: Though it will open https://youtube.com, it will not play the video and will show you an error like "An error occurred, please try again later". Please note that if you allow your network at the end, this configuration will not work.
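
The following is an added example, not part of the original post: a simplified Python model of how Squid walks the http_access list (ACLs on one line are ANDed, "!" negates, the first matching line decides), applied to a subset of the real-life script above. It shows why a trailing "allow mylan" line cancels the "!baddom" restriction. The ACL contents are inlined from the list files shown above; the function names and the request() helper are hypothetical.

```python
import ipaddress
import re

def in_src(ip, spec):  # spec is a CIDR block or an 'a-b' address range
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec)

def in_dstdomain(host, dom):
    """A leading dot matches the domain itself and all of its subdomains."""
    return host == dom.lstrip(".") or (dom.startswith(".") and host.endswith(dom))

MATCHERS = {
    "src": lambda req, v: in_src(req["src"], v),
    "dstdomain": lambda req, v: in_dstdomain(req["host"], v),
    "url_regex": lambda req, v: re.search(v, req["url"]) is not None,
    "method": lambda req, v: req["method"] == v,
}
# ACLs modelled on the real-life script; list-file contents are inlined.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "mylan": ("src", ["192.168.0.0/24"]),
    "allowip": ("src", ["192.168.0.201-192.168.0.254"]),
    "baddom": ("dstdomain", [".baddomain.com"]),
    "onlysite": ("url_regex", [".mahidul.com", ".kaspersky.com"]),
    "CONNECT": ("method", ["CONNECT"]),
}
RULES = [  # a subset of the script's http_access lines, in the same order
    ("deny", ["CONNECT", "baddom"]),
    ("allow", ["allowip", "!baddom"]),
    ("allow", ["mylan", "onlysite"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    return any(MATCHERS[kind](req, v) for v in values)  # values of one acl are ORed

def http_access(rules, req):
    """The first rule whose ACLs all match (AND, '!' negates) decides the request."""
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"  # opposite of the last rule

def request(src, host, method="GET"):
    return {"src": src, "host": host, "method": method, "url": f"http://{host}/"}
```

With RULES as written, http_access(RULES, request("192.168.0.210", "www.baddomain.com")) returns "deny"; inserting ("allow", ["mylan"]) just before the final deny turns the same request into "allow".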