Tuesday, May 4, 2010

Squid

Introduction
Squid is a free caching proxy server that runs on Linux and many other operating systems. It can be deployed in two roles: as a forward proxy or as a reverse proxy.
As a forward proxy, Squid saves bandwidth by serving frequently requested content to clients from its cache, and gives the organization a single point at which to authenticate and authorize users, log internet usage, enforce the internet usage policy and manage network resources.
As a reverse proxy, Squid sits in front of a web server farm and reduces the load on the origin servers: it caches and serves frequently used static content, absorbs slow remote clients so that a server's connection is freed quickly (spoon-feeding), filters incoming requests to protect the web servers, and can act as an IPv4-to-IPv6 gateway.

Features
Squid is a robust service that offers an organization many features. This section covers the more popular ones used to secure or optimize a network.

Transparent Proxy
The most basic reason to use Squid is its ability to act as a transparent (intercepting) proxy. This is for when the organization wants the users and clients within the network to go through the proxy without knowing it, and without having to configure their browsers to use the proxy.

Squid makes this possible by acting as the gateway router itself, or by having the gateway redirect web traffic to a Linux server that is hosting

Access Control Lists (ACL)
Squid can control access by clients within the organization by filtering on source/destination IP address, time of access, URL, port number or protocol. Typical ways Squid ACLs are used:

1. Restricting access to local network users
2. Blocking specific computers
3. Restricting certain web sites during office hours
4. Blocking pornography or phishing websites

Proxy authentication
Squid can be configured so that only authenticated users are allowed to reach the internet through the proxy, using one of the three schemes listed below:
1. HTTP Basic authentication
2. HTTP Digest authentication
3. NTLM

Authentication is configured with the auth_param directive, which points Squid at an external helper program that verifies the credentials against a standard database (a password file, LDAP, a Windows domain and so on). Note that Basic authentication sends the password merely base64-encoded, which is as good as cleartext on the wire; prefer Digest or NTLM unless clients reach the proxy only over a trusted network.
Proxy authentication is not covered in this document.

Install Squid

There are 3 ways to install Squid:
1. Installing through Yum
2. Installing the RPM package
3. Building from source

Yum (Yellowdog Updater Modified)
Installing through Yum is simple. As root, execute the following command (the # prompt used throughout this document indicates a root shell; the command name and package name are lower-case):

~]# yum install squid

RPM Package Manager
Installing through the RPM Package Manager takes a bit more work. Normally we install from the CD/DVD-ROM provided. If a CD/DVD-ROM is not available, we might have to download the rpm file from an online source.

a. Navigate to the source, which will most likely be the CD/DVD-ROM. The CD/DVD-ROM has to be inserted (and mounted) first.

~]# cd /media/RHEL_5.3\ x86_64\ DVD/Server

b. Install the rpm

~]# rpm -Uvh squid*

Install from source
a. Download the source

~]# wget ftp://squid.cbn.net.id/pub/squid/squid-3.1.1.tar.gz

b. Unpack the source (the original command omitted -f, so tar had no archive to read)

~]# tar -zxvf squid-3.1.1.tar.gz

c. Compile and install the source

~]# cd squid-3.1.1
~]# ./configure
~]# make
~]# make install

Two caveats for a source build. First, the tarball above is fetched over plain FTP from a mirror, so verify it against the checksum or PGP signature published by the Squid project before building. Second, a default source build installs under /usr/local/squid, so its configuration file is /usr/local/squid/etc/squid.conf rather than the /etc/squid/squid.conf used by the RHEL package, and no init script or unprivileged squid user is created for you; pass --prefix and related options to ./configure if you want a different layout.


Squid Configuration

Enter the following command to edit the Squid configuration file (use /usr/local/squid/etc/squid.conf if you built from source):
~]# nano /etc/squid/squid.conf

Modify or add the following directives. Directive names are lower-case. The httpd_accel_* directives that older guides use for transparent proxying belong to Squid 2.5 and were removed in Squid 2.6; with the Squid 3.1 source downloaded above, transparent interception is instead enabled as an option on the listening port (use transparent instead of intercept on Squid 2.6/3.0). The lan ACL below lists a single host and a /24 network; write the network with zero host bits, otherwise Squid warns about the mask:
http_port 3128 intercept
acl lan src 192.168.1.1 192.168.100.0/24
http_access allow localhost
http_access allow lan


Add the following lines to the configuration file as well, then save and exit the text editor. These are squid.conf directives, not shell commands, and their order matters: Squid evaluates http_access lines from the top and stops at the first match, so the deny rules must appear above http_access allow lan (or allow internalNetwork); a deny placed below an allow that already matches the client is never reached. Finish the http_access list with http_access deny all so that anything not explicitly allowed is refused.
• To allow access from local networks

acl internalNetwork src 192.168.1.0/24
http_access allow internalNetwork

• To deny users access to a web site (dstdomain matches the host part of the requested URL; the acl line needs this type)

acl blocksites dstdomain www.google.com
http_access deny blocksites

• To deny a user who browses to a URL with the word 'hack' in it (-i makes the match case-insensitive)

acl blockword url_regex -i hack
http_access deny blockword
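Because a deny rule that sits below a matching allow is silently ignored rather than rejected by Squid (squid -k parse checks syntax, not rule order), it is worth checking the ordering mechanically. The script below is an added example, not code from the original post or from the Squid project. It embeds two constructed squid.conf fragments using the acl names and addresses from above, one with the deny rules appended at the bottom and one ordered correctly, and a check_order function that reports every deny rule shadowed by the first allow for a given ACL name.

```shell
#!/bin/sh
# Added example, not from the original post or the Squid project.
# Squid evaluates http_access rules top-down and stops at the first match,
# so a deny placed after an allow that already matches the client never fires.
# check_order CONF ACL reports every "http_access deny <x>" (other than the
# closing "deny all") that appears after the first "http_access allow ACL".

# Constructed fragment: deny rules appended at the bottom, after "allow lan".
BAD_CONF='acl lan src 192.168.1.0/24
acl blocksites dstdomain www.google.com
acl blockword url_regex -i hack
http_access allow localhost
http_access allow lan
http_access deny blocksites
http_access deny blockword
http_access deny all'

# Constructed fragment: deny rules first, then the allows, then deny all.
GOOD_CONF='acl lan src 192.168.1.0/24
acl blocksites dstdomain www.google.com
acl blockword url_regex -i hack
http_access deny blocksites
http_access deny blockword
http_access allow localhost
http_access allow lan
http_access deny all'

# Returns 0 when no deny rule is shadowed; otherwise prints each shadowed
# rule with its line number and returns 1.
check_order() {
    printf '%s\n' "$1" | awk -v wanted="$2" '
        # remember the line of the first "allow <wanted>"
        $1 == "http_access" && $2 == "allow" && $3 == wanted && !seen { seen = NR }
        # any later deny (except the closing "deny all") can never match
        $1 == "http_access" && $2 == "deny" && $3 != "all" && seen {
            printf "line %d shadowed by allow %s on line %d: %s\n", NR, wanted, seen, $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

if check_order "$BAD_CONF" lan; then
    echo "BAD_CONF: ordering ok"
else
    echo "BAD_CONF: deny rules are shadowed, move them above 'http_access allow lan'"
fi
check_order "$GOOD_CONF" lan && echo "GOOD_CONF: ordering ok"
```

To run it against a real file, replace the embedded fragment with `check_order "$(cat /etc/squid/squid.conf)" lan`; the check only looks at http_access lines, so include/exception constructs are not followed.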

Start the Squid proxy server and have it start at boot. If Squid was built from source rather than installed from the RHEL package, create the cache directories first with squid -z, since the package init script does that for you but a source build has no init script.
~]# chkconfig squid on
~]# /etc/init.d/squid restart

Confirm that the port is listening (3128 is Squid's default http_port; substitute the value you set)

~]# netstat -tuna | grep 3128

Ensure that iptables allows access to the Squid port by adding a rule to the iptables configuration file, above the chain's final REJECT line. Open only the proxy port, and if the server also has an interface facing the internet, add -s 192.168.1.0/24 (your LAN) to the rule so that outsiders cannot reach the proxy at all, whatever the http_access rules say. Save and exit.

~]# nano /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT

Restart iptables
~]#/etc/init.d/iptables restart

Squid Testing
Read the Squid access log to confirm that the ACLs behave as you intended. Follow the log live while browsing from a client: denied requests show up as TCP_DENIED/403, served ones as TCP_MISS or TCP_HIT.

~]# tail -f /var/log/squid/access.log
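Reading the log by eye works for one client; for a busier proxy it helps to script the two questions you actually want answered: which clients are being denied, and, more importantly for the ACL, whether any request to a blocked site got through. The script below is an added example, not code from the original post or from the Squid project. It embeds a few constructed access.log lines in Squid's native log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, type); the blocked domain and client addresses are the ones used in the configuration above, and the last sample line is a constructed case of a request to the blocked domain being served, which is what a misordered http_access rule looks like in the log.

```shell
#!/bin/sh
# Added example, not from the original post or the Squid project.
# Works on Squid's native access.log format:
#   time elapsed client result/status bytes method URL user hierarchy/peer type
# Constructed sample lines. The last one shows a request to the blocked domain
# that was served (TCP_MISS/200) instead of denied.
SAMPLE_LOG='1273000000.123      0 192.168.1.25 TCP_DENIED/403 1642 GET http://www.google.com/ - NONE/- text/html
1273000001.456    120 192.168.1.25 TCP_MISS/200 5321 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1273000002.789      0 192.168.1.40 TCP_DENIED/403 1640 GET http://intranet.example/hack-tools.zip - NONE/- text/html
1273000003.001      0 192.168.1.25 TCP_DENIED/403 1642 GET http://www.google.com/search?q=x - NONE/- text/html
1273000004.222     45 10.0.0.9 TCP_DENIED/403 1600 CONNECT www.google.com:443 - NONE/- text/html
1273000005.333     88 192.168.1.60 TCP_MISS/200 9000 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html'

# denied_by_client: reads the log on stdin, prints "client count" lines,
# most denied first, for every request Squid refused (TCP_DENIED, any status).
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ }
         END { for (c in n) print c, n[c] }' | sort -k2,2nr -k1,1
}

# denied_total: number of denied requests in the log on stdin.
denied_total() {
    awk '$4 ~ /^TCP_DENIED\// { n++ } END { print n + 0 }'
}

# leaked_requests DOMAIN: lines whose URL host is DOMAIN (or a subdomain of it)
# and that were NOT denied. Any output means the dstdomain ACL is not biting,
# most often because the deny rule sits below an allow that matched first.
leaked_requests() {
    awk -v dom="$1" '
        {
            host = $7
            p = index(host, "://")                     # strip scheme; CONNECT lines have none
            if (p) host = substr(host, p + 3)
            p = index(host, "/"); if (p) host = substr(host, 1, p - 1)   # drop path
            p = index(host, ":"); if (p) host = substr(host, 1, p - 1)   # drop port
            tail = substr(host, length(host) - length(dom))
            if ((host == dom || tail == "." dom) && $4 !~ /^TCP_DENIED\//)
                print
        }'
}

echo "Denied requests per client:"
printf '%s\n' "$SAMPLE_LOG" | denied_by_client
echo "Requests to www.google.com that were not denied:"
printf '%s\n' "$SAMPLE_LOG" | leaked_requests www.google.com
```

On a live proxy, feed the functions with `tail -n 10000 /var/log/squid/access.log | leaked_requests www.google.com`; an empty result after a client has tried the site is the confirmation the section is asking for.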
