Chapter 16. Configuring the Squid Caching Proxy Server
Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as authentication and restricting access.
16.1. Setting up Squid as a Caching Proxy Without Authentication
This section describes a basic configuration of Squid as a caching proxy without authentication. The procedure limits access to the proxy based on IP ranges.
Prerequisites
- The procedure assumes that the
/etc/squid/squid.conf
file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.
Procedure
- Install the squid package:
# yum install squid
- Edit the
/etc/squid/squid.conf
file:- Adapt the
localnet
access control lists (ACL) to match the IP ranges that should be allowed to use the proxy:acl localnet src 192.0.2.0/24 acl localnet 2001:db8::/32
By default, the/etc/squid/squid.conf
file contains thehttp_access allow localnet
rule that allows using the proxy from all IP ranges specified inlocalnet
ACLs. Note that you must specify alllocalnet
ACLs before thehttp_access allow localnet
rule.Important
Remove all existingacl localnet
entries that do not match your environment. - The following ACL exists in the default configuration and defines
443
as a port that uses the HTTPS protocol:acl SSL_ports port 443
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:acl SSL_ports port port_number
- Update the list of
acl Safe_ports
rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the followingacl Safe_ports
statements in the configuration:acl Safe_ports port 21 acl Safe_ports port 80 acl Safe_ports port 443
By default, the configuration contains thehttp_access deny !Safe_ports
rule that defines access denial to ports that are not defined inSafe_ports
ACLs. - Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the
cache_dir
parameter:cache_dir ufs /var/spool/squid 10000 16 256
With these settings:- Squid uses the
ufs
cache type. - Squid stores its cache in the
/var/spool/squid/
directory. - The cache grows up to
10000
MB. - Squid creates
16
level-1 sub-directories in the/var/spool/squid/
directory. - Squid creates
256
sub-directories in each level-1 directory.
If you do not set acache_dir
directive, Squid stores the cache in memory.
- If you set a different cache directory than
/var/spool/squid/
in thecache_dir
parameter:- Create the cache directory:
# mkdir -p path_to_cache_directory
- Configure the permissions for the cache directory:
# chown squid:squid path_to_cache_directory
- If you run SELinux in
enforcing
mode, set thesquid_cache_t
context for the cache directory:# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?" # restorecon -Rv path_to_cache_directory
If thesemanage
utility is not available on your system, install the policycoreutils-python-utils package.
- Open the
3128
port in the firewall:# firewall-cmd --permanent --add-port=3128/tcp # firewall-cmd --reload
- Start the
squid
service:# systemctl start squid
- Enable the
squid
service to start automatically when the system boots:# systemctl enable squid
Verification Steps
To verify that the proxy works correctly, download a web page using the
curl
utility:
# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
If
curl
does not display any error and the index.html
file was downloaded to the current directory, the proxy works.