Chapter 16. Configuring the Squid Caching Proxy Server
Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as authentication and restricting access.
16.1. Setting up Squid as a Caching Proxy Without Authentication
This section describes a basic configuration of Squid as a caching proxy without authentication. The procedure limits access to the proxy based on IP ranges.
Prerequisites
- The procedure assumes that the
/etc/squid/squid.conffile is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.
Procedure
- Install the squid package:
# yum install squid
- Edit the
/etc/squid/squid.conffile:- Adapt the
localnetaccess control lists (ACL) to match the IP ranges that should be allowed to use the proxy:acl localnet src 192.0.2.0/24 acl localnet 2001:db8::/32
By default, the/etc/squid/squid.conffile contains thehttp_access allow localnetrule that allows using the proxy from all IP ranges specified inlocalnetACLs. Note that you must specify alllocalnetACLs before thehttp_access allow localnetrule.Important
Remove all existingacl localnetentries that do not match your environment. - The following ACL exists in the default configuration and defines
443as a port that uses the HTTPS protocol:acl SSL_ports port 443
If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:acl SSL_ports port port_number
- Update the list of
acl Safe_portsrules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the followingacl Safe_portsstatements in the configuration:acl Safe_ports port 21 acl Safe_ports port 80 acl Safe_ports port 443
By default, the configuration contains thehttp_access deny !Safe_portsrule that defines access denial to ports that are not defined inSafe_portsACLs. - Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the
cache_dirparameter:cache_dir ufs /var/spool/squid 10000 16 256
With these settings:- Squid uses the
ufscache type. - Squid stores its cache in the
/var/spool/squid/directory. - The cache grows up to
10000MB. - Squid creates
16level-1 sub-directories in the/var/spool/squid/directory. - Squid creates
256sub-directories in each level-1 directory.
If you do not set acache_dirdirective, Squid stores the cache in memory.
- If you set a different cache directory than
/var/spool/squid/in thecache_dirparameter:- Create the cache directory:
# mkdir -p path_to_cache_directory
- Configure the permissions for the cache directory:
# chown squid:squid path_to_cache_directory
- If you run SELinux in
enforcingmode, set thesquid_cache_tcontext for the cache directory:# semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?" # restorecon -Rv path_to_cache_directory
If thesemanageutility is not available on your system, install the policycoreutils-python-utils package.
- Open the
3128port in the firewall:# firewall-cmd --permanent --add-port=3128/tcp # firewall-cmd --reload
- Start the
squidservice:# systemctl start squid
- Enable the
squidservice to start automatically when the system boots:# systemctl enable squid
Verification Steps
To verify that the proxy works correctly, download a web page using the
curl utility:
# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
If
curl does not display any error and the index.html file was downloaded to the current directory, the proxy works.
