Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 6. Configuring the Squid caching proxy server

Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocol, as well as authentication and restricting access.

You can configure Squid as a caching proxy without authentication. The procedure limits access to the proxy based on IP ranges.

Prerequisites

  • The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.

Procedure

  1. Install the squid package: 

    # yum install squid
    Copy to Clipboard Toggle word wrap

  2. Edit the /etc/squid/squid.conf file:

    1. Adapt the localnet access control lists (ACL) to match the IP ranges that should be allowed to use the proxy: 

      acl localnet src 192.0.2.0/24
acl localnet 2001:db8:1::/64
      Copy to Clipboard Toggle word wrap

      By default, the /etc/squid/squid.conf file contains the http_access allow localnet rule that allows using the proxy from all IP ranges specified in localnet ACLs. Note that you must specify all localnet ACLs before the http_access allow localnet rule.

      Important

      Remove all existing acl localnet entries that do not match your environment.

    2. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol: 

      acl SSL_ports port 443
      Copy to Clipboard Toggle word wrap

      If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port: 

      acl SSL_ports port port_number
      Copy to Clipboard Toggle word wrap

    3. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration: 

      acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
      Copy to Clipboard Toggle word wrap

      By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.

    4. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter: 

      cache_dir ufs /var/spool/squid 10000 16 256
      Copy to Clipboard Toggle word wrap

      With these settings:

      • Squid uses the ufs cache type.
      • Squid stores its cache in the /var/spool/squid/ directory.
      • The cache grows up to 10000 MB.
      • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

      • Squid creates 256 sub-directories in each level-1 directory.

        If you do not set a cache_dir directive, Squid stores the cache in memory.

  3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

    1. Create the cache directory: 

      # mkdir -p path_to_cache_directory
      Copy to Clipboard Toggle word wrap

    2. Configure the permissions for the cache directory: 

      # chown squid:squid path_to_cache_directory
      Copy to Clipboard Toggle word wrap

    3. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory: 

      # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
# restorecon -Rv path_to_cache_directory
      Copy to Clipboard Toggle word wrap

      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.

  4. Open the 3128 port in the firewall: 

    # firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  5. Enable and start the squid service: 

    # systemctl enable --now squid
    Copy to Clipboard Toggle word wrap

Verification

To verify that the proxy works correctly, download a web page using the curl utility: 

# curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
Copy to Clipboard Toggle word wrap

If curl does not display any error and the index.html file was downloaded to the current directory, the proxy works.

You can configure Squid as a caching proxy that uses LDAP to authenticate users. The procedure configures that only authenticated users can use the proxy.

Prerequisites

  • The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.
  • An service user, such as uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com exists in the LDAP directory. Squid uses this account only to search for the authenticating user. If the authenticating user exists, Squid binds as this user to the directory to verify the authentication.

Procedure

  1. Install the squid package: 

    # yum install squid
    Copy to Clipboard Toggle word wrap

  2. Edit the /etc/squid/squid.conf file:

    1. To configure the basic_ldap_auth helper utility, add the following configuration entry to the top of /etc/squid/squid.conf: 

      auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
      Copy to Clipboard Toggle word wrap

      The following describes the parameters passed to the basic_ldap_auth helper utility in the example above:

      • -b base_DN sets the LDAP search base.
      • -D proxy_service_user_DN sets the distinguished name (DN) of the account Squid uses to search for the authenticating user in the directory.
      • -W path_to_password_file sets the path to the file that contains the password of the proxy service user. Using a password file prevents that the password is visible in the operating system’s process list.

      • -f LDAP_filter specifies the LDAP search filter. Squid replaces the %s variable with the user name provided by the authenticating user.

        The (&(objectClass=person)(uid=%s)) filter in the example defines that the user name must match the value set in the uid attribute and that the directory entry contains the person object class.

      • -ZZ enforces a TLS-encrypted connection over the LDAP protocol using the STARTTLS command. Omit the -ZZ in the following situations:

        • The LDAP server does not support encrypted connections.
        • The port specified in the URL uses the LDAPS protocol.
      • The -H LDAP_URL parameter specifies the protocol, the host name or IP address, and the port of the LDAP server in URL format.

    2. Add the following ACL and rule to configure that Squid allows only authenticated users to use the proxy: 

      acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
      Copy to Clipboard Toggle word wrap
      Important

      Specify these settings before the http_access deny all rule.

    3. Remove the following rule to disable bypassing the proxy authentication from IP ranges specified in localnet ACLs: 

      http_access allow localnet
      Copy to Clipboard Toggle word wrap

    4. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol: 

      acl SSL_ports port 443
      Copy to Clipboard Toggle word wrap

      If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port: 

      acl SSL_ports port port_number
      Copy to Clipboard Toggle word wrap

    5. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration: 

      acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
      Copy to Clipboard Toggle word wrap

      By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.

    6. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter: 

      cache_dir ufs /var/spool/squid 10000 16 256
      Copy to Clipboard Toggle word wrap

      With these settings:

      • Squid uses the ufs cache type.
      • Squid stores its cache in the /var/spool/squid/ directory.
      • The cache grows up to 10000 MB.
      • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

      • Squid creates 256 sub-directories in each level-1 directory.

        If you do not set a cache_dir directive, Squid stores the cache in memory.

  3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

    1. Create the cache directory: 

      # mkdir -p path_to_cache_directory
      Copy to Clipboard Toggle word wrap

    2. Configure the permissions for the cache directory: 

      # chown squid:squid path_to_cache_directory
      Copy to Clipboard Toggle word wrap

    3. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory: 

      # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
# restorecon -Rv path_to_cache_directory
      Copy to Clipboard Toggle word wrap

      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.

  4. Store the password of the LDAP service user in the /etc/squid/ldap_password file, and set appropriate permissions for the file: 

    # echo "password" > /etc/squid/ldap_password
# chown root:squid /etc/squid/ldap_password
# chmod 640 /etc/squid/ldap_password
    Copy to Clipboard Toggle word wrap

  5. Open the 3128 port in the firewall: 

    # firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  6. Enable and start the squid service: 

    # systemctl enable --now squid
    Copy to Clipboard Toggle word wrap

Verification

To verify that the proxy works correctly, download a web page using the curl utility: 

# curl -O -L "https://www.redhat.com/index.html" -x "user_name:password@proxy.example.com:3128"
Copy to Clipboard Toggle word wrap

If curl does not display any error and the index.html file was downloaded to the current directory, the proxy works.

Troubleshooting steps

To verify that the helper utility works correctly:

  1. Manually start the helper utility with the same settings you used in the auth_param parameter: 

    # /usr/lib64/squid/basic_ldap_auth -b "cn=users,cn=accounts,dc=example,dc=com" -D "uid=proxy_user,cn=users,cn=accounts,dc=example,dc=com" -W /etc/squid/ldap_password -f "(&(objectClass=person)(uid=%s))" -ZZ -H ldap://ldap_server.example.com:389
    Copy to Clipboard Toggle word wrap

  2. Enter a valid user name and password, and press Enter: 

    user_name password
    Copy to Clipboard Toggle word wrap

    If the helper utility returns OK, authentication succeeded.

You can configure Squid as a caching proxy that authenticates users to an Active Directory (AD) using Kerberos. The procedure configures that only authenticated users can use the proxy.

Prerequisites

  • The procedure assumes that the /etc/squid/squid.conf file is as provided by the squid package. If you edited this file before, remove the file and reinstall the package.

Procedure

  1. Install the following packages: 

    # yum install squid krb5-workstation
    Copy to Clipboard Toggle word wrap

  2. Authenticate as the AD domain administrator: 

    # kinit administrator@AD.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  3. Create a keytab for Squid, store it in the /etc/squid/HTTP.keytab file and add the HTTP service principal to the keytab: 

    # export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE -U administrator
# net ads keytab ADD HTTP -U administrator
    Copy to Clipboard Toggle word wrap

  4. Optional: If system is initially joined to the AD domain with realm (via adcli), use following instructions to add HTTP principal and create a keytab file for squid:

    1. Add the HTTP service principal to the default keytab file /etc/krb5.keytab and verify: 

      # adcli update -vvv --domain=ad.example.com --computer-name=PROXY --add-service-principal="HTTP/proxy.ad.example.com" -C
# klist -kte /etc/krb5.keytab | grep -i HTTP
      Copy to Clipboard Toggle word wrap

    2. Load the /etc/krb5.keytab file, remove all service principals except HTTP, and save the remaining principals into the /etc/squid/HTTP.keytab file: 

      # ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l -e
slot | KVNO | Principal
-----------------------------------------------------------------------------
1 |    2 |            PROXY$@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 |    2 |            PROXY$@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
3 |    2 |         host/PROXY@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
4 |    2 |         host/PROXY@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
5 |    2 | host/proxy.ad.example.com@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
6 |    2 | host/proxy.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
7 |    2 | HTTP/proxy.ad.example.com@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
8 |    2 | HTTP/proxy.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
      Copy to Clipboard Toggle word wrap

      In the interactive shell of ktutil, you can use the different options, until all unwanted principals are removed from keytab, for example: 

      ktutil:  delent 1
      Copy to Clipboard Toggle word wrap 
      ktutil:  l -e

slot | KVNO | Principal
-------------------------------------------------------------------------------
1 |   2 | HTTP/proxy.ad.example.com@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 |   2 | HTTP/proxy.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)

ktutil:  wkt /etc/squid/HTTP.keytab
ktutil:  q
      Copy to Clipboard Toggle word wrap
      Warning

      The keys in /etc/krb5.keytab might get updated if SSSD or Samba/winbind will update the machine account password. After the update, the key in /etc/squid/HTTP.keytab will stop working, and you will need to perform the ktutil steps again to copy the new keys into the keytab.

  5. Set the owner of the keytab file to the squid user: 

    # chown squid /etc/squid/HTTP.keytab
    Copy to Clipboard Toggle word wrap

  6. Optional: Verify that the keytab file contains the HTTP service principal for the fully-qualified domain name (FQDN) of the proxy server: 

    # klist -k /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ---------------------------------------------------
...
   2 HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
...
    Copy to Clipboard Toggle word wrap

  7. Edit the /etc/squid/squid.conf file:

    1. To configure the negotiate_kerberos_auth helper utility, add the following configuration entry to the top of /etc/squid/squid.conf: 

      auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/proxy.ad.example.com@AD.EXAMPLE.COM
      Copy to Clipboard Toggle word wrap

      The following describes the parameters passed to the negotiate_kerberos_auth helper utility in the example above:

      • -k file sets the path to the key tab file. Note that the squid user must have read permissions on this file.

      • -s HTTP/host_name@kerberos_realm sets the Kerberos principal that Squid uses.

        Optionally, you can enable logging by passing one or both of the following parameters to the helper utility:

      • -i logs informational messages, such as the authenticating user.

      • -d enables debug logging.

        Squid logs the debugging information from the helper utility to the /var/log/squid/cache.log file.

    2. Add the following ACL and rule to configure that Squid allows only authenticated users to use the proxy: 

      acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth
      Copy to Clipboard Toggle word wrap
      Important

      Specify these settings before the http_access deny all rule.

    3. Remove the following rule to disable bypassing the proxy authentication from IP ranges specified in localnet ACLs: 

      http_access allow localnet
      Copy to Clipboard Toggle word wrap

    4. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol: 

      acl SSL_ports port 443
      Copy to Clipboard Toggle word wrap

      If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port: 

      acl SSL_ports port port_number
      Copy to Clipboard Toggle word wrap

    5. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration: 

      acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
      Copy to Clipboard Toggle word wrap

      By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.

    6. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter: 

      cache_dir ufs /var/spool/squid 10000 16 256
      Copy to Clipboard Toggle word wrap

      With these settings:

      • Squid uses the ufs cache type.
      • Squid stores its cache in the /var/spool/squid/ directory.
      • The cache grows up to 10000 MB.
      • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

      • Squid creates 256 sub-directories in each level-1 directory.

        If you do not set a cache_dir directive, Squid stores the cache in memory.

  8. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

    1. Create the cache directory: 

      # mkdir -p path_to_cache_directory
      Copy to Clipboard Toggle word wrap

    2. Configure the permissions for the cache directory: 

      # chown squid:squid path_to_cache_directory
      Copy to Clipboard Toggle word wrap

    3. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory: 

      # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
# restorecon -Rv path_to_cache_directory
      Copy to Clipboard Toggle word wrap

      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.

  9. Open the 3128 port in the firewall: 

    # firewall-cmd --permanent --add-port=3128/tcp
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  10. Enable and start the squid service: 

    # systemctl enable --now squid
    Copy to Clipboard Toggle word wrap

Verification

  • To verify that the proxy works correctly, download a web page using the curl utility: 

    # curl -O -L "https://www.redhat.com/index.html" --proxy-negotiate -u : -x "proxy.ad.example.com:3128"
    Copy to Clipboard Toggle word wrap

    If curl does not display any error and the index.html file exists in the current directory, the proxy works.

Troubleshooting steps

  1. Obtain a Kerberos ticket for the AD account: 

    # kinit user@AD.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. Optional: Display the ticket: 

    # klist
    Copy to Clipboard Toggle word wrap

  3. Use the negotiate_kerberos_auth_test utility to test the authentication: 

    # /usr/lib64/squid/negotiate_kerberos_auth_test proxy.ad.example.com
    Copy to Clipboard Toggle word wrap

    If the helper utility returns a token, the authentication succeeded: 

    Token: YIIFtAYGKwYBBQUCoIIFqDC...
    Copy to Clipboard Toggle word wrap

6.4. Configuring a domain deny list in Squid
Copier lien

Frequently, administrators want to block access to specific domains. This section describes how to configure a domain deny list in Squid.

Prerequisites

  • Squid is configured, and users can use the proxy.

Procedure

  1. Edit the /etc/squid/squid.conf file and add the following settings: 

    acl domain_deny_list dstdomain "/etc/squid/domain_deny_list.txt"
http_access deny all domain_deny_list
    Copy to Clipboard Toggle word wrap
    Important

    Add these entries before the first http_access allow statement that allows access to users or clients.

  2. Create the /etc/squid/domain_deny_list.txt file and add the domains you want to block. For example, to block access to example.com including subdomains and to block example.net, add: 

    .example.com
example.net
    Copy to Clipboard Toggle word wrap
    Important

    If you referred to the /etc/squid/domain_deny_list.txt file in the squid configuration, this file must not be empty. If the file is empty, Squid fails to start.

  3. Restart the squid service: 

    # systemctl restart squid
    Copy to Clipboard Toggle word wrap

By default, the Squid proxy service listens on the 3128 port on all network interfaces. You can change the port and configuring Squid to listen on a specific IP address.

Prerequisites

  • The squid package is installed.

Procedure

  1. Edit the /etc/squid/squid.conf file:

    • To set the port on which the Squid service listens, set the port number in the http_port parameter. For example, to set the port to 8080, set: 

      http_port 8080
      Copy to Clipboard Toggle word wrap

    • To configure on which IP address the Squid service listens, set the IP address and port number in the http_port parameter. For example, to configure that Squid listens only on the 192.0.2.1 IP address on port 3128, set: 

      http_port 192.0.2.1:3128
      Copy to Clipboard Toggle word wrap

      Add multiple http_port parameters to the configuration file to configure that Squid listens on multiple ports and IP addresses: 

      http_port 192.0.2.1:3128
http_port 192.0.2.1:8080
      Copy to Clipboard Toggle word wrap

  2. If you configured that Squid uses a different port as the default (3128):

    1. Open the port in the firewall: 

      # firewall-cmd --permanent --add-port=port_number/tcp
# firewall-cmd --reload
      Copy to Clipboard Toggle word wrap

    2. If you run SELinux in enforcing mode, assign the port to the squid_port_t port type definition: 

      # semanage port -a -t squid_port_t -p tcp port_number
      Copy to Clipboard Toggle word wrap

      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.

  3. Restart the squid service: 

    # systemctl restart squid
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat