Squid Configuration Installation

Download as pdf or txt
Download as pdf or txt
You are on page 1of 5

Squid : Install

2014/07/21

Install Squid to configure Proxy server.


[1] Install Squid.
[root@prox ~]# yum -y install squid
[2] This is general forward proxy settings.
[root@prox ~]# vi /etc/squid/squid.conf
acl CONNECT method CONNECT
# line 26: add ( define new ACL )

acl lan src 10.0.0.0/24


http_access allow localhost
# line 54: add ( allow defined ACL above )

http_access allow lan


# add follows to the end

request_header_access Referer deny all


request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# do not display IP address

forwarded_for off
[root@prox ~]# systemctl start squid

[root@prox ~]# systemctl enable squid

[3] If Firewalld is running, allow Proxy service.


[root@dlp ~]# firewall-cmd --add-service=squid --permanent

success
[root@dlp ~]# firewall-cmd --reload

success

Squid : Basic Authentication


2014/07/24

Set Basic Authentication and limit squid for users to require authentication.
[1] Install a package which includes htpasswd.
[root@prox ~]# yum -y install httpd-tools
[2] Configure Squid to set Basic Auth.
[root@prox ~]# vi /etc/squid/squid.conf
acl CONNECT method CONNECT
# line 26: add follows for Basic Auth

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd


auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 5 hours
acl password proxy_auth REQUIRED
http_access allow password
# add a user : create a new file with "-c" ( add the "-c" option only for the initial registration )

[root@prox ~]# htpasswd -c /etc/squid/.htpasswd hnh

New password: # set password

Re-type new password:


Adding password for user hnh
systemctl restart squid

# install from EPEL

[root@prox ~]# yum --enablerepo=epel -y install clamav-scanner clamav-scanner-systemd


[root@prox ~]# vi /etc/clamd.d/scan.conf
# line 8: comment out

#
Example
# line 14: uncomment

LogFile /var/log/clamd.scan
# line 66: uncomment

PidFile /var/run/clamd.scan/clamd.pid
# line 70: uncomment

TemporaryDirectory /var/tmp
# line 85: uncomment

LocalSocket /var/run/clamd.scan/clamd.sock
# line 101: uncomment

TCPSocket 3310
[root@prox ~]# touch /var/log/clamd.scan

[root@prox ~]# chown clamscan. /var/log/clamd.scan

[root@prox ~]# systemctl start clamd@scan

[root@prox ~]# systemctl enable clamd@scan

[3] If SELinux is enabled, configure like follows to start clamd.


[root@prox ~]# restorecon -v /var/log/clamd.scan
[4] Install c-icap.
[root@prox ~]# yum -y install gcc make

[root@prox ~]# curl -L -O http://downloads.sourceforge.net/project/c-icap/c-icap/0.4.x/c_icap-


0.4.2.tar.gz
[root@prox ~]# tar zxvf c_icap-0.4.2.tar.gz

[root@prox ~]# cd c_icap-0.4.2

[root@prox c_icap-0.4.2]# ./configure

[root@prox c_icap-0.4.2]# make

[root@prox c_icap-0.4.2]# make install

[root@prox c_icap-0.4.2]# cd

[root@prox ~]# cp /usr/local/etc/c-icap.conf /etc

[root@prox ~]# vi /etc/c-icap.conf


# line 161: change admin address

ServerAdmin [email protected]
# line 170: change hostname

ServerName prox.srv.world
# line 568: add

Service squidclamav squidclamav.so


[root@prox ~]# vi /etc/tmpfiles.d/c-icap.conf
# create new

d /var/run/c-icap 0755 root root -


[root@prox ~]# vi /usr/lib/systemd/system/c-icap.service
# create new

[Unit]
Description=c-icap service
After=network.target

[Service]
Type=forking
PIDFile=/var/run/c-icap/c-icap.pid
ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf
KillMode=process

[Install]
WantedBy=multi-user.target

[5] Install SquidClamav ( Download latest version of it from the following link ).
http://sourceforge.net/projects/squidclamav/files/squidclamav/
[root@prox ~]# curl -L -O
http://downloads.sourceforge.net/project/squidclamav/squidclamav/6.14/squidclamav-6.14.tar.gz

[root@prox ~]# tar zxvf squidclamav-6.14.tar.gz

[root@prox ~]# cd squidclamav-6.14


[root@prox squidclamav-6.14]# ./configure --with-c-icap

[root@prox squidclamav-6.14]# make

[root@prox squidclamav-6.14]# make install

[root@prox squidclamav-6.14]# cd

[root@prox ~]# ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf

[root@prox ~]# vi /etc/squidclamav.conf


# line 18: change( destination URL for redirect. Create it first )

redirect http://www.srv.world/error.html
# line 27: change( same with clamd )

clamd_local /var/run/clamd.scan/clamd.sock
[6] Configure Squid.
[root@prox ~]# vi /etc/squid/squid.conf
# add follows to the end

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
[root@prox ~]# systemctl start c-icap

[root@prox ~]# systemctl enable c-icap

[root@prox ~]# systemctl restart squid

Squid : Squid + SquidGuard


2014/09/30

Configure Squid + SquidGuard to set contents filtering.


[1] Install SquidGuard.
# install from EPEL

[root@prox ~]# yum --enablerepo=epel -y install squidGuard


[root@prox ~]# mv /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.org

[root@prox ~]# vi /etc/squid/squidGuard.conf


# create new

dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard
# define 'deny' category

dest deny {
# define prohibited domain list in 'deny' category

domainlist deny/domains
# define prohibited URL list in 'deny' category

urllist deny/urls
}
acl {
default {
# permit all except 'deny' category

pass !deny all


# the redirected URL if matches 'deny'

redirect http://www.srv.world/error.html
}
}
[root@prox ~]# mkdir -p /var/lib/squidGuard/db/deny

[root@prox ~]# vi /var/lib/squidGuard/db/deny/domains


# write domains you'd like to prohibit to access

yahoo.co.jp
example.com
[root@prox ~]# vi /var/lib/squidGuard/db/deny/urls
# write URLs you'd like to prohibit to access

www.yahoo.co.jp/deny/
www.example.com/
[root@prox ~]# squidGuard -C all

[root@prox ~]# chown -R squid. /var/lib/squidGuard/db/deny

[root@prox ~]# vi /etc/squid/squid.conf


# add follows to the end

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf


[root@prox ~]# systemctl restart squid

[2] If SELinux is enabled, change rules like follows.


[root@prox ~]# chcon -R -t squid_cache_t /var/lib/squidGuard

[root@prox ~]# semanage fcontext -a -t squid_cache_t /var/lib/squidGuard

You might also like