Fedora iTOps Tube

Friday, November 25, 2011

Configuring Squid Proxies

Squid offers many options to manage access to the web for security, legal, and resource-utilization reasons. We'll cover a few of these in the sections that follow.

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or a source network. The ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.


Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.


Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the chapter's examples, I've suggested that you place your statements at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above that last line.


Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.

Restricting Web Access By Time

You can create access control lists with time parameters. For example, you can allow only business-hour access from the home network, while always restricting access from host 192.168.1.23.



#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:


#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
 
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

Restricting Access to Specific Web Sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.


# File: /usr/local/etc/allowed-sites.squid

# File: /usr/local/etc/restricted-sites.squid

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.


#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites  dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

Restricting Web Access By IP Address

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.


#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0

You also have to add a corresponding http_access statement that allows traffic that matches the ACL:


#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network

Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it's done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it's universally readable.


[root@bigboy tmp]# touch /etc/squid/squid_passwd
[root@bigboy tmp]# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at any time without having to restart Squid. In this case, you add a username called www:


[root@bigboy tmp]# htpasswd /etc/squid/squid_passwd www
New password:
Re-type new password:
Adding password for user www
[root@bigboy tmp]#

3) Find your ncsa_auth file using the locate command.


[root@bigboy tmp]# locate ncsa_auth
/usr/lib/squid/ncsa_auth
[root@bigboy tmp]#

4) Edit squid.conf. Specifically, you need to define the authentication program, which in this case is ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important:


#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
 
#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
 
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This example requires password authentication and allows access only during business hours. Once again, the order of the statements is important:


#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
 
#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

Remember to restart Squid for the changes to take effect.
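To see how the top-to-bottom matching described above plays out across the time, site-list and authentication examples in this chapter, here is an added Python model of Squid's first-match http_access evaluation. It is example code written for this page, not Squid's own implementation. It parses the chapter's acl and http_access lines for the src, time, dstdomain and proxy_auth REQUIRED types, evaluates constructed sample requests against them, and reports which http_access line decided each one. The contents of the two domain-list files and the sample requests are constructed here; the page does not show them.

```python
# Toy model of Squid's http_access evaluation (added example, not Squid code).
# Every ACL named on an http_access line must match (AND); lines are tried
# top to bottom and the first matching line decides (first match wins).
import ipaddress
import shlex
from datetime import datetime

# Squid's day letters for "acl ... time": S M T W H F A = Sun..Sat, mapped to datetime.weekday()
DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Constructed stand-ins for the chapter's list files (their real contents are not on the page).
# A leading dot means "this domain and all its subdomains", as in Squid's dstdomain type.
FILES = {
    "/usr/local/etc/allowed-sites.squid": ".example.org\nintranet.example.com\n",
    "/usr/local/etc/restricted-sites.squid": ".games.example\n",
}

# The chapter's ACLs and http_access lines combined into one ordered list.
SQUID_CONF = """
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites  dstdomain "/usr/local/etc/restricted-sites.squid"
acl ncsa_users proxy_auth REQUIRED

http_access deny RestrictedHost
http_access deny BadSites
http_access allow ncsa_users home_network business_hours GoodSites
http_access deny all   # the catch-all the chapter says must stay last
"""


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_conf(text, files=FILES):
    """Return ({acl_name: [(type, args), ...]}, [(action, [acl_names]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)                     # strips the quotes around file names
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "dstdomain" and len(args) == 1 and args[0] in files:
                args = files[args[0]].split()         # one domain per line in the file
            elif kind == "time":
                days = {DAYS[c] for tok in args if "-" not in tok for c in tok}
                spans = [tuple(_minutes(t) for t in tok.split("-")) for tok in args if "-" in tok]
                args = (days or set(range(7)), spans[0] if spans else None)  # no days = every day
            elif kind == "src":
                args = [ipaddress.ip_network(a, strict=False) for a in args]  # accepts /24 or /mask
            acls.setdefault(name, []).append((kind, args))  # repeated acl names are OR-ed
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if the named ACL matches the request; 'all' is Squid 3's built-in match-everything ACL."""
    if name == "all":
        return True
    for kind, args in acls[name]:
        if kind == "src" and any(ipaddress.ip_address(req["src"]) in net for net in args):
            return True
        if kind == "time":
            days, span = args
            now = req["when"]
            mins = now.hour * 60 + now.minute
            if now.weekday() in days and (span is None or span[0] <= mins <= span[1]):
                return True
        if kind == "dstdomain":
            host = req["host"].lower()
            for dom in (d.lower() for d in args):
                if host == dom or (dom.startswith(".") and (host == dom[1:] or host.endswith(dom))):
                    return True
        if kind == "proxy_auth" and req.get("user"):   # REQUIRED: any authenticated user matches
            return True
    return False


def http_access(acls, rules, req):
    """First-match evaluation; returns (action, 1-based number of the deciding http_access line)."""
    for lineno, (action, names) in enumerate(rules, 1):
        if all(acl_matches(acls, n, req) for n in names):
            return action, lineno
    return "deny", None   # reached only if the config lacks a catch-all line


def sample_requests():
    """Constructed requests: Tuesday 2011-11-22 10:30 is a weekday inside business hours."""
    tuesday = datetime(2011, 11, 22, 10, 30)
    base = {"src": "192.168.1.50", "host": "www.example.org", "user": "www", "when": tuesday}
    variants = [
        ("ok", {}),
        ("restricted host", {"src": "192.168.1.23"}),
        ("bad site", {"host": "play.games.example"}),
        ("no login", {"user": None}),
        ("saturday", {"when": datetime(2011, 11, 26, 10, 30)}),
    ]
    return [(label, {**base, **changes}) for label, changes in variants]


def run_samples(conf=SQUID_CONF):
    """Map each sample label to (action, deciding http_access line number)."""
    acls, rules = parse_conf(conf)
    return {label: http_access(acls, rules, req) for label, req in sample_requests()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:16} -> {result}")
```

Only the fully authenticated, in-hours, home-network request to an allowed site reaches the allow line; the restricted host and the blocked domain are stopped by the two deny lines above it, and a missing login or a Saturday request falls through to the final deny. Feeding run_samples() a copy of the config with `http_access deny home_network` inserted above the allow line shows the shadowing pitfall the chapter warns about: every home-network request then hits that deny first and the allow line never fires. The model omits one real Squid behaviour, the fallback for a request that matches no line at all (the opposite of the last line's action), which is a further reason to keep the explicit deny at the end.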

General Squid Configuration Guidelines

Each Squid server in your administrative zone has to be uniquely identifiable by either its hostname listed in the /etc/hosts file or the value set in the visible_hostname directive in squid.conf. This is especially important in more complex configurations where clusters of Squid servers pool their resources in order to achieve some common caching goal.

Your /etc/hosts file should be configured with your server's hostname at the end of the localhost line. In this example the server name "bigboy" has been correctly added.


# File: /etc/hosts
127.0.0.1   localhost localhost.localdomain bigboy

If you want to give your Squid process a name that is different from your hostname, then add the visible_hostname directive to your squid.conf file. In this example, we give the server the hostname "cache-001".


# File: squid.conf
visible_hostname cache-001

Misconfigured Squid instances give an error like this when the hostname isn't correctly defined:


WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.


Now it's time to configure proxies and reverse proxies.

Squid Configuration Files

You can define most of Squid's configuration parameters in the squid.conf file, which may be located in either the /etc or the /etc/squid directory depending on your version of Linux.

Remember to restart Squid after you make any changes to your configuration files. This is the only way to activate the new settings.

Starting Squid

The methodologies vary depending on the variant of Linux you are using as you'll see next.


Fedora / CentOS / RedHat

With these flavors of Linux you can use the chkconfig command to get squid configured to start at boot:


[root@bigboy tmp]# chkconfig squid on


To start, stop, and restart squid after booting use the service command:


[root@bigboy tmp]# service squid start
[root@bigboy tmp]# service squid stop
[root@bigboy tmp]# service squid restart

To determine whether squid is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the squid daemons.


[root@bigboy tmp]# service squid status
[root@bigboy tmp]# pgrep squid

Note: Remember to run the chkconfig command at least once to ensure squid starts automatically on your next reboot.


Ubuntu / Debian

With these flavors of Linux the commands are different. Try installing the sysv-rc-conf and sysvinit-utils DEB packages as they provide commands that simplify the process. (For help on downloading and installing the packages, see Chapter 6, "Installing Linux Software".) You can use the sysv-rc-conf command to get squid configured to start at boot:


user@ubuntu:~$ sudo sysv-rc-conf squid on


To start, stop, and restart squid after booting the service command is the same:


user@ubuntu:~$ sudo service squid start
user@ubuntu:~$ sudo service squid stop
user@ubuntu:~$ sudo service squid restart

To determine whether squid is running you can issue either of these two commands. The first will give a status message. The second will return the process ID numbers of the squid daemons.


user@ubuntu:~$ sudo service squid status
user@ubuntu:~$ pgrep squid

Note: Remember to run the sysv-rc-conf command at least once to ensure squid starts automatically on your next reboot.

Download and Install The Squid Package

Most RedHat and Fedora Linux software product packages are available in the RPM format, whereas Debian and Ubuntu Linux use DEB format installation files. When searching for these packages remember that the filename usually starts with the software package name and is followed by a version number, as in squid-3.1.9-3.fc14.i686.rpm. (For help on downloading and installing the package, see Chapter 6, "Installing Linux Software").

Reasons to Create a Squid Reverse Proxy

The Apache web server distributes its load across multiple sister threads. When the number of queries from web surfers gets too high, more short-lived httpd thread processes are created to handle the increased connections. Creating these threads is usually CPU intensive and can make your server sluggish in extreme cases.

Squid can reduce the need to create these threads by aggregating incoming requests from multiple web surfers and converting them into a single stream encapsulated in a single connection.

In the reverse proxy configuration, Squid caches the Apache httpd responses in memory. It will respond with this stored data instead of querying Apache whenever possible.

The combination of caching and reverse proxying makes Squid an asset in reducing load, and increasing the responsiveness of your Apache server.

Reasons to Create a Squid Proxy

Two important goals of many small businesses are to:

  • Reduce Internet bandwidth charges
  • Limit access to the Web to only authorized users.

The Squid web caching proxy server can achieve these fairly easily.

Users configure their web browsers to use the Squid proxy server instead of going to the web directly. The Squid server then checks its web cache for the web information requested by the user. It will return any matching information that it finds in its cache; if there is none, it will go to the web to find it on behalf of the user. Once it finds the information, it will populate its cache with it and also forward it to the user's web browser.

As you can see, this reduces the amount of data accessed from the web. Another advantage is that you can configure your firewall to accept outbound HTTP web traffic only from the Squid server and from no one else. Squid can then be configured to request usernames and passwords from each user that uses its services. This provides simple access control to the Internet.

Introduction - Controlling Web Access with Squid

In a vote, a proxy is a single person who represents the interests of many others and votes on their behalf. For example, in the United States, a single vote from a senator represents all the voters in his or her state.


Squid is a proxy in a different sense. It aggregates the requests of many web surfers that use it into a single stream of requests. When the Squid server aggregates multiple outbound connections, it is called a proxy. When it aggregates multiple inbound connections it is called a reverse proxy. This is also called "accelerator mode". There are many reasons to configure Squid to function in either role. Some of them will be discussed next.