How-To: Configuring Squid Caching Server (CentOS 7) | Zak Emerick's IT Blog

My IT blog for random ideas and solutions.

How-To: Configuring Squid Caching Server (CentOS 7)

Tags: , , ,

I had an interest in setting up a Squid caching server to see if I could save any bandwidth in my home environment. I found that the information online was lacking in this area so I decided to do a quick write up on the matter.
This post is not to configure an intercepting proxy server. This setup will have the proxy sitting out-of-line of the internet traffic that it’s caching. If you’re looking for a tutorial for an inline proxy– this is not it. . . .On to the meat.

First, you need a server to host the squid server on. I chose a CentOS 7 VM. This box is configured with just 4096MB of RAM and 2 vCPUs. This is definitely on the light side of what a squid proxy could use, but given my home needs, this should be sufficient.
I’m not going to walk through installing CentOS or setting up the networking since there is a plethora of tutorials on that aspect of the configuration.

NOTE: I’m assuming you are logged in as root

  • Disable SELinux
  • nano /etc/selinux/config
    

    Look for SELINUX= line and change it to SELINUX=disabled

  • Disable Firewalld
  • systemctl disable firewalld
    systemctl stop firewalld
    
  • Reboot the server
  • reboot
    

    When the server comes back up you need to update the OS.

    yum upgrade
    

    Now to install squid

    yum install squid
    

    Now we need to edit the squid configuration file.

    nano /etc/squid/squid.conf
    

    NOTE: The below configuration is taken straight from a working config file. All you should have to do is modify for your environment. The main portions that need modified have been denoted with <>‘s. I have also denoted in comments what I have changed outside of the default config.

    #
    # Recommended minimum configuration:
    #
    visible_hostname <HOSTNAME (can be FQDN)>
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    # I do not need any of these subnets to be allowed so I commented them out with the exception of the 192.168.0.0/16 subnet.
    #acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
    #acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
    acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
    #acl localnet src fc00::/7       # RFC 4193 local private network range
    #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
    # This line is to configure who can access the cacheManager
    acl managerAdmin src 192.168.0.0/16
    
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    # Added this line for cache administration from alternate subnets
    http_access allow managerAdmin manager
    http_access deny manager
    
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    
    # And finally deny all other access to this proxy
    # The default here is to default to deny. I don't care who accesses the proxy (it's not for security) so I allow all
    http_access allow all
    
    # Squid normally listens to port 3128
    # ALWAYS declare the IP of the server. Otherwise, it will most likely default to IPv6
    http_port <IP OF SERVER>:3128
    
    
    # Uncomment and adjust the following to add a disk cache directory.
    # I changed this to 5000 from 100 (MBs). This is the amount of space that Squid will use on disk.
    cache_dir ufs /var/spool/squid 5000 16 256
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid
    
    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    

    After all this is configured save the file and close it.

  • Set squid to always start
  • chkconfig squid on
    
  • Start squid
  • service squid start
    

    If everything went ok you can do a quick test.

    First, watch the access.log

    tail -f /var/log/squid/access.log
    

    Next try to visit the proxy directly by opening up a browser from another computer.

    http://<IP OF Server>:3128
    

    If you see the access.log get a new entry your proxy is up and running!

    85 Total Views 1 Views Today


    Post a Comment

    Your email address will not be published. Required fields are marked *

     characters available