How to build a Squid transparent Web Proxy System on CentOS or RHEL?

How to build a Squid transparent Web Proxy System on CentOS or RHEL?

Bkjia: In the previous tutorial, we introduced how to build a gateway using the user space application iptables. For details, see http://xmodulo.com/2014/06/internet-connection-sharing-iptables-linux.html. This tutorial will focus on turning the gateway into a transparent proxy server. If the client does not realize that the request is processed by a proxy, the proxy is called a "Transparent" proxy.

There are several benefits to using transparent proxy. First, for end users, transparent proxy can improve the Internet browsing experience, because it caches frequently accessed website content and minimizes the configuration overhead. For administrators, transparent proxy can be used to execute various management policies, such as content/URL/IP filtering and Rate limiting.

The proxy server acts as an intermediary between the client and the destination server. The client sends the request to the proxy server. Then, the proxy server evaluates the request and takes necessary actions. In this tutorial, we will use Squid to build a Web proxy server, while Squid is a robust, customizable, and stable proxy server. Personally, I managed a Squid server with more than 400 client workstations in the past year. Although on average I have to restart the Service about once a month, the processor and storage usage, throughput, and client response time are both good.

We will configure Squid to obtain the following topology. The CentOS/RHEL device has a network adapter eth0) connected to the VPC, And the other network adapter eth1) connected to the Internet.

Install Squid

To use Squid to build a transparent proxy system, we must first add necessary iptables rules. These rules should help you get started, but make sure they do not conflict with any existing configuration.

 
 

  
  
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE  
  
  
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 
 
 

The first rule will cause all outbound packets from the eth1 wan interface to have the source IP address of eth1, that is, enable NAT ). The second rule will redirect all inbound HTTP packets from the eth0 LAN interface to TCP 80) to the Squid listening port TCP 3128 instead of directly forwarding the packets to the WAN interface.

We use yum to start installing Squid.

 
 

  
  
# yum install squid 
 
 

Now we will change the Squid configuration to a transparent proxy system. We define a LAN subnet, for example, 10.10.10.0/24) as a valid client network. Access to any traffic that is not from the LAN subnet will be denied.

 
 

  
  
# Vim/etc/squid. conf
  
  
Visible_hostname proxy. example. tst
  
  
Http_port 3128 transparent
  
  
# Define our network # acl our_network src 10.10.10.0/24
  
  
# Ensure that our network is accessible # http_access allow our_network
  
  
# Reject all other traffic # http_access deny all
 
 

Now we enable the Squid service to make sure it has been added to the startup Item.

 
 

  
  
# service squid start  
  
  
# chkconfig squid on 
 
 

As Squid has been set up and run, we can test its function. Therefore, we only need to monitor Squid logs. Access any URL from the computer connected to the LAN. You should see the following content in the log.

 
 

  
  
# tailf /var/log/squid/access.log  
  
  
1402987348.816 1048 10.10.10.10 TCP_MISS/302 752  
  
  
GET http://www.google.com/ - DIRECT/173.194.39.178  
  
  
text/html  
  
  
1402987349.416 445 10.10.10.10 TCP_MISS/302 762  
  
  
GET http://www.google.com.bd/? - DIRECT/173.194.78.  
  
  
94 text/html 
 
 

According to the log file, the machine with the IP address 10.10.10.10 tried to access google.com and Squid processed the request.

A basic Squid Proxy Server is now ready. For the rest of this tutorial, we will adjust some Squid parameters to control outbound traffic. Note: This is only for demonstration. Actual policies should be customized to meet your specific requirements.

Preparations

Before starting configuration, let's clarify several key points.

Squid configuration Parsing

While reading the configuration file, Squid parses the file in a top-down manner. Resolve rules from top to bottom until matching is found. Once a match is found, the rule is executed. Any other rules under the rule will be ignored. Therefore, the best practice for adding filter rules is to specify rules in the following order.

Explicit allow

Explicit deny

Allow entire LAN

Deny all

Squid restart and Squid Reconfiguration

Once the Squid configuration has been changed, the Squid service needs to be restarted. It may take several minutes to restart the service, depending on the number of active connections. During this period, LAN users cannot access the Internet. To avoid service interruption, we can use the following command instead of "service squid restart ".

 
 

  
  
# squid -k reconfigure 
 
 

This command allows Squid to run with updated parameters without restarting itself.

Filter LAN hosts by IP Address

In this demonstration, we want to set up a Squid to prohibit hosts with IP addresses 10.10.10.24 from accessing the Internet. Therefore, we created a text file "denied-ip-file", which contains the ip addresses of all hosts that are denied access, and then added the file to the Squid configuration.

 
 

  
  
# Vim/etc/squid/denied-ip-file
  
  
10.10.10.24
  
  
10.10.10.25
  
  
# Vim/etc/squid. conf
  
  
# First create an access control list ACL) to isolate the ip addresses that are denied access # acl denied-ip-list src "/etc/squid/denied-ip-file"
  
  
# Then, we apply ACL # http_access deny denied-ip-list # explicitly deny # http_access allow our_network
  
  
# Allow LAN # http_access deny all # reject all deny all ##
 
 

Now we need to restart the Squid service. Squid no longer recognizes requests from these IP addresses. If we check the squid log, we will find that requests from these hosts are in the "TCP_DENIED" status.

Filter websites in the blacklist

This method will only apply to HTTP. Suppose we want to block badsite.com and denysite.com, we can add these two URLs to the file and add references to squid. conf.

 
 

  
  
# Vim/etc/squid/badsite-file
  
  
Badsite
  
  
Denysite
  
  
# Vim/etc/squid. conf
  
  
# ACL definition # acl badsite-list url_regex "/etc/squid/badsite-file"
  
  
# ACL application # http_access deny badsite-list
  
  
Http_access deny denied-ip-list # previously set, but this does not work # http_access allow our_network
  
  
Http_access deny all
 
 

Note: We use the ACL type "url_regex", which will match the "badsite" and "denysite" Words in the requested URL. That is to say, all requests containing "badsite" or "denysite" such as badsite.org, newdenysite.com, or otherbadsite.net in the URL will be blocked.

Merge multiple ACLs

We will create an access list to block clients with IP addresses 10.10.10.200 and clients with IP addresses 10.10.201 from accessing the custom-block-site.com. Any other client can access this website. Therefore, we will first create an access list to isolate the two IP addresses, and then create another access list to isolate the desired website. Finally, we will use both access lists to meet the requirements.

 
 

  
  
# Vim/etc/squid/custom-denied-list-file
  
  
10.10.10.200
  
  
10.10.10.201
  
  
# Vim/etc/squid/custom-block-website-file
  
  
Custom-block-site
  
  
# Vim/etc/squid. conf
  
  
Acl custom-denied-list src "/etc/squid/custom-denied-list-file"
  
  
Acl custom-block-site url_regex "/etc/squid/custom-block-website-file"
  
  
# ACL application # http_access deny custom-denied-list custom-block-site
  
  
Http_access deny badsite-list # previously set, but this does not work # http_access deny denied-ip-list # previously set, but this does not work # http_access allow our_network
  
  
Http_access deny all
  
  
# Squid-k reconfigure
 
 

The blocked host cannot access the above website now. The log file/var/log/squid/access. log should contain the "TCP_DENIED" of the corresponding request ".

Set the maximum size of the downloaded file

Squid can be used to control the maximum size of downloadable files. We want to limit the maximum download size of hosts whose IP address is 10.10.10.200 to 50 MB. We have previously created an ACL "custom-denied-list" to isolate traffic from these source addresses. Now, we will use the same access list to limit the size of the downloaded files.

 
 

  
  
# vim /etc/squid/squid.conf  
  
  
reply_body_max_size 50 MB custom-denied-list  
  
  
# squid -k reconfigure 
 
 

Establish a Squid cache hierarchy

Squid supports caching by storing frequently accessed files in a local storage system. Imagine that 100 users are visiting google.com on your LAN. If the cache function is not available, you need to obtain the Google logo or graffiti for each request. Squid can store identifiers or graffiti in the cache so that they can be provided from the cache. This not only improves the user's perceived performance, but also reduces bandwidth usage. This can be said to be two-pronged.

To enable the caching function, we can change the configuration file squid. conf.

 
 

  
  
# vim /etc/squid/squid.conf  
  
  
cache_dir ufs /var/spool/squid 100 16 256 
 
 

Numbers 100, 16, and 256 have the following meanings.

• Allocate 100 MB of storage space for the Squid cache. If you want to, you can increase the allocated space.

• 16 directories each containing 256 subdirectories) will be used to store cached files. This parameter should not be changed.

We can use the log file/var/log/squid/access. log to verify whether the Squid cache is enabled. If the cache is hit successfully, we should see the item marked with "TCP_HIT.

All in all, Squid is a powerful, industry-standard Web Proxy server that is widely used by system administrators around the world. Squid provides a simple access control function to manage traffic from the LAN. It can be deployed either on a large enterprise network or on a small enterprise network. This tutorial only describes a small part of all Squid functions. For full functionality, see its official documentation http://wiki.squid-cache.org/Features ).

I hope this article will help you.

Http://xmodulo.com/2014/06/squid-transparent-web-proxy-centos-rhel.html.