
Squid Server Installation & Configuration

Base Operating System Installation


CentOS or Red Hat Enterprise Linux

Installing any Linux distribution requires a minimum of 2 partitions, but we can make more partitions according to our needs.

/ is the root partition, formatted as ext3 or ext4 depending on the distribution we are using; we can give the maximum space to the / partition.
/boot holds the boot loader: the start-up files and the kernel, vmlinuz, and in some recent distributions also the GRUB data. GRUB is the GRand Unified Boot loader and is an attempt to get rid of the many different boot loaders we know today.
/tmp is the temporary partition, used for storing temporary files.
Swap is the virtual memory partition; it must be twice the size of system memory (RAM).

Installation Step
Detailed installation instructions are available at the following website: http://www.howtoforge.com/installation-guide-centos5.1-desktop

YUM Server Configuration


Packages in CentOS or RHEL are installed with the help of YUM. Yum (short for Yellow Dog Update Manager) is a package manager for Yellow Dog and a few other Linux distributions. It is used to install, update, and remove programs. We can create a local YUM repository as follows.

Step1: Copy the packages from the CD or DVD that comes with the distribution. CentOS packages reside in the CentOS folder on the CD; for RHEL, the packages are in the folder named Server on the distribution CD. Make a folder named Package in /, copy the packages into it, then run:

    cd /Package
    rpm -ivh createrepo*
    cd
    createrepo -v /Package

Step2: For configuring the installation directory for MB-System, the MB-System packages are available at:

    http://sts.ucsd.edu/repos/centos-5/local/i386/RPMS/
    http://sts.ucsd.edu/repos/centos-5/local/x86_64/RPMS/

Step3: Create a yum repo file in /etc/yum.repos.d:

    gedit /etc/yum.repos.d/a.repo

The a.repo file contains the following lines:

    [YumServer]
    name=Packages
    baseurl=file:///Package/
    enabled=1
    gpgcheck=0

Then run:

    yum clean all
    yum update

Installation of SQUID Server


Step1: Install Squid on the server.

    yum install squid

Step2: Start the squid service.

    service squid start
    service squid restart

Step3: Turn the squid service on permanently.

    chkconfig squid on

Step4: Configure and customise the squid configuration file.

The squid configuration file resides in /etc/squid/squid.conf. This is the main configuration file for squid, and we can give the squid server specific rules by using it.

Before editing the configuration file, you must take a backup of the default squid configuration file by using the following command:

    cp /etc/squid/squid.conf /etc/squid/squid.conf_back

To edit the configuration file:

    gedit /etc/squid/squid.conf

The default configuration for squid is to only allow connections from the localhost.

    acl localhost src 127.0.0.1/255.255.255.255
    http_access allow localhost
    http_access allow password
    http_access deny all

We still need a way to connect externally. For that, we will add an acl that will prompt us for a password and, if we're authenticated, let us in. We'll add the acl right before the "deny all" portion of the squid.conf file.

Syntax:

    acl <acl name> src <network>
    http_access <allow/deny> <acl name>

Restricting Web Access By Time


We can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

Add this to the bottom of the ACL section of squid.conf:

    acl home_network src 192.168.0.0/24
    acl business_hours time M T W H F 9:00-17:00
    acl RestrictedHost src 192.168.1.23

Add this at the top of the http_access section of squid.conf:

    http_access deny RestrictedHost
    http_access allow home_network business_hours

Or, you can allow morning access only.

Add this to the bottom of the ACL section of squid.conf:

    acl mornings time 08:00-12:00

Add this at the top of the http_access section of squid.conf:

    http_access allow mornings

Restricting Access to specific Web sites


Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. We can create lists of allowed and denied sites or domains in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

File: /usr/local/etc/allowed-sites.squid

    www.openfree.org
    linuxhomenetworking.com

File: /usr/local/etc/restricted-sites.squid

    www.porn.com
    illegal.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.

Add this to the bottom of the ACL section of squid.conf:

    acl home_network src 192.168.0.0/24
    acl business_hours time M T W H F 9:00-17:00
    acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
    acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

Add this at the top of the http_access section of squid.conf:

    http_access deny BadSites
    http_access allow home_network business_hours GoodSites

Restricting Web Access By IP Address


We can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.0.0.

Add this to the bottom of the ACL section of squid.conf:

    acl home_network src 192.168.0.0/255.255.255.0

You also have to add a corresponding http_access statement that allows traffic that matches the ACL.

Add this at the top of the http_access section of squid.conf:

    http_access allow home_network
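The source-address, time and site-list examples above all depend on two evaluation rules: the ACLs named on one http_access line must all match, and the first matching line decides. The following added example (not part of the original guide) models those rules in Python over a constructed copy of the guide's configuration. The helper names parse, matches and decide are hypothetical, and only the src, time and dstdomain ACL types are modelled.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed config: the guide's ACLs, site lists inlined, "all" ACL added (assumption).
CONF = """\
acl all src 0.0.0.0/0
acl home_network src 192.168.0.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain www.openfree.org linuxhomenetworking.com
acl BadSites dstdomain www.porn.com illegal.com
http_access deny BadSites
http_access allow home_network business_hours GoodSites
http_access deny all
"""
DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order (Monday = 0)

def parse(conf):
    acls, rules = {}, []
    for tok in (line.split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(kind, args, src, host, when):
    if kind == "src":
        return any(ip_address(src) in ip_network(a) for a in args)
    if kind == "dstdomain":  # only a leading dot makes an entry cover subdomains
        return any(host == a.lstrip(".") or (a[0] == "." and host.endswith(a)) for a in args)
    if kind == "time":
        *days, span = args
        start, end = ([int(x) for x in t.split(":")] for t in span.split("-"))
        on_day = not days or DAYS[when.weekday()] in "".join(days)
        return on_day and start <= [when.hour, when.minute] <= end
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, src, host, when):  # -> (action, deciding line index or None)
    acls, rules = parse(conf)
    for i, (action, names) in enumerate(rules):
        # ACLs on one line are ANDed; the first line that matches decides.
        if all(matches(*acls[n], src, host, when) for n in names):
            return action, i
    # No line matched: Squid falls back to the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    for host in ("www.openfree.org", "illegal.com", "www.illegal.com"):
        print(host, decide(CONF, "192.168.0.7", host, datetime(2024, 1, 8, 10, 0)))
```

Run as-is, it shows that www.illegal.com is denied only by the final deny all line, not by BadSites: a dstdomain entry without a leading dot matches that exact host name only.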

Password Authentication for Squid using NCSA Authentication


We can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. We can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it's done:

Step1: Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it's universally readable.

    touch /etc/squid/squid_passwd
    chmod o+r /etc/squid/squid_passwd

Step2: Use the htpasswd program to add users to the password file. You can add users at any time without having to restart Squid. In this case, you add a username called www:

    htpasswd /etc/squid/squid_passwd www
    New password:
    Re-type new password:
    Adding password for user www

Step3: Find your ncsa_auth file using the locate command.

    locate ncsa_auth
    /usr/lib/squid/ncsa_auth

Step4: Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which in this case is ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important.

Add this to the auth_param section of squid.conf:

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

Add this to the bottom of the ACL section of squid.conf:

    acl ncsa_users proxy_auth REQUIRED

Add this at the top of the http_access section of squid.conf:

    http_access allow ncsa_users

Step5: This requires password authentication and allows access only during business hours. Once again, the order of the statements is important.

Add this to the auth_param section of squid.conf:

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

Add this to the bottom of the ACL section of squid.conf:

    acl ncsa_users proxy_auth REQUIRED
    acl business_hours time M T W H F 9:00-17:00

Add this at the top of the http_access section of squid.conf:

    http_access allow ncsa_users business_hours

Remember to restart Squid (service squid restart) for the changes to take effect.
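Step1 above makes /etc/squid/squid_passwd readable by every local account, so it is worth checking what a reader of that file would get. The following added example (not part of the original guide) reports the file's permission bits and the hash scheme of each entry. The function names and the sample entries are constructed for illustration, and the scheme detection is a heuristic based on the hash's prefix or shape.

```python
import os
import re
import stat
import tempfile

# Constructed entries in htpasswd "user:hash" form; the hash values are made up.
SAMPLE = ("www:$apr1$Zx3kQ9ab$0123456789abcdefghijk.\n"
          "alice:ab0123456789.\n"
          "bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n")

# Heuristic prefixes/shapes of common htpasswd hash formats.
SCHEMES = [(r"\$2[aby]\$", "bcrypt"), (r"\$apr1\$", "apr1-md5"),
           (r"\{SHA\}", "sha1-unsalted"), (r"[./0-9A-Za-z]{13}$", "des-crypt")]

def scheme_of(hash_field):
    for pattern, name in SCHEMES:
        if re.match(pattern, hash_field):
            return name
    return "unknown"

def audit_passwd(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    users = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            user, sep, hash_field = line.strip().partition(":")
            if sep and user:
                users[user] = scheme_of(hash_field)
    return {
        "mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),  # set by chmod o+r
        "writable_by_others": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "users": users,
        # DES crypt and unsalted SHA-1 are cheap to guess offline; unknown needs a manual look.
        "weak": sorted(u for u, s in users.items()
                       if s in ("des-crypt", "sha1-unsalted", "unknown")),
    }

def audit_sample(mode=0o644):
    # Write the constructed sample to a temporary file with the given mode and audit it.
    with tempfile.NamedTemporaryFile("w") as fh:
        fh.write(SAMPLE)
        fh.flush()
        os.chmod(fh.name, mode)
        return audit_passwd(fh.name)

if __name__ == "__main__":
    print(audit_sample())
```

To audit the real file, call audit_passwd("/etc/squid/squid_passwd"). Whether the o+r bit can be dropped in favour of group read access depends on which account your Squid runs its helpers as, which this guide does not state.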
