RHEL Squid Proxy Server
Author: Jackson Chen
Squid is a proxy server that caches content to reduce bandwidth and load web pages more quickly. This chapter describes how to set up Squid as a proxy for the HTTP, HTTPS, and FTP protocols, as well as authentication and restricting access.
CONFIGURING THE SQUID CACHING PROXY SERVER
https://computingforgeeks.com/install-and-configure-squid-proxy-on-centos-rhel-linux/
# Process
dnf update # Update the server's package metadata from the Yum/DNF repositories
dnf install squid -y # Install squid (run as root, or prefix the commands with sudo)
cp /etc/squid/squid.conf /etc/squid/squid.conf.org
vi /etc/squid/squid.conf # Update squid configuration
# Configure cache type, path to the cache directory, cache size
# Example
cache_dir ufs /var/spool/squid 10000 16 256
# Configure firewall-cmd if using firewall-cmd
firewall-cmd --add-service=squid --permanent
firewall-cmd --reload
# Test access internet via proxy
curl -O -L "https://www.redhat.com/index.html" -x "localhost:3128"
Example of squid.conf
# Comment out the default network ACLs
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Add the subnet that will be using the proxy. This is typically your local area network(s).
acl my_proxynet src 172.20.0.0/24
acl my_testservers src 10.0.10.0/24
acl testSystem01 src 192.168.10.100
# Allowed external websites (repeated acl lines with the same name accumulate into one ACL)
acl Microsoft dstdomain .microsoft.com
acl Microsoft dstdomain .azurewebsites.net
acl Microsoft dstdomain .windows.com
acl Microsoft dstdomain .windowsupdate.com
# Example rule allowing access from your local networks
http_access allow my_proxynet Microsoft
http_access allow my_testservers Microsoft
http_access allow testSystem01 Microsoft
http_access deny to_localhost
#Comment out the line below
#http_access allow localnet
# Finally deny all other access to this proxy
http_access deny all
# Hide client IP addresses (the proxy does not add an X-Forwarded-For header)
forwarded_for off
#Extra Settings
request_header_access From deny all
request_header_access Server deny all
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# Squid normally listens to port 3128
#http_port 3128
http_port 8080
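An added offline check of the http_access policy above (example code written for this page, not Squid's own code or the author's): it models Squid's first-match evaluation for src and dstdomain ACLs, so a client/destination pair can be checked before the proxy is reloaded. The excerpt below is constructed from the rules above; the to_localhost line is left out because only the src and dstdomain ACL types are modelled.

```python
import ipaddress

# Constructed excerpt of the squid.conf policy shown above (same ACL names and rules); only src and dstdomain are modelled.
SQUID_CONF = """
acl my_proxynet src 172.20.0.0/24
acl my_testservers src 10.0.10.0/24
acl testSystem01 src 192.168.10.100
acl Microsoft dstdomain .microsoft.com
acl Microsoft dstdomain .azurewebsites.net
acl Microsoft dstdomain .windows.com
acl Microsoft dstdomain .windowsupdate.com
http_access allow my_proxynet Microsoft
http_access allow my_testservers Microsoft
http_access allow testSystem01 Microsoft
http_access deny all
"""

def parse_policy(conf):
    """Collect acl definitions (repeated names accumulate values) and the ordered http_access lines."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}  # Squid's built-in 'all' ACL
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, host):
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = host.lower().rstrip(".")
        # ".example.com" matches example.com and every subdomain; "example.com" is an exact match only.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    raise ValueError(f"acl type {acl_type!r} is not modelled here")

def decide(conf, client_ip, host):
    """Return 'allow' or 'deny' for one request using Squid's first-match evaluation."""
    acls, rules = parse_policy(conf)
    for action, names in rules:
        # Every ACL named on an http_access line must match (AND); the first matching line wins.
        if all(acl_matches(acls[name], client_ip, host) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last http_access line's action.
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

Run `decide(SQUID_CONF, "192.168.10.101", "www.microsoft.com")` and it returns "deny": only the single address in testSystem01 is permitted, so a neighbouring host falls through to `deny all`.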
How to set up a transparent proxy on Linux
https://www.xmodulo.com/how-to-set-up-transparent-proxy-on-linux.html
iptables configuration for squid
https://vprhlabs.blogspot.com/p/iptables-configuration-for-squid.html
https://www.ssltrust.com.au/help/setup-guides/setup-squid-proxy
CONFIGURING THE SQUID SERVICE TO LISTEN ON A SPECIFIC PORT OR IP ADDRESS
1. Edit the /etc/squid/squid.conf file
# To set the port on which the Squid service listens, set the port number in the http_port parameter
http_port 8080
# To configure on which IP address the Squid service listens, set the IP address and port number in the http_port parameter
http_port 192.0.2.1:8080
# Add multiple http_port parameters to the configuration file to configure that Squid listens on multiple ports and IP addresses
http_port 192.0.2.1:3128
http_port 192.0.2.1:8080
2. Open the port in firewall
# if managed by firewall-cmd
firewall-cmd --permanent --add-port=port_number/tcp
firewall-cmd --reload
#** if managed by iptables
dnf -y remove firewalld # uninstall firewalld package
# Edit /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
systemctl restart iptables
3. Restart the squid service
systemctl restart squid # whenever making changes to squid.conf, need to restart squid service
systemctl status squid # or systemctl status squid.service
Load Balancing Squid / HA
http://www.linux-ha.org/wiki/Haresources
http://wiki.kolmisoft.com/index.php/Heartbeat_configuration
The easiest way to do this would be to have another squid server on the same network segment, and use heartbeat to share a virtual IP between them. Then you configure the clients to use the VIP, and when the primary server goes down it transparently fails over to the secondary, requiring no change on the user's machine at all.
1. Install heartbeat package
2. Update two files
/etc/ha.d/ha.cf
/etc/ha.d/haresources
a. On proxy-A squid server
# Update /etc/ha.d/ha.cf # add following
ucast eth0 1.2.3.12
node <proxyA-fqdn>
node <proxyB-fqdn>
b. On proxy-B squid server
# update /etc/ha.d/ha.cf # add following
ucast eth0 1.2.3.11
node <proxyA-fqdn>
node <proxyB-fqdn>
3. In haresources on both squid servers
<proxy-A-fqdn> 1.2.3.10/24/eth0 # 1.2.3.10 is the VIP
4. Restart heartbeat service, configure squid to listen on all interfaces
systemctl enable heartbeat-elastic # enable heartbeat auto start
systemctl restart heartbeat-elastic
5. Check the heartbeat log
journalctl -u heartbeat-elastic.service
6. Force the primary server into standby mode
/usr/lib/heartbeat/hb_standby
7. Copy the heartbeat configuration to the secondary squid server
scp -r /etc/ha.d root@node2:/etc/
8. Testing
ifconfig eth0 down # watch failover to node02
Load Balancing Squid Proxy Servers using F5
When using an F5 to load balance the squid proxy service, update /etc/squid/squid.conf
# F5 internal IPs and internal floating IP
acl F5ips src <squid-1 ip>
acl F5ips src <squid-2 ip>
acl F5ips src <squid-internal floating ip>
# add F5ips to the http_access allow rules for all the required external sites
Squid proxy troubleshooting
1. Enable and start squid service
systemctl enable --now squid
2. Verify squid access log for access troubleshooting
tail -f /var/log/squid/access.log
tail -f /var/log/squid/access.log | grep www.microsoft.com
tail -f /var/log/squid/access.log | grep <client-IP>
3. Verify other logs and outputs
journalctl # see all output from systemd logs
journalctl -xe # jump to the end of the journal, with explanatory help text for errors and events
journalctl --since "1 hour ago" # see journald entries from the last 60 minutes
journalctl -u squid.service # view journald entries relating to squid service
4. Check process
ps -eZ | grep squid # view squid processes
5. Check listening ports
semanage port -l | grep -w -i squid # list the SELinux port labels (squid_port_t) that squid is allowed to listen on
6. Browse/download a web page using curl
curl -O -L "https://www.redhat.com/index.html" -x "proxy.example.com:3128"
7. Check iptables for firewall rules
iptables --list
iptables -nL
systemctl restart iptables # restart iptables if making any changes to iptables
8. Find out which ethernet adapter is used
ls /etc/sysconfig/network-scripts
ifcfg-ens192 # use "ens192" for the tcpdump packet capture
9. tcpdump for SYN, ACK
tcpdump -nnpi <net-adapter> port <proxy-port>
# -nn - no host name and no service port resolution; -p - no promiscuous mode;
# -i - capture interface
tcpdump -nnpi ens192 port 8080 or port 443
# capture any traffic on proxy port
tcpdump -nnpi any port 8080
tcpdump -nnpi any port 3128 # if proxy port 3128
# capture any traffic relating to host 1.2.3.4
tcpdump -nnpi any host 1.2.3.4
Start and stop the squid proxy service
After making any changes to /etc/squid/squid.conf, reload or restart the squid service
systemctl reload squid # reload the configuration after an update
systemctl restart squid
Configure Squid Proxy HA with IP failover - keepalived
http://woshub.com/keepalived-high-availability-with-ip-failover/
Keepalived is a system daemon on Linux that provides service failover and load balancing. Failover is provided by a floating IP address that is switched to another server if the main one fails. To switch the IP address between the servers automatically, keepalived uses VRRP (Virtual Router Redundancy Protocol, https://www.ietf.org/rfc/rfc2338.txt).
- VIP — Virtual IP, a virtual IP address able to automatically switch between the servers in case of a failure;
- Master — a server the VIP is currently active on;
- Backup — servers the VIP will switch to in case of a Master failure;
- VRID — Virtual Router ID, the servers that share a virtual IP (VIP) form a so-called virtual router and its unique identifier may have a value between 1 and 255. A server may belong to multiple VRIDs at a time, but every VRID must have a unique virtual IP address.
Network requirement - multicast
To make servers work in the multicasting mode, your network equipment must support multicast traffic.
Install and configure keepalived
# yum install -y keepalived # install keepalive
dnf install -y keepalived
#**** Configure firewall
# Configure iptables if iptables is used
iptables -A INPUT -i ens192 -d 224.0.0.0/8 -j ACCEPT
iptables -A INPUT -p vrrp -i ens192 -j ACCEPT
# Configure firewall-cmd if required
firewall-cmd --add-protocol=vrrp --permanent
# Allowing VRRP is required; otherwise neither node sees the other's advertisements and both squid servers
# bring up the VIP at once. With the VIP active on both, switching/routing cannot deliver the packets
# reliably and client connections to the VIP fail.
firewall-cmd --add-port=8080/tcp --permanent
# firewall-cmd --add-port=3126/tcp --permanent # This is not required
# firewall-cmd --add-port=3127/tcp --permanent # This is not required
firewall-cmd --reload
firewall-cmd --list-all
# verification
firewall-cmd --get-active-zones # see the active zones
firewall-cmd --zone=internal --list-all # Check settings for the internal zone
firewall-cmd --direct --get-all-rules # check the settings direct rules
#**** update keepalived.conf
---------------------------------------------
# keepalive master
# ens192 IP address: 192.168.10.78
# floating IP/virtual IP: 192.168.10.80
---------------------------------------------
! Configuration File for keepalived
global_defs {
router_id squid1
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state MASTER
interface ens192
virtual_router_id 51
priority 105
advert_int 1
authentication {
auth_type PASS
auth_pass squid_float
}
virtual_ipaddress {
192.168.10.80
}
}
---------------------------------------------
# keepalive backup
# ens192 IP address: 192.168.10.79
# floating IP/virtual IP: 192.168.10.80
---------------------------------------------
! Configuration File for keepalived
global_defs {
router_id squid2
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state BACKUP
interface ens192
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass squid_float
}
virtual_ipaddress {
192.168.10.80
}
}
# Explanation
1. vrrp_instance <name>
# section that defines a VRRP instance
2. interface <interface name>
# the interface VRRP is running on
3. virtual_router_id <number from 0 to 255>
# unique VRRP instance identifier; it must be the same on all servers
4. priority <number from 0 to 255>
# sets the server priority; the server with the highest priority becomes MASTER
5. virtual_ipaddress
# block of virtual IP addresses active on the server in the MASTER state;
# they must be the same on all servers inside the VRRP instance
#**** Enable keepalive services, and start the service
systemctl enable keepalived --now
# When making changes to squid.conf, run command to reload the config
squid -k reconfigure
# Check virtual IP address assignment
ip a show ens192
ip a
# look at message log
cat /var/log/messages | grep -i keepalived
# ******* Check SSL connection **********
openssl s_client -connect <hostname>:<port>
Example: openssl s_client -connect access.test.lab:443
# Simulation of a Squid failure. To do it, stop the service manually using this command:
systemctl stop squid
Testing keepalived failover
# Verify the ip address configuration on the proxy servers
# Check the VIP address
ip a show ens192
nmcli
# Check keepalived message
cat /var/log/messages | grep -i keepalived
# Stop the squid service on one of the servers, then verify the keepalived messages
systemctl stop squid
# Verify client connection
tcpdump -nnpi any port 8080
tcpdump -nnpvi any host 1.2.3.4
tcpdump -nnpi any net x.x.x.x/24
cat /var/log/squid/access.log | grep "TCP_DENIED" # check the denied access
# Verify dns lookup
nslookup host-fqdn
hostname -f # show this host's FQDN
cat /etc/resolv.conf # verify dns server configuration
route -n # verify routing table
Troubleshooting squid proxy and client connection
# Verify client or server listening TCP port
netstat -na | grep tcp # On windows - netstat -na | findstr tcp
# Check squid access log for client connection
tail -f /var/log/squid/access.log | grep <client-ip>
# If making any squid configuration change, restart squid service
systemctl restart squid
systemctl status squid
journalctl -xe
# Verify squid proxy configuration file - squid.conf
# View message log
tail -f /var/log/messages
# Using tcpdump to troubleshooting connections
tcpdump -nnpi ens192 port 8080 or port 443 # ens192, or whichever network adapter is configured
Note: To verify the network interface used
ls /etc/sysconfig/network-scripts # It will list all the network interface used
# Verify the udev rules (network interface naming)
ls /usr/lib/udev/rules.d/
# If iptables is used
iptables -L
iptables --list
Squid Access Denied page
Squid's access-denied response to the user is built from the error page template
/usr/share/squid/error/en/ERR_ACCESS_DENIED
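What the user sees as the ERR_ACCESS_DENIED page is recorded server-side as a TCP_DENIED entry in access.log. The TCP_DENIED and per-client greps in the troubleshooting sections above can be turned into a summary; this added example (not from the original notes or from Squid) parses native-format access.log lines, counts denials per client and per destination host, and flags clients over a threshold. The log lines are constructed; in the sample, 192.168.10.101 is denied because only 192.168.10.100 is in the testSystem01 ACL.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not from a real server):
# timestamp elapsed_ms client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1700000000.101     12 172.20.0.15 TCP_DENIED/403 3953 GET http://www.example.org/ - HIER_NONE/- text/html
1700000000.205    340 172.20.0.15 TCP_TUNNEL/200 5120 CONNECT www.microsoft.com:443 - HIER_DIRECT/20.1.2.3 -
1700000001.018      9 192.168.10.101 TCP_DENIED/403 3970 CONNECT www.microsoft.com:443 - HIER_NONE/- text/html
1700000001.777     11 172.20.0.15 TCP_DENIED/403 3960 GET http://cdn.example.org/a.js - HIER_NONE/- text/html
1700000002.301    275 10.0.10.7 TCP_MISS/200 8812 GET http://download.windowsupdate.com/x.cab - HIER_DIRECT/20.4.5.6 application/octet-stream
"""

def parse_line(line):
    """Split one native-format line into a dict, or return None for a line without the 10 fields."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6]}

def dest_host(method, url):
    """CONNECT entries log host:port; every other method logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def denied_summary(lines):
    """Count TCP_DENIED entries per client address and per destination host."""
    by_client, by_dest = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "TCP_DENIED":
            continue
        by_client[rec["client"]] += 1
        by_dest[dest_host(rec["method"], rec["url"])] += 1
    return by_client, by_dest

def noisy_clients(by_client, threshold):
    """Clients whose denial count reaches the threshold, most denied first."""
    return [client for client, n in by_client.most_common() if n >= threshold]

if __name__ == "__main__":
    clients, dests = denied_summary(SAMPLE_LOG.splitlines())
    for client, n in clients.most_common():
        print(f"{n:4d} denied requests from {client}")
    print("destinations:", dict(dests))
```

Against a live proxy, feed it `tail -n 10000 /var/log/squid/access.log` instead of the constructed sample; a client that suddenly appears in `noisy_clients` is either misconfigured or talking to destinations the ACLs were never meant to allow.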