Squid is a web caching proxy that allows a computer without internet access to proxy through another computer with internet access. It supports HTTP, HTTPS, FTP, and other popular network protocols. It is a forward proxy that provides proxy services to a client or group of clients mostly in an internal network. It aims to reduce bandwidth and load web pages quickly.
When a client makes a request to a server, say a file server, the request has to pass through the proxy first, and depending on the proxy settings, it is allowed or denied. If it is allowed, the request is forwarded through the firewall to the file server. The file server responds to the proxy, which then sends the response back to the client that made the request.
This guide will show you how to configure Squid Proxy Server on CentOS 9|AlmaLinux 9|RHEL 9.
Installing Squid Proxy Server on CentOS 9|AlmaLinux 9|RHEL 9
Update your system packages.
sudo dnf update -y
To install Squid, use the following command.
sudo dnf install squid
Start and enable the service.
sudo systemctl enable --now squid
Check the status of the service.
$ systemctl status squid
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor pre>
Active: active (running) since Wed 2022-06-29 13:07:33 EAT; 10s ago
Docs: man:squid(8)
Process: 4972 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, s>
Main PID: 4974 (squid)
Tasks: 3 (limit: 48771)
Memory: 15.1M
CPU: 161ms
CGroup: /system.slice/squid.service
├─4974 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
├─4976 "(squid-1)" --kid squid-1 --foreground -f /etc/squid/squid.>
└─4977 "(logfile-daemon)" /var/log/squid/access.log
Configure Squid Proxy Server
Edit the configuration file.
sudo vi /etc/squid/squid.conf
A sample of the configuration is shown below.
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged>
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged>
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
The sample defines the IP address ranges and ports that are allowed. To allow a client’s IP address to use the proxy, add the following line, replacing the IP with your actual IP address.
acl localnet src 192.168.200.40
You can also allow a range of IP addresses to use the proxy.
acl localnet src 192.168.200.0/24
The SSL_ports ACL lists the ports to which clients may open CONNECT (HTTPS) tunnels. You can add a port to it with the following line, replacing port_number with the port.
acl SSL_ports port port_number
You can also define the ports to which Squid is allowed to establish connections. For example, to let clients using the proxy access resources on port 21 for FTP, 80 for HTTP, and 443 for HTTPS, use the acl Safe_ports statement.
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
Configure the cache type settings as shown below. You will uncomment the following line.
cache_dir ufs /var/spool/squid 1000 16 256
This parameter uses the ufs cache type and stores the cache in the /var/spool/squid directory, with a size of 1000 MB, 16 level-1 directories, and 256 subdirectories in each level-1 directory. You can also create a different directory and point the cache storage to it.
Save and exit the file. Then restart Squid for the changes to take effect.
sudo systemctl restart squid
Configure the Firewall to allow Squid service
sudo firewall-cmd --add-port=3128/tcp --permanent
sudo firewall-cmd --reload
To verify that squid works, download a webpage. The file should be downloaded in that working directory and curl should not produce any error. Replace the IP address with yours or a hostname.
$ curl -O -L "https://www.redhat.com/index.html" -x "192.168.200.40:3128"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 125k 0 125k 0 0 374k 0 --:--:-- --:--:-- --:--:-- 374k
Basic Authentication with Squid
To require users to authenticate before using Squid, you will need httpd-tools.
sudo dnf -y install httpd-tools
Create the password file and set its ownership to the squid user.
sudo touch /etc/squid/passwd
sudo chown squid /etc/squid/passwd
Create a new user and a password using the htpasswd utility.
$ sudo htpasswd /etc/squid/passwd proxyuser
New password:
Re-type new password:
Adding password for user proxyuser
Edit the configuration file.
sudo vi /etc/squid/squid.conf
Add the following lines below the acl list of ports.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
Save and exit the file. Then restart the squid service.
sudo systemctl restart squid
Verify that the proxy works correctly. Replace the username, password, and IP address/domain name with your actual details.
$ curl -O -L "https://www.redhat.com/index.html" -x "proxyuser:<password>@<proxy-address>:3128"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 125k 0 125k 0 0 350k 0 --:--:-- --:--:-- --:--:-- 350k
Configure Squid to Listen to a Different Port and IP address
Edit the configuration file.
sudo vi /etc/squid/squid.conf
Change the port number on which Squid listens.
http_port 8080
To configure the IP address on which Squid listens, set the IP address and the port number. You can also add multiple IP addresses and ports that Squid listens on.
http_port 192.168.200.40:3128
http_port 192.168.200.40:8080
Save and exit the file.
Configure the Firewall to allow the new port access.
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Configure SELinux to allow the new port access.
sudo semanage port -a -t squid_port_t -p tcp 8080
Restart the Squid service for changes to take effect.
sudo systemctl restart squid
To verify that Squid listens on the new port, use the curl utility.
$ curl -O -L "https://www.redhat.com/index.html" -x "proxyuser:<password>@<proxy-address>:8080"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 125k 0 125k 0 0 457k 0 --:--:-- --:--:-- --:--:-- 944k
Configure Proxy clients
There is an option of setting the proxy server system-wide or on a per-application basis on a Client machine. There are different ways to do this:
1. Configure on CLI
We will add the proxy settings to /etc/profile so that they apply to all logged-in users.
sudo vi /etc/profile
Apply the Proxy settings.
# set proxy config via profile.d - should apply for all users
#
PROXY_URL="http://192.168.200.40:8080/"
export http_proxy="$PROXY_URL"
export https_proxy="$PROXY_URL"
export ftp_proxy="$PROXY_URL"
export no_proxy="127.0.0.1,localhost"
# For curl
export HTTP_PROXY="$PROXY_URL"
export HTTPS_PROXY="$PROXY_URL"
export FTP_PROXY="$PROXY_URL"
export NO_PROXY="127.0.0.1,localhost"
Source the file to apply changes.
source /etc/profile
Confirm that the configuration has been applied correctly.
$ env | grep -i proxy
no_proxy=127.0.0.1,localhost
ftp_proxy=http://192.168.200.40:8080/
https_proxy=http://192.168.200.40:8080/
NO_PROXY=127.0.0.1,localhost
FTP_PROXY=http://192.168.200.40:8080/
HTTPS_PROXY=http://192.168.200.40:8080/
HTTP_PROXY=http://192.168.200.40:8080/
http_proxy=http://192.168.200.40:8080/
2. Firefox and Google Chrome browsers
On the Firefox browser, you need to update proxy settings. Go to Menu then select Settings then scroll down to select Network Settings then check the Manual Configuration radio button. Add the Proxy server address details accordingly then Click OK to save.

On the Google Chrome browser, go to Settings -> System and select Open your computer’s proxy settings.

Under network settings, select Network Proxy.

Then enter the details of the proxy server.

3. Configure Proxy with YUM/DNF package manager
Edit the YUM/DNF configuration file.
## DNF package Manager ##
sudo vim /etc/dnf/dnf.conf
## YUM package Manager ##
sudo vim /etc/yum.conf
Add the following details including the IP address of the server, username, and password for authentication.
proxy=192.168.200.40:8080
proxy_username=technixleo
proxy_password=StrongPassWord
Save and exit the file.
4. Configure Curl with proxy
Edit the curl configuration file to tell it which proxy to use.
vim ~/.curlrc
Add the proxy server details
proxy="http://192.168.200.40:8080"
Save and exit the file.
5. Configure Wget with proxy
Edit the wget configuration file to tell it which proxy to use for the HTTP, HTTPS, and FTP protocols for all users.
sudo vi /etc/wgetrc
For a specific user, you will need to create a wget configuration file in that user's home directory.
vi ~/.wgetrc
Set the proxy details as follows and add authentication details if required.
use_proxy=yes
https_proxy = http://192.168.200.40:8080
http_proxy = http://192.168.200.40:8080
ftp_proxy = http://192.168.200.40:8080
no_proxy="localhost,127.0.0.1,localaddress,.localdomain.com"
proxy_user=technixleo
proxy_password=<password>
Save and exit the file.
Block Access to Specific Domains
To block specific domains, create a file to store the list of websites not to access.
sudo vi /etc/squid/denied_sites
Enter a list of the sites you want to block.
examptle.com
telpmaxe.net
Save and exit the file.
Edit the configuration file.
sudo vi /etc/squid/squid.conf
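Add the following lines. Squid checks http_access rules from top to bottom and applies the first one that matches, so place the deny rule above the allow rules.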
acl blocked_sites dstdomain "/etc/squid/denied_sites"
http_access deny blocked_sites
Save and exit the file then restart the Squid service.
sudo systemctl restart squid
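How rule order decides the outcome of the authentication and domain-blocking rules above, as an added example that is not part of the original guide: a small shell/awk model of Squid's first-match http_access evaluation, run over two constructed rule lists. The function names, the order assumed for the stock rules, and the sample requests are assumptions for illustration.

```sh
# Simplified model of Squid's http_access evaluation (added example).
# A rule matches when every ACL on it is true ("!" negates); first match wins.
# Not modelled: the 407 challenge, so the sample requests are authenticated.

# verdict CONF "ACLS": print the action of the first matching rule, or "none".
# ACLS is a space-separated list of the ACL names that are true for the request.
verdict() {
    awk -v acls="$2" '
        BEGIN { n = split(acls, a, " "); for (i = 1; i <= n; i++) on[a[i]] = 1; on["all"] = 1 }
        $1 == "http_access" {
            ok = 1
            for (i = 3; i <= NF && ok; i++) {
                name = $i; neg = sub(/^!/, "", name)
                hit = (name in on) ? 1 : 0
                ok = neg ? 1 - hit : hit
            }
            if (ok) { print $2; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Constructed sample: access rules of a stock squid.conf (assumed order), with
# the auth rule directly below the ACL list and the block rule appended last.
write_weak() { cat > "$1" <<'EOF'
http_access allow auth_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_access deny blocked_sites
EOF
}

# Same ACLs, reordered: port and domain denies first, the allow only after them.
write_fixed() { cat > "$1" <<'EOF'
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access allow localnet auth_users
http_access deny all
EOF
}

tmp=$(mktemp -d); write_weak "$tmp/weak"; write_fixed "$tmp/fixed"
blocked="auth_users localnet CONNECT Safe_ports SSL_ports blocked_sites"  # blocked domain, port 443
smtp="auth_users localnet CONNECT"                                        # CONNECT to port 25
for c in weak fixed; do
    echo "$c: blocked-domain=$(verdict "$tmp/$c" "$blocked") port-25=$(verdict "$tmp/$c" "$smtp")"
done
rm -rf "$tmp"
```

With the first ordering both requests are allowed, because the authentication rule matches before any deny is read; with the second ordering both are denied.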
Conclusion
In this guide, we installed Squid Proxy Server on CentOS 9|AlmaLinux 9|RHEL 9 systems. We also enabled basic authentication for Squid and learned how to change the default Squid port and use a different one. Squid Proxy Server caches content to reduce bandwidth and improve response time.