Deploy Squid proxy for caching and filtering for safe INTERNET browsing

By administrator

The problem we are trying to solve in this case is unsafe Internet browsing and poor Internet access speed. The solution we will implement is a Squid proxy server positioned on the internal network, providing caching as well as filtering for all requests from internal clients.

Proxy Server overview

A proxy server is a computer system positioned between the client requesting a web document and the target server. In its simplest form, a proxy server relays traffic between client and target server without modifying requests or replies. In our case we will implement a proxy server that checks every request against a set of rules and allows the connection only when the request is permitted by those rules. The rules are generally based on the IP address of the client or target server, the protocol, the destination domain, the content type of the web document, and so on.

Proxy vs Reverse proxy

A forward proxy provides proxy services to a client or a group of clients. Oftentimes these clients belong to a common internal network.
A reverse proxy works on behalf of servers: it accepts requests from external clients and passes them to the servers behind it.

Proxy vs Reverse Proxy

Why use a proxy server?

  • Enforce network access policies
  • Reduce bandwidth usage
  • Monitoring user traffic or reporting Internet usage
  • Filter requests or replies
  • Distribute load among different web servers

Existing Network

  • CentOS 7 with Squid 3.5.20 as proxy server – 192.168.0.25
  • Windows 7 and Windows 10 based workstations on the internal network
  • Firefox 47.0 web browser on the users' workstations
  • Internal network subnet 192.168.0.0/24

Installation

At the time of writing the current stable version is 3.5.27. We will install Squid from the standard CentOS 7 yum repository, which ships version 3.5.20:

yum -y update
yum -y install squid
squid -v 

Minimal configuration to get started

The main configuration file is /etc/squid/squid.conf (not under /etc/httpd; the CentOS package ships a working default that already listens on port 3128). Assuming our internal network is the 192.168.0.0/24 subnet and the Squid cache directory is /var/spool/squid, the lines we add are:

cache_dir ufs /var/spool/squid 500 16 256
acl my_internal_net src 192.168.0.0/24
http_access allow my_internal_net

Put the http_access allow line above the final "http_access deny all" that the default file ends with. Squid evaluates http_access rules top to bottom and stops at the first match, so an allow placed after deny all never takes effect. The cache_dir line gives 500 MB of disk cache split into 16 first-level and 256 second-level directories.

Now we need to start the squid service and enable it at boot:

systemctl start squid
systemctl enable squid

All that is left is to configure Firefox to use our proxy:
1. Open the menu
2. Select Preferences
3. Under General go to Network Proxy settings
4. Select Manual proxy configuration
5. Set HTTP Proxy to 192.168.0.25 and Port 3128 (Squid's default http_port), and tick "Use this proxy server for all protocols" so HTTPS goes through the proxy too

Firefox proxy configuration

Monitor the log file while browsing and you will see the connections passing through the newly built proxy. In this example we are accessing the tekyhost.com site:

tail -f /var/log/squid/access.log

1518875847.076    132 192.168.0.10 TCP_MISS/302 570 GET http://www.tekyhost.com/ - HIER_DIRECT/38.99.188.103 text/html
1518875852.465   5384 192.168.0.10 TCP_TUNNEL/200 59454 CONNECT www.tekyhost.com:443 - HIER_DIRECT/38.99.188.103 -
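The first line is a plain HTTP GET that missed the cache (TCP_MISS) and was fetched directly from the origin; the second is a CONNECT tunnel for HTTPS (TCP_TUNNEL), which Squid can only log by destination host and byte count, because it cannot see or cache what travels inside the TLS session. As an added example that is not part of the original article, the script below reads a constructed access.log in the native format (the two lines above plus three invented ones: a cache hit, a denied request and a second tunnel) and reports the cache hit ratio, clients by bytes, HTTPS tunnel destinations and denied requests:

```shell
#!/bin/sh
# Added example, not from the original article: offline summary of a Squid
# access.log in the native log format. Field layout per line:
#   1 timestamp  2 elapsed ms  3 client IP  4 result/HTTP status  5 bytes
#   6 method  7 URL (host:port for CONNECT)  8 ident  9 hierarchy/peer
#   10 content type
# The sample is constructed: the two lines from the article plus three
# invented ones (a cache hit, a denied request, a second tunnel).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
1518875847.076    132 192.168.0.10 TCP_MISS/302 570 GET http://www.tekyhost.com/ - HIER_DIRECT/38.99.188.103 text/html
1518875852.465   5384 192.168.0.10 TCP_TUNNEL/200 59454 CONNECT www.tekyhost.com:443 - HIER_DIRECT/38.99.188.103 -
1518875860.101     12 192.168.0.11 TCP_HIT/200 2048 GET http://www.tekyhost.com/style.css - HIER_NONE/- text/css
1518875861.500      3 192.168.0.11 TCP_DENIED/403 3945 GET http://www.facebook.com/ - HIER_NONE/- text/html
1518875862.000    800 192.168.0.12 TCP_TUNNEL/200 120000 CONNECT www.ebay.com:443 - HIER_DIRECT/66.135.195.175 -
EOF

# cache_hit_ratio LOG -> percentage of cacheable requests served from cache.
# CONNECT tunnels and denied requests are neither hits nor misses, so they
# are left out of the denominator.
cache_hit_ratio() {
    awk '$4 ~ /HIT/ { h++ } $4 ~ /MISS/ { m++ }
         END { t = h + m; print (t ? int(h * 100 / t) : 0) }' "$1"
}

# clients_by_bytes LOG -> "client bytes" per client, largest first
clients_by_bytes() {
    awk '{ b[$3] += $5 } END { for (c in b) print c, b[c] }' "$1" | sort -k2 -nr
}

# tunnel_destinations LOG -> "host:port bytes" for every CONNECT (HTTPS)
# tunnel. Only the destination and byte count are visible to the proxy.
tunnel_destinations() {
    awk '$6 == "CONNECT" { b[$7] += $5 } END { for (d in b) print d, b[d] }' "$1" | sort -k2 -nr
}

# denied_requests LOG -> "client URL" for requests blocked by http_access
denied_requests() {
    awk '$4 ~ /^TCP_DENIED/ { print $3, $7 }' "$1"
}

# report LOG -> human-readable summary of the above
report() {
    echo "cache hit ratio: $(cache_hit_ratio "$1")%"
    echo "clients by bytes:";  clients_by_bytes "$1"    | sed 's/^/  /'
    echo "HTTPS tunnels:";     tunnel_destinations "$1" | sed 's/^/  /'
    echo "denied requests:";   denied_requests "$1"     | sed 's/^/  /'
}

report "$SAMPLE_LOG"
```

Run it against the real file with report /var/log/squid/access.log; a hit ratio near zero after a day of browsing usually means cache_dir is too small or most traffic is HTTPS tunnels, which cannot be cached at all.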

Clear the Squid cache and rebuild it

In some cases we need to remove the cache directories and create them again, for example after changing cache_dir. Stop Squid through systemd (squid -k shutdown returns immediately while Squid is still shutting down, and the service unit would not notice), recreate the directory, restore its SELinux context so the squid process is allowed to write there, and let squid -z create the cache structure:

systemctl stop squid
rm -rf /var/spool/squid/
mkdir /var/spool/squid
chown squid:squid /var/spool/squid
restorecon -Rv /var/spool/squid
squid -z
systemctl start squid

Block user access to websites

In some cases we want to block user access to certain websites. In this example we will block facebook.com and ebay.com; the leading dot in the entries below makes each entry cover the domain itself and all of its subdomains.
First let's create a file in which we can add and remove the websites we want to block:

vi /etc/squid/bad-web.acl

Add our sites to the list

.facebook.com
.ebay.com

Now we need to edit the squid configuration file and add the acl and http_access directives. It is important that the lines below are placed in the existing acl and http_access sections, and that the deny rule comes before http_access allow my_internal_net: Squid stops at the first matching http_access rule, so a deny placed after the allow has no effect. Because the hostname is also visible in the CONNECT request, the rule blocks the HTTPS versions of these sites as well.

acl...
acl...
acl badsites dstdomain "/etc/squid/bad-web.acl"

http_access deny badsites
http_access ...
http_access ...

Restart your squid service

systemctl restart squid
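The exact semantics of the entries matter: ".facebook.com" covers facebook.com and every host under it, while an entry without the leading dot matches that one host only. As an added example (not the article's own code), the script below emulates Squid's dstdomain matching against a constructed copy of bad-web.acl, so a list can be sanity-checked before the proxy is restarted:

```shell
#!/bin/sh
# Added example, not part of the original article: emulate how a Squid
# dstdomain ACL matches the request host against bad-web.acl entries.
# Rules modelled:
#   .facebook.com  matches facebook.com and every host under it
#   ebay.com       (no leading dot) matches that exact host only
#   matching is case-insensitive; blank lines and # comments are ignored
# Not modelled: the reverse DNS lookup real Squid performs when the request
# host is an IP address (disable it with "acl ... dstdomain -n").

# dstdomain_match HOST ENTRY -> exit 0 when ENTRY matches HOST
dstdomain_match() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    entry=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$entry" in
        .*)
            # the bare domain itself ...
            [ "$host" = "${entry#.}" ] && return 0
            # ... or anything that ends in ".domain", so m.facebook.com matches
            # but facebook.com.evil.net and notfacebook.com do not
            case "$host" in
                *"$entry") return 0 ;;
            esac
            return 1 ;;
        *)
            [ "$host" = "$entry" ] ;;
    esac
}

# blocklist_verdict HOST FILE -> "deny ENTRY" for the first matching entry,
# otherwise "allow"
blocklist_verdict() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # and whitespace
        [ -z "$line" ] && continue
        if dstdomain_match "$1" "$line"; then
            printf 'deny %s\n' "$line"
            return 0
        fi
    done <"$2"
    printf 'allow\n'
}

# Constructed copy of the article's bad-web.acl with one exact-host entry added
BAD_ACL=$(mktemp)
cat >"$BAD_ACL" <<'EOF'
# sites blocked for all internal clients
.facebook.com
.ebay.com
# exact host only: no leading dot, so www.tracker.example.net is not covered
tracker.example.net
EOF

for h in www.facebook.com FACEBOOK.COM facebook.com.evil.net m.ebay.com \
         www.tracker.example.net www.tekyhost.com; do
    printf '%-28s %s\n' "$h" "$(blocklist_verdict "$h" "$BAD_ACL")"
done
```

Point blocklist_verdict at /etc/squid/bad-web.acl to check a real list; an entry that unexpectedly returns "allow" for a subdomain is almost always missing its leading dot.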

Set up basic username and password authentication for your proxy

In some cases we want users to be prompted for a username and password before they can connect through the browser. This is how to set up basic authentication.
First we need to install the Apache tools, because the htpasswd program is what creates our users:

yum install httpd-tools

Let's create user john. The -c flag creates the password file; it is needed on the first run only, since htpasswd refuses to add a user to a file that does not exist yet (leave -c out for later users, or it will overwrite the file). The helper runs as the squid user, so restrict the file to root and that group:

htpasswd -c /etc/squid/squid_passwd john
chown root:squid /etc/squid/squid_passwd
chmod 640 /etc/squid/squid_passwd

The following lines must be added to /etc/squid/squid.conf. The auth_param lines belong above the acl section (Squid must know the authenticator before an acl refers to it), and the http_access allow password rule must come before http_access allow my_internal_net, otherwise internal clients match the earlier rule and are never asked for credentials. Keep in mind that basic authentication sends the username and password base64-encoded, not encrypted, in every request to the proxy, so it is only acceptable on a trusted internal network.

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 5 hours
acl password proxy_auth REQUIRED
http_access allow password

Restart squid service.

systemctl restart squid
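Rule order is the usual way this setup silently fails, so it is worth checking mechanically. As an added example (not from the article), the script below wraps htpasswd with the flags and permissions described above, and lints the http_access block of a squid.conf for an allow rule that precedes the password rule or a missing closing deny all. The two configuration fragments named WEAK_CONF and FIXED_CONF are constructed here; the fixed version requires both the subnet and a login on a single rule, so outside clients get a plain 403 and internal clients get the 407 challenge:

```shell
#!/bin/sh
# Added example, not part of the original article. create_proxy_user wraps
# htpasswd with the flags and file permissions from the section above;
# check_auth_order lints squid.conf for the rule order that silently
# disables the login prompt. WEAK_CONF/FIXED_CONF are constructed fixtures.

PASSWD_FILE=/etc/squid/squid_passwd   # path used in the article

# create_proxy_user USER -> first call creates the file (-c), later calls
# add or update users without clobbering the file
create_proxy_user() {
    command -v htpasswd >/dev/null 2>&1 || { echo "htpasswd missing: yum install httpd-tools" >&2; return 1; }
    if [ -f "$PASSWD_FILE" ]; then
        htpasswd "$PASSWD_FILE" "$1"
    else
        htpasswd -c "$PASSWD_FILE" "$1"
    fi
    # the helper runs as the squid user; nobody else needs to read the hashes
    chown root:squid "$PASSWD_FILE"
    chmod 640 "$PASSWD_FILE"
}

# check_auth_order CONF -> prints "ok" or the first problem found.
# Squid walks http_access rules top to bottom and stops at the first match:
# an "allow" placed before the rule that requires the password ACL admits
# those clients with no login, and without a closing "deny all" anything
# unmatched is let through. "allow localhost ..." (the proxy itself) is exempt.
check_auth_order() {
    awk '
        $1 == "http_access" {
            rule = $0; sub(/^[ \t]*http_access[ \t]+/, "", rule); sub(/[ \t]+$/, "", rule)
            has_auth = 0
            for (i = 3; i <= NF; i++) if ($i == "password") has_auth = 1
            if ($2 == "allow" && has_auth) seen_auth = 1
            else if ($2 == "allow" && $3 != "localhost" && !seen_auth) {
                print "bypass: \"http_access " rule "\" comes before the rule that requires password"
                bad = 1; exit
            }
            last = rule
        }
        END {
            if (bad) exit
            if (!seen_auth) { print "no http_access allow rule uses the password ACL"; exit }
            if (last != "deny all") { print "last rule is \"" last "\", expected \"deny all\""; exit }
            print "ok"
        }' "$1"
}

# Constructed fragments: the article's rule appended after the existing
# subnet allow (weak) versus one rule that needs both subnet and login (fixed).
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
acl my_internal_net src 192.168.0.0/24
acl password proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow my_internal_net
http_access allow password
http_access deny all
EOF

FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
acl my_internal_net src 192.168.0.0/24
acl password proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow my_internal_net password
http_access deny all
EOF

echo "weak:  $(check_auth_order "$WEAK_CONF")"
echo "fixed: $(check_auth_order "$FIXED_CONF")"
```

Run check_auth_order /etc/squid/squid.conf after every edit; squid -k parse only checks syntax and will happily accept the weak ordering.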

Deploy SquidGuard in test mode

SquidGuard is a URL redirector that works together with Squid: Squid hands it every request URL and SquidGuard answers with either nothing (pass) or a replacement URL (redirect). The package comes with its own blacklists.tar.gz, which we will not use for this example.
We will install it from the EPEL repository:

yum install epel-release
yum install squidGuard 

Create blacklist directories

cd /var/squidGuard/
mkdir blacklists
cd blacklists
vi testdomains

Enter the list of domains you want to block, one per line. SquidGuard domain lists need no leading dot: an entry such as testsite.com matches the domain and all of its subdomains.

The configuration shipped with the CentOS 7 package has a bug that we need to work around, so replace /etc/squid/squidGuard.conf with the configuration below. Note that the redirect URL is sent to the browser, not fetched by the proxy, so http://localhost/block.html would be requested from the user's own workstation; point it at a web server the clients can reach (the MESD example later in this article uses a public site).

vi /etc/squid/squidGuard.conf
#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/squidGuard/
logdir /var/log/squidGuard

dest test {
        domainlist blacklists/testdomains
        
        }

acl {
        default {
                pass !test all
                redirect http://localhost/block.html
        }
 }

Make sure the permissions are correct, since the redirector runs as the squid user and must be able to read the lists:

chown -R squid /var/squidGuard/blacklists

Compile the lists into .db files:

[root@squid squid]# squidGuard -b -d -C all
2018-02-19 11:40:29 [29993] New setting: dbhome: /var/squidGuard/
2018-02-19 11:40:29 [29993] New setting: logdir: /var/log/squidGuard
2018-02-19 11:40:29 [29993] init domainlist /var/squidGuard//blacklists/testdomains
Processing file and database /var/squidGuard//blacklists/testdomains
    [==================================================] 100 % done
2018-02-19 11:40:29 [29993] create new dbfile /var/squidGuard//blacklists/testdomains.db
2018-02-19 11:40:29 [29993] squidGuard 1.4 started (1519058429.772)
2018-02-19 11:40:29 [29993] db update done
2018-02-19 11:40:29 [29993] squidGuard stopped (1519058429.777)

Run the chown from the previous step again after compiling: the .db files were just created by root, and the helper, which runs as the squid user, must be able to read them.

Test our configuration

Feed the redirector one request by hand, using the same line format Squid sends to the helper (192.168.0.x stands for a client address):

echo "http://testsite.com 192.168.0.x/- - GET" | squidGuard -c /etc/squid/squidGuard.conf -d
  • The first field is the URL you want to test
  • The second field is the client IP address, followed by / and the client's FQDN (or - when unknown); the remaining fields are the ident user and the HTTP method
  • An empty reply line means the URL passes; a URL in the reply is the redirect squidGuard would send
  • The -d flag writes the debug log to stderr, which is where configuration errors show up

Last, add the line below to /etc/squid/squid.conf, after the acl section:

vi /etc/squid/squid.conf
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Restart squid

systemctl restart squid

Deploy SquidGuard with the MESD blacklist

First download the MESD blacklist archive (blacklists.tgz).
Copy it to /var/squidGuard.
Extract it in the /var/squidGuard directory:

tar -xzvf blacklists.tgz
    

Edit /etc/squid/squidGuard.conf to look like the one below. Each dest name must match the name used on the pass line; a pass line that references a dest with no block (for example "!hacking" while the block is named adv) is a configuration error, and squidGuard then enters emergency mode and passes everything through. List paths are relative to dbhome, so if the archive unpacked into /var/squidGuard/blacklists/, prefix the hacking, porn and warez paths with blacklists/ or point dbhome at that directory. Note that urllist entries can only match plain HTTP requests: for HTTPS, Squid hands the redirector just the host:port from the CONNECT request, so only domainlist entries apply there.

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/squidGuard/
logdir /var/log/squidGuard

dest test {
        domainlist blacklists/testdomains
}

dest hacking {
        domainlist      hacking/domains
        urllist         hacking/urls
}
dest porn {
        domainlist      porn/domains
        urllist         porn/urls
}
dest warez {
        domainlist      warez/domains
        urllist         warez/urls
}

acl {
        default {
                pass !hacking !porn !warez !test all
                redirect http://tekyhost.com
        }
}


Recompile squidGuard and fix ownership of the new .db files again:

squidGuard -b -d -C all
chown -R squid /var/squidGuard

Restart squid

systemctl restart squid
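Both the test-mode section above and this one depend on squidGuard.conf being internally consistent, and a mistake there does not produce an obvious error in the browser: the redirector just passes everything. As an added example that is not part of the original article, the script below serves both sections. lint_squidguard_conf checks that every dest named on the pass line has a dest block, that every list file exists under dbhome and that the redirect does not point at localhost; sg_batch_test drives the real redirector with the request line format from the test-mode section (it needs the squidGuard binary, and the path /etc/squid/squidGuard.conf is the article's). The configurations BROKEN_SG and FIXED_SG, the temporary dbhome and the http://192.168.0.25/block.html target (which assumes a web server on the proxy host) are all constructed here:

```shell
#!/bin/sh
# Added example, not part of the original article. lint_squidguard_conf is a
# pre-flight check for squidGuard.conf; sg_batch_test feeds URLs through the
# real redirector. Fixtures at the bottom are constructed for this example.

# lint_squidguard_conf CONF -> one finding per line, or "ok"
lint_squidguard_conf() {
    awk '
        function fullpath(p) { return (p ~ "^/") ? p : dbhome "/" p }
        $1 == "dbhome" { dbhome = $2; sub("/$", "", dbhome) }
        $1 == "dest"   { d = $2; p = index(d, "{"); if (p) d = substr(d, 1, p - 1)
                         if (d != "") dests[d] = 1 }
        $1 == "domainlist" || $1 == "urllist" || $1 == "expressionlist" {
            f = fullpath($2)
            if (system("test -f \"" f "\"") != 0) { print "missing list file: " f; n++ }
        }
        $1 == "pass" {
            for (i = 2; i <= NF; i++) {
                d = $i; sub("^!", "", d)
                if (d == "all" || d == "none" || d == "any" || d == "in-addr") continue
                refs[d] = 1            # checked at END so block order does not matter
            }
        }
        $1 == "redirect" && $2 ~ "^https?://localhost([:/]|$)" {
            print "redirect points at localhost, i.e. the client machine, not the proxy: " $2; n++
        }
        END {
            for (d in refs) if (!(d in dests)) { print "pass references undefined dest: " d; n++ }
            if (!n) print "ok"
        }' "$1"
}

# sg_verdict URL REPLY -> classify one redirector reply: an empty reply means
# the URL passed; anything else is the redirect target (squidGuard prefixes
# it with "302:" when the config asks for a real HTTP redirect)
sg_verdict() {
    case "$2" in
        "")     printf 'pass     %s\n' "$1" ;;
        302:*)  printf 'redirect %s -> %s\n' "$1" "${2#302:}" ;;
        *)      printf 'redirect %s -> %s\n' "$1" "$2" ;;
    esac
}

# sg_batch_test CLIENT_IP URL... -> one verdict per URL from the real helper.
# Squid hands it "URL client_ip/fqdn ident method"; "-" marks unknown fields.
sg_batch_test() {
    client=$1; shift
    command -v squidGuard >/dev/null 2>&1 || { echo "squidGuard not installed" >&2; return 1; }
    for u in "$@"; do
        reply=$(printf '%s %s/- - GET\n' "$u" "$client" | squidGuard -c /etc/squid/squidGuard.conf 2>/dev/null)
        sg_verdict "$u" "$reply"
    done
}

# Constructed fixtures: a dbhome holding only the test list, a config with the
# dest/pass name mismatch plus a localhost redirect, and a corrected config.
SG_DBHOME=$(mktemp -d)
mkdir -p "$SG_DBHOME/blacklists"
printf 'testsite.com\n' >"$SG_DBHOME/blacklists/testdomains"

BROKEN_SG=$(mktemp)
cat >"$BROKEN_SG" <<EOF
dbhome $SG_DBHOME/
logdir /var/log/squidGuard
dest test {
        domainlist blacklists/testdomains
}
dest adv {
        domainlist      hacking/domains
        urllist         hacking/urls
}
acl {
        default {
                pass !hacking !test all
                redirect http://localhost/block.html
        }
}
EOF

FIXED_SG=$(mktemp)
cat >"$FIXED_SG" <<EOF
dbhome $SG_DBHOME/
logdir /var/log/squidGuard
dest test {
        domainlist blacklists/testdomains
}
acl {
        default {
                pass !test all
                redirect http://192.168.0.25/block.html
        }
}
EOF

echo "broken config:"; lint_squidguard_conf "$BROKEN_SG" | sed 's/^/  /'
echo "fixed config:";  lint_squidguard_conf "$FIXED_SG"  | sed 's/^/  /'
```

Once the lint reports "ok" on /etc/squid/squidGuard.conf and the lists are compiled, sg_batch_test 192.168.0.10 http://testsite.com/ http://www.tekyhost.com/ shows the pass/redirect decision per URL without touching a browser.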
    
