
Step-by-Step Guide: Setting Up a Secure Squid Proxy on CentOS 8
In today’s complex network environments, managing and optimizing web traffic is more critical than ever. A powerful tool for this task is a proxy server, and one of the most robust and widely used solutions is Squid. A Squid proxy server acts as an intermediary between your users and the internet, offering significant benefits in performance, security, and access control.
By caching frequently accessed content, Squid can dramatically speed up web browsing and reduce bandwidth consumption. It also allows you to enforce web access policies, filter content, and enhance security by masking the IP addresses of client computers. This guide will walk you through the complete process of installing and configuring a secure Squid proxy server on CentOS 8.
Prerequisites
Before we begin, ensure you have the following:
- A server running CentOS 8.
- Root or sudo privileges.
- A basic understanding of the Linux command line and a text editor like vi or nano.
Step 1: Installing the Squid Package
The first step is to get the Squid software onto your server. CentOS repositories make this a straightforward process. It’s always a best practice to start by updating your system’s package index to ensure you have the latest information.
Open your terminal and update your system packages:
```bash
sudo dnf update -y
```
Next, install the Squid package using the dnf package manager:
```bash
sudo dnf install squid -y
```
This command will download and install Squid along with all its necessary dependencies.
Once the installation is complete, you can start the Squid service and enable it to launch automatically at boot:
```bash
sudo systemctl start squid
sudo systemctl enable squid
```
To verify that the service is running correctly, check its status:
```bash
sudo systemctl status squid
```
You should see an “active (running)” message, confirming that Squid is operational. By default, Squid listens on TCP port 3128.
Step 2: Configuring Squid Access Controls
Out of the box, the default Squid configuration is highly restrictive and will likely deny access from your client machines. The core of setting up a functional and secure proxy lies in editing its main configuration file.
The primary configuration file is located at /etc/squid/squid.conf. This file contains numerous directives that control every aspect of the proxy’s behavior. We will focus on the most critical settings: Access Control Lists (ACLs) and http_access rules.
ACLs are used to define specific types of traffic based on criteria like source IP address, destination domain, or time of day. The http_access rules then use these ACLs to either allow or deny that traffic.
Before making any changes, it is highly recommended to create a backup of the original configuration file:
```bash
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
```
Now, open the configuration file with your preferred text editor:
```bash
sudo nano /etc/squid/squid.conf
```
Inside the file, you need to define an ACL for the client network(s) you want to grant access to. Find the section with ACLs (you can search for acl). Add a line defining your local network. For example, if your local network is 192.168.1.0/24, you would add:
```
# Add your local network to the list of allowed clients
acl localnet src 192.168.1.0/24
```
Replace 192.168.1.0/24 with your actual network range. You can add multiple ACLs for different networks if needed.
Next, you must grant access to the network you just defined. Find the http_access rules section. By default, Squid denies most requests. You need to insert an allow rule for your ACL. It is crucial to place this rule before the final http_access deny all directive.
Add the following line above http_access deny all:
```
# Allow access from our local network
http_access allow localnet
```
Your access rules should now look something like this:
```
# ... other http_access rules ...
http_access allow localhost

# INSERT YOUR RULE HERE
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all
```
Security Tip: The order of http_access rules is critical. Squid processes them from top to bottom and stops at the first match. Always end your access list with http_access deny all to ensure that any traffic not explicitly allowed is blocked.
Save the file and exit the editor. For the changes to take effect, you must restart the Squid service:
```bash
sudo systemctl restart squid
```
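The rule order described in the Security Tip can be checked mechanically. The script below is an added example, not part of the original guide or of Squid; the function names check_http_access_order and demo_misordered are hypothetical and the sample config is constructed.

```bash
# Added example (not from the original guide): lint http_access ordering.
# Usage: check_http_access_order FILE [ACL]   (ACL defaults to localnet)
# Prints one finding per line; returns 0 only when the order is sound.
check_http_access_order() {
    awk -v acl="${2:-localnet}" '
        $1 != "http_access" { next }    # skip comments and other directives
        {
            if (catchall != "") {
                # First match wins: nothing after a catch-all is evaluated.
                printf "line %d: unreachable, placed after \"%s\"\n", NR, catchall
                bad = 1
            } else if ($3 == "all" && NF == 3) {
                catchall = $2 " all"
                if ($2 == "allow") {
                    printf "line %d: \"allow all\" makes this an open proxy\n", NR
                    bad = 1
                }
            } else if ($2 == "allow" && $3 == acl && NF == 3) {
                allowed = 1
            }
            last = (NF == 3) ? ($2 " " $3) : ""
        }
        END {
            if (last != "deny all") {
                print "final http_access rule is not \"deny all\""
                bad = 1
            }
            if (!allowed) {
                printf "no reachable \"http_access allow %s\" rule\n", acl
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the allow rule was added below "deny all" by mistake.
demo_misordered() {
    conf=$(mktemp)
    printf '%s\n' 'acl localnet src 192.168.1.0/24' \
        'http_access allow localhost' \
        'http_access deny all' \
        'http_access allow localnet' > "$conf"
    rc=0; check_http_access_order "$conf" || rc=$?
    rm -f "$conf"
    return "$rc"
}
```

Run it against /etc/squid/squid.conf after editing. Squid's own `squid -k parse` checks the file's syntax rather than the rule order, so the two checks complement each other.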
Step 3: Configuring the Firewall
Even with Squid configured, your server’s firewall will block incoming connections to the proxy port. You need to add a rule to firewalld to allow traffic on port 3128.
- Add a permanent firewall rule to open the Squid port:
```bash
sudo firewall-cmd --permanent --add-port=3128/tcp
```
- Reload the firewall to apply the new rule:
```bash
sudo firewall-cmd --reload
```
Your proxy server is now ready to accept connections from your configured local network.
Step 4: Testing the Proxy Connection
The final step is to configure a client machine (e.g., your computer) to use the new proxy server and verify that it works.
- On a client machine within the network you allowed (192.168.1.0/24 in our example), open your web browser’s network or connection settings.
- Find the proxy settings section and choose to configure a proxy manually.
- Enter the IP address of your CentOS 8 server in the HTTP Proxy field and 3128 in the Port field.
- Save the settings and try to browse the web. If you can access websites, your proxy is working correctly.
To further confirm that traffic is passing through Squid, you can monitor its access log in real time on the server:
```bash
sudo tail -f /var/log/squid/access.log
```
As you browse from your client machine, you should see new log entries appear in the terminal, showing the requests being processed by Squid.
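Going a step beyond watching the log scroll, the following added example (not part of the original guide) summarises an access log to confirm the ACL is enforced: it lists clients that were denied and any client outside the allowed network that was served anyway. It assumes Squid's default native log format and IPv4 clients; audit_access_log and demo_audit are hypothetical names and the log lines are constructed.

```bash
# Added example (not from the original guide): audit a Squid access log.
# Assumes Squid's default native log format (field 3 = client IP,
# field 4 = result/status) and IPv4 clients only.
# Usage: audit_access_log FILE [CIDR]   (CIDR defaults to 192.168.1.0/24)
audit_access_log() {
    awk -v cidr="${2:-192.168.1.0/24}" '
        function ip2int(ip,    o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            size = 2 ^ (32 - c[2])              # addresses in the allowed block
            net = int(ip2int(c[1]) / size)
        }
        NF < 7 || $3 ~ /^127\./ { next }        # skip short lines and localhost
        $4 ~ /^TCP_DENIED\// { denied[$3]++; next }
        int(ip2int($3) / size) != net { outside[$3]++ }
        END {
            for (ip in outside) printf "SERVED_OUTSIDE %s %d\n", ip, outside[ip]
            for (ip in denied)  printf "DENIED %s %d\n", ip, denied[ip]
        }
    ' "$1" | sort
}

# Constructed sample log: one allowed client, one denied, one served in error.
demo_audit() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
1700000000.123    145 192.168.1.25 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1700000001.456      0 10.0.5.9 TCP_DENIED/403 3900 GET http://example.com/ - HIER_NONE/- text/html
1700000002.789     80 192.168.1.25 TCP_TUNNEL/200 9000 CONNECT example.org:443 - HIER_DIRECT/192.0.2.11 -
1700000003.000     60 203.0.113.7 TCP_MISS/200 700 GET http://example.net/ - HIER_DIRECT/192.0.2.10 text/html
EOF
    audit_access_log "$log"
    rm -f "$log"
}
```

A SERVED_OUTSIDE line means an allow rule matches more than the intended network, so the ACLs in squid.conf need tightening.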
By following these steps, you have successfully deployed a functional and secure Squid proxy on CentOS 8. You can now explore the extensive squid.conf file to implement more advanced features like caching rules, content filtering, and user authentication to further enhance your network’s performance and security.
Source: https://kifarunix.com/install-and-configure-squid-proxy-on-centos-8/