Debian Router - Squid Setup


Published: 2015-06-12T13:23:24Z   Edited: 2017-06-22T13:23:24Z

We've configured the DHCP server, so what's next? Today we'll configure Squid to cache web traffic and to enforce access control on what LAN clients may connect to.

 
 
Also in this Debian router article series:
  1. Introduction.
  2. Hardware Requirements.
  3. Software installation.
  4. Basic Setup.
  5. /etc/network/interfaces Configuration.
  6. Unbound dns server setup.
  7. DHCP server setup
  8. Squid setup. (We are Here!)
  9. Final step iptables and sysctl.conf configuration.

 

Objective:

Our goal is to let LAN clients reach the internet only through Squid. We'll achieve this by routing all web traffic through the proxy, which lets us control client connections: only HTTP and HTTPS are allowed, everything else is blocked. One caveat to keep in mind for the iptables step later: the transparent (intercept) listener configured below only understands plain HTTP. Intercepted port 443 traffic arrives as TLS, which Squid cannot handle without ssl_bump and a locally trusted CA (not covered in this series), so HTTPS either passes through the firewall directly or must reach the proxy as an explicit CONNECT request from clients that are configured to use it; the CONNECT rules below apply to that explicit case.

 

 
First, back up the original config file, since you'll probably want to keep it as a reference:
mv /etc/squid/squid.conf{,.origin}
Then create two new, empty configuration files, squid.conf and mysquid.conf:
touch /etc/squid/{my,}squid.conf
Now open mysquid.conf for editing:
vi /etc/squid/mysquid.conf

Tell Squid about the local network, 10.5.5.0/24:

acl localnet src 10.5.5.0/24

Next we define the ports Squid is allowed to connect to; we only want 80 and 443:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
Deny every port that is not explicitly allowed (Squid evaluates http_access lines top to bottom and the first matching line wins, so these deny rules come first):
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
Allow cache manager access only from localhost:
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
Allow browsing from localnet and from nobody else:
# from where browsing should be allowed
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all
Instruct Squid to listen on port 3377 (just a nicer-looking port) instead of the default 3128, bound to the eth1 IP address, in transparent (intercept) mode. Squid treats every connection to an intercept port as NAT-redirected traffic, so this listener is meant for the iptables REDIRECT rule in the final article, not for clients that point at the proxy explicitly; if you also want explicit proxy or cachemgr access from the router itself, add a second, non-intercept http_port line bound to 127.0.0.1.
http_port 10.5.5.1:3377 intercept
Configure a disk cache, especially if your Debian box is low on RAM; without a cache_dir Squid caches in memory only.
Let's use up to 7 GB (7168 MB). The first time you start Squid with a new cache_dir, build its directory structure with squid -z if the init script does not do it for you; Squid refuses to start otherwise.
# Uncomment and adjust the following to add a disk cache directory. 7168 = 7 Gb, feel free to increase it
cache_dir aufs /var/cache/squid 7168
The whole /etc/squid/mysquid.conf looks like the following:
acl localnet src 10.5.5.0/24

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# from where browsing should be allowed
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all

http_port 10.5.5.1:3377 intercept

# Uncomment and adjust the following to add a disk cache directory. 7168 = 7 Gb, feel free to increase it
cache_dir aufs /var/cache/squid 7168
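To see how Squid actually evaluates the rule list above (top to bottom, every ACL on a line must match, first matching line wins), here is an added Python evaluator that mirrors those documented http_access semantics for the ACL types this page uses. It is example code written for this article, not part of Squid: the config text and the sample requests are constructed inline, and the built-in localhost/manager ACL definitions are approximations of Squid's own. Running it shows why rule order matters: a CONNECT to port 80 is caught by the second line, a LAN client asking for a cache-manager URL is caught by `deny manager` before `allow localnet`, and, because Safe_ports here lists only 80 and 443, a cachemgr request to the proxy's own port is rejected by `deny !Safe_ports` before `allow localhost manager` is ever reached. The last sample adds the proxy port to Safe_ports to show that line come alive.

```python
"""Toy first-match evaluator for the subset of Squid ACL syntax used in
mysquid.conf (acl src/port/method, http_access allow/deny).  Added example,
not Squid's code; it follows Squid's documented http_access semantics."""
import ipaddress
import re

# Constructed inline copy of the page's mysquid.conf.
MYSQUID_CONF = """
acl localnet src 10.5.5.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
http_port 10.5.5.1:3377 intercept
"""

# Squid predefines these; the 'manager' patterns approximate Squid's own url_regex ACL.
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "manager": ("url_regex", [r"^cache_object://", r"^https?://[^/]+/squid-internal-mgr/"]),
}


def parse_conf(text):
    """Collect ACL definitions (same name appends values) and http_access rules in order."""
    acls = {n: (k, list(v)) for n, (k, v) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # Squid ignores '#' comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            name, kind, values = words[1], words[2], words[3:]
            if name in acls and acls[name][0] != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:], line))
    return acls, rules


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":        # single ports only; the page uses no ranges
        return any(req["port"] == int(v) for v in values)
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "url_regex":
        return any(re.search(v, req["url"], re.IGNORECASE) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def term_matches(acls, term, req):
    """A leading '!' negates the ACL, as in Squid."""
    return not acl_matches(acls, term[1:], req) if term.startswith("!") else acl_matches(acls, term, req)


def evaluate(acls, rules, req):
    """Return (action, rule text). First line whose ACLs all match decides;
    with no match Squid applies the opposite of the last rule's action."""
    for action, terms, line in rules:
        if all(term_matches(acls, t, req) for t in terms):
            return action, line
    if not rules:
        return "deny", "(no http_access lines: Squid denies)"
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(no match: opposite of last rule)"


def decide(src, method, url, port, conf=MYSQUID_CONF):
    acls, rules = parse_conf(conf)
    return evaluate(acls, rules, {"src": src, "method": method, "url": url, "port": port})


if __name__ == "__main__":
    samples = [  # constructed requests: (client IP, method, URL, destination port)
        ("10.5.5.20", "GET", "http://example.com/", 80),
        ("10.5.5.20", "CONNECT", "example.com:443", 443),
        ("10.5.5.20", "CONNECT", "example.com:22", 22),
        ("10.5.5.20", "CONNECT", "example.com:80", 80),
        ("10.5.5.20", "GET", "http://10.5.5.1/squid-internal-mgr/info", 80),
        ("127.0.0.1", "GET", "cache_object://localhost:3377/info", 3377),
        ("192.168.1.5", "GET", "http://example.com/", 80),
    ]
    for s in samples:
        action, why = decide(*s)
        print(f"{s[0]:12} {s[1]:8} {s[2]:42} -> {action:5} via {why}")
    # Squid requires an acl to be defined before the line that uses it, so prepend the fix.
    fixed = "acl Safe_ports port 3377\n" + MYSQUID_CONF
    print("with 3377 in Safe_ports:", decide("127.0.0.1", "GET", "cache_object://localhost:3377/info", 3377, fixed))
```

The evaluator covers only the ACL types on this page; real Squid has many more (dstdomain, time, proxy_auth, port ranges) and the manager ACL is version dependent, so treat it as a way to reason about rule order, not as a substitute for testing against the running proxy.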
Open the main Squid config file, /etc/squid/squid.conf:
vi /etc/squid/squid.conf
Include our custom config file from the (otherwise empty) new squid.conf:
include /etc/squid/mysquid.conf
Finally, restart Squid (running squid -k parse first reports any syntax error without touching the running instance):
service squid restart
 