setting up squid proxy server

Upload: ramesh-kumar-varadharajan

Post on 09-Feb-2018


  • 7/22/2019 Setting Up Squid Proxy Server

    www.marskarthik.com

    Written by Karthikeyan [email protected]

    Setting up Squid Proxy Server

    Apart from the hardware, everything used here is free, so there are no licensing problems to worry about.

    Hardware Requirements:

    1. It's good to use a machine that was bought a year ago, to avoid adding new drivers to Linux manually. You can try a new machine: if Linux detects your network card correctly there is no issue; otherwise you have to find and install the driver for it manually, which takes some time. Use the #ifconfig command to find the details of the Ethernet card.

    2. No monitor/keyboard/mouse is needed after installation. You can monitor and control the machine through the web, but only after installing the Webmin software. You can also telnet or SSH in to work on it.

    3. It's better to have at least 1GB of memory if you want everyone to go through the proxy.

    4. It is better if the machine is Wake-on-LAN enabled, because sometimes you may need to start it remotely; otherwise someone has to power it on manually. Linux also has the built-in command #ether-wake for starting other computers on the network.

    Software Requirements:

    For Installation:

    For Linux

    1. Download the Fedora Core 9 ISO from any one of the links below and burn it to DVD:

       http://mirror.web-ster.com/fedora/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso
       http://astromirror.uchicago.edu/fedora/linux/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso
       http://mirror.yandex.ru/fedora/linux/releases/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso

    2. Download the Webmin software from www.webmin.com. Select the RPM package, or download it from the link below:

       http://sourceforge.net/project/downloading.php?groupname=webadmin&filename=webmin-1.430-1.noarch.rpm&use_mirror=nchc

    Note: You can also download this software on Linux using a browser or the wget utility from the command line. You can get into GUI mode only if Linux detects your graphics card; otherwise you have to work in command mode. If you are unable to download Webmin from command mode, you can download it on any Windows machine and bring it to Linux on a CD.

    Command to install Webmin:
    #rpm -i webmin-1.430-1.noarch.rpm

    Command to uninstall Webmin (rpm -e takes the package name, not the file name):
    #rpm -e webmin

    Command to upgrade Webmin:
    #rpm -Uvh webmin-1.430-1.noarch.rpm

    Commands to find whether a package such as squid or Webmin is installed:
    #rpm -q webmin (No need to use the full file name here)
    #rpm -q squid (This will show all squid related packages)
    #rpm -qi squid (This will display full package information)

    Note: The above three commands show results only for packages installed from an rpm package (filename.rpm). If the installation was done from a filename.tar.gz archive, you won't get any information. Alternatively, you can find the application using the commands

    #whereis squid
    #whereis webmin

    These show the exact application path. It's always better to install from an rpm package rather than a tar.gz archive, because with tar.gz you need to configure and compile the package manually to install it.

    Installation:

    1. Boot from the Fedora Core 9 DVD. The installer will ask the usual questions such as machine name, password, IP address (use static), DNS, gateway etc.

    2. Go for the full setup, or in custom mode select all components, because some components may be needed in future. Adding everything will not degrade performance unless the components are actually used.

    3. Installation will take at least 30 to 40 minutes to complete, depending on your machine configuration.

    4. Once installation is over, try to telnet to the installed machine from another machine. If that works, you are almost done with the installation.

    5. Last but not least is installing the Webmin software (use the commands mentioned under Software Requirements). Once this is done, you are ready to keep the machine in your desired place and start configuring it remotely.

    After Installation:

    For Windows

    1. Download Kraken Reports to analyze the Squid log file from
       http://www.krakenreports.com/index.php?subPage=download

    2. Putty for telnet or SSH

    Configuring:

    1. Open a browser and go to https://ipaddress:10000

    2. Log in as user root with the root password.

    3. You should see a screen similar to the one below.

    4. Before proceeding with the Squid configuration, if you want to change any network settings for that machine, select Networking from the menu on the left and select Network Configuration to make the required changes.

    5. Now select Servers from the menu and select Squid Proxy Server. Squid will not run until some initial configuration is made. The screenshot shown below was taken after the changes were made and the Squid server was running.

    6. Screenshots of the various settings follow.

    Module Config

    Ports and Networking

    The default port is 3128, and you can change it to some other number such as 8080. If the server is also going to have a public address, use a port other than 3128 and 8080.

    Logging

    I often analyze access log files using Kraken Reports in Windows. This will show you what, who, where, when and more details of a website. It's difficult to understand access.log just by looking at it, so use the Kraken Reports software. A screenshot of Kraken Reports is shown below.

    Administrative Options

    Last but not least is Access Control; it's where you will be working all the time. There is no need to change any other options under Squid Proxy Server.

    Once the configuration is made, try starting Squid from the link at the top right. If the front screen asks you to initialize the cache, do that first and then start Squid. After starting Squid, configure the proxy server details in a browser and try browsing. This should work without any restrictions.

    Now coming to Access Control

    Note: Basically you can set restrictions in two ways, using the IP address or the MAC address. For full-access users I use the MAC address, and for others I use the IP address. If a particular IP has full access, there is a possibility that someone can set the IP address of a full-access machine (when that machine is off) and enjoy full access. By going with the MAC address we can eliminate this misuse. I have other ways to prevent changes to the proxy settings, and I will mention them later. You can even allow only IE to access the proxy, so that if someone uses another browser or any other internet application, the proxy rejects it. You can also set restrictions based on time and day. A larger number of rules will slow down internet access on the client side, so you may need to add more RAM to the proxy machine.

    Below are the screenshots of the Access control lists in my proxy server.

    You will see only a few lines under Access Control in the initial setup stage, and more rules can be added depending on your need. This is similar to firewall rules. Just adding entries here in Access Control Lists (ACL) will not give you any restrictions. You have to apply these ACLs in the Proxy restrictions section, and the order of the rules (top to bottom) decides the restrictions. You have to edit the IP address range in the localnet section and remove unwanted IP address ranges.

    We have to create all the ACLs first and then set the restrictions. To create a new ACL, select the list you want from the menu next to the Create new ACL button and click the button to create it.

    Browser Regexp (Regular Expression)

    This rule detects only Internet Explorer. The ACL name can be anything; use MSIE as the expression, because this is the string the browser sends to the proxy for identification. I found this from access.log. If you add Mozilla, then all Mozilla-based browsers will be allowed to use the proxy.

    Client Address

    This rule specifies one or many IP addresses. It can be combined with many other rules.

    Ethernet Address

    This rule specifies one or more Ethernet addresses in your local network. Again, it can be combined with many other rules.

    URL Regexp (Regular Expression)

    This rule is used very often, for various purposes. In general, the words specified in it are matched against the URL (link), not against the page content. For example, if the www.aol.com page contains the word mobile or gmail, it will not be blocked. But www.aol-gmail.com, www.aolmobile.com, www.aol.com/mobile or www.aol.com/images/mobile.jpg will be blocked. Don't forget to check the Ignore Case option. You can use regular expressions here.

    Web Server Regexp

    This rule specifies one or many websites. If you specify microsoft.com alone, then by default it will allow all subdomains *.microsoft.com. But when subdomains are in a different network or IP range, you have to enter all the domains manually. Here I have entered office.microsoft.com and update.microsoft.com.

    These are the major ACLs we need in order to set restrictions. For more advanced restrictions, other ACLs can be used.

    To enable or disable ACLs we need to go to the Proxy restrictions tab, which is next to the Access control lists tab.

    Again, by default you will see very few restrictions enabled in the initial setup. Rules are read from top to bottom. Click the Add proxy restriction link to apply a rule. Select one or many ACLs (use the Control key for multiple selections) and select whether the rule is to allow or deny.

    Use the up and down arrows to change the order of the rules. That's it, now you have control over the browsing.
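
    The ACL types and rule ordering described above, written directly as squid.conf directives. This is an added example, not taken from the author's server; the ACL names, the 192.168.1.0/24 range and the MAC address are constructed placeholders.

```conf
# Added example: squid.conf equivalents of the Webmin ACL screens.
# ACL names, the address range and the MAC below are constructed placeholders.

# Client Address: the LAN that may use the proxy (edit to your own range)
acl localnet src 192.168.1.0/24

# Ethernet Address: full-access machines, matched by MAC address.
# Needs a Squid build with ARP ACL support and only matches clients
# on the proxy's own subnet (the MAC is not visible across a router).
acl full_users arp 00:11:22:33:44:55

# Browser Regexp: matched against the User-Agent header sent by the client
acl ie_only browser MSIE

# URL Regexp: matched against the request URL only, never the page content.
# -i is the "Ignore Case" checkbox.
acl blocked_words url_regex -i mobile gmail

# Web Server Regexp: matched against the destination host name
acl ms_sites dstdom_regex -i office\.microsoft\.com update\.microsoft\.com

# Proxy restrictions: read top to bottom, the first matching line decides.
# Several ACLs on one line are ANDed; "!" negates an ACL.
http_access allow full_users        # MAC-listed machines: full access
http_access deny !localnet          # anything outside the LAN: refused
http_access deny !ie_only           # LAN clients not identifying as IE: refused
http_access allow ms_sites          # allowed even if the URL has a blocked word
http_access deny blocked_words      # URL contains "mobile" or "gmail"
http_access allow localnet          # everything else from the LAN
http_access deny all                # "all" is built in or defined in the stock squid.conf
```

    The Browser Regexp and Ethernet Address ACLs match values that the client itself supplies, so they work as policy against casual misuse; where identity matters, Squid's proxy authentication (auth_param with a proxy_auth ACL) is the stronger control.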

    Overcoming smart users

    Some people are smart enough to change the proxy settings from the Connections tab in the IE settings. You can use the registry trick below to disable it.

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    "ConnectionsTab"=dword:00000001

    You can also list the addresses that may bypass the proxy in a registry file and merge it.

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyOverride"="208.28.64.*;172.19.20.*;172.19.10.*;125.17.1.*;"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyOverride"="208.28.64.*;172.19.20.*;172.19.10.*;125.17.1.*;"

    You can also make a registry script that applies all the settings in one shot instead of configuring them manually. Placing it in the logon script will make your job easier.

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    "ConnectionsTab"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000001
    "ProxyOverride"="208.28.64.*;172.19.20.*;172.19.10.*;125.17.1.*;"
    "ProxyServer"="192.168.1.1:3128"

    Now, what happens if they use Firefox, Netscape or Opera and configure DNS manually to browse?

    You need to enable DNS Servers in gpedit.msc (group policy) with some local IP address, so that it supersedes the DNS setting configured locally or via DHCP. Make sure that IP address doesn't run a DNS service.

    So, no matter what browser or application a user uses, internet access is not possible. But they can still get access by using a direct IP address.