• Raajiv

    Thanks, I really appreciate your effort.

  • Edwin

    Thanks soooooo much, everything worked well.

  • Hulululu

    Nice one. Clear and helpful tutorial!

    • jjsn

      Good day. This is the first time I have set up a proxy server. I hope you can help me with how to set up a transparent proxy. I am trying to set up a transparent proxy behind the firewall and I am using eth1 on the squid server. My problem is that when I assign a proxy setting in the browser it works, but when I remove the proxy setting from the browser it does not work. I just followed the how-to on this page.

      Thanks in advance.

    • Chanuka

      Yes, it's actually a clear tutorial and it was really helpful to me too…

  • jjsn

    ADDITIONAL INFO. This is the firewall script that I'm currently using. I put a comment on this line because I am getting an error message: #echo 1 > /proc/sys/net/ipv4/ip_forward

    #!/bin/sh
    # squid server IP
    SQUID_SERVER="192.168.1.1"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"
    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    # Commented out by the poster because it gave an error; while it stays
    # commented, ip_forward is 0 and the kernel does not route LAN traffic.
    #echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    #iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    #iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

  • http://www.krizna.com krizna

    Hi jjsn,
    Can you just paste the error msg here? And can you please check the gateway of the machine? The gateway should be the squid server IP for using it as a transparent proxy.

    • jjsn

      Thanks Krizna, it works now. I will just post any possible problems encountered.

  • jjsn

    Hi Krizna, an additional question: how can I enable ports such as 21,22,25,110, etc… and also ping? Currently the users' only access is browsing.

    • http://www.krizna.com krizna

      Just add these lines in the iptables script and try again
      # OUTPUT rules use -o (outgoing interface), not -i; lines starting with # are ignored by the shell
      # outbound FTP, SSH, POP3, SMTP and IMAP from this box
      iptables -A OUTPUT -o $INTERNET -p tcp -m multiport --dports 21,22,110,25,143 -m state --state NEW -j ACCEPT
      # note: this accepts NEW inbound connections to these ports from the Internet interface
      iptables -A INPUT -i $INTERNET -p tcp -m multiport --dports 21,22,110,25,143 -m state --state NEW -j ACCEPT
      # ping out and accept the replies
      iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

      • jjsn

        I will try that. Thanks again

  • Kishore

    Hi,

    I have installed Squid on CentOS 6.3.
    I want to use this PC as a firewall between my Internet & LAN.
    I want to do the following things.

    1. Connect the Internet to the PC (installed with CentOS)
    2. Using squid, configure eth0 as the incoming internet
    3. eth1 as distributing internet to the LAN
    4. Use Squid as proxy and assign the IP addresses to the client PCs using MAC address
    5. How to restrict the use of certain websites on client PCs during working hours, and allow them only at specific times like 5pm to 9am and 1pm to 2pm.

    Thanks
    Kishore

    • Mahendran

      Hi…
      It is working very well ….Thanks….

  • dip

    It's nice

  • mohamed Ramadan

    many thanks

  • vijay

    I am using Red Hat EL 5 for the squid proxy server. I pasted one porn file in the squid folder to restrict some websites. Another file named Hicet is also pasted in the squid folder; it is used so that particular IPs can search all websites. How can I use this porn and hicet file in the CentOS squid.conf file?

    • krizna

      Create an acl for the porn file and the hicet file like below ..

      acl blockporn dstdomain "/etc/squid/porn"
      acl allowips src "/etc/squid/hicet"

      and control access like this

      http_access deny blockporn
      http_access allow allowips

      [or]
      http_access deny blockporn !allowips

  • vijay

    I am using CentOS 6.3. Where in the squid.conf file can I insert my client IPs?

    • krizna

      @vijay
      please provide more details, like the purpose of using client IPs (to block or allow).
      Anyway, to allow or deny IPs you should define an ACL for IP groups ..

      For Eg:
      developers : 192.168.1.2 ,192.168.1.3
      testers : 172.27.1.2 , 172.27.1.3

      Now in the squid.conf file, under the ACL section, define an acl for both developers and testers like below
      acl devips src 192.168.1.2 192.168.1.3
      acl testips src 172.27.1.2 172.27.1.3

      and under http_access .. you can allow or deny a particular acl

      http_access deny devips
      http_access allow testips

  • vijay

    I want to write the configuration for a squid proxy server in CentOS 6. Here I am going to use the IP series 192.168.153.0/24 for browsing. I inserted these lines, acl Net src 192.168.153.0/24 and http_access allow Net, in the squid conf file after the line "adapt to list your internal IP networks from where browsing should be allowed", but I am getting an error message when I restart squid with service: "you should probably remove 192.168.153.0/24 from the ACL name Net". How to solve this?

  • vijay

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl NET src 192.168.153.0/24 # Your Internal Network

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed

    acl Net 192.168.153.0/255.255.255.0

    http_access allows Net

    #http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    • krizna

      vijay

      it seems you've got 2 acls with the same name, Net, and some typo errors..
      replace these lines

      acl Net 192.168.153.0/255.255.255.0
      http_access allows Net

      with

      http_access allow Net

      you have already defined the acl Net under the ACL section.

      acl NET src 192.168.153.0/24 # Your Internal Network

  • vijay

    My server IP is 192.168.153.153. I configured 192.168.153.153 port 3128 in the Internet Explorer connection settings, but it is not browsing.

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl NET src 192.168.153.0/24 # Your Internal Network

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow Net
    #http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

  • MRamadan

    thanks

  • vijay

    [root@localhost ~]# cat /ect/squid/blockkeywords.squid
    cat: /ect/squid/blockkeywords.squid: No such file or directory

    • krizna

      hi vijay .. you need to create the files yourself and add some keywords to block

  • vijay

    hi, thanks for the information. I want to open only one website for particular IPs; how can I configure that?

    • krizna

      acl partips src 192.168.1.10 192.168.1.11

      # dstdomain takes a hostname, not a URL
      acl allowsite dstdomain www.google.com

      # deny those IPs everything except the allowed site
      http_access deny partips !allowsite
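
The http_access rules from krizna's replies above (blockporn/allowips, and partips/allowsite just here) evaluated by a small Python model of Squid's src/dstdomain matching. This is an added example, not code from the thread or from Squid; the file contents, IP addresses and domains are constructed sample data.

```python
import ipaddress

# Constructed stand-ins for the contents of "/etc/squid/porn" and "/etc/squid/hicet".
PORN_FILE = ["badsite.example", ".adult.example"]
HICET_FILE = ["192.168.1.50", "192.168.1.0/26"]

def parse_acls(lines):
    """Parse 'acl NAME TYPE value...' lines into {name: (type, [values])}."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl" or parts[2] not in ("src", "dstdomain"):
            raise ValueError("unsupported acl line: %r" % line)
        # Squid lets several acl lines extend one name (repeating a value warns).
        acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def acl_matches(kind, values, client_ip, host):
    """src: client IP inside any listed address/CIDR.  dstdomain: exact host
    match, or, for a value with a leading dot, that domain and all subdomains."""
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    host = host.lower()
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in map(str.lower, values))

def http_access(acls, rules, client_ip, host):
    """First matching http_access line wins; every ACL on the line must match
    (AND) and a leading '!' negates one ACL.  When no line matches, Squid
    applies the opposite of the last line's verdict, hence a final 'deny all'."""
    last = "allow"
    for rule in rules:
        parts = rule.split()
        if parts[:1] != ["http_access"] or parts[1] not in ("allow", "deny"):
            raise ValueError("bad http_access line: %r" % rule)
        last, terms = parts[1], parts[2:]
        for term in terms:
            name = term.lstrip("!")
            hit = name == "all" or acl_matches(*acls[name], client_ip, host)
            if hit == term.startswith("!"):  # ACL failed, or a negated ACL matched
                break
        else:
            return last
    return "deny" if last == "allow" else "allow"

ACLS = parse_acls([
    "acl blockporn dstdomain " + " ".join(PORN_FILE),
    "acl allowips src " + " ".join(HICET_FILE),
    "acl partips src 192.168.1.10 192.168.1.11",
    "acl allowsite dstdomain www.google.com",
])
# Two-line form: the deny line is checked first, so an allowips client is still
# denied blocked domains.  The "[or]" form exempts allowips from the block.
TWO_LINE = ["http_access deny blockporn", "http_access allow allowips", "http_access deny all"]
ONE_LINE = ["http_access deny blockporn !allowips", "http_access allow allowips", "http_access deny all"]
# One site only for particular IPs: partips may reach allowsite and nothing else.
PARTIPS = ["http_access deny partips !allowsite", "http_access allow partips", "http_access deny all"]

def demo():
    """Verdicts for the cases asked about in the thread."""
    return {
        "two_line_blocked_from_allowips": http_access(ACLS, TWO_LINE, "192.168.1.50", "badsite.example"),
        "one_line_blocked_from_allowips": http_access(ACLS, ONE_LINE, "192.168.1.50", "badsite.example"),
        "one_line_blocked_from_other": http_access(ACLS, ONE_LINE, "192.168.1.200", "www.adult.example"),
        "partips_to_allowsite": http_access(ACLS, PARTIPS, "192.168.1.10", "www.google.com"),
        "partips_to_other": http_access(ACLS, PARTIPS, "192.168.1.10", "example.org"),
    }
```

The two forms offered for the porn block are not equivalent: the two-line form still denies allowips clients the blocked domains, while the single negated line lets them through.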

  • vijay

    What if I want to allow only one or two websites for particular IPs?

  • tirtha

    hi…
    please provide a document about squid with Windows AD authentication

  • vijay

    hi krish ….

    I need a PXE boot server for CentOS. Please provide how to configure a PXE boot server in CentOS 6.3

  • Rodrigo

    Thank you very much!

    Your squid configuration works like a charm.

    Very good job!

    Best Regards from Brazil.

  • vijay

    hi. My squid is working fine, but I cannot create the error block file in squid.

  • http://www.facebook.com/ayechan82 Aye Chan

    Very good job, thanks a lot

  • vishwash

    Hi..
    it is working …..but clients are unable to use Outlook Express

    • aaaa

      something you need to work on with iptables .. find the port and allow it in iptables

      • vishwash

        I tried, but the problem is not solved

  • DafPunk

    Thank you very much!
    Your squid configuration works like a charm.

  • Alok

    Suppose I set up a CentOS 6 = 192.11.112.112 IP. Now I have another server with 198.22.112.55 IP address. How do I connect them? Meaning when someone hits 192.11.112.112 it will show 198.22.112.55 automatically, without showing the IP address or redirecting.

    Thanks

  • Anthony Gijapon

    Hello Krizna, after following your great steps on the DNS server, I followed your squid proxy and both DNS & squid proxy work on my box. Thanks for everything.

    My question: I'm planning to set up a sipx server locally in our office; can I yum update my sipx through my proxy server? Where do I put my config so that I can use yum update on my sipx? I already added the IP address of my sipx server in /etc/squid/squid.conf.

    Thank you Krizna.

    • krizna

      Hi,
      Please issue these commands and try to install/update packages using yum.

      export http_proxy=http://squidserverip:3128

      export https_proxy=http://squidserverip:3128

      • Anthony Gijapon

        [root@rpidvoproxy rpidavao]# export http_proxy=http://172.11.1.56:80
        [root@rpidvoproxy rpidavao]# export https_proxy=http://172.11.1.56:80
        [root@rpidvoproxy rpidavao]# yum update
        Loaded plugins: fastestmirror, refresh-packagekit
        Loading mirror speeds from cached hostfile
        * base: mirror.vietoss.com
        * epel: http://ftp.jaist.ac.jp
        * extras: mirror.vietoss.com
        * updates: mirror.vietoss.com
        Setting up Update Process
        No Packages marked for Update
        [root@rpidvoproxy rpidavao]#

        • krizna

          Hi,

          try using some package name to update

          yum update vim

          • Anthony Gijapon

            ok.. I will try this tomorrow..

            thanks again.

          • Anthony Gijapon

            Hello krizna, I tried the commands you said above

            export http_proxy=http://squidserverip:80
            export https_proxy=http://squidserverip:80

            these are the errors

            [root@rpidvoproxy rpidavao]#yum update

            Transaction Summary

            =============================================

            Install 14 Package (s)

            Upgrade 253 Package (s)

            Total size: 368 M

            Total download size: 223 M

            Is this ok [y/n]: y

            [Error 14] HTTP Error 403 = Fobidden
            [Error 256] No more mirrors to try.

            dot dot dot… that means the package update is running; I put dot dot dot because I cannot see the running packages as they go by fast.

            Mod, can you please give me an idea about the error..

            Thanks.

          • Anthony Gijapon

            By the way, exporting the proxy is fine, no error, but after the yum update command and accepting the update with [y], I get the error mentioned above.

  • Anthony

    hello, krizna.

    I was googling about log reports for squid and I saw some tutorials about SARG on CentOS.

    I successfully installed my SARG, but when I put in my IP/squid-report:

    ERROR
    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL: /squid-reports
    Invalid URL

    Some aspect of the requested URL is incorrect.
    Some possible problems are:
    Missing or incorrect access protocol (should be http:// or similar)
    Missing hostname
    Illegal double-escape in the URL-Path

    Illegal character in hostname; underscores are not allowed.

    Your cache administrator is root.

  • RajSadda

    Nice one …. works perfectly for me. Another thing worth mentioning: the rDNS entry for your host should exist in the DNS that is configured in resolv.conf, otherwise the Squid service fails to start.

  • Nikolay

    Hello krizna,

    I want to use the squid proxy from anywhere in the world when I go on business trips.

    So my question is: what rule do I have to put in the squid.conf file to have access to the proxy?

    I have tried:

    acl remote src all

    and

    http_access allow remote

    then configured my browser and nothing happened

    thanks in advance

    Greetings

  • vijay

    how can I configure a private cloud in CentOS? Please provide all information about that

  • duachuot2011

    Hello everyone
    I have an error: after restarting the firewall server there is no internet, same for publishing webmail.
    The file /etc/sysconfig/iptables is normal.
    I hope everyone can help.
    Thanks!

    • duachuot2011

      iptables file config:

      # Generated by iptables-save v1.4.7 on Mon Jul 29 21:11:21 2013
      *nat
      :PREROUTING ACCEPT [12:662]
      :POSTROUTING ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A PREROUTING -d 192.168.1.12/32 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.0.11:3389
      -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
      -A POSTROUTING -o eth0 -j MASQUERADE
      COMMIT
      # Completed on Mon Jul 29 21:11:21 2013
      # Generated by iptables-save v1.4.7 on Mon Jul 29 21:11:21 2013
      *filter
      :INPUT ACCEPT [17991:9672859]
      :FORWARD ACCEPT [34374:5172385]
      :OUTPUT ACCEPT [20381:10209778]
      COMMIT
      # Completed on Mon Jul 29 21:11:21 2013

      ---- squid config

      #ACL blocksite
      acl blocksites dstdomain "/etc/squid/blockedsites.squid"
      #ACL blockkeywords
      acl blockkeywords url_regex -i "/etc/squid/blockkeywords.squid"
      #ACL blockip
      acl blockip src "/etc/squid/blockip.squid"
      #ACL ALLOW FULL
      acl allowip src "/etc/squid/allowip.squid"

      # Only allow cachemgr access from localhost
      http_access allow manager localhost
      #Deny access to blockip
      http_access deny blockip
      #Deny access to blocksites ACL
      http_access deny blocksites !allowip
      #Deny access to blockkeywords ACL
      http_access deny blockkeywords !allowip
      reply_body_max_size 10 MB all
      #reply_body_max_size 10 MB !allowip
      #http_access deny manager

      SELINUX=enforcing

      I configured it perfectly OK, but on restarting the server there is an error: clients have no internet and the squid rules are not applied

  • 다니엘 호세 JOCHE SЯ ツ

    hi, I want you to help me with something. I need to ping machines from the outside and it doesn't let me … can you help with access from the firewall …. and thanks for the manual, it is very good ….

  • Anthony Griffiths

    hi, of all the tutorials I've ploughed through this is the only one that's worked for me, so a big thank you. I would like to run openvpn on the squid machine as a client, so that all traffic through the server gets encrypted, but I'm not having any joy. I've installed openvpn but when I start it the internet goes down. I expect I need to edit the squidfw.sh script to cater for openvpn but I don't know how to do this. Can you help?

  • Anthony Griffiths

    Neither sendmail nor postfix will work on the machine running the transparent proxy. I get a constant 'hostname lookup failure'. I've made sure port 25 is listed as safe in squid.conf; to correct this, does the squidfw.sh file need to be modified?

    • krizna

      For “hostname lookup failure” .. you need to add hostname in /etc/hosts like below ..

      127.0.0.1 localhost localhost.localdomain yourhostname
      ::1 localhost localhost.localdomain yourhostname

      For mail server.. add these lines in squidfw .sh file

      #sending mails
      # outbound SMTP/submission/SMTPS from this box, and the server replies back in
      iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 25,587,465 -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -m multiport --sports 25,587,465 -m state --state ESTABLISHED -j ACCEPT
      #Receiving mails
      # inbound POP3/POP3S to this box (accepts NEW connections arriving on eth0), and replies out
      iptables -A INPUT -i eth0 -p tcp -m multiport --dports 110,995 -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED -j ACCEPT

      # DROP everything and Log it  (the mail rules above must come before these two lines)
      iptables -A INPUT -j LOG
      iptables -A INPUT -j DROP

      I'm not an expert in iptables .. just try it :)

  • Jose Daniel Sanchez R

    I'm asking: to add more LAN_IN networks, would it be like this?
    LAN_IN1="192.168.1.0"
    LAN_IN2="192.168.2.0" ???

    Or how would it be done??

  • Tamil amuthan

    I blocked http sites but https sites are working; how do I block https sites..?

  • viswanath.vikas

    Hi Krizna,
    Very useful tutorials.
    With these tutorials I was able to install the squid server, but one problem I'm facing is that my Outlook and Thunderbird are not working, so please can you help me configure them..?
    viswanath.vikas@gmail.com
    Regards
    Vikas viswanath

  • Patryk Moura

    I have a VPS; how do I make it available for access from my home PC? Thanks!

  • Rob

    Hello,
    I have recently set up a box which should connect my network to the internet. Browsing on my network's PCs works through the squid proxy. But I also do other stuff, like ssh to servers on the internet, and use FileZilla, for example. I have been looking at the squid.conf, but I can't get that to work. I tried to open ports: 22 for ssh, and 21 for ftp was already there in the config, but I can't do an ssh from my PC on the network through the squid box. Is there a setting I missed? Or are there other ways?

    Regards,
    Rob

  • Naresh Vulloju

    Dear sir, I have configured squid in CentOS with your instructions… but the problem is that site blocking & keyword blocking for https sites in squid is not working. Squid is running in transparent mode, e.g. wetransfer, Facebook… Do you have any suggestion?…

  • Juvial

    nice …..