74 Responses to "How to install squid proxy on centos 6"

  1. Raajiv says:

    Thanks, i really appreciate your effort

  2. Edwin says:

    Thanks soooooo much, everything worked well.

  3. Hulululu says:

    Nice one. Clear and helpful tutorial!

    • jjsn says:

      Good day. This is the first time I have set up a proxy server. I hope you can help me with how to set up a transparent proxy. I am trying to set up a transparent proxy behind the firewall and I am using eth1 on the squid server. My problem is that when I assign a proxy setting in the browser it works, but when I remove the proxy setting from the browser it does not work. I just followed the how-to on this page.

      Thanks in advance.

    • Chanuka says:

      Yes, it's actually a clear tutorial and it was really helpful to me too…

  4. jjsn says:

    ADDITIONAL INFO. This is the firewall script that I'm currently using. I commented out this line because I am getting an error message: #echo 1 > /proc/sys/net/ipv4/ip_forward

    #!/bin/sh
    # squid server IP
    SQUID_SERVER="192.168.1.1"
    # Interface connected to Internet
    INTERNET="eth0"
    # Interface connected to LAN
    LAN_IN="eth1"
    # Squid port
    SQUID_PORT="3128"
    # DO NOT MODIFY BELOW
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    #echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    #iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    #iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER:$SQUID_PORT
    # if it is same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

  5. krizna says:

    Hi jjsn,
    Can you just paste the error message here? And can you please check the gateway of the machine? The gateway should be the squid server IP to use it as a transparent proxy.

  6. jjsn says:

    Hi Krizna, an additional question: how can I enable ports such as 21, 22, 25, 110, etc., and also ping? Currently the users' only access is browsing.

    • krizna says:

      Just add these lines to the iptables script and try again:
      # this host's own new outbound connections to these ports
      iptables -A OUTPUT -o $INTERNET -p tcp -m multiport --dports 21,22,110,25,143 -m state --state NEW -j ACCEPT
      # new inbound connections from the internet to these ports on this host
      iptables -A INPUT -i $INTERNET -p tcp -m multiport --dports 21,22,110,25,143 -m state --state NEW -j ACCEPT
      # outgoing pings and their replies
      iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
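As an added example (not code from the tutorial or from the commenters), here is a small Python linter for the kind of iptables script posted in comment 4 and extended in comment 6. It parses each uncommented iptables command and flags the four things this thread trips over: a `-i` on an OUTPUT rule (iptables refuses it), FORWARD or MASQUERADE rules with the ip_forward line still commented out, an INPUT policy of DROP with no ESTABLISHED,RELATED accept, and interception of tcp/80 only, which is why HTTPS sites are untouched by squid.conf in the transparent setups asked about further down. The embedded script is a constructed excerpt of the posted one with ASCII dashes restored; shell variables are kept as literal text and `!` negation is not parsed.

```python
"""Lint the iptables scripts posted in this thread for the mistakes it runs into:
-i on an OUTPUT rule, routing rules with ip_forward left off, an INPUT DROP
policy with no ESTABLISHED,RELATED accept, and interception of tcp/80 only
(which is why HTTPS never reaches Squid). Added example, not the tutorial's code."""
import re
import shlex

# long spellings of the few options the checks look at
ALIASES = {"--append": "-A", "--table": "-t", "--in-interface": "-i", "--out-interface": "-o",
           "--jump": "-j", "--protocol": "-p", "--policy": "-P", "--destination-port": "--dport"}
IP_FORWARD_ON = re.compile(r"echo\s+1\s*>\s*/proc/sys/net/ipv4/ip_forward|net\.ipv4\.ip_forward\s*=\s*1")


def parse_script(text):
    """Return (rules, ip_forward): one {option: value} dict per uncommented iptables
    command, and whether the script switches forwarding on. Shell variables such as
    $LAN_IN are kept as literal text; '!' negation is not handled."""
    rules, ip_forward = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if IP_FORWARD_ON.search(line):
            ip_forward = True
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        rule, args, i = {"-t": "filter"}, argv[1:], 0
        while i < len(args):
            opt, vals = ALIASES.get(args[i], args[i]), []
            while i + 1 < len(args) and not args[i + 1].startswith("-"):
                i += 1
                vals.append(args[i])          # e.g. '-P INPUT DROP' takes two values
            rule[opt] = " ".join(vals)
            i += 1
        rules.append(rule)
    return rules, ip_forward


def check(text):
    """Return a list of human-readable findings for one script."""
    rules, ip_forward = parse_script(text)
    findings, policies, intercepted, established, routing = [], {}, set(), False, False
    for r in rules:
        chain = r.get("-A")
        if chain == "OUTPUT" and "-i" in r:
            findings.append("OUTPUT rule uses -i %s: iptables rejects -i on OUTPUT, use -o" % r["-i"])
        if "-P" in r:
            c, policy = r["-P"].split()
            policies[c] = policy
        if chain == "INPUT" and r.get("-j") == "ACCEPT" and "ESTABLISHED" in r.get("--state", ""):
            established = True
        if chain == "FORWARD" or r.get("-j") == "MASQUERADE":
            routing = True
        if r["-t"] == "nat" and chain == "PREROUTING" and r.get("-j") in ("REDIRECT", "DNAT"):
            intercepted.add(r.get("--dport"))
    if routing and not ip_forward:
        findings.append("FORWARD/MASQUERADE rules present but ip_forward is never enabled: "
                        "LAN clients using this box as their gateway cannot route through it")
    if policies.get("INPUT") == "DROP" and not established:
        findings.append("INPUT policy DROP with no ESTABLISHED,RELATED accept: replies to this host's "
                        "own connections, including Squid's upstream fetches, are dropped")
    if "80" in intercepted and "443" not in intercepted:
        findings.append("only tcp/80 is sent to Squid; tcp/443 bypasses it, so squid.conf ACLs never "
                        "see HTTPS (intercepting it needs Squid's SSL-Bump, not another REDIRECT)")
    return findings


# Constructed excerpt of the comment-4 script (ASCII dashes restored) with the
# OUTPUT line from comment 6 appended.
JJSN = r"""
SQUID_SERVER="192.168.1.1"
LAN_IN="eth1"
#echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER:$SQUID_PORT
iptables -A OUTPUT -i $INTERNET -p tcp -m multiport --dports 21,22,110,25,143 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
"""
# The same script with the three fixable problems corrected; the HTTPS gap remains.
FIXED = JJSN.replace("#echo", "echo").replace("#iptables", "iptables").replace("OUTPUT -i", "OUTPUT -o")

if __name__ == "__main__":
    for name, script in (("as posted", JJSN), ("fixed", FIXED)):
        print(name + ":", *check(script), sep="\n  ")
```

Run as a script to see four findings for the posted version and the single remaining one (tcp/443 not intercepted) for the corrected version. The check is textual; it does not replace loading the rules on the box and testing from a LAN client.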

  7. Kishore says:

    Hi,

    I have installed Squid on CentOS 6.3.
    I want to use this PC as a firewall between my Internet and LAN.
    I want to do the following things:

    1. Connect the Internet to the PC (installed with CentOS)
    2. Using squid, configure eth0 as the incoming internet interface
    3. eth1 as the interface distributing internet to the LAN
    4. Use Squid as the proxy and assign IP addresses to the client PCs using their MAC addresses
    5. How to restrict the use of certain websites on client PCs during working hours, and allow them only at specific times like 5pm to 9am and 1pm to 2pm.

    Thanks
    Kishore

  8. mohamed Ramadan says:

    many thanks

  9. vijay says:

    I am using Red Hat EL 5 for the squid proxy server. I put one file named porn in the squid folder to restrict some websites. Another file, named Hicet, is also in the squid folder; it is used so that particular IPs can browse all websites. How can I use these porn and hicet files in the CentOS squid.conf file?

    • krizna says:

      Create ACLs for the porn file and the hicet file like below:

      acl blockporn dstdomain "/etc/squid/porn"
      acl allowips src "/etc/squid/hicet"

      and control access like this:

      http_access deny blockporn
      http_access allow allowips

      [or]
      http_access deny blockporn !allowips

  10. vijay says:

    I am using CentOS 6.3. Where in the squid.conf file can I insert my client IPs?

    • krizna says:

      @vijay
      Please provide more details, like the purpose of using the client IPs (to block or to allow).
      Anyway, to allow or deny IPs you should define an ACL for each IP group.

      For example:
      developers: 192.168.1.2, 192.168.1.3
      testers: 172.27.1.2, 172.27.1.3

      Now in the squid.conf file, under the ACL section, define ACLs for both developers and testers like below:
      acl devips src 192.168.1.2 192.168.1.3
      acl testips src 172.27.1.2 172.27.1.3

      and under http_access you can allow or deny a particular ACL:

      http_access deny devips
      http_access allow testips
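Added example, not code from the original post or from the Squid project: a small Python model of Squid's http_access evaluation, to show how the two forms given in comment 9 differ and what the two-line pair in comment 10 does to a client on neither list. Squid tries http_access lines in order, the first line whose every ACL term matches wins, and if nothing matches the verdict is the opposite of the last line's action. Client addresses, domains and ACL contents are constructed stand-ins for the /etc/squid/porn and /etc/squid/hicet files; only the src and dstdomain ACL types are modelled.

```python
"""Toy model of Squid's http_access evaluation: lines are tried in order, the first
line whose every ACL term matches decides, '!' negates a term, and when no line
matches the verdict is the opposite of the last line's action. Models 'src' and 'dstdomain'."""
import ipaddress

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


class Acl:
    def __init__(self, name, kind):
        self.name, self.kind, self.values = name, kind, []

    def add(self, tokens):
        if self.kind == "src":  # 'all' is Squid's built-in catch-all
            for t in tokens:
                self.values += ANY if t == "all" else [ipaddress.ip_network(t, strict=False)]
        elif self.kind == "dstdomain":
            self.values += [t.lower() for t in tokens]
        else:
            raise ValueError("unsupported acl type %r" % self.kind)

    def matches(self, src, host):
        if self.kind == "src":
            return any(ipaddress.ip_address(src) in net for net in self.values)
        host = host.lower().rstrip(".")
        # '.example.com' matches example.com and every subdomain; 'example.com' only itself
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in self.values)


def parse(conf):
    """Return the ordered (action, [(acl, negated), ...]) rules from acl/http_access lines."""
    acls, rules = {"all": Acl("all", "src")}, []
    acls["all"].add(["all"])
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            acl = acls.setdefault(parts[1], Acl(parts[1], parts[2]))
            if acl.kind != parts[2]:
                raise ValueError("acl %s already exists with type %s" % (acl.name, acl.kind))
            acl.add(parts[3:])
        elif parts and parts[0] == "http_access":
            if parts[1] not in ("allow", "deny"):  # catches typos such as 'allows'
                raise ValueError("bad http_access action %r" % parts[1])
            terms = []
            for t in parts[2:]:
                if t.lstrip("!") not in acls:
                    raise ValueError("http_access uses undefined acl %r" % t)
                terms.append((acls[t.lstrip("!")], t.startswith("!")))
            rules.append((parts[1], terms))
    return rules


def decide(rules, src, host):
    """Squid's first-match verdict, 'allow' or 'deny', for a request from src to host."""
    for action, terms in rules:
        if all(acl.matches(src, host) != negated for acl, negated in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


# Constructed sample ACLs standing in for the /etc/squid/porn and /etc/squid/hicet files.
ACLS = """
acl localnet  src 192.168.1.0/24
acl allowips  src 192.168.1.10
acl blockporn dstdomain .badsite.example .casino.example
"""
# Form 1 from comment 9: a blanket deny, then an allow for the exempt hosts.
TWO_LINES = ACLS + "http_access deny blockporn\nhttp_access allow allowips\n" \
                   "http_access allow localnet\nhttp_access deny all\n"
# Form 2 from comment 9: the exemption sits on the deny line itself.
ONE_LINE = ACLS + "http_access deny blockporn !allowips\nhttp_access allow localnet\n" \
                  "http_access deny all\n"
# Comment 10's two lines as given, with no closing 'deny all'.
DEV_TEST = """
acl devips  src 192.168.1.2 192.168.1.3
acl testips src 172.27.1.2 172.27.1.3
http_access deny devips
http_access allow testips
"""


def compare():
    """Verdicts for the same requests under each rule set."""
    two, one, dev = parse(TWO_LINES), parse(ONE_LINE), parse(DEV_TEST)
    return {
        "exempt host -> blocked domain, two lines": decide(two, "192.168.1.10", "www.badsite.example"),
        "exempt host -> blocked domain, one line": decide(one, "192.168.1.10", "www.badsite.example"),
        "other host -> blocked domain": decide(one, "192.168.1.20", "casino.example"),
        "other host -> ordinary site": decide(one, "192.168.1.20", "www.example.org"),
        "client outside localnet": decide(one, "10.0.0.5", "www.example.org"),
        "unlisted client, last line is allow": decide(dev, "10.1.1.1", "www.example.org"),
    }


if __name__ == "__main__":
    for label, verdict in compare().items():
        print("%-42s %s" % (label, verdict))
```

With the blanket `deny blockporn` first, the allowips hosts never reach the allow line for a blocked domain, because the deny line matched already; `deny blockporn !allowips` exempts them. The devips/testips pair from comment 10 ends with an allow, so a client on neither list is denied only by the implicit default; a closing `http_access deny all` makes that intent explicit and keeps it stable when lines are reordered.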

  11. vijay says:

    I want to write the configuration for the squid proxy server in CentOS 6. Here I am going to use this IP series, 192.168.153.0/24, for browsing. I inserted these lines, acl Net src 192.168.153.0/24 and http_access allow Net, in the squid.conf file after the lines "Adapt to list your (internal) IP networks from where browsing should be allowed", but I get an error message when I do service squid restart: "you should probably remove 192.168.153.0/24 from the ACL name Net". How to solve this?

  12. vijay says:

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl NET src 192.168.153.0/24 # Your Internal Network

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed

    acl Net 192.168.153.0/255.255.255.0

    http_access allows Net

    #http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    • krizna says:

      vijay

      It seems you have two ACLs with the same name Net, and some typos.
      Replace these lines

      acl Net 192.168.153.0/255.255.255.0
      http_access allows Net

      with

      http_access allow Net

      You have already defined acl Net under the ACL section:

      acl NET src 192.168.153.0/24 # Your Internal Network

  13. vijay says:

    My server IP is 192.168.153.153. I configured 192.168.153.153 port 3128 in Internet Explorer's connection settings, but it is not browsing.

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl NET src 192.168.153.0/24 # Your Internal Network

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow Net
    #http_access allow localnet
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

  14. MRamadan says:

    thanks

  15. vijay says:

    [root@localhost ~]# cat /ect/squid/blockkeywords.squid
    cat: /ect/squid/blockkeywords.squid: No such file or directory

  16. vijay says:

    Hi, thanks for the information. I want to open only one website for particular IPs. How can I configure that?

  17. vijay says:

    If I want to allow only one or two websites for particular IPs?

  18. tirtha says:

    Hi…
    Please provide a document about Squid with Windows AD authentication.

  19. vijay says:

    Hi Krish…

    I need a PXE boot server for CentOS. Please provide how to configure a PXE boot server in CentOS 6.3.

  20. Rodrigo says:

    Thank you very much!

    Your squid configuration works like a charm.

    Very good job!

    Best Regards from Brazil.

  21. vijay says:

    Hi. My squid is working fine, but I cannot create an error block file in squid.

  22. Aye Chan says:

    Very good job, thanks a lot.

  23. vishwash says:

    Hi..
    It is working… but clients are unable to use Outlook Express.

  24. DafPunk says:

    Thank you very much!
    Your squid configuration works like a charm.

  25. Alok says:

    Suppose I set up a CentOS 6 box with IP 192.11.112.112. Now I have another server with IP address 198.22.112.55. How do I connect them? Meaning, when someone hits 192.11.112.112 it will show 198.22.112.55 automatically, without showing the IP address or redirecting.

    Thanks

  26. Anthony Gijapon says:

    Hello Krizna, after following your great steps on the DNS server, I followed your squid proxy guide and both DNS and squid proxy work on my box. Thanks for everything.

    My question: I'm planning to set up a sipx server locally in our office. Can I yum update my sipx through my proxy server? Where do I put my config so that I can use yum update on my sipx? I have already added the IP address of my sipx server to /etc/squid/squid.conf.

    Thank you Krizna.

    • krizna says:

      Hi,
      Please issue these commands and try to install/update packages using yum.

      export http_proxy=http://squidserverip:3128

      export https_proxy=http://squidserverip:3128

      • Anthony Gijapon says:

        [root@rpidvoproxy rpidavao]# export http_proxy=http://172.11.1.56:80
        [root@rpidvoproxy rpidavao]# export https_proxy=http://172.11.1.56:80
        [root@rpidvoproxy rpidavao]# yum update
        Loaded plugins: fastestmirror, refresh-packagekit
        Loading mirror speeds from cached hostfile
        * base: mirror.vietoss.com
        * epel: http://ftp.jaist.ac.jp
        * extras: mirror.vietoss.com
        * updates: mirror.vietoss.com
        Setting up Update Process
        No Packages marked for Update
        [root@rpidvoproxy rpidavao]#

        • krizna says:

          Hi,

          Try updating a specific package by name:

          yum update vim

          • Anthony Gijapon says:

            OK, I will try this tomorrow.

            Thanks again.

          • Anthony Gijapon says:

            Hello krizna, I tried the commands you said above:

            export http_proxy=http://squidserverip:80
            export https_proxy=http://squidserverip:80

            These are the errors:

            [root@rpidvoproxy rpidavao]# yum update

            Transaction Summary
            =============================================
            Install 14 Package(s)
            Upgrade 253 Package(s)

            Total size: 368 M
            Total download size: 223 M
            Is this ok [y/n]: y

            [Error 14] HTTP Error 403 - Forbidden
            [Error 256] No more mirrors to try.

            dot dot dot… that means the package update is running; I put dot dot dot because I cannot see the running packages, it goes too fast.

            Mod, can you please give me an idea about the error?

            Thanks.

          • Anthony Gijapon says:

            By the way, exporting the proxy is fine, no error, but after the yum update command and accepting the update with [y], that is the error mentioned above.

      • ajay mishra says:

        Hi,
        HTTPS sites are not working in the squid transparent proxy server.

  27. Anthony says:

    hello, krizna.

    I googled about log reports for squid and I saw some tutorials about SARG on CentOS.

    I successfully installed my SARG, but when I put in my IPsquid-report:

    ERROR
    The requested URL could not be retrieved

    The following error was encountered while trying to retrieve the URL: /squid-reports
    Invalid URL

    Some aspect of the requested URL is incorrect.
    Some possible problems are:
    Missing or incorrect access protocol (should be http:// or similar)
    Missing hostname
    Illegal double-escape in the URL-Path

    Illegal character in hostname; underscores are not allowed.

    Your cache administrator is root.

  28. RajSadda says:

    Nice one… works perfectly for me. Another thing worth mentioning: the rDNS entry for your host should exist in the DNS that is configured in resolv.conf, otherwise the Squid service fails to start.

  29. Nikolay says:

    Hello krizna,

    I want to use squid proxy from anywhere in the world when I go to business trips.

    So my question is: what rule do I have to put in the squid.conf file to have access to the proxy?

    I have tried:

    acl remote src all

    and

    http_access allow remote

    then configured my browser, and nothing happens.

    thanks in advance

    Greetings

  30. vijay says:

    How can I configure a private cloud in CentOS? Please provide all the information about that.

  31. duachuot2011 says:

    Hello everyone,
    I have an error: after restarting the firewall server there is no internet, same for publishing webmail.
    The file /etc/sysconfig/iptables is normal.
    I hope everyone can help.
    Thanks!

    • duachuot2011 says:

      iptables file config:

      # Generated by iptables-save v1.4.7 on Mon Jul 29 21:11:21 2013
      *nat
      :PREROUTING ACCEPT [12:662]
      :POSTROUTING ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A PREROUTING -d 192.168.1.12/32 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.0.11:3389
      -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
      -A POSTROUTING -o eth0 -j MASQUERADE
      COMMIT
      # Completed on Mon Jul 29 21:11:21 2013
      # Generated by iptables-save v1.4.7 on Mon Jul 29 21:11:21 2013
      *filter
      :INPUT ACCEPT [17991:9672859]
      :FORWARD ACCEPT [34374:5172385]
      :OUTPUT ACCEPT [20381:10209778]
      COMMIT
      # Completed on Mon Jul 29 21:11:21 2013

      ---- squid config

      #ACL blocksite
      acl blocksites dstdomain "/etc/squid/blockedsites.squid"
      #ACL blockkeywords
      acl blockkeywords url_regex -i "/etc/squid/blockkeywords.squid"
      #ACL blockip
      acl blockip src "/etc/squid/blockip.squid"
      #ACL allow full access
      acl allowip src "/etc/squid/allowip.squid"

      # Only allow cachemgr access from localhost
      http_access allow manager localhost
      #Deny access to blockip
      http_access deny blockip
      #Deny access to blocksites ACL
      http_access deny blocksites !allowip
      #Deny access to blockkeywords ACL
      http_access deny blockkeywords !allowip
      reply_body_max_size 10 MB all
      #reply_body_max_size 10 MB !allowip
      #http_access deny manager

      SELINUX=enforcing

      I configured it perfectly OK, but after restarting the server there is an error: clients have no internet and the squid rules are not applied.

  32. 다니엘 호세 JOCHE SЯ ツ says:

    Hi, I want you to help me with something. I need to ping machines from the outside and it does not let me… Can you help me with access from the firewall? And thanks for the manual, it is very good…

  33. Anthony Griffiths says:

    Hi, of all the tutorials I've ploughed through this is the only one that's worked for me, so a big thank you. I would like to run openvpn on the squid machine as a client, so that all traffic through the server gets encrypted, but I'm not having any joy. I've installed openvpn but when I start it the internet goes down. I expect I need to edit the squidfw.sh script to cater for openvpn but I don't know how to do this. Can you help?

  34. Anthony Griffiths says:

    Neither sendmail nor postfix will work on the machine running the transparent proxy. I get constant 'hostname lookup failure'. I've made sure port 25 is listed as safe in squid.conf; to correct this, does the squidfw.sh file need to be modified?

    • krizna says:

      For "hostname lookup failure", you need to add the hostname to /etc/hosts like below:

      127.0.0.1 localhost localhost.localdomain yourhostname
      ::1 localhost localhost.localdomain yourhostname

      For the mail server, add these lines to the squidfw.sh file:

      # sending mails: this host's outbound SMTP/submission/SMTPS connections and their replies
      iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 25,587,465 -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -m multiport --sports 25,587,465 -m state --state ESTABLISHED -j ACCEPT
      # receiving mails: new inbound POP3/POP3S connections to this host and their replies
      iptables -A INPUT -i eth0 -p tcp -m multiport --dports 110,995 -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED -j ACCEPT

      # put them before these two lines in the script:
      # DROP everything and Log it
      iptables -A INPUT -j LOG
      iptables -A INPUT -j DROP

      I'm not an expert in iptables, just try it :)

  35. Jose Daniel Sanchez R says:

    I'm asking: to add more LAN_IN networks, would it be like this?
    LAN_IN1="192.168.1.0"
    LAN_IN2="192.168.2.0" ???

    Or how would it be done?

  36. Tamil amuthan says:

    I block HTTP sites but HTTPS sites are working. How to block HTTPS sites?

  37. viswanath.vikas says:

    Hi Krizna,
    Very useful tutorials.
    With these tutorials I was able to install the squid server, but one problem I'm facing is that my Outlook and Thunderbird are not working, so please can you help me out to configure it?
    viswanath.vikas@gmail.com
    Regards
    Vikas viswanath

  38. Patryk Moura says:

    I have a VPS; how do I make it available for access from my home PC? Thanks!

  39. Rob says:

    Hello,
    I have recently set up a box which should connect my network to the internet. Browsing on my network's PCs works through the squid proxy. But I also do other stuff, like ssh to servers on the internet, and use FileZilla, for example. I have been looking at squid.conf, but I can't get that to work. I tried to open ports: 22 for ssh, and 21 for ftp was already there in the config, but I can't do an ssh from my PC on the network through the squid box. Is there a setting I missed? Or are there other ways?

    Regards,
    Rob

  40. Naresh Vulloju says:

    Dear sir, I have configured squid in CentOS with your instructions… but the problem is that site blocking and keyword blocking for HTTPS sites in squid is not working; squid is running in transparent mode. Like WeTransfer, Facebook… Do you have any suggestion?…

  41. Juvial says:

    nice …..

  42. Faisal Khan says:

    Hi,

    Can anybody help: how can I create an ACL for Skype users, and how can I block Skype chatting in my squid?

  43. Nosayba Suleiman says:

    Can both interfaces have the same subnet? Because my LAN gets its IPs from the WAN router!! And the proxy is their internet gateway. So is there a way to put the WAN port and the LAN port in the same subnet, but on different Ethernet ports?

  44. Faisal Khan says:

    Hi Krinza

    Can you help: how can I create an ACL for Skype users, and how can I block Skype chatting in my squid?

  45. sam55 says:

    Hey dear all, HTTPS sites are not working in transparent squid. Please get a solution for this… urgent…

  46. ajay says:

    Dear Sir,
    I have configured a transparent squid proxy server, but HTTPS sites are not working and there is a site blocking issue.

  47. ajay mishra says:

    Hi Krizna,

    We have configured a squid transparent proxy server, but HTTPS sites are not working.

    So please help.

  48. squidblacklist says:

    We are the world's leading publisher of Squid 'Native ACL' formatted blacklists, which allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and SquidGuard. And while our blacklists are subscription based, they are, as a result of our efforts, of a much higher degree of quality than the free alternatives.

    We hope to serve you,

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

  49. venkat d says:

    How to share an internet connection with Windows users using the CentOS squid proxy? Please guide me…
