squid configuration : ACL's based on MAC address

There are many times that client are having dynamic ip address (assigned by DHCP server) and in this cases it's hard to set any rules on bases of ip address as, you would not know what ip address the client machine be getting, in such case we could use mac based ACL's to set up any rules on that particular machine.

 # vi /etc/squid/squid.conf 

Look for acl section and append ACL as follows:

acl mac1 arp 00:11:22:70:44:90 

acl mac2 arp 00:11:22:33:44:55 

http_access allow mac1 

http_access allow mac2 

http_access deny all 

Save and close the file.

Restart squid server:

# /etc/init.d/squid restart

Read More

Squid Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file.

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable.

# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at anytime without having to restart Squid. In this case, you add a username called nikesh:

# htpasswd /etc/squid/squid_passwd nikeshNew
password:Re-type new password:
Adding password for user nikesh

3) Find your ncsa_auth file using the locate/find command. (different distro stores this file at different locations)

# locate ncsa_auth/usr/lib/squid/ncsa_auth

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here’s a simple user authentication example; the order of the statements is important:

## Add this to the auth_param section of squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

# Add this to the bottom of the ACL section of squid.conf
acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section of squid.conf
http_access allow ncsa_users

Remember to restart Squid for the changes to take effect.

Read More

cachemgr (Cache Manager) configuration for Squid

The cache manager (cachemgr.cgi) is a CGI utility comes with squid for displaying statistics about the squid process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server

To make this configuration you need a webserver (Apache) running and configured.

1) Try to locate your cachemgr.cgi file which comes with the squid package, this can be done using rpm -ql command (different distro stores this file at different location), here you can also use locate/find command.

# rpm -ql squid | grep cachemgr.cgi
/usr/share/doc/packages/squid/scripts/cachemgr.cgi
/usr/share/man/man8/cachemgr.cgi.8.gz

In this case my cachemgr.cgi is in /usr/share/doc/packages/squid/scripts/ directory

2) Copy cachemgr.cgi file to your configure script alias (/var/www/cgi-bin) directory of you Apache

3) Open squid.conf file and insert following two parameters at the end of the file

cache_mgr nikesh@domain.com
cachemgr_passwd your_Password all

4) Restart your squid and open your browser and type
http://localhost/cgi-bin/cachemgr.cgi
you should see something like … , provide a configure e-mail and password (mentioned above)

Read More

Squid Password Authentication Using PAM

We’ll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. 

Search for the auth_param section in the config and add these lines:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Next search for this line and uncomment it:

acl password proxy_auth REQUIRED

Now create a pam module called /etc/pam.d/squid that contains:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

Restart the squid and you are done.

Read More

Configure Squid to use other Proxy (cache)

If you want Squid to be part of a hierarchy of proxies or want Squid to fetch content from another proxy

cache_peer proxy.isp.com parent 8080 0 no-query no-digest ever_direct allow all

For Multiple parent

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest default

cache_peer proxy.isp2.com parent 8080 0 no-query no-digest

Multiple parents with weight:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest weight=1 

cache_peer proxy.isp2.com parent 8080 0 no-query no-digest weight=2

Multiple parents with round-robin:

cache_peer proxy.isp1.com parent 8080 round-robin no-query

cache_peer proxy.isp2.com parent 8080 round-robin no-query

cache_peer proxy.isp3.com parent 8080 round-robin no-query

In above examples proxy.isp1.com, proxy.isp2.com and proxy.isp2.com are other cache servers

Read More

HowTo do Transparent proxy with Squid

Modify or add following to squid configuration file (/etc/squid/squid.conf):

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

acl lan src 192.168.1.1 192.168.2.0/24

http_access allow localhost

http_access allow lan

Added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :

[eth0 connected to internet and eth1 connected to local lan]

iptables -t nat -A PREROUTING -i eth1 -p tcp –-dport 80 -j DNAT –to 192.168.1.1:3128

iptables -t nat -A PREROUTING -i eth0 -p tcp –-dport 80 -j REDIRECT –-to-port 3128

Read More

Forward Squid traffic to secure tunnel (SSH)

When Squid is installed and running, it uses port 3128 by default. 

You should test it manually by setting your HTTP proxy to the server that runs Squid. 

For instance, in Firefox to go Tools -> Options -> Advanced -> Network -> Settings and enter the IP address or host of the Squid proxy (e.g. 192.168.0.100) and 3128 for the port. 

Try to load any web page. If you see an access denied error, check out the http_access configuration in the squid configuration file.

Once Squid is all set and ready to go, you need to forward your connection to it over SSH. 

 

To set the tunnel up on your Windows 

download Plink, a command-line version of Putty SSH client, 

and run this command:

plink.exe -batch -N -l UserName -pw Password -L 3128:localhost:3128 SSH_Server

On Unix-based systems, simply run this command:

ssh -L 3128:localhost:3128 SSH_Server -f -N

Finally, tell your browser to use the SSH tunnel as a proxy. Basically you need to change the host to localhost and the port number to 3128 (See below).

Read More