How to block flash videos using Squid proxy Server

One popular example is to block flash video, used by sites such as Youtube.
The MIME type for such content is "video/x-flv". Creating an ACL to block this is easy.

First, create an ACL which matches the MIME type in question:

acl deny_rep_mime_flashvideo rep_mime_type video/x-flv

Then create a HTTP Reply ACL which denies any replies with that MIME type:

http_reply_access deny deny_rep_mime_flashvideo

This has been verified to block Youtube flash video content.

If the content is blocked the following similar line will be seen in access.log:

1282485682.146    903 127.0.0.1 TCP_DENIED_REPLY/403 3143 GET http://tc.v15.cache3.c.youtube.com/videoplayback? - DIRECT/208.117.252.163 text/html

And on browser, you can see ...

Read More

HowTo Allow windows updates through squid

Add the following to your squid.conf, It 'MUST' be added near the top before any ACL that require authentication.

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com

http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

The above config is also useful for other automatic update sites such as Anti-Virus vendors, just add their domains to the acl.

Read More

Block mp3, mpg, mpeg, exe files using Squid proxy server

First open squid.conf file /etc/squid/squid.conf:

# vi /etc/squid/squid.conf

Now add following lines to your squid ACL section:

acl blockfiles urlpath_regex “/etc/squid/multimedia.files.acl”

Now create the the file

# vi /etc/squid/multimedia.files.acl

\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

Save and close the file and Restart Squid:

# /etc/init.d/squid restart

Read More

HowTo Clean and Re-build Squid cache

First, Check you squid.conf file
and locate the location of you cache directory, you should have line starting with "cache_dir"

1) Shutdown your squid server
squid -k shutdown

2) Remove the cache directory
rm -r /squid/cache/*

3) Re-Create the squid cache directory
squid -z

4) Start the squid

Read More

squid configuration : ACL's based on MAC address

There are many times that client are having dynamic ip address (assigned by DHCP server) and in this cases it's hard to set any rules on bases of ip address as, you would not know what ip address the client machine be getting, in such case we could use mac based ACL's to set up any rules on that particular machine.

 # vi /etc/squid/squid.conf 

Look for acl section and append ACL as follows:

acl mac1 arp 00:11:22:70:44:90 

acl mac2 arp 00:11:22:33:44:55 

http_access allow mac1 

http_access allow mac2 

http_access deny all 

Save and close the file.

Restart squid server:

# /etc/init.d/squid restart

Read More

Squid Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file.

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it’s universally readable.

# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at anytime without having to restart Squid. In this case, you add a username called nikesh:

# htpasswd /etc/squid/squid_passwd nikeshNew
password:Re-type new password:
Adding password for user nikesh

3) Find your ncsa_auth file using the locate/find command. (different distro stores this file at different locations)

# locate ncsa_auth/usr/lib/squid/ncsa_auth

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here’s a simple user authentication example; the order of the statements is important:

## Add this to the auth_param section of squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

# Add this to the bottom of the ACL section of squid.conf
acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section of squid.conf
http_access allow ncsa_users

Remember to restart Squid for the changes to take effect.

Read More

cachemgr (Cache Manager) configuration for Squid

The cache manager (cachemgr.cgi) is a CGI utility comes with squid for displaying statistics about the squid process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server

To make this configuration you need a webserver (Apache) running and configured.

1) Try to locate your cachemgr.cgi file which comes with the squid package, this can be done using rpm -ql command (different distro stores this file at different location), here you can also use locate/find command.

# rpm -ql squid | grep cachemgr.cgi
/usr/share/doc/packages/squid/scripts/cachemgr.cgi
/usr/share/man/man8/cachemgr.cgi.8.gz

In this case my cachemgr.cgi is in /usr/share/doc/packages/squid/scripts/ directory

2) Copy cachemgr.cgi file to your configure script alias (/var/www/cgi-bin) directory of you Apache

3) Open squid.conf file and insert following two parameters at the end of the file

cache_mgr nikesh@domain.com
cachemgr_passwd your_Password all

4) Restart your squid and open your browser and type
http://localhost/cgi-bin/cachemgr.cgi
you should see something like … , provide a configure e-mail and password (mentioned above)

Read More