Squid with authentication on CentOS 6
How to install Squid with authentication on CentOS 6
[NOTE: According to our AUP/TOS you can use only private proxy servers with authentication.]
Squid can work with several authentication helpers. In this guide we set up the ncsa_auth helper, which checks credentials against an htpasswd-style file.
Install squid if it is not installed yet:

yum install squid

If yum cannot find the package, install the EPEL repository:

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sudo rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Enable the remi repository by opening the file /etc/yum.repos.d/remi.repo and setting enabled=1:

name=Les RPM de remi pour Enterprise Linux $releasever - $basearch
#baseurl=http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/
mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/remi/mirror
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
failovermethod=priority

Now that EPEL is installed you can install squid as shown above. Note that on a stock CentOS 6 system squid is already in the base repository, so this step is usually unnecessary, and the Remi repository is not needed for Squid at all. A third-party repository left at enabled=1 feeds every future yum update, so keep gpgcheck=1 and consider leaving remi disabled and enabling it per command with --enablerepo=remi when you actually need a package from it.
Before setting up authentication, test basic Squid functionality: the proxy must work without requiring authentication first, so that any later failure can be attributed to the authentication configuration rather than to Squid itself.
Create a user:

htpasswd -c -m /etc/squid/passwd user1

This command creates the file /etc/squid/passwd, in which the NCSA users and their password hashes are stored. Use -c only for the first user: it truncates an existing file, so add further users with htpasswd -m /etc/squid/passwd user2. The -m flag stores an MD5 (apr1) hash; without it, the htpasswd shipped with httpd 2.2 on CentOS 6 defaults to crypt(), which silently ignores everything after the eighth character of the password. ncsa_auth accepts both formats.

Output:

New password:
Re-type new password:
Adding password for user user1

If the htpasswd command is not recognized, install the package that ships it (the full web server is not needed):

yum install httpd-tools

Make sure squid can read /etc/squid/passwd:

chmod o+r /etc/squid/passwd

This makes the hash file readable by every local account on the server. The helper runs as the squid user, so a tighter alternative is to give the file owner root, group squid and mode 640.

Locate the ncsa_auth authentication helper:

rpm -ql squid | grep ncsa_auth

Open the /etc/squid/squid.conf file.
Add or edit these lines, using the helper path printed by rpm -ql above (/usr/lib64/squid/ncsa_auth on x86_64, /usr/lib/squid/ncsa_auth on 32-bit):

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Add or edit these lines in the acl section:

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Remember that the position of these lines in the file is critical. The auth_param lines must come before the proxy_auth acl that uses them, and http_access rules are evaluated in order with the first match winning: http_access allow ncsa_users must sit after the deny rules for unsafe ports and CONNECT but before http_access deny all. An allow placed after deny all is never reached, and an allow for some other ACL placed before it lets that ACL's clients through without credentials. Note also that Basic authentication sends the username and password base64-encoded, not encrypted, with every request; on a proxy reached over the public Internet, anyone on the path can read them.
Here is a tested config file:

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8899
acl ncsa_users proxy_auth REQUIRED
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow ncsa_users

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8899

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

httpd_suppress_version_string on
forwarded_for off
visible_hostname squid.101

NOTE: the port is changed to 8899 from the standard 3128.

Be aware that in this file http_access allow localnet and http_access allow localhost come before http_access allow ncsa_users, so clients in the RFC 1918 and link-local ranges, and processes on the proxy host itself, are served without any credentials. Those ranges are not routable from the Internet, but any machine on a private network attached to the server bypasses authentication; remove or comment out those two lines if every client must authenticate.
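Because the ordering rules are easy to get wrong in a long squid.conf, here is a small pre-flight script that checks them before a restart. It is an added example, not code from the original guide: it assumes the ACL name ncsa_users used in this guide (override with ACL_NAME=...) and relies on squid -k parse -f to run Squid's own parser when squid is installed. It checks that auth_param precedes the proxy_auth acl, that the allow rule precedes deny all, and warns when an earlier allow for localnet or localhost lets those sources skip authentication.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight check for the
# ordering rules an ncsa_auth setup depends on. Assumes the ACL is named
# ncsa_users as in the guide (override with ACL_NAME=...).

ACL_NAME="${ACL_NAME:-ncsa_users}"

# first_line FILE REGEX: print the 1-based number of the first line matching
# REGEX (patterns are anchored at line start, so commented-out directives
# never match), or 0 when there is no match.
first_line() {
    fl=$(grep -n -E "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${fl:-0}"
}

# check_auth_order FILE: return 0 if the auth directives are in a workable
# order, 1 otherwise. Prints one line per problem; warnings do not fail it.
check_auth_order() {
    conf=$1
    rc=0
    prog=$(first_line "$conf" '^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program[[:space:]]')
    acl=$(first_line "$conf" "^[[:space:]]*acl[[:space:]]+$ACL_NAME[[:space:]]+proxy_auth([[:space:]]|$)")
    allow=$(first_line "$conf" "^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+$ACL_NAME([[:space:]]|$)")
    denyall=$(first_line "$conf" '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all([[:space:]]|$)')
    unauth=$(first_line "$conf" '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+local(net|host)([[:space:]]|$)')

    [ "$prog" -gt 0 ]  || { echo "ERROR: no 'auth_param basic program' line"; rc=1; }
    [ "$acl" -gt 0 ]   || { echo "ERROR: no 'acl $ACL_NAME proxy_auth' line"; rc=1; }
    [ "$allow" -gt 0 ] || { echo "ERROR: no 'http_access allow $ACL_NAME' line"; rc=1; }
    [ "$rc" -eq 0 ] || return 1

    # The helper must be declared before the proxy_auth ACL that uses it.
    if [ "$prog" -gt "$acl" ]; then
        echo "ERROR: auth_param (line $prog) comes after 'acl $ACL_NAME proxy_auth' (line $acl)"
        rc=1
    fi
    # http_access is first-match: an allow placed after 'deny all' is dead.
    if [ "$denyall" -gt 0 ] && [ "$allow" -gt "$denyall" ]; then
        echo "ERROR: 'http_access allow $ACL_NAME' (line $allow) is after 'http_access deny all' (line $denyall)"
        rc=1
    fi
    # An earlier allow for localnet/localhost admits those sources with no credentials.
    if [ "$unauth" -gt 0 ] && [ "$unauth" -lt "$allow" ]; then
        echo "WARNING: 'http_access allow localnet/localhost' (line $unauth) precedes the auth rule; those sources bypass authentication"
    fi
    return "$rc"
}

# preflight FILE: ordering check, then Squid's own parser when it is installed.
preflight() {
    check_auth_order "$1" || return 1
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    fi
}

# Usage: sh preflight.sh /etc/squid/squid.conf
if [ -n "$1" ]; then
    preflight "$1"
fi
```

Run it against the tested config above and it passes but prints the localnet warning, which is exactly the behaviour described in the note after the file.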
You can disable IPv6 for outgoing connections by adding the line

tcp_outgoing_address 0.0.0.0 all

Restart squid:

/etc/init.d/squid restart

If the service does not come back, look in /var/log/squid/cache.log for the configuration line it rejected. To start squid automatically at boot:

chkconfig squid on

Also remember to check iptables if you cannot connect (or telnet) to the squid port. For troubleshooting you can temporarily disable iptables, but re-enable it as soon as the test is done; without it the only thing standing between the Internet and the proxy is its http_access rules.
Here are example iptables rules:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d <serverIP> --dport <squidport> -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s <serverIP> --sport <squidport> -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

NOTE: since Squid 3.1.0 you may see TCP_MISS/503 entries in /var/log/squid/access.log. If so, add the line

tcp_outgoing_address <your public IP or domain name>

to /etc/squid/squid.conf. The usual cause is a host that has an IPv6 address but no working IPv6 route: Squid 3.1 tries IPv6 destinations first, and pinning the outgoing address to the public IPv4 address forces IPv4.
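Once Squid is restarted and the firewall allows the port, verify the setup end to end rather than trusting a browser prompt. The script below is an added example, not code from the original guide. It assumes the proxy is on 127.0.0.1:8899 as configured above, the helper path printed by rpm -ql squid | grep ncsa_auth, a test account created with htpasswd, and curl's -x and -U options; all of these can be overridden through the environment. It first asks the helper directly (ncsa_auth reads "user password" lines on stdin and answers OK or ERR), then confirms that an anonymous request gets 407 and an authenticated one reaches the origin.

```shell
#!/bin/sh
# Added example, not part of the original guide: end-to-end check of an
# ncsa_auth-protected Squid. Assumed values (override via environment):
# proxy on 127.0.0.1:8899 as configured above, helper path as printed by
# 'rpm -ql squid | grep ncsa_auth', and a test account created with htpasswd.

PROXY="${PROXY:-http://127.0.0.1:8899}"
HELPER="${HELPER:-/usr/lib64/squid/ncsa_auth}"
PASSWD_FILE="${PASSWD_FILE:-/etc/squid/passwd}"
URL="${URL:-http://example.com/}"

# helper_check USER PASS: talk to the helper directly, bypassing Squid. It
# reads "user password" lines on stdin and answers OK or ERR, so a wrong
# helper path, an unreadable passwd file or a bad hash shows up here instead
# of as an unexplained 407 in the browser. (Squid itself URL-encodes the two
# fields before sending them; plain ASCII credentials need no encoding.)
helper_check() {
    answer=$(printf '%s %s\n' "$1" "$2" | "$HELPER" "$PASSWD_FILE" 2>/dev/null | head -n 1)
    case "$answer" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# proxy_status [USER:PASS]: fetch URL through the proxy and print only the
# HTTP status code. Without credentials Squid must answer 407.
proxy_status() {
    if [ -n "$1" ]; then
        curl -s -o /dev/null --max-time 15 -w '%{http_code}' -x "$PROXY" -U "$1" "$URL"
    else
        curl -s -o /dev/null --max-time 15 -w '%{http_code}' -x "$PROXY" "$URL"
    fi
}

# verify USER PASS: return 0 only if the helper accepts the account,
# anonymous access is refused and authenticated access reaches the origin.
verify() {
    user=$1
    pass=$2
    failed=0
    if helper_check "$user" "$pass"; then
        echo "helper:        OK for $user"
    else
        echo "helper:        ERR for $user (helper path, file permissions or hash format?)"
        failed=1
    fi
    anon=$(proxy_status "")
    if [ "$anon" = "407" ]; then
        echo "anonymous:     407, authentication is enforced"
    else
        echo "anonymous:     $anon, expected 407 (does an earlier http_access allow match your source address?)"
        failed=1
    fi
    auth=$(proxy_status "$user:$pass")
    case "$auth" in
        2??|3??) echo "authenticated: $auth" ;;
        407)     echo "authenticated: 407, Squid rejected the credentials"; failed=1 ;;
        *)       echo "authenticated: $auth (for 503 see the tcp_outgoing_address note above)"; failed=1 ;;
    esac
    return "$failed"
}

# Usage: sh verify.sh user1 'the-password'
if [ $# -ge 2 ]; then
    verify "$1" "$2"
fi
```

Run it from the proxy host itself and remember that the tested config allows localhost without credentials, so for the anonymous check to return 407 run it from a client outside localnet, or temporarily comment out http_access allow localhost and localnet, which is also the quickest way to confirm that those rules are the reason some clients never see a password prompt.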