Setup Squid Proxy Server On openSUSE 13.1

Squid is a caching proxy server that caches frequently visited websites and reduces the Internet bandwidth. It runs on most available operating systems, including Windows and is licensed under the GNU GPL. We can share the single Internet connection to many users with the help of Squid. Squid is used by hundred of Internet service providers around the world to deliver stable and best possible Internet access to their clients.

In this how-to let us see how to setup a basic squid proxy server on openSUSE 13.1.

Install Squid on openSUSE 13.1

Install squid using following command:

# zypper in squid

Basic Configuration

Edit squid configuration file,

# vi /etc/squid/squid.conf

Make the changes as shown below.

## Define your local area network
acl mynetwork src 192.168.1.0/255.255.255.0

# Allow your network to browse
http_access allow mynetwork

# Squid normally listens to port 3128
http_port 3128

# Add the host name
visible_hostname linux-e0ix.site

Save and close the file. Enable and start squid service.

# systemctl enable squid.service
# systemctl start squid.service

Firewall Configuration

Go to Yast Control Center -> Security and Users -> Firewall -> Custom Rules. Enter your IP address range (ex.192.168.1.0/24) in Source netwrok column and squid port number (3128) in destination port column.

openSUSE 12.3 [Running] - Oracle VM VirtualBox_005Close Yast Window. Its time to configure Client systems.

Client Side Configuration

Open your client browser. Here i use Ubuntu 13.04 as my client and my client default browser is Mozilla Firefox. Go to Firefox -> Edit -> Preferences -> Advanced -> Network. Click on Settings. In the Manual proxy configuration, enter your Squid server ip address and squid default port(3128). Make sure that you selected the option “Use this protocol for all protocols”.

Connection Settings_004Click Ok to apply the settings. Try to open any website.

Linux Howtos & Tutorials | Unixmen - Mozilla Firefox_003Now you’ll be able to browse websites.

We learnt how to install Squid and share internet connection to clients. Now let us see how to use it to control the web access.

Restrict Internet Access to a particular host by IP address

Want to restrict internet access for a specific host? Yes, you can do it with Squid.

For example, you want to restrict host 192.168.1.100. To do that edit file /etc/squid/squid.conf file,

# vi /etc/squid/squid.conf

Add a new ACL rule to restrict a particular host (ex.192.168.1.100).

## create ACL for the restricted host 192.168.1.100
acl restricthost src 192.168.1.100

## Deny the host 192.168.1.100 from internet
http_access deny restricthost

Save and exit the file and restart squid service.

# systemctl restart squid.service

The above example will restrict the host 192.168.1.100 from using Internet.

Now try to access internet from the restricted host. You should see the following screen.

ERROR: The requested URL could not be retrieved - Mozilla Firefox_006

Restrict Internet to a group of hosts by IP address

Create a text file called “blocked_ip.acl” in any location.

# vi /etc/squid/blocked_ip.acl

Add the ip addresses that you want to block.

192.168.1.10/24
192.168.1.11/24
192.168.1.12/24

Now define a acl rule in squid.conf file as shown below.

[...]
acl restricted_ips url_regex -i "/etc/squid/blocked_ip.acl"
[...]
http_access deny restricted_ips
[...]

Save and close file. Restart squid service.

# systemctl restart squid.service

Now try to access internet from any one of the blocked ip’s. You can’t browse.

Restrict Internet Access to a particular Network

If you want to restrict internet access to a particular network ex.192.168.10.0/24, then add the following lines in squid.conf file.

[...]
acl unsafe_network src 192.168.10.0/24
[...]
http_access deny unsafe_network
[...]

Save and close file. Restart squid service to take effect the changes.

Access from the clients who has IP address in the 192.168.10.0/24 series. You will see the clients can’t access Internet.

Restrict Internet Access by Particular Time

You might want to restrict your employers not to use Internet on particular important business hours. So you can add the following lines to restrict them for using Internet.

Edit squid.conf file,

# vi /etc/squid/squid.conf

Add the following lines.

acl mynetwork src 192.168.1.0/24
acl working_hours time M T W H F 10:00-18:00
[...]
http_access deny mynetwork working_hours
[...]

The above example describes Internet access is restricted for the network 192.168.1.0/24 from 10am to 6pm.

Allow Internet Access by Particular Time

You may want allow Internet connection for 192.168.1.0/24 network after 6pm upto 8pm.

So just add the following lines in the squid.conf file.

[...]
acl mynetwork src 192.168.1.0/24
acl leisure_period time 18:00-20:00
[...]
http_access allow mynetwork leisure_period
[...]

The above example describes the Internet is open to access by netwrok 192.168.1.0/24 at 6pm to 8pm. Don’t forget to restart squid service on every changes in squid.conf file.

Restrict Specific group of websites

You may want to restrict some job portals, porn sites or social networks being accessed by your employees.

Create a text file called “blocked_sites.acl” in any location.

# vi /etc/squid/blocked_sites.acl

Add the website names to restrict.

www.facebook.com
www.naukri.com
www.pornhub.com

Now define a acl rule in squid.conf file as shown below.

[...]
acl restricted_sites url_regex -i "/etc/squid/blocked_sites.acl"
[...]
http_access deny restricted_sites
[...]

Save and close file. Restart squid service.

# systemctl restart squid.service

Now try to access the any one of the blocked sites. You should see the following like screen.

ERROR: The requested URL could not be retrieved - Mozilla Firefox_007If you want to block only website, add the following line in squid.conf file and restart squid service.

acl banned_site url_regex -i www.movies.com
http_access deny banned_site

View Squid log files

There are two log files (access.log and cache.log) under /var/log/squid directory.

You can view who accessed which website at what time from the /var/log/squid/access.log file.

# cat /var/log/squid/access.log

Sample output:

[...]
1385905901.689   4705 192.168.1.100 TCP_MISS_ABORTED/200 23375 GET http://www.pornhub.com/ - HIER_DIRECT/31.192.117.132 text/html
1385905901.689    338 192.168.1.100 TCP_MISS_ABORTED/200 3044 GET http://cdn1.static.pornhub.phncdn.com/css/buttons.css? - HIER_DIRECT/199.93.56.125 text/css
1385905901.699   1340 192.168.1.100 TCP_MISS_ABORTED/200 7364 GET http://ss.phncdn.com/jquery-1.8.3.js - HIER_DIRECT/8.254.2.253 application/x-javascript
1385905901.699   1701 192.168.1.100 TCP_MISS_ABORTED/200 28116 GET http://cdn1.static.pornhub.phncdn.com/css/common.css? - HIER_DIRECT/199.93.56.125 text/css
1385905901.699   1339 192.168.1.100 TCP_MISS_ABORTED/200 8812 GET http://ss.phncdn.com/jquery-ui-1.10.3.js - HIER_DIRECT/8.254.2.253 application/x-javascript
1385905901.707      7 192.168.1.100 TCP_MISS_ABORTED/000 0 GET http://cdn1.static.pornhub.phncdn.com/images/categories_seeall.gif - HIER_DIRECT/199.93.56.125 -
1385905901.707      7 192.168.1.100 TCP_MISS_ABORTED/000 0 GET http://cdn1a.static.pornhub.phncdn.com/images/categories/118x88/29.jpg - HIER_NONE/- -
1385905901.707      7 192.168.1.100 TCP_MISS_ABORTED/000 0 GET http://cdn1a.static.pornhub.phncdn.com/images/categories/118x88/27.jpg - HIER_NONE/- -
1385905901.707      7 192.168.1.100 TCP_MISS_ABORTED/000 0 GET http://cdn1a.static.pornhub.phncdn.com/images/categories/118x88/3.jpg - HIER_NONE/- -
1385905901.707      7 192.168.1.100 TCP_MISS_ABORTED/000 0 GET http://cdn1.static.pornhub.phncdn.com/images/ajax-loader-small.gif? - HIER_DIRECT/199.93.56.125
[...]

That’s for now. I covered only some basic installation and configuration of squid in this tutorial, but is enough to setup a basic proxy server to your organization.

Though it was tested on openSUSE, this method is same for all distributions. All you have to know is where is squid.conf file. The rest of configuration will be same as described above.

Good Luck!