Configure Squid Access Control List
To allow a range of IP address to use the Internet through your proxy server. You can add a new ACL entry. Squid supports CIDR notations. Consider an example, if you want to allow a range of IP address from 192.168.100.1 to 192.168.100.255 then you can make the following entry in Squid configuration file under the list of ACLs.
acl localnet src 1192.168.100.0/24
our list of ACLs will finally look like this.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 192.168.100.0/24 #Your newly added ACL
For changes to take effect you will need to restart your Squid server, use the following command for same.
sudo systemctl restart squid
Allow a Specific Port for HTTP Connections
By default Squid only consider very few ports as safe ports and allow connections through them. The ports which are allowed by default are:
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
The ports which are not listed above will not be accessed through the proxy. You can add a Port into the list of Safe_ports by modifying the list of ACLs for ports. For example it you want to allow port 168 to be accessed through the proxy server you can add the following ACL entry for this.
acl Safe_ports port 168
For changes to take effect you will need to restart your Squid server, use the following command for same.
sudo systemctl restart squid
[ads]
Squid Proxy Client Authentication
You will most probably want your users to authenticate before using the proxy. For that purpose, you can enable basic http authentication. It is easy and fast to configure.
First you will need httpd-tools installed.
sudo yum -y install httpd-tools
Now create a new file and provide the ownership to squid daemon so that it can access it. Run the following command for same.
sudo touch /etc/squid/passwd && chown squid /etc/squid/passwd
Now you can add a new user to the password file using the htpasswd tool. In this tutorial we will be creating an example user testuser. You can replace testuser with anything you like. Run the following command to create a new user using htpasswd tool.
sudo htpasswd /etc/squid/passwd testuser
It will ask for the new password twice, provide the password and you will see following output.
sudo htpasswd /etc/squid/passwd testuser New password: Re-type new password: Adding password for user testuser
By default htpasswd uses MD5 encryption for the password, hence your password will be stored in MD5 hash.
As we have our password file ready, you can now edit the squid configuration file using the following command
sudo vi /etc/squid/squid.conf
Add the following lines into the configuration file under the access control lists of ports.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
Save the file and restart squid so that the new changes can take effect:
sudo systemctl restart squid
Now if you will try to use the proxy server, it will ask you for authentication. Provide your username and password and you will be able to use the proxy server. Unauthenticated user will be shown an error page.
Block Websites on Squid Proxy
Squid proxy can be used to restrict access to specific websites. For example to block access to youtube, facebook, netflix you would have to create a file that defines the domains of these websites as shown below;
sudo vi /etc/squid/restricted_sites
Now enter the list of sites you want to block. One website per line.
.youtube.com .facebook.com .netflix.com
The proceding dot tells squid to block all referecnes to that sites including www.netflix, subsite.netflix.com etc.
Now open Squid’s configuration file.
sudo vi /etc/squid/squid.conf
Just after the ports ACLs add the following two lines:
acl restricted_sites dstdomain "/etc/squid/restricted_sites" http_access deny restricted_sites
Now save the file and restart squid:
sudo systemctl restart squid
Now if you will try to access the blocked sites, you will get an access denied message from Squid.