A little SQUID
I can make you faster, I can be your big brother, or I can be your TSA agent
chkconfig squid on
service squid start
DONE, well not really :) but you do have a very basic default config, with lots of uncommenting and playing around still to do. Let's start by configuring the browser to connect to the proxy on port 3128 for testing, in my case:
http://squid.sysxperts.com on port 3128
So in Firefox I went to Edit > Preferences and under General Settings I chose Connection Settings. Then I clicked Manual proxy configuration and added the server above and 3128 in the port field.
Make sure iptables has a rule allowing clients to reach port 3128:
-A Firewall-INPUT -s 10.1.4.0/24 -p tcp --dport 3128 -j ACCEPT
Save and restart iptables
service iptables restart
Edit /etc/squid/squid.conf
Search for "Recommended minimum" in the file and add just below the acl CONNECT method line:
acl sysxperts src 10.1.4.0/24 # sysxperts is the name of the acl; src means it matches on the client's source IP range
Now search further for INSERT YOUR OWN and add a line above the localhost access rule to allow sysxperts. The http_access section will end up looking like this:
http_access allow localhost
(the deny jerks rule from the next step ends up here)
http_access allow sysxperts
(the deny all rule ends up here)
Create some acls for the jerks, near the sysxperts acl:
acl jerks dstdomain .nigeria914.com
acl jerks dstdomain .thief.com
Then go back to the allow rule for sysxperts and add this above it. http_access rules are checked in order and the first match wins, so a deny placed below the allow would never be reached for your own clients and would have no effect:
http_access deny jerks # blocks those bad guys' domains entirely, provided you remembered the leading dot
http_access deny all
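To see why the rule order above matters, here is a small first-match evaluator for the acl and http_access lines used in this post. It is an added example, not part of the original post or of Squid itself; the two config fragments are constructed, with the deny jerks rule placed above and below the allow rule, and the domain and network ACL semantics follow what squid.conf documents (a leading dot on dstdomain matches the domain and its subdomains; an unmatched request gets the opposite of the last rule's action).

```python
import ipaddress

# Constructed squid.conf fragments (assumed examples, not copied from a real
# server): same ACLs as the post, deny-jerks placed above vs. below the allow.
CONF_DENY_ABOVE = """\
acl sysxperts src 10.1.4.0/24
acl jerks dstdomain .nigeria914.com
acl jerks dstdomain .thief.com
acl all src 0.0.0.0/0.0.0.0
http_access deny jerks
http_access allow sysxperts
http_access deny all
"""
CONF_DENY_BELOW = CONF_DENY_ABOVE.replace(
    "deny jerks\nhttp_access allow sysxperts", "allow sysxperts\nhttp_access deny jerks")

def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()   # drop trailing comments
        if parts and parts[0] == "acl":      # acl NAME TYPE VALUE...
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":   # http_access allow|deny ACL...
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, dst_host):
    typ, values = acl
    if typ == "src":   # CIDR or dotted-netmask networks, both accepted by squid
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if typ == "dstdomain":
        # leading dot: the domain and every subdomain; no dot: exact host only
        host = dst_host.lower()
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    raise ValueError("unsupported acl type: " + typ)

def decide(conf, client_ip, dst_host):
    """First matching http_access line wins; if none matches, squid applies
    the opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], client_ip, dst_host) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for conf, label in ((CONF_DENY_ABOVE, "deny above allow"), (CONF_DENY_BELOW, "deny below allow")):
        print(label, "->", decide(conf, "10.1.4.20", "www.thief.com"))
```

With the deny above the allow a client in 10.1.4.0/24 is blocked from www.thief.com; with it below, the allow matches first and the request goes through.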
Some useful settings in squid.conf are:
http_port - customize freely to make your security admins happy
cache_mem - 8M default but feel free to beef it up for better performance
cache_dir ufs /var/spool/squid 100 16 256 # how about mounting this on some flash drives
acl all src 0.0.0.0/0.0.0.0 # handy little catch-all
acl localhost src 127.0.0.1/255.255.255.255 # loopback baby
http_access allow localhost # guess what happens if you don't?
http_access deny all # make use of that catch-all
Then reload
service squid reload
Use the browser to try to connect to the bad guys' domains; the requests should fail. /var/log/squid/ is your friend, just like the man pages and Google.