≡ Menu

Squid Web Proxy and Cache Server

Tutorials, howtos, and tips about Squid web proxy and cache software under *nix. It includes a wide variety of uses, from speeding up a web server by caching repeated requests; to caching web, DNS and other computer network lookups for a group of people sharing network resources; to aiding security by filtering traffic ( rss feed )

Q. I'm using Squid Cache Version 2.6.STABLE. It is configured perfectly and I'd like to know how do I allow squid to only authenticated users?

A. Squid can authenticate users if squid is configured to use proxy_auth ACLs. Browsers send the user's authentication credentials in the Authorization request header. If Squid gets a request and the http_access rule list gets to a proxy_auth ACL, Squid looks for the Authorization header. If the header is present, Squid decodes it and extracts a username and password.

If the header is missing, Squid returns an HTTP reply with status 407 (Proxy Authentication Required). The user agent (browser) receives the 407 reply and then prompts the user to enter a name and password. The name and password are encoded, and sent in the Authorization header for subsequent requests to the proxy.

Your Squid software comes with a few authentication helper programs. These include (click link below to open Squid cache authentication configuration tutorial):

Squid Proxy Sever View logs / log files

Q. How do I view squid proxy server log files under CentOS Linux server 5.0?

A. squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, squid handles all requests in a single, non-blocking, I/O-driven process.

/var/log/squid/ log file directory

The logs are a valuable source of information about Squid workloads and performance. The logs record not only access information, but also system configuration errors and resource consumption (eg, memory, disk space). There are several log file maintained by Squid. Some have to be explicitely activated during compile time, others can safely be deactivated during.

  • /var/log/squid/access.log : Most log file analysis program are based on the entries in access.log. You can use this file to find out who is using squid server and what they are doing etc
  • /var/log/squid/cache.log : The cache.log file contains the debug and error messages that Squid generates. If you start your Squid using the default RunCache script, or start it with the -s command line option, a copy of certain messages will go into your syslog facilities. It is a matter of personal preferences to use a separate file for the squid log data.
  • /var/log/squid/store.log : The store.log file covers the objects currently kept on disk or removed ones. As a kind of transaction log it is ususally used for debugging purposes. A definitive statement, whether an object resides on your disks is only possible after analysing the complete log file. The release (deletion) of an object may be logged at a later time than the swap out (save to disk).

How do I view Squid Log files / logs?

You can use standard UNIX / Linux command such as grep / tail to view log files. You must login as root or sudo command to view log files.

Display log files in real time

Use tail command as follows:
# tail -f /var/log/squid/access.log
OR
$ sudo tail -f /var/log/squid/access.log

Search log files

Use grep command as follows:
grep 'string-to-search' /var/log/squid/access.log

View log files

Finally you can use text editor such as vi to view log files:
# vi /var/log/squid/access.log

Q. I am using Debian stable Linux version and squid proxy server for our small software company. I need to block a port number 1234. How to filter a particular port?

A. You can easily filter any port with squid ACL (Access Control List).

ACL is used for defining an access List. When using "file" the file should contain one item per line By default, regular expressions are CASE-SENSITIVE. To make them case-insensitive, use the -i option.

Procedure to block a port

First open /etc/squid/squid.conf file
# vi /etc/squid/squid.conf
Locate your ACL section and add configuration directive as follows:
acl block_port port 1234
http_access deny block_port
http_access allow all

If you just want to skip a particular IP (192.168.1.5) try as follows:
acl block_port port 1234
acl no_block_port_ip src 192.168.1.5
http_access deny block_port !no_block_port_ip
http_access allow all

Close and save the file.

Restart squid proxy server:
# /etc/init.d/squid restart

Q. How do I configure squid for NTLM authentication?

A. You need to use squid ntlm_auth helper tool. It o allow external access to Winbind's NTLM authentication function. ntlm_auth uses winbind to access the user and authentication data for a domain.

Make sure winbindd is working

winbindd is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitary applications via PAM and ntlm_auth and to Samba itself. If you are not sure about winbindd, refer to official Samba documentation for configuration.

Configure squid for NTLM authentication

Open squid configuration file - squid.conf, enter:
# vi squid.conf
Append following configuration directive:
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

To setup ntlm_auth for use by squid 2.5 with group limitation, add:
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="WORKGROUP\Domain Users"
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="WORKGROUP\Domain Users"
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

OR You can also pass DOMAIN/PDC name:
auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAINNAME/PDC
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

Now add ACL configuration for ntlm_auth helper
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all

Save and close the file. Restart Squid:
# /etc/init.d/squid restart
For more information:

Updated for accuracy.

Q. For security and to save bandwidth I would like to configure Squid proxy server such way that I do not want my users to download all of the following files:
MP3
MPEG
MPG
AVG
AVI
EXE

How do I configure squid content filtering?

A. You can use squid ACL (access control list) to block all these files easily.

How do I block music files using squid content filtering ACL?

First open squid.conf file /etc/squid/squid.conf:

# vi /etc/squid/squid.conf
Now add following lines to your squid ACL section:

acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
You want display custom error message when a file is blocked:
# Deny all blocked extension
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles

Save and close the file.

Create custom error message HTML file called ERR_BLOCKED_FILES in /etc/squid/error/ directory or /usr/share/squid/errors/English directory.
# vi ERR_BLOCKED_FILES
Append following content:

<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact helpdesk for more information:</p>
Phone: 555-12435 (ext 44)<br>
Email: helpdesk@yourcorp.com<br>

Caution: Do not include HTML close tags </HTML> </BODY> as it will be closed by squid.
Now create /etc/squid/blocks.files.acl file:
# vi /etc/squid/blocks.files.acl
Append following text:
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

Save and close the file. Restart Squid:
# /etc/init.d/squid restart

Squid in action:

Squid content filtering howto
(Click to enlarge)

Squid Deny Users Accessing a Website

How do I deny a user accessing particular website? For example deny access to a website called foo.com.
[click to continue…]