How To Use Squid Proxy Cache Server To Control Internet Access

by Balakrishnan Mariyappan on September 1, 2010

Squid is a proxy caching server. If you are Linux sysadmin, you can use squid to control internet access at your work environment.

This beginners guide will give a jump-start on how to setup squid on Linux to restrict internet access in an network.

Install Squid

You should install the following three squid related packages on your system.

  • squid
  • squid-common
  • squid-langpack

On Debian and Ubuntu, use aptitude to install squid as shown below. On CentOS, use yum to install the squid package.

$ sudo aptitude install squid

Check Configuration and Startup scripts

Apart from installing the squid related packages, it also creates the /etc/squid/squid.conf and /etc/init.d/squid startup script.

By default Squid runs on 3128 port. You can verify this from the squid.conf file. You can also set the visible_hostname parameter in your squid.conf, which will be used in error_log. If you don’t define, squid gets the hostname value using gethostname() function.

# vim /etc/squid/squid.conf
visible_hostname ubuntuserver
httpd_port 3128

Note: The http port number (3128) specified in the squid.conf should be entered in the proxy setting section in the client browser. If squid is built with SSL, you can use https_port option inside squid.conf to define https squid.

Start Squid and View Logs

Start the Squid proxy caching server as shown below.

# service squid start
squid start/running, process 11743

Squid maintains three log files (access.log, cache.log and store.log) under /var/log/squid directory.

From the /var/log/squid/access.log, you can view who accessed which website at what time. Following is the format of the squid access.log record.

time elapsed remotehost code/status bytes method URL rfc931     peerstatus/peerhost

To disable logging in squid, update the squid.conf with the following information.

# to disable access.log
cache_access_log /dev/null

# to disable store.log
cache_store_log none

# to disable cache.log
cache_log /dev/null

Squid Usage 1: Restrict Access to Specific Websites

This is how you can restrict folks from browsing certain website when they are connected to your network using your proxy server.

Create a file called restricted_sites and list all sites that you would want to restrict the access.

# vim /etc/squid/restricted_sites
www.yahoo.com
mail.yahoo.com

Modify the squid.conf to add the following.

# vim /etc/squid/squid.conf
acl RestrictedSites  dstdomain "/etc/squid/restricted_sites"
http_access deny RestrictedSites

Note: You can also configure squid as a transparent proxy server, which we’ll discuss in a separate article. Also, refer to our earlier article on how to block ip-address using fail2ban and iptables.

Squid Usage 2: Allow Access to Websites Only During Specific Time

Some organization might want to allow employees to surf or download from the internet only during specific timeperiods.

The squid.conf configuration shown below will allow internet access for employees only between 9:00AM and 18:00 during weekdays.

# vim /etc/squid/squid.conf
acl official_hours time M T W H F 09:00-18:00
http_access deny all
http_access allow official_hours

Squid Usage 3 : Restrict Access to Particular Network

Instead of restricting specific sites, you can also provide access only to certain network and block everything else. The example below, allows access only to the 192.168.1.* internal network.

# vim /etc/squid/squid.conf
acl branch_offices src 192.168.1.0/24
http_access deny all
http_access allow branch_offices

For a Linux based intrusion detection system, refer to our tripwire article.

Squid Usage 4 : Use Regular Expression to Match URLs

You can also use regular expression to allow or deny websites.

First create a blocked_sites files with a list of keywords.

# cat /etc/squid/blocked_sites
soccer
movie
www.example.com

Modify the squid.conf to block any sites that has any of these keywords in their url.

# vim /etc/squid/squid.conf
acl blocked_sites url_regex -i "/etc/squid/blocked_sites"
http_access deny blocked_sites
http_access allow all

In the above example, -i option is used for ignoring case for matching. So, while accessing the websites, squid will try to match the url with any of the pattern mentioned in the above blocked_sites file and denies the access when it matches.

SARG – Squid Analysis Report Generator

Download and install SARG to generate squid usage reports.

Use the sarg-reports command to generate reports as shown below.

# to generate the report for today
sarg-report today

# on daily basis
sarg-report daily

# on weekly basis
sarg-report weekly

# on monthly basis
sarg-report monthly

Note: Add the sarg-report to the crontab.

The reports generated by sarg are stored under /var/www/squid-reports. These are html reports can you can view from a browser.

$ ls /var/www/squid-reports
Daily  index.hyml

$ ls /var/www/squid-reports/Daily
2010Aug28-2010Aug28  images  index.html

Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 17 comments… read them below or add one }

1 Madharasan September 1, 2010 at 3:09 am

Good Article.

Can you please guide me, how to display a banner right after a website is blocked by squid server ?

eg: “This website is Blocked and should not be accessed from the premises of Example Inc”

2 Geoff Campbell September 1, 2010 at 7:44 am

Thanks for the Squid article. Would be interested in how to configure to securely use a Squid proxy server from a remote location.

3 carlos September 1, 2010 at 4:58 pm

Sarg or calamaris?

comments welcomen. thanks.

4 PatrickDickey September 1, 2010 at 5:30 pm

For Madharasan,

You could create a page with that banner, and redirect them inside of Squid. I’m not sure how to do the redirection, but essentially that’s what you’ll want to do.

For the author,

Could you do a tutorial on how to configure your network to use Squid regardless of whether the browser settings have it as a proxy? I’ve seen this once before, but honestly I don’t remember where.

Have a great day:)
Patrick.

5 ChandraShekher September 2, 2010 at 3:56 am

Excellent Article.

Can you please provide info on how to limit/distribute bandwidth for a particular IP/user

6 Tapas Mallick September 4, 2010 at 12:57 am

Squid Usage 3 : Restrict Access to Particular Network
# vim /etc/squid/squid.conf
acl branch_offices src 192.168.1.0/24
http_access deny all
http_access allow branch_offices

Should be (I think) ….
# vim /etc/squid/squid.conf
acl branch_offices src 192.168.1.0/24
http_access allow branch_offices
http_access deny all

7 Ritesh September 10, 2010 at 3:27 am

Hi,
My requirement is if I assign user to access internet only 2 hours within a week.
Is this possible in squid ?

Thanks,
Ritesh

8 jargon December 30, 2010 at 2:12 pm

@Tapas

Definitely. ‘http_access deny all’ needs to come at the end of a block, or else the next directive is ignored. squid.conf is parsed top-down. That can be quite tricky, and I’ve run into some headaches over this. Nevertheless, I love squid. Fantastic piece of software.

9 Grant January 11, 2011 at 4:45 am

Thanks, the stuff here is really useful. How do i restrict a group of ip addresses from downloading during a specified period and leave another group with the access to downloading.

10 Thanki Kunal July 24, 2011 at 11:28 pm

Hi all,
I m doing my M.E. in computer science, and i have selected my subject for thesis as network security,. in that i m willing to do some work in squid proxy server. can any one guid me on that. i m interested in finding dos attacks and preventing them

11 navneet August 8, 2011 at 5:17 am

I want to restrict group of internet sites to some IPs and allow that sites to a particular IP using squid configuration file. Kindly help me.

12 blackunta January 8, 2012 at 7:47 pm

How can i used squid on a windows server 2003?

13 deepak January 19, 2012 at 11:13 pm

dear Boss,
i am recently joined one organization i’m facing some problem in squid
when i want to access the internet then it’s giving message u can’t access (linuxserver squid /2.6 stable6) how can remove permission plz give me answaer as soon as possible

14 Satish February 2, 2012 at 3:04 am

Hi Deepak,

Can u please send me your error screen shot squid ….

15 Rohit August 23, 2012 at 5:44 am

can anyone tell me that how to get the logged access. i mean to say that before opening a website it should open a web page which contains a message that “your usage is being logged ” and on the same page there should be a link to continue to that particular website.

16 Anonymous October 24, 2013 at 11:02 pm

Hi Deepak,
I have installed squid proxy in my network and it is working fine, i want to know how much bandwidth the users are using? is there any easy and possible way to that?? please do reply me to my email id..

17 Arun March 11, 2014 at 7:07 am

In which file, the following lines to be added? /etc/squid/squid.conf or /usr/local/etc/sarg.conf

# to generate the report for today
sarg-report today

# on daily basis
sarg-report daily

# on weekly basis
sarg-report weekly

# on monthly basis
sarg-report monthly

Leave a Comment

Previous post:

Next post: