Installing and Configuring Squid

Hands-On Lab

 

Michael Christian

Course Development Director in Content

Length: 01:30:00

Difficulty: Intermediate

In this learning activity, you will need to install and configure Squid so that it only permits web access to linuxacademy.com.

The Scenario

A business unit needs a solution to their problem. They want non-SSL web access for some client hosts limited to just linuxacademy.com. We need to provide a proxy server for them to use.

We'll do this by installing a Squid proxy server, then configuring it so that it only permits traffic to linuxacademy.com. We won't need to restrict SSL traffic at all.

Get logged in

Use the credentials and server IP in the hands-on lab overview page to log into our lab server. Notice there are a couple of machines we're working with, a server and a client. Pay attention in the lab guide, as the shell prompt will reveal which one we're working with at the moment.

Install Squid

Become root on Server1 (with su -), and then we can start.

First we'll install Squid on Server1:

[root@Server1]# yum install squid

Enable and Start Squid

Then we've got to enable Squid and start it:

[root@Server1]# systemctl enable squid
[root@Server1]# systemctl start squid

Permit Squid Client Access through the Firewall

We'll need to permit clients to connect to the Squid service through the firewall, then reload the firewall configuration to apply the change:

[root@Server1]# firewall-cmd --permanent --add-service=squid
[root@Server1]# firewall-cmd --reload

To prove that we've opened the hole, we can run this:

[root@Server1]# firewall-cmd --list-all

Configure Squid

We want to create an ACL that allows clients to access only linuxacademy.com, plus an http_access rule that permits it. Both lines go in /etc/squid/squid.conf after the line that says # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS. If we edit the file and add them, it should look like this when we're done:

...
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl whitelist dstdomain .linuxacademy.com
http_access allow whitelist
...

We'll also need to either comment out or remove the http_access allow localnet line. Commented out, it looks like this:

#http_access allow localnet

Once we restart Squid, our changes should take effect:

[root@Server1]# systemctl restart squid
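
The localnet line has to go because Squid evaluates http_access lines from top to bottom and stops at the first match, so an active http_access allow localnet below the whitelist rule would still let local clients reach every other site. The shell check below is an added example, not part of the original lab; it audits a constructed squid.conf excerpt for that mistake (the function names and the 10.0.0.0/8 localnet range are assumptions).

```shell
# Added example: audit the http_access rule order in a squid.conf.
# Squid reads http_access lines top to bottom; the first match decides.
# audit_squid_conf FILE: returns 0 only if clients are limited to the whitelist ACL.
audit_squid_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                 # skip blank and commented lines
        $1 == "acl" && $2 == "whitelist" && $3 == "dstdomain" { acl = 1 }
        $1 == "http_access" {
            n++; last = $2 " " $3
            if ($2 == "allow" && $3 == "whitelist") allow_at = n
            if ($2 == "deny" && $3 == "all" && !deny_at) deny_at = n
            if ($2 == "allow" && ($3 == "localnet" || $3 == "all")) {
                printf "FAIL: line %d: \"%s\" lets clients reach any site\n", NR, $0
                bad = 1
            }
        }
        END {
            if (!acl)      { print "FAIL: acl whitelist dstdomain is not defined"; bad = 1 }
            if (!allow_at) { print "FAIL: no http_access allow whitelist rule"; bad = 1 }
            if (deny_at && allow_at > deny_at) { print "FAIL: allow whitelist follows deny all"; bad = 1 }
            if (last != "deny all") { print "FAIL: last http_access rule is not deny all"; bad = 1 }
            if (!bad) print "OK: clients can only reach the whitelist ACL"
            exit bad
        }' "$1"
}

# Constructed sample: tail of a squid.conf after the lab edit (not a full config).
# $2 = "fixed" comments out the localnet rule; any other value leaves it active.
write_sample_conf() {
    localnet_rule="http_access allow localnet"
    if [ "$2" = "fixed" ]; then localnet_rule="#$localnet_rule"; fi
    cat > "$1" <<EOF
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl whitelist dstdomain .linuxacademy.com
http_access allow whitelist
$localnet_rule
http_access allow localhost
http_access deny all
EOF
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/before.conf" unfixed
write_sample_conf "$demo_dir/after.conf" fixed
audit_squid_conf "$demo_dir/before.conf" || true   # reports the active localnet rule
audit_squid_conf "$demo_dir/after.conf"            # passes
```

On the lab server the same function can be pointed at /etc/squid/squid.conf before restarting, alongside squid -k parse, which checks the file's syntax.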

Test from a Client

OK, let's log into the client (using the credentials on the hands-on lab page) so we can test things out. Once we're in, we've got to export the http_proxy value so that it points at Server1:

[cloud_user@client]$ export http_proxy="http://10.0.1.10:3128"

Then we'll try retrieving the headers of linuxacademy.com with curl:

[cloud_user@client]$ curl -I linuxacademy.com

This should work. Now let's verify that linuxacademy.com is the only site that works, by trying that command with a different address:

[cloud_user@client]$ curl -I apache.org

This should come back as forbidden.