Introduction
This guide covers the installation and configuration of Squid, a caching proxy for the web, on Fedora 40. The guide follows the 5W1H approach to provide a comprehensive understanding of the process.
Overview
What
Squid is a caching proxy for the web that supports HTTP, HTTPS, FTP, and other protocols. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages.
Who
This guide is intended for system administrators and IT professionals who are responsible for managing network services and want to implement a caching proxy server on their Fedora 40 systems.
Where
The steps outlined in this guide should be performed on a Fedora 40 system with administrative privileges. Ensure that your system is connected to the internet and has sufficient resources to run Squid.
When
This guide can be followed whenever you need to set up a caching proxy server on Fedora 40. There are no specific timing requirements, but make sure to perform regular maintenance and updates to keep Squid running smoothly.
Why
Installing Squid on Fedora 40 provides several advantages, including improved network performance and reduced bandwidth usage. However, there are also some potential drawbacks to consider.
Pros | Cons |
---|---|
Improved network performance | Requires proper configuration and maintenance |
Reduced bandwidth usage | Potential security risks if not managed correctly |
Caching frequently accessed web content | May cause issues with dynamic content updates |
Supports multiple protocols (HTTP, HTTPS, FTP) | Additional resources required for caching |
How
Follow these steps to install and configure Squid on Fedora 40:
- Update your system: sudo dnf update -y
- Install Squid: sudo dnf install squid -y
- Start and enable Squid service: sudo systemctl start squid and sudo systemctl enable squid
- Edit the Squid configuration file: sudo nano /etc/squid/squid.conf
- Add necessary configuration settings (e.g., access control lists, cache settings)
- Restart the Squid service: sudo systemctl restart squid
- Verify Squid is running: sudo systemctl status squid
Consequences
Setting up Squid on Fedora 40 can have the following consequences:
Positive |
|
Negative |
|
Conclusion
Installing and configuring Squid on Fedora 40 can significantly improve network performance and reduce bandwidth usage. While there are some potential drawbacks, such as the need for proper configuration and maintenance, the benefits of using Squid as a caching proxy outweigh the disadvantages. By following this guide, system administrators can set up Squid efficiently and ensure their network operates smoothly and securely.
Install Squid
Install Squid to set up a proxy server.
Step [1] Install Squid.
[root@prox ~]# dnf -y install squid
Step [2] Configure general forward proxy settings.
[root@prox ~]# vi /etc/squid/squid.conf
.....
.....
acl Safe_ports port 777 # multiling http
# line 28 : add your local network
# network range you allow to use this proxy server
acl my_localnet src 10.0.0.0/24
# line 66 : add an http_access line for the ACL you defined
# http_access allow localnet
http_access allow my_localnet
# add to last line
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# add (do not display IP address)
forwarded_for off
[root@prox ~]# systemctl enable --now squid
Step [3] If Firewalld is running, allow the proxy service.
[root@prox ~]# firewall-cmd --add-service=squid
success
[root@prox ~]# firewall-cmd --runtime-to-permanent
success
Proxy Client : Fedora
Configure proxy clients to connect to the proxy server.
Step [1] Configure the proxy settings as follows on the Fedora client.
[root@client ~]# vi /etc/profile.d/proxy.sh
# create new (set the proxy in environment variables, system-wide)
MY_PROXY_URL="prox.bizantum.lab:3128"
HTTP_PROXY=$MY_PROXY_URL
HTTPS_PROXY=$MY_PROXY_URL
FTP_PROXY=$MY_PROXY_URL
http_proxy=$MY_PROXY_URL
https_proxy=$MY_PROXY_URL
ftp_proxy=$MY_PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy
[root@client ~]# source /etc/profile.d/proxy.sh
# alternatively, set the proxy per application instead of system-wide
# for dnf
[root@client ~]# vi /etc/dnf/dnf.conf
# add to last line
proxy=prox.bizantum.lab:3128
# for curl
[root@client ~]# vi ~/.curlrc
# create new
proxy=prox.bizantum.lab:3128
# for wget
[root@client ~]# vi /etc/wgetrc
# add to the end
http_proxy = prox.bizantum.lab:3128
https_proxy = prox.bizantum.lab:3128
ftp_proxy = prox.bizantum.lab:3128
Proxy Client : Windows
Configure the proxy settings as follows on the Windows client.
Step [2] This example configures the proxy for Google Chrome. Opening the proxy settings from Chrome opens the Windows system-wide proxy settings, and Chrome uses the proxy configured there.
Step [3] To set the proxy only for Chrome and not Windows system-wide, add the startup option [--proxy-server=(server's hostname or IP address):(proxy port)].
Set Basic Authentication
Set Basic Authentication to limit access to Squid.
Step [1] Install the package that includes htpasswd.
[root@prox ~]# dnf -y install httpd-tools
Step [2] Configure Squid to use Basic Authentication.
[root@prox ~]# vi /etc/squid/squid.conf
.....
.....
acl Safe_ports port 777 # multiling http
# line 28 : add the following for Basic auth
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 5 hours
acl password proxy_auth REQUIRED
http_access allow password
[root@prox ~]# systemctl restart squid
# add a user : create new file with [-c] option
[root@prox ~]# htpasswd -5 -c /etc/squid/.htpasswd fedora
New password: # set password
Re-type new password:
Adding password for user fedora
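Squid evaluates http_access rules from top to bottom and stops at the first match, so where the http_access allow password line from Step [2] sits relative to the stock http_access deny !Safe_ports and http_access deny CONNECT !SSL_ports rules decides whether authenticated clients are still held to those port restrictions. The script below is an added example, not part of the original guide: it reads a squid.conf and flags allow rules placed above those two deny rules, non-login allow rules placed above the login rule, and a missing final deny all; the finding labels and the sample config it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Squid checks http_access rules
# top to bottom and stops at the first match, so rule order is the policy.

# audit_http_access FILE: print one finding per line, nothing if the order is fine
audit_http_access() {
    awk '
    { sub(/[ \t]*#.*$/, "") }                             # strip comments
    $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }    # ACLs that require a login
    $1 != "http_access" { next }
    {
        n++; last = $2 " " $3
        if ($2 == "deny" && ($3 == "!Safe_ports" || $4 == "!SSL_ports")) guards++
        if ($2 != "allow") next
        if (guards < 2) print "EARLY_ALLOW rule " n ": " $0
        needs_login = 0; local_only = 0
        for (i = 3; i <= NF; i++) {
            if ($i in auth) needs_login = 1
            if ($i == "localhost") local_only = 1
        }
        if (needs_login && !first_auth) first_auth = n
        if (!needs_login && !local_only && !first_auth) unauth[n] = $0
    }
    END {
        for (k = 1; k < first_auth; k++)
            if (k in unauth) print "AUTH_BYPASS rule " k ": " unauth[k]
        if (n && last != "deny all") print "NO_FINAL_DENY last rule is: " last
    }' "$1"
}

# Constructed sample config. $1 = output file, $2 = early | bypass | ok
write_sample() {
    {
        echo 'acl my_localnet src 10.0.0.0/24'
        echo 'acl password proxy_auth REQUIRED'
        if [ "$2" = early ]; then echo 'http_access allow password'; fi
        echo 'http_access deny !Safe_ports'
        echo 'http_access deny CONNECT !SSL_ports'
        if [ "$2" = bypass ]; then echo 'http_access allow my_localnet'; fi
        if [ "$2" != early ]; then echo 'http_access allow password'; fi
        echo 'http_access deny all'
    } > "$1"
}

# Demo: audit the "early" sample, then clean up
demo=$(mktemp)
write_sample "$demo" early
audit_http_access "$demo"
rm -f "$demo"
```

Run audit_http_access /etc/squid/squid.conf after each edit; an empty result means none of the three ordering problems was found.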
Proxy Client : Fedora
Step [3] Configure the Fedora proxy client for Basic Authentication.
[root@client ~]# vi /etc/profile.d/proxy.sh
# create new
# username:password@proxyserver:port
MY_PROXY_URL="fedora:password@prox.bizantum.lab:3128"
HTTP_PROXY=$MY_PROXY_URL
HTTPS_PROXY=$MY_PROXY_URL
FTP_PROXY=$MY_PROXY_URL
http_proxy=$MY_PROXY_URL
https_proxy=$MY_PROXY_URL
ftp_proxy=$MY_PROXY_URL
export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy
[root@client ~]# source /etc/profile.d/proxy.sh
# alternatively, set the proxy per application instead of system-wide
# for dnf
[root@client ~]# vi /etc/dnf/dnf.conf
# add to last line
proxy=prox.bizantum.lab:3128
proxy_username=fedora
proxy_password=password
# for curl
[root@client ~]# vi ~/.curlrc
# create new
proxy=prox.bizantum.lab:3128
proxy-user=fedora:password
# for wget
[root@client ~]# vi /etc/wgetrc
# add to last line
http_proxy = prox.bizantum.lab:3128
https_proxy = prox.bizantum.lab:3128
ftp_proxy = prox.bizantum.lab:3128
proxy_user = fedora
proxy_passwd = password
Proxy Client : Windows
Step [4] Windows clients need no specific settings. When a client accesses a website, the proxy server asks for authentication as follows; enter the username and password.
Configure Reverse Proxy
Configure Squid as a reverse proxy server.
Step [1] Get an SSL certificate so the proxy can also accept HTTPS access; refer to here.
Step [2] Configure Squid.
[root@bizantum ~]# vi /etc/squid/squid.conf
# line 66 : add to allow all http access
http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# line 71 : specify the backend Web server
#http_port 3128
http_port 80 accel defaultsite=www.bizantum.lab
https_port 443 accel defaultsite=www.bizantum.lab cert=/etc/letsencrypt/live/dlp.bizantum.lab/fullchain.pem key=/etc/letsencrypt/live/dlp.bizantum.lab/privkey.pem
# line 74 : uncomment
# number means ⇒ [disk cache size] [number of directories on top level] [number of directories on 2nd level]
cache_dir ufs /var/spool/squid 100 16 256
# add to last line
cache_peer www.bizantum.lab parent 80 0 no-query originserver
# memory cache size
cache_mem 256 MB
# define hostname
visible_hostname dlp.bizantum.lab
[root@bizantum ~]# systemctl enable --now squid
Step [3] If Firewalld is running, allow the HTTP/HTTPS services.
[root@bizantum ~]# firewall-cmd --add-service={http,https}
success
[root@bizantum ~]# firewall-cmd --runtime-to-permanent
success
Step [4] Change the DNS or router settings in your local network if needed so that HTTP/HTTPS access reaches Squid, then access the Squid reverse proxy server from a client PC with a web browser as follows.