squid advice

Ted asked:
I am about to install Squid web proxy for an office.  I want to install it on Linux.  Need some help...
1.  Which Linux distro do you recommend and how do I get it?
2.  I can find and download Squid and follow the instructions on how to install it, but any installation tips?
3.  Once I install it, how do I configure it for my specific private LAN (they are on the private IP 192.168.1.0/24 network)?
4.  What information do I need to gather in order to complete the installation?

Thank you.
CERTIFIED EXPERT
Top Expert 2014
Commented:
Well most any Linux distro will work.  Popular distros now are:

    CentOS
    Ubuntu
    Debian

For CentOS you can use yum to install to make life easy.  For Debian and Ubuntu you can use apt-get.

The installation instructions will tell you how to configure for your subnet.

Basically all you need to know is the same information you would need to know to set up the box to be on your network and access the Internet.

One tip, do use DHCP, set it up with a static IP address.
Ted

Author

Commented:
So, it's "yum squid", or for the others it's "apt-get squid" ?

I figured that was a typo, you meant do NOT use DHCP
CERTIFIED EXPERT
Top Expert 2014
Commented:
Yes, do NOT use DHCP.

yum install squid
apt-get install squid
Ted

Author

Commented:
Got it.  Then for the laptops on the subnet that are using that proxy, how do I configure them to use that proxy?
(But still be able to use their laptops when they bring them home.)
CERTIFIED EXPERT
Top Expert 2014
Commented:
To use a proxy at work and nothing at home you have two options (that I am aware of).

1) You can set up Squid to be a transparent in-line proxy.  Just search on those terms.
2) You set up IE to use a ".pac" file.   This is basically a JavaScript program in which you can make decisions about when to use a proxy and when not to.

You can set up a central proxy .pac file and when they are at home they will not be able to find it and so no proxy.

The other thing you can do in a .pac file is, for any web servers you host internally, you can bypass the proxy and go direct to the server.

Just two quick links dealing with .pac files.  Search in Google and you will find tons of samples.
http://nscsysop.hypermart.net/proxypac.html
http://blog.freyguy.com/archives/2006/03/01/proxy-auto-detect-ie-and-firefox/
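
The following is an added example, not code from the thread or from any of its posters: a .pac file of the kind described in the answer above, sending office traffic through Squid, going direct when the laptop is off the office LAN, and bypassing the proxy for internally hosted servers. The proxy address 192.168.1.10:3128 and the helper names ipToInt, inOfficeNet and decide are assumptions; the 192.168.1.0/24 network comes from the question.

```javascript
// Added example proxy.pac. Assumed values: office LAN 192.168.1.0/24 (from the
// question) and a hypothetical Squid box at 192.168.1.10 on Squid's default port 3128.
var OFFICE_NET = "192.168.1.0";
var OFFICE_MASK = "255.255.255.0";
// No "; DIRECT" fallback: if Squid is down, office browsing fails closed rather
// than silently bypassing the proxy. Append "; DIRECT" to favour availability.
var PROXY = "PROXY 192.168.1.10:3128";

// Parse a dotted-quad IPv4 literal to a number; null for anything else
// (hostnames, IPv6), so no DNS lookup is ever triggered from the PAC file.
function ipToInt(ip) {
  var parts = String(ip).split("."), n = 0, i;
  if (parts.length !== 4) return null;
  for (i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || +parts[i] > 255) return null;
    n = n * 256 + (+parts[i]);
  }
  return n;
}

function inOfficeNet(ip) {
  var n = ipToInt(ip), mask = ipToInt(OFFICE_MASK);
  return n !== null && (n & mask) === (ipToInt(OFFICE_NET) & mask);
}

// Pure decision logic, kept separate so it can be tested outside a browser.
function decide(host, clientIp) {
  // Laptop is not on the office LAN (for example, at home): no proxy.
  if (!inOfficeNet(clientIp)) return "DIRECT";
  // Internally hosted servers: single-label names, loopback, LAN addresses.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (host === "127.0.0.1" || inOfficeNet(host)) return "DIRECT";
  return PROXY;
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return decide(host, myIpAddress());
}
```

A home network that also uses 192.168.1.0/24 will pass the office check, so the answer's point about serving the file from somewhere only reachable at the office still matters. A PAC file is only a client-side hint; to make the proxy mandatory, allow outbound 80/443 at the firewall only from the proxy's address.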
Ted

Author

Commented:
The squid proxy will be behind an internet firewall, behind a NAT wall.  Used by PCs that are also behind that NAT wall and are on their own private IP space.
Any special considerations as far as what I allow thru the firewall?
CERTIFIED EXPERT
Top Expert 2014
Commented:
Not really.  From the firewall's point of view Squid will look just like a web browser accessing Web sites.
Ted

Author

Commented:
And from the outside do I have to let port 80 in to my squid proxy?
CERTIFIED EXPERT
Top Expert 2014
Commented:
Simple answer no.

Slightly complex answer.  

You need to allow traffic FROM port 80/443 inbound to squid, but most firewalls today automatically allow this if you specify a rule to allow outbound traffic to port 80/443.


Unless you are trying to use Squid as a reverse proxy server.  If so, then yes.
Ted

Author

Commented:
I think I see what you're saying.  The firewall, being stateful, will allow return traffic from those web sites in which my internal workstations (but now in my case, the proxy) have initiated contact.

Since I want the squid to just proxy outgoing http/https requests, then you are correct in that I do not want it to be a reverse proxy.

That all correct?

Last question and I'll call it a day...I guess it is obvious that the proxy is the one that is hitting the DNS servers for all uncached DNS lookups.  Right?
CERTIFIED EXPERT
Top Expert 2014
Commented:
--> That all correct?

Correct.

The proxy is doing the DNS lookups.  I don't know exactly why you are installing Squid, but there are at least two add-on programs, DansGuardian and SquidGuard, you might be interested in.

SquidGuard allows you to block hosts based on IP address or host name.  DansGuardian allows you to block hosts based on content.  So if you want, and are allowed, you could use these to prevent access to specific sites.

I personally have used Squid along with both of these at my house to prevent my sons from "accidentally" stumbling across adult sites.
Ted

Author

Commented:
Awesome, thank you!  I wish I had more points to give.  You've been a great source.
Ted

Author

Commented:
Thank you.