    Squid Proxy - Configuring as an External Proxy?

    IT Discussion
    squid proxy fedora29 acl
    • W
      wrx7m
      last edited by

      I am setting up a Squid proxy server on Fedora 29 (via Vultr). The goal is to allow access only from a certain range of IP addresses (our corporate office WAN IP range).

      My first question involves the ACLs. In the squid.conf file, it has numerous default ACL entries for "localnet". As this is not going to be used locally, I want to make sure that I don't have to somehow specify/designate another type of source for external/public ranges somewhere else. Also, if I comment out all the internal network lines for private IPs, will it cause any issues?

      # Example rule allowing access from your local networks.
      # Adapt to list your (internal) IP networks from where browsing
      # should be allowed
      acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
      acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
      acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
      acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
      acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
      acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
      acl localnet src fc00::/7               # RFC 4193 local private network range
      acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
      
      
      1 Reply Last reply Reply Quote 1
      • B
        black3dynamite
        last edited by black3dynamite

        Without reading more about this, I would guess you add your Office WAN IP (acl localnet src 1.2.3.4/30), save and restart squid. Add a firewall rule to allow access to 3128.

        1 Reply Last reply Reply Quote 2
        • W
          wrx7m
          last edited by wrx7m

          Updating this thread. I ended up setting up the squid.conf file with the following config to get it to work.

          First, at the top of the localnet lines:

          acl localnet src 205.205.205.1/32
          

          Then, I added only the domains that I wanted to provide access to. This whitelisted them.

          acl GOOD dstdomain .google.com
          acl Good dstdomain .domain.ca
          

          Followed by the allow and deny lines:

          http_access allow GOOD
          http_access deny all
          

          Finally, "uncommenting" the Safe ports/services for 80 and 443.

          1 Reply Last reply Reply Quote 2
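
How Squid combines the rules from this thread, shown with a simplified Python model added here (not code from the thread or from Squid): ACLs on one http_access line are ANDed and the first matching line decides, so `http_access allow GOOD` does not consult `localnet`, while `http_access allow localnet GOOD` ties the domain allowlist to the office address. Assumptions: the model handles only `src` and `dstdomain`, uses one spelling for the GOOD ACL, and 198.51.100.7 is a constructed outside address.

```python
import ipaddress

def parse(conf):
    """Collect 'acl NAME TYPE VALUE...' and 'http_access ACTION ACL...' lines."""
    acls = {"all": [("src", "0.0.0.0/0"), ("src", "::/0")]}  # built-in ACL
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], []).extend((tok[2], v) for v in tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_hit(entries, src, host):
    """Values inside one ACL are ORed: any matching value is a hit."""
    for kind, value in entries:
        if kind == "src":
            if ipaddress.ip_address(src) in ipaddress.ip_network(value, strict=False):
                return True
        elif kind == "dstdomain":
            # ".google.com" covers google.com itself and every subdomain
            bare = value.lstrip(".")
            if host == bare or (value.startswith(".") and host.endswith("." + bare)):
                return True
    return False

def decide(conf, src, host):
    """ACLs on one http_access line are ANDed; the first matching line wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_hit(acls[n], src, host) for n in names):
            return action
    return "deny"  # simplification: both sample configs end in "deny all"

ACLS = """
acl localnet src 205.205.205.1/32
acl GOOD dstdomain .google.com .domain.ca
"""
AS_POSTED = ACLS + "http_access allow GOOD\nhttp_access deny all\n"
SOURCE_BOUND = ACLS + "http_access allow localnet GOOD\nhttp_access deny all\n"
OFFICE, OUTSIDE = "205.205.205.1", "198.51.100.7"  # OUTSIDE is a constructed address

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("source-bound", SOURCE_BOUND)):
        for src in (OFFICE, OUTSIDE):
            print(f"{label:13} {src:15} -> {decide(conf, src, 'www.google.com')}")
```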