How to Install Squid & SquidGuard in CentOS

How to Install Squid and SquidGuard in CentOS Overview

A proxy server is a very useful tool for a computer network. Proxy servers are commonly used in computer networks to protect the network from attack, to filter undesirable web content and web pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private, local area networks, to filter, protect and cache content requested by users on that network, this is called “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side “in-front-of” destination webservers in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files, this is called “reverse proxy.”

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid and SquidGuard on a CentOS distribution of Linux.


Types of Proxy Servers

Proxy Server The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server The router sends all traffic on defined ports, to the transparent proxy server, this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Cache) The reverse proxy server or cache server is placed in-front-of or prior-to the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.


Step-by-step instructions

1. Install Squid, start it, and set it to start on boot.

$ su –
# yum install squid
# service squid start
# chkconfig squid on

Check to see if it is listening on port 3128.

# netstat -antp |grep squid
# ps -aux |grep squid

2. Edit the Squid configuration file to change Squid from IPv6 to IPv4. Reload Squid.

# vim /etc/squid/squid.conf

on line 62 change http_port :::3128 to  http_port
save and quit.

# service squid reload
# service squid restart

3. Now that squid is running you can test it out directly from your CentOS Linux machine by setting Firefox to use the Squid web proxy. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration.

set it to:

Now request a web page from Firefox. The request will be forwarded to Squid, running on the local system at the loopback address and port You can also test Squid from a different computer on the network, by adjusting the computer’s web browser settings to use a proxy. In Internet Explorer go to Tools > Internet options > Connections (tab) > LAN settings > Proxy server and set the address to the IP address of the proxy server and the port number to 3128. In Firefox, go to File > Options > advanced > network tab > connection settings > manual proxy configuration, and set the address and port number to the proxy server’s IP address and port number 3128.

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on the release and type of CentOS Linux distribution, the iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. In the meantime, for testing purposes just turn off the iptables firewall.

# service iptables stop

4. You can monitor the access log to see it working.

# tail -f /var/log/squid/access.log 

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above).

5. With Squid working you can now go about installing SquidGuard.

If you do not already have the EPEL repositories, you will need to install additional repositories in CentOS, in order to access to necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL), the epel-release for the current version of Enterprise Linux (EL6). You can find it at the following website: A direct link to the RPM is in the command below. Eventually the link will be outdated and need to be replaced. For 64 bit systems you can change /i386/ to /x86_64/ in the command below.
# yum install

Now install SquidGuard.

# yum install squidGuard

{loadposition adposition6}6. Now that SquidGuard is installed, open Firefox and go to the SquidGuard website: . The SquidGuard website has links to configuration documentation and websites to download blacklists. You need to download a blacklists file. You can go to  and get the link for the blacklists.tar.gz file, then you can use wget to download blacklists.tar.gz, by copying and pasting the link, or you can download it through the Firefox web browser. Squidguard has its own blacklists.tar.gz file, and you will eventually want to replace it with the newer blacklists.tar.gz file that you downloaded. Before you do that, you can create a test blacklists file for SquidGuard to block. To do that you need to create a blacklists directory in the /var/squidGuard/ directory. Now, in the new blacklists directory use vim create and edit a text file named testdomains.

# cd /var/squidGuard
# mkdir blacklists
# cd blacklists
# vim testdomains

type in three lines of text to add some test-domains to block:

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

# cp /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.BAK
# vim /etc/squid/squidGuard.conf

In the config file, add the following text elements in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist blacklists/porn/domains
  urllist blacklists/porn/urls
#   expressionlist blacklists/porn/expressions
#   redirect


dest test {
domainlist testdomains
acl {
admin {
pass any

foo-clients within workhours {
     #   pass good !in-addr !adult any
} else {
pass any

bar-clients {
pass local none

default {
  pass !test any
            rewrite dmz

8. Now compile the SquidGuard blacklists and chown the blacklists to be accessible by Squid.

# squidGuard -b -d -C all
# chown -R squid /var/squidGuard/blacklists 

9. Edit the squid.conf file and then reload Squid.

# vim /etc/squid/squid.conf

add the following line to the squid.conf file around line 28:

url_rewrite_program /usr/bin/squidGuard

# service squid reload
# service squid restart

10. Now open the Firefox browser and test to see if your testdomains are successfully blocked, while every other domain is allowed.

11. If you were successful at blocking the test domains then you can extract and decompress the blacklists.tar.gz file that you downloaded in Step 6. Copy some of the extracted blacklist folders to your /var/squidGuard/blacklists/ directory. Now you will need to edit your squidGuard.conf file to account for the new blacklists areas beyond testdomains, recompile the squidGuard database (if there are errors creating the database file/s then you will need to troubleshoot by editing the squidGuard.conf file), chown the blacklists directory recursively, restart Squid and you should be filtering tons of undesirable domains, urls, keywords, etc.

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published. Required fields are marked *