🦑 Setting Up Squid Proxy with Domain Allowlisting on RHEL
Squid is a powerful caching and forwarding HTTP proxy server commonly used to control outbound traffic, enforce access policies, and secure network communications.
In this guide, you’ll learn how to:
- Install and configure Squid Proxy on RHEL
- Set up Basic Authentication for users
- Maintain an external allowlist of approved domains
- Verify proxy functionality and access restrictions
⚙️ Step 1: Install Required Packages
First, install Squid and supporting tools for authentication and network utilities.
yum -y install squid
yum -y install mlocate
yum -y install httpd-tools
👥 Step 2: Create a Proxy User for Authentication
Set up a username and password that clients will use when connecting through the proxy.
proxy_user=myuser
proxy_password=mypass
htpasswd -b -c /etc/squid/passwd $proxy_user $proxy_password
This command creates /etc/squid/passwd and adds the user with a hashed password for Basic Auth. The -c flag creates (or overwrites) the file, so omit it when adding further users later, and make sure the file is readable by the squid user, since the authentication helper runs as that user.
🚀 Step 3: Enable and Start the Squid Service
Start and enable Squid to ensure it runs at boot.
systemctl start squid
systemctl enable squid
systemctl status squid
You should see an “active (running)” status.
📝 Step 4: Create the Allowed Domains File
To make the configuration modular and easier to maintain, we’ll store allowed domains in a separate file.
Create /etc/squid/allowed_domains.txt:
cat << EOF > /etc/squid/allowed_domains.txt
.cloud-object-storage.appdomain.cloud
.amazonaws.com
.googleapis.com
.windows.net
EOF
Each line represents a domain or subdomain that users are allowed to access through the proxy.
You can add new domains anytime — just append to the file and restart Squid:
echo ".example.com" >> /etc/squid/allowed_domains.txt
systemctl restart squid
⚙️ Step 5: Configure squid.conf
Now, replace the default Squid configuration with the following:
cat << 'EOF' > /etc/squid/squid.conf
#Make sure to allow the cluster's networks through the proxy
acl localnet src 10.15.129.58/21
acl localnet src 9.46.192.217/21
acl allowed_domains dstdomain "/etc/squid/allowed_domains.txt"
#Deny requests to certain unsafe ports
#http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
#http_access allow localhost manager
#http_access deny manager
#Keep the default proxy port
http_port 3128
# Allow access from local networks
http_access allow localnet
http_access allow localhost
# Basic Authentication
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl BASIC_AUTHENTICATION proxy_auth REQUIRED
# Allow access only for authenticated users and allowed domains
http_access allow allowed_domains BASIC_AUTHENTICATION
# Finally, deny all other access
http_access deny all
EOF
🧩 Key highlights:
- acl allowed_domains dstdomain "/etc/squid/allowed_domains.txt" → external file for the domain list
- http_access allow allowed_domains BASIC_AUTHENTICATION → users must authenticate and request an allowed domain
- http_access deny all → everything else is blocked
Because Squid evaluates http_access rules top-down and stops at the first match, the earlier http_access allow localnet line lets clients in the localnet ranges reach any destination without authenticating or matching the allowlist; the allowlist and authentication only apply to clients outside those ranges, so keep localnet as narrow as possible.
🔁 Step 6: Restart Squid to Apply Changes
Restart and verify Squid is running with the updated configuration.
systemctl restart squid
systemctl status squid
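Before restarting, it is worth catching a malformed allowlist entry or an http_access ordering mistake that would silently widen access. The script below is an added example, not part of the original guide; it assumes the file paths used above, and the ALLOWLIST and SQUID_CONF environment overrides are this example's own convention.

```shell
#!/bin/sh
# Pre-restart checks for the Squid setup above (added example, not from the original guide).
# Paths default to those used in this guide; the env overrides are this example's assumption.
ALLOWLIST=${ALLOWLIST:-/etc/squid/allowed_domains.txt}
SQUID_CONF=${SQUID_CONF:-/etc/squid/squid.conf}

# 0 if one allowlist entry is well formed for a dstdomain ACL: an optional leading
# dot (match subdomains), then dot-separated labels, with no scheme, path or port.
valid_domain_entry() {
  printf '%s\n' "$1" | grep -Eq '^\.?([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Check every non-empty, non-comment line of the allowlist; print offenders, return 1 if any.
validate_allowlist() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac
    if ! valid_domain_entry "$line"; then
      printf 'invalid allowlist entry: %s\n' "$line" >&2
      rc=1
    fi
  done < "$1"
  return $rc
}

# Squid applies http_access rules top-down, first match wins. Return 0 (and print the
# lines) if an "allow" rule naming neither the auth ACL nor localhost comes before the
# allowlist rule: clients matching it bypass both the allowlist and authentication.
unauthenticated_allow_before_allowlist() {
  awk '
    /^[[:space:]]*http_access[[:space:]]+allow/ {
      if ($0 ~ /allowed_domains/) exit 0
      if ($0 !~ /BASIC_AUTHENTICATION/ && $0 !~ /[[:space:]]localhost([[:space:]]|$)/) {
        print "bypasses allowlist and auth: " $0; hits++
      }
    }
    END { exit hits ? 0 : 1 }' "$1"
}

# Run both checks, then let Squid parse the config itself when it is installed.
preflight() {
  validate_allowlist "$ALLOWLIST" || return 1
  if unauthenticated_allow_before_allowlist "$SQUID_CONF"; then
    echo "warning: review the http_access order above before restarting" >&2
  fi
  if command -v squid >/dev/null 2>&1; then squid -k parse -f "$SQUID_CONF"; fi
}

# Set PREFLIGHT_RUN=1 to run the checks, e.g. right before "systemctl restart squid".
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then preflight; fi
```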
🧪 Step 7: Test Proxy Access
Define your proxy host IP (replace with your own):
bastion_node=<your_proxy_server_ip>
Test an authenticated request using curl:
curl -x http://$proxy_user:$proxy_password@$bastion_node:3128 https://www.google.com -L -o /dev/null -s -w "%{http_code}\n"
You should receive a 200 HTTP code for allowed domains (note that www.google.com is not in the allowlist created in Step 4, so this particular request only succeeds from a localnet address or after you add .google.com to the file).
For a blocked domain, you should get:
curl: (56) Received HTTP code 403 from proxy after CONNECT
Check the Squid logs for details:
tail -f /var/log/squid/access.log
🌍 Step 8: Configure Proxy Environment Variables (Optional)
If you want your terminal or system to use the proxy globally:
export http_proxy=http://$proxy_user:$proxy_password@$bastion_node:3128
export https_proxy=http://$proxy_user:$proxy_password@$bastion_node:3128
Commands such as curl or yum will then use the proxy automatically. Keep in mind that the credentials are now exposed in the environment (and, if typed interactively, in your shell history) to anything running as that user.
🧠 Troubleshooting
| Problem | Possible Cause | Solution |
|---|---|---|
| Proxy refuses all connections | Incorrect ACL or missing allow rule | Check the order of http_access lines |
| Allowed domain still blocked | Domain missing in allowed_domains.txt | Add it and restart Squid |
| Authentication fails | Wrong password or file path | Recreate /etc/squid/passwd using htpasswd |
| Firewall blocks port 3128 | Firewall not configured | firewall-cmd --add-port=3128/tcp --permanent && firewall-cmd --reload |
✅ Summary
You’ve successfully configured a Squid Proxy Server on RHEL with:
- Basic authentication
- Strict domain allowlisting
- Secure and modular configuration using external files
This setup is ideal for controlled network environments like bastion hosts, corporate networks, or secure clusters.