Sam - March 7, 2017
Squid is an open source, full-featured web proxy cache server that provides proxy and cache services for Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols. Squid can cache and proxy Secure Sockets Layer (SSL) requests, cache Domain Name System (DNS) lookups, and perform transparent caching. It reduces bandwidth use and improves response times by caching and reusing frequently requested web pages. It has extensive access controls and makes a great server accelerator. A Squid proxy server is generally installed on a separate server from the web server that holds the original files, and works by tracking object use over the network. Squid initially acts as an intermediary, simply passing the client’s request on to the server and saving a copy of the requested object. If the same client or other clients request the same object before it expires from Squid’s cache, Squid can serve it immediately, accelerating the download and saving bandwidth.
Squid is used by hundreds of Internet providers around the world to provide their users with the best possible web access. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL. Let’s see how you can set up your own Squid proxy server on Ubuntu 16.04 by following the instructions in this article.
To set up your own Squid proxy server on Ubuntu 16.04, you need to log in to your system with sudo or root user credentials. To do so, connect to your Ubuntu server using PuTTY or ssh.
ssh root@your_server_ip
Next, you need to set up an alternative user account with a reduced scope of influence for day-to-day work.
# adduser kash
You will be asked a few questions, starting with the account password. Fill in any of the additional information if you like, as it is optional.
Next, give this user root privileges by adding it to the sudo group.
# usermod -aG sudo kash
Now you can run commands with superuser privileges using sudo.
Once you have created your general user with sudo privileges, update your system software to pick up missing security patches and the latest available versions using the command below.
# sudo apt-get update && sudo apt-get -y upgrade
Once your system is back with all updates and security patches, move to the next step.
The installation of the Squid proxy server on Ubuntu is pretty straightforward, as it is available in the Ubuntu repositories. Run the command below to install Squid on your system.
# sudo apt-get install squid
Type ‘Y’ for yes and hit the ‘Enter’ key to continue installing the squid package along with its required dependencies.
The default configuration file for Squid is ‘/etc/squid/squid.conf’, which contains the configuration directives that control Squid’s behavior. Before editing the configuration file, take a backup of the original so that you can revert any changes that go wrong.
# cp /etc/squid/squid.conf /etc/squid/squid.conf.org
Squid listens on port 3128 by default. If you would like to change the default listening port, you can do so by editing the ‘http_port’ directive in the configuration file.
# vim /etc/squid/squid.conf
http_port 3128
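Next, to allow access to the HTTP proxy server from all IP addresses, you need to edit the ‘http_access’ directive, as by default the HTTP proxy server will not allow access to anybody. This setting lets any host that can reach the port use the proxy; the following sections restrict access by client IP address and by username and password.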
http_access allow all
Save and close the configuration file, and make sure to restart the Squid service for the changes to take effect.
To use Squid as an HTTP proxy, let’s configure it to use only the client IP address for authentication and restrict all other access.
Open the configuration file using your favourite editor and add a new ACL to it.
# vim /etc/squid/squid.conf
# IP address allowed to use the proxy (matched against the client's source address)
acl k_vm src 111.11.11.11
http_access allow k_vm
Here k_vm is a name identifying the connection to our VM and ‘111.11.11.11’ is our local IP address; replace these with your own name and IP address.
Save and close the file using ‘:wq!’ and restart the Squid service by issuing the command below.
# systemctl restart squid
Next, we are going to test whether our proxy server is working. To do so, open your favourite web browser. In Firefox, for example, go to Options > Advanced > Network > Connection Settings, select Manual proxy configuration, and enter the IP address of your Squid server and its port.
That’s it. Now click ‘OK’ to continue working through your Squid proxy server. You can apply the same settings in any other web browser.
You can now check the log files if you ran into any errors, or if you want to know which websites are being visited through the proxy. The Squid log files are located in the ‘/var/log/squid/’ directory.
# more /var/log/squid/access.log
# more /var/log/squid/cache.log
You can also change the default location of your log files by making changes in the Squid configuration file.
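Once access is restricted, the access log also shows who is being turned away. The following shell function is an added example, not part of the original article; it assumes Squid's default native log format, and the sample log lines and the `198.51.100.7` client address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): count denied requests per
# client in Squid's native access.log format. Fields used:
#   $3 = client address, $4 = result code "/" HTTP status (e.g. TCP_DENIED/403)

summarize_denied() {
    # Reads access.log lines on stdin; prints "<count> <client> <status>",
    # busiest first.
    awk '
        $4 ~ /^TCP_DENIED\// {
            split($4, rc, "/")          # rc[2] is the HTTP status
            count[$3 " " rc[2]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (not real traffic). 403 = rejected by an ACL,
# 407 = proxy authentication required.
sample_access_log() {
    cat <<'EOF'
1488888001.100      0 198.51.100.7 TCP_DENIED/403 3900 GET http://example.org/ - HIER_NONE/- text/html
1488888002.200      0 198.51.100.7 TCP_DENIED/403 3900 GET http://example.org/a - HIER_NONE/- text/html
1488888003.300    120 111.11.11.11 TCP_MISS/200 4512 GET http://example.com/ kash HIER_DIRECT/93.184.216.34 text/html
1488888004.400      0 111.11.11.11 TCP_DENIED/407 4100 GET http://example.com/b - HIER_NONE/- text/html
1488888005.500      0 198.51.100.7 TCP_DENIED/403 3900 GET http://example.org/c - HIER_NONE/- text/html
EOF
}

sample_access_log | summarize_denied
# On the server: summarize_denied < /var/log/squid/access.log
```

A steady stream of 403 denials from an address you do not recognise means the ACLs are doing their job; occasional 407 entries are normal, because a browser's first request is sent without credentials.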
Now let’s see how to configure the Squid proxy server to allow authenticated access using usernames and passwords. We are going to use “ncsa_auth”, which allows Squid to read and authenticate user and password information from an NCSA httpd-style password file when using basic HTTP authentication.
Open the Squid configuration file and add the following lines.
# vim /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
Save and close the configuration file, then run the command below to create a new empty file for storing Squid credentials.
# touch /etc/squid/passwd
Next, use the command below to generate a password for a user such as ‘kash’ who is going to access the Squid proxy server (on Ubuntu, “htpasswd” is provided by the apache2-utils package). You will be prompted to type the password.
# htpasswd -c /etc/squid/passwd kash
The ‘-c’ argument in this command tells “htpasswd” to create the password file, overwriting it if it already exists. After this, restart your Squid service so that the new configuration is loaded.
# systemctl restart squid
When you open your web browser, configured with the FQDN or IP address of your Squid proxy server, a popup will open for authentication. Provide the username and password that we created earlier.
In this section we are going to configure a Squid IP whitelist, to limit connections to the Squid proxy server to particular IPs and to allow specific IP addresses to be exempted from all restrictions.
For this purpose we have to configure ACLs matching our desired IPs and use them together with the http_access directive. Open the Squid configuration file and add the following lines to allow an IP address to connect to the Squid proxy.
# vim /etc/squid/squid.conf
# Allowed clients
acl white_list src xx.xx.xx.xx
http_access allow white_list
http_access deny all
You can add multiple IPs to the whitelist; make sure that the ‘http_access deny all’ entry is always the last one, below the ALLOW entries. To whitelist multiple IPs, create a list of IP addresses in a file and then point the ACL at this file by giving its path.
# vim /etc/squid/allowed_ips.txt
xx.xx.xx.1
xx.xx.xx.2
xx.xx.xx.3
xx.xx.xx.4
Save and close the file, then put the following two lines in the ‘squid.conf’ file, making sure to add this ACL above any restrictive access list entries.
acl allowed_ips src "/etc/squid/allowed_ips.txt"
http_access allow allowed_ips
That’s it. Save and close the configuration file and restart your Squid service to make your whitelisted IPs take effect.
# systemctl restart squid
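The placement advice above matters because Squid checks http_access lines from top to bottom and stops at the first one that matches. The following shell function is an added example, not part of the original article; it flags a catch-all `allow all` rule and any rules placed after a catch-all, and its finding labels and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): lint the order of http_access
# rules. Squid checks them top to bottom and applies the first one that matches.

lint_http_access() {
    # Reads a squid.conf on stdin; prints one finding per line, nothing if clean.
    awk '
        $1 == "http_access" {
            n++
            if (closed != "")
                printf "UNREACHABLE line %d: \"%s %s\" comes after \"%s all\"\n", NR, $2, $3, closed
            else if (NF == 3 && $3 == "all") {
                if ($2 == "allow")
                    printf "OPEN_PROXY line %d: \"allow all\" admits every client\n", NR
                closed = $2             # nothing below this rule is evaluated
            }
            last = $2 " " $3
        }
        END {
            if (n > 0 && last != "deny all")
                print "NO_EXPLICIT_DENY: end the list with \"http_access deny all\""
        }
    '
}

# Constructed sample: rules in the order the walkthrough introduces them.
sample_as_built() {
    cat <<'EOF'
http_access allow all
acl k_vm src 111.11.11.11
http_access allow k_vm
http_access deny all
EOF
}

# Constructed sample: allow rules first, catch-all deny last.
sample_reordered() {
    cat <<'EOF'
acl allowed_ips src "/etc/squid/allowed_ips.txt"
http_access allow allowed_ips
http_access deny all
EOF
}

echo "as built:";  sample_as_built  | lint_http_access
echo "reordered:"; sample_reordered | lint_http_access
# On the server: lint_http_access < /etc/squid/squid.conf
```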
In this article you have learnt about the basic server setup for Ubuntu, and the installation and configuration of the Squid proxy server on Ubuntu 16.04. At the end of this article you will be able to use Squid for caching. This means the contents of site A are saved locally on your Squid server. When a second user requests site A, Squid will deliver the content, so the user gets it somewhat faster. You can check the traffic for malicious content and, if found, remove it. You can restrict access to certain websites. Of course there are some “bad” things Squid allows you to do (control your users, record which sites they visit, etc.).