Squid is a proxy and cache server. It acts as a proxy by forwarding requests to the required destination, and it also saves the requested content. If another request for the same content arrives before the saved copy has expired on the Squid server, Squid serves that copy to the requester, which improves download speeds and saves bandwidth.
Squid proxy server supports caching of content requested through different protocols such as HTTP, SSL requests, DNS lookups and FTP. This guide explains how to install and configure Squid proxy on Ubuntu 20.04.
Install Squid Proxy Server on Ubuntu 20.04
First, update your system packages. Note that for all the commands, I will be running them as the root user.
sudo apt-get update
sudo apt-get upgrade
Next, install squid proxy on Ubuntu 20.04. Installing Squid proxy in Ubuntu 20.04 is easy because it is already available in Ubuntu 20 repositories. Confirm this with the below command.
sudo apt-cache policy squid
To install Squid proxy, run the commands below. They also enable Squid to start on system boot and then check its status.
sudo apt-get install -y squid
sudo systemctl start squid
sudo systemctl enable squid
sudo systemctl status squid
If Squid is properly installed and running, you should see an output as shown:
Configure Squid proxy server on Ubuntu 20.04
The default Squid proxy configuration file is found in /etc/squid/squid.conf. The file already has a number of settings that work as a minimum, but we can modify them to suit our preferences. First, create a backup of the original file.
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.orig
Now, make your custom settings in /etc/squid/squid.conf. Open the file with your preferred file editor.
sudo vim /etc/squid/squid.conf
1. Change squid default port
The default Squid TCP port is 3128. To alter this, open the squid.conf file and look for the http_port line. Change it to your desired port number and save the file.
#http_port 3128
http_port 8080
Make sure to allow the port through the firewall.
sudo ufw allow 8080/tcp
sudo ufw enable
2. Set Squid cache memory size
To set your desired cache memory, use the setting below. In my case, I am using 256 MB.
cache_mem 256 MB
3. Specify DNS name-servers to use
To define your own DNS servers, use the directive as shown.
dns_nameservers 220.127.116.11 18.104.22.168
4. Squid ACL and http_access
Now, edit squid.conf to add rules of your choice. A proxy server is selective about what goes through it. We can allow access from specific networks or IP addresses and deny others. It can also be used to filter traffic by restricting access to certain sites or by blocking content based on certain keywords. This is achieved with ACLs (Access Control Lists), which define what is allowed and what is denied. The http_access directive allows or denies requests based on an ACL.
How to define ACLs for Squid proxy server
ACLs (Access control lists) are statements that define what is allowed to pass through the proxy server and what is denied. Every statement must begin with acl followed by the name of the rule. After the name is the acltype and finally the argument or file. Where files are used, each line in the file must contain only one item.
acl aclname acltype argument ...
acl aclname acltype "file" ...
The default defined ACL rules are as shown. You can choose to disable them by adding # at the beginning of each line. To create new rules, follow the examples below:
Example 1: Allow LAN network through Squid proxy server
Create the acl rule
acl my_lan src 192.168.100.0/24
Now either allow or deny based on the defined rule, using the http_access directive. In our case, we need to allow.
http_access allow my_lan
Note that whenever you create ACL access rules, the last rule should be deny all. Add it only after you have allowed all the required sites; otherwise you might block yourself from accessing some needed sites.
http_access deny all
How to deny access to specific websites in Squid proxy server
When dealing with a number of websites, it is easier and more organized to put all the sites in a file and then reference that file; otherwise you would have to list the sites in the acl rule. In our example, I will create a file called deniedsites.squid in the squid directory.
sudo vim /etc/squid/deniedsites.squid
Add the sites to which you wish to deny access. In my case, I am using facebook and youtube. Save the file afterwards.
Now open squid.conf, create an acl rule for the denied sites, add a deny rule, then save the file.
acl deniedsites dstdomain "/etc/squid/deniedsites.squid"
http_access deny deniedsites
If you were to list the sites in the acl rule:
acl deniedsites dstdomain facebook.com youtube.com
http_access deny deniedsites
Note that every time you make changes, you must restart the Squid server.
systemctl restart squid
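A check for the deniedsites file, added here as an example and not part of the original guide: Squid's dstdomain matches an entry without a leading dot against that exact host name only, so facebook.com alone leaves www.facebook.com reachable. The function name lint_dstdomain_file and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a dstdomain list file.
# dstdomain semantics: "example.com" matches that host only, while
# ".example.com" matches the domain and all of its subdomains.

# Usage: lint_dstdomain_file /etc/squid/deniedsites.squid  (or pipe on stdin)
lint_dstdomain_file() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }     # skip blank lines and comments
        {
            entry = $1
            if (NF > 1)
                printf "line %d: more than one item on the line\n", NR
            if (index(entry, "/") > 0)
                printf "line %d: %s is a URL, dstdomain expects a host name\n", NR, entry
            else if (entry !~ /[^.]\.[^.]/)
                printf "line %d: %s has no dot between labels, likely a typo\n", NR, entry
            else if (entry !~ /^\./)
                printf "line %d: %s matches that exact host only, use .%s for subdomains\n", NR, entry, entry
        }
    ' "$@"
}

# Constructed sample list, including the kinds of slips the checks catch.
sample_deniedsites() {
    cat <<'EOF'
# sites to block
facebook.com
.youtube.com
youtubecom
https://www.facebook.com/
EOF
}

sample_deniedsites | lint_dstdomain_file
```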
How to block traffic based on some keywords in Squid proxy server
Create a file containing the keywords. Use the file name to create an acl rule, then deny the traffic.
sudo vim /etc/squid/keywords.squid
Add your keywords and save.
Edit squid.conf to create the acl and deny rule, then save and remember to restart Squid.
acl keywords url_regex -i "/etc/squid/keywords.squid"
http_access deny keywords
Your file should finally appear with the added rules as below.
To open ports in Squid proxy server, use the command syntax as shown below
acl Safe_ports port <port-number>
How to mask outgoing traffic on Squid proxy server
A proxy server is supposed to hide our identity by exposing the proxy's IP address instead of our own. However, the proxy can let our IP address become known through outgoing HTTP traffic. To prevent this, edit the squid.conf file and disable the Via header. To do this, look for the line with #via on. Uncomment it and change on to off.
# via on
via off
Also, the proxy server should not append the client's IP address to the HTTP requests that it forwards. Disable this by modifying the following lines in the squid.conf file.
To avoid revealing your Squid proxy server, you can remove the Squid proxy headers. Add the lines below under TAG: request_header_access.
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Save the squid.conf file and remember to restart Squid.
systemctl restart squid
How to check Squid configuration errors
The command below points out any errors in your configuration file.
sudo squid -k parse
Configure clients to connect through Squid proxy server
Configure user authentication
First, let us create users and allow them to authenticate through Squid proxy. We need to enable HTTP authentication in the squid.conf file. Install apache2-utils.
apt install -y apache2-utils
Create a file that will be used to store users. Mine is called ‘passwd’. The file should be owned by proxy which is the default Squid user.
touch /etc/squid/passwd
chown proxy: /etc/squid/passwd
Let’s add a user called lorna.
htpasswd /etc/squid/passwd lorna
New password:
Re-type new password:
Adding password for user lorna
Now add the following lines in squid.conf file. After adding, save and restart squid.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
It is important to check the location of basic_ncsa_auth to be sure that you are using the right path and that you do not get errors. Use the command below:
dpkg -L squid | grep ncsa_auth
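Squid evaluates http_access lines from top to bottom and applies the first one that matches, and the stock squid.conf already contains http_access deny all, so rules added below that line never run. The audit below is an added example, not part of the original guide; audit_http_access and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: flag http_access rules that
# can never run. Squid checks http_access top to bottom; first match wins.
# Usage: audit_http_access /etc/squid/squid.conf  (or pipe a config on stdin)
audit_http_access() {
    awk '
        $1 != "http_access" { next }   # skips comments and other directives
        {
            n++
            rule = $2
            for (i = 3; i <= NF; i++) rule = rule " " $i
            if (catchall != "") {
                printf "UNREACHABLE line %d: http_access %s (after \"%s\" on line %d)\n", NR, rule, catchall, catchline
                next
            }
            # A rule whose only ACL is "all" matches every request.
            if (NF == 3 && $3 == "all") { catchall = "http_access " rule; catchline = NR }
        }
        END {
            if (n == 0) print "MISSING: no http_access rules found"
            else if (catchall !~ /deny all$/) print "MISSING: no final http_access deny all"
        }
    ' "$@"
}

# Constructed sample: rules from this guide appended below the stock deny all.
sample_appended() {
    cat <<'EOF'
acl deniedsites dstdomain "/etc/squid/deniedsites.squid"
acl auth_users proxy_auth REQUIRED
http_access allow localhost
http_access deny all
http_access deny deniedsites
http_access allow auth_users
EOF
}

# Constructed sample: the same rules placed above the catch-all deny.
sample_ordered() {
    cat <<'EOF'
acl deniedsites dstdomain "/etc/squid/deniedsites.squid"
acl auth_users proxy_auth REQUIRED
http_access deny deniedsites
http_access allow auth_users
http_access deny all
EOF
}
sample_appended | audit_http_access
```

Order still matters among reachable rules: an http_access allow my_lan placed above http_access deny deniedsites lets LAN clients reach the denied sites.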
Your Squid file should look as below:
To test that your Squid proxy server is working, go to your client web browser, such as Firefox, and configure manual proxy authentication. Open Firefox and click on the three bars on the far right. Under Edit, click on Preferences. Click on Settings under Network Settings. On the page that appears, click on the Manual proxy configuration radio button and fill in your proxy server details. If you wish, you can exclude other IP addresses from the proxy under ‘No proxy for’.
Now confirm that your Squid proxy setup is working. Open the Firefox browser and try to open a restricted site, such as youtube.com in my case. You should see a page saying ‘proxy server refuse connections’.
Now open another site that is not restricted. You should be prompted for authentication, and after entering your username and password, you should be able to access the site.
This has been a step-by-step guide on how to install and configure Squid proxy server on Ubuntu 20.04. I hope you have enjoyed it.