You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

Squid is a proxy and cache server. It acts as a proxy by forwarding requests to the required destination but also saves the requested content. If another server ask for the same information before it it has not expired in the squid server, it serves the same content to the requester, therefore, improving download speeds and saves on bandwidth.

Squid proxy server supports caching of content requested through different protocols such as http, SSL requests, DNS lookups and FTP. This guides explains how to install and configure Squid proxy on Ubuntu 20.04

Squid Proxy Server on Ubuntu 20.04

First, update your system packages. Note that for all the commands, I will be running them as root user

sudo apt-get update
sudo apt-get upgrade

Next, install squid proxy on Ubuntu 20.04. Installing Squid proxy in Ubuntu 20.04 is easy because it is already available in Ubuntu 20 repositories. Confirm this with the below command.

sudo apt-cache policy squid

Output

To install Squid proxy, run the below commands. Also enable to start on system boot then check status

sudo apt-get install -y squid
sudo systemctl start squid
sudo systemctl enable squid
sudo systemctl status squid

If squid is properly installed and running, you should an output as shown:

Configure Squid proxy server on Ubuntu 20.04

The default Squid proxy configuration file is found in /etc/squid/squid.conf. The file already has a number of setting that work at the minimum but we can modify to suit our preference. First, create a backup of the original file.

sudo cp /etc/squid/squid.conf  /etc/squid/squid.conf.orig

Now, do your custom settings in /etc/squid/squid.conf. Open the file with your preferred file editor

sudo vim /etc/squid/squid.conf

1. Change squid default port

The default Squid tcp port is 3128.To alter this, open squid.conf file and look for http_port line. Change to your desired port number and save the file.

#http_port 3128
http_port 8080

Make sure to allow the port though the firewall

sudo ufw allow 8080/tcp
sudo ufw enable

2. Set Squid cache memory size

To set your desired cache memory, use the settings below. For my case, I am using 256 MB

cache_mem 256 MB

3. Specify DNS name-servers to use

To define your own DNS servers, use the command as shown

dns_nameservers 8.8.8.8 8.8.4.4

4. Squid ACL and http_access

Now, edit squid.conf to add rules of your choice. A proxy server is selective of what goes through it. We can allow access from specific networks/ IP addresses and deny others. It can also be used to filter traffic by restricting access to certain sites or by blocking content based on certain keywords. This is achieved by use of ACLs (Access Control Lists), which define what is allowed and what is denied. Http_access define the allow or deny based on an ACL.

How to define ACLs for Squid proxy server

ACLs (Access control lists) are statements that define what is allowed to pass through the proxy server and what is denied. Every statement must begin with acl followed by the name of the rule. After the name is the acltype and finally the argument or file. Where files are used, each line in the file must contain only one item.

acl aclname acltype argument..
acl aclname acltpe “file”…

The default defined ACL rules are as shown. Tou can choose to disable the by adding # at the beginning of each line. To create new rules, follow the examples below:

Examples1: Allow LAN network through Squid proxy server

Create the acl rule

acl my_lan src 192.168.100.0/24

Now either allow or deny based on the defined rule, with the use of http_access directive. In our case, we need to allow

http_access allow my_lan

Note that the last rule every time you create ACL access rules should be the deny all. This should be done when you have allowed all the required sites otherwise you might block yourselves from accessing some needed sites.

http_access deny all

How to deny access to specific websites in Squid proxy server

When dealing with a number of websites, it is easier and more organized to put all the sites in a file then call it, otherwise you would list the cites in the acl rule. In our example, I will create a file called deniedsites.squid in the squid directory.

sudo vim /etc/squid/deniedsites.squid

Add the sites that you wish to deny access. For my case, I am using facebook and youtube. Save the file after.

.facebook.com
.youtube.com

Now open squid.conf and create an acl rule for the denied sites and add a deny rule then save the file.

acl deniedsites dstdomain “/etc/squid/deniedsites.squid”
http_access deny deniedsites

If you were to list the sites in the acl rule:

acl deniedsites dstdomain facebook.com youtubecom
http_access deny deniedsites

Note that everytime you make changes, you must restart squid server

systemctl restart squid

How to block traffic basing on some keywords in Squid proxy server

Create a file containing the key words. Use the file name to create an acl rule the deny traffic.

sudo vim /etc/squid/keywords.squid.

Add you keywords and save.

gamble
nudes

Edit squid.conf to create acl and deny rule the save and remember to restart squid.

acl keywords url_regex -i "/etc/squid/keywords.squid"
http_access deny keywords

Your file finally appear with the added as below.

For ACLs

For http_access

To open ports in Squid proxy server, use the command syntax as shown below

acl Safe_ports port <port-number>

How to mask outgoing traffic on Squid proxy server

A proxy server is suppose to hide our identity by exposing the proxy IP address instead of our own. However, the proxy can let our IP get known via http outgoing traffic. To disable this, edit squid.conf file and disable via headers. To do this, check for the line with #via on. Uncomment and change from on to off.

# via on
via off

Also Proxy server should not append clients IP address in the http requests which it forwards. Disable this by modifying the following lines in squid.conf file.

To avoid revealing your Squid proxy server, you can remove Squid proxy header. Add the line below in TAG; request_header_access.

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all 
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

Save squid.conf file and remember to restart squid

systemctl restart squid

How to check Squid configuration errors

The command below will point out where there could be errors in your configuration file

sudo squid -k parse

How to configure clients to connect through Squid proxy server

Configure user authentication

First, let us create and allow users to authenticate through Squid proxy. We need to enable http authentication in squid.conf file. Install apache2-utils.

apt install -y apache2-utils

Create a file that will be used to store users. Mine is called ‘passwd’. The file should be owned by proxy which is the default Squid user.

touch /etc/squid/passwd
chown proxy: /etc/squid/passwd

Let’s add a user called lorna

htpasswd /etc/squid/passwd lorna
New password:
Re-type new password:
Adding password for user lorna

Now add the following lines in squid.conf file. After adding, save and restart squid.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

It is important to check the location of basic_ncsa_auth to be sure that you are using the right path and that you do not get errrors. Use the command below:

dpkg -L squid | grep ncsa_auth

Your Squid file should look as below:

To test that your Squid proxy server is working, go to your client web browser, such as Firefox, and configure manual proxy authentication. Open Firefox, click on the three bars on the far right. Under Edit, click on preference. Click on settings under network settings. On the page that appears, clock on manual proxy configuration radio button and fill in your proxy server details. You can exclude proxy for other IP addresses if you wish under ‘No proxy for

Now confirm your Squid proxy set up is working. Open the Firefox browser and try to search a restricted site such as youtube.com for my case. You should see a page saying ‘proxy server refuse connections’

Now open another site that is not restricted. You should be prompted for authentication which after entering your username and password, you should be able to access the site.

This has been a step-by-step guide on how to install and configure Squid proxy server in Ubuntu 20.04. I hope you have enjoyed. Below are more elaborate guides for for your daily Linux installations

You can support us by downloading this article as PDF from the Link below. Download the guide as PDF