A Squid proxy server is software running on a computer that acts as a middleman between an end device and a service. For example, if an end user attempts to access www.facebook.com or www.google.com, the proxy server takes the request from the end device and makes the request to the Google and Facebook servers on behalf of the client.
There must be one obvious question floating in your head right now.
Why do I need proxy servers in my network?
1. Performance: Web proxies make fetching web content very fast. This is possible by a feature known as caching. When a user requests a web page from the internet, the proxy fetches the webpage and stores its content in its cache for some time. If any user on that network makes a request for that same webpage, the proxy server simply gives it the content stored in its cache instead of going out to the internet to fetch the webpage. This greatly improves web page performance and provides a great user experience.
3. Internet Sharing
4. Blocks certain URLs and keywords like porn, drugs, gambling, etc. This is especially useful if you want to protect your children from using the internet to their harm. You can also block certain sites, like youtube.com or instant messaging sites, for office users.
5. Improves corporate security.
These are just a few of the many benefits of using a proxy service. Now that we understand the importance of a proxy service for our home and company network, let us go further into discussing how to install and configure it for our network.
There are basically 3 types of proxies.
This guide will attempt to show how to install and use all the proxies mentioned above. But for now, we will look at Transparent Squid Proxy Server Setup.
TRANSPARENT SQUID PROXY SERVER SETUP AND CONFIGURATION
We will run the squid proxy server on a Linux box running Ubuntu 16.04.
To install ubuntu server 16.04, follow this guide: https://topnetworkguide.com/install-ubuntu-server-16-04-virtual-box/
To install DHCP on Ubuntu 16.04, follow this guide: https://topnetworkguide.com/how-to-install-and-configure-dhcp-on-ubuntu-server-16-04/
Install squid using the command #sudo apt-get install squid
Open the squid configuration file with #sudo vi /etc/squid/squid.conf
Locate, uncomment and replace the line that reads acl localhost src x.x.x.x/x with,
acl my_network src 192.168.100.0/24
Also create ACLs for porn or for downloads of certain file types like .exe
acl porn url_regex -i sex adult porn pornography naked hardcore lesbian
acl downloads urlpath_regex \.exe$
You can add as many porn terms and as many download extensions to be blocked as you like.
Now deny porn and downloads and allow our network by typing
http_access deny porn
http_access deny downloads
http_access allow my_network
You can also write it in one line, like this: http_access allow my_network !porn.
You can proceed further to allow my_network only during work hours, from Monday to Friday 8am-5pm.
Simply create an access control list and reference it in the allow rule,
acl workhours time MTWHF 8:00-17:00
http_access allow my_network workhours
You get the idea right?
It is also possible to get a block list on the internet, or lists of bad keywords, and enter them line by line in a file in the squid directory,
#sudo vi /etc/squid/badkeywords
Now create an access control list,
acl badwords url_regex "/etc/squid/badkeywords"
http_access deny badwords
For the transparent proxy to work, locate http_port 3128 and include intercept,
http_port 3128 intercept (You can change the port number if you like)
http_port 8080 (This is added as an alternative port. It may not be necessary, but I usually include it to prevent forwarding errors.)
Do a save and exit.
Type at the terminal, #service squid restart
At the terminal issue the commands,
#sudo modprobe ip_nat_ftp
#sudo modprobe ip_nat_irc
To force all computers to use proxy server, type,
#iptables -t nat -A PREROUTING -s 192.168.100.1 -p tcp --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.1:3128
#iptables -t nat -A POSTROUTING -j MASQUERADE
CONFIGURE IP FORWARDING
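#sudo sysctl -w net.ipv4.ip_forward=1
#sudo sysctl -p /etc/sysctl.conf (to retain the configuration on reboot; this command loads the settings in /etc/sysctl.conf, so net.ipv4.ip_forward=1 must be set in that file)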
Test your setup by using the browser to access a porn site over http; you should get an access denied error.
However, this will not prevent access to porn sites that are encrypted with https. To block porn sites with https, you may have to install SSL certificates on the server and then also install the client certificates on all the clients. This is pretty tedious and not very practical in my opinion.
In my next guide, I will show you how to block http and https using squid but not as a transparent proxy. The steps may involve manually going to all the clients' browsers to input the proxy address, which is much easier. But if you have Active Directory, you can automatically update all your clients with the necessary proxy addresses. STAY TUNED.
If you are having problems with your squid server because of improper squid configuration, and you would like to start afresh, simply type at the terminal, #sudo apt-get purge squid.
Then reinstall squid.
If you have wrong iptables rules and you want to delete them, simply type
#sudo iptables -t nat -v -L POSTROUTING -n --line-numbers (to get the iptables rule line number)
#sudo iptables -t nat -v -L PREROUTING -n --line-numbers (to get the iptables rule line number)
Now delete by typing:
#sudo iptables -t nat -D POSTROUTING 3 (where 3 will be the line number of that rule)
#sudo iptables -t nat -D POSTROUTING 1 (where 1 will be the line number of that rule)
You may also wish to give your squid server a visible name. Open up #sudo vi /etc/squid/squid.conf and locate visible_hostname
Now type visible_hostname carehealth.local (or your domain name)
You may also want your error message to show an email address so that users can reach you with their problems. Open up
#sudo vi /etc/squid/squid.conf and locate cache_mgr. Now type:
cache_mgr firstname.lastname@example.org (or whatever your email address is)
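NOTE: Pay very close attention to the order of your access control list rules. Squid checks the http_access lines from top to bottom and stops at the first one that matches, so it may be better to place deny rules above allow rules.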
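To see why the order matters, here is a small Python model of first-match evaluation using the ACLs from this guide. It is an added example, not part of Squid or of the original guide; the closing "http_access deny all" line, the client address and the sample URLs are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACLs from the guide; "all" stands in for Squid's built-in ACL of that name.
ACLS = {
    "my_network": ("src", ["192.168.100.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
    "porn": ("url_regex", ["sex", "adult", "porn", "pornography",
                           "naked", "hardcore", "lesbian"]),
    "downloads": ("urlpath_regex", [r"\.exe$"]),
}

def acl_matches(name, client_ip, url):
    """True if the named ACL matches; values inside one ACL are OR-ed."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":      # whole URL, case-insensitive (-i)
        return any(re.search(v, url, re.I) for v in values)
    parts = urlsplit(url)        # urlpath_regex: path plus query string
    path = parts.path + ("?" + parts.query if parts.query else "")
    return any(re.search(v, path) for v in values)

def evaluate(rules, client_ip, url):
    """Walk http_access lines top-down; the first matching line decides."""
    for action, names in rules:
        # ACLs on one line are AND-ed; a leading "!" negates that ACL.
        if all(acl_matches(n.lstrip("!"), client_ip, url) != n.startswith("!")
               for n in names):
            return action
    # Nothing matched: the opposite of the last line's action applies.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order used in the guide, closed with an assumed "http_access deny all".
GUIDE_ORDER = [("deny", ["porn"]), ("deny", ["downloads"]),
               ("allow", ["my_network"]), ("deny", ["all"])]
# Same lines with the allow moved to the top.
ALLOW_FIRST = [("allow", ["my_network"]), ("deny", ["porn"]),
               ("deny", ["downloads"]), ("deny", ["all"])]

if __name__ == "__main__":
    client = "192.168.100.25"                      # constructed sample client
    for url in ("http://example.com/index.html",   # constructed sample URLs
                "http://example.com/setup.exe",
                "http://essex-library.example/hours"):
        print(url, evaluate(GUIDE_ORDER, client, url),
              evaluate(ALLOW_FIRST, client, url))
```

With the allow line first, the .exe download is allowed because the deny lines are never reached. The third URL also shows that a plain keyword such as sex blocks unrelated hostnames that merely contain it.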
Further, view the access.log and cache.log files to figure out any possible problems with your squid server
#sudo vi /var/log/squid/access.log
#sudo vi /var/log/squid/cache.log
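Reading access.log by eye gets slow on a busy network, so here is a short Python sketch that summarises it. It is an added example, not part of the original guide; it assumes Squid's native log layout, and the log lines, addresses and URLs in it are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1500000000.101    120 192.168.100.25 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1500000003.412      0 192.168.100.25 TCP_DENIED/403 3912 GET http://example.com/setup.exe - HIER_NONE/- text/html
1500000007.950      0 192.168.100.31 TCP_DENIED/403 3890 GET http://example.net/adult/ - HIER_NONE/- text/html
1500000009.004      0 192.168.100.25 TCP_DENIED/403 3912 GET http://example.org/tool.exe - HIER_NONE/- text/html
1500000012.677     98 198.51.100.7 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None                      # truncated or non-native line
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6]}

def denied_by_client(log_text):
    """Map each client IP to the URLs Squid refused (TCP_DENIED)."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            denied[rec["client"]].append(rec["url"])
    return dict(denied)

def served_outside(log_text, network="192.168.100.0/24"):
    """Clients outside the LAN that were served, i.e. not denied."""
    net = ipaddress.ip_network(network)
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] != "TCP_DENIED" \
                and ipaddress.ip_address(rec["client"]) not in net:
            found.add(rec["client"])
    return sorted(found)

if __name__ == "__main__":
    print(denied_by_client(SAMPLE_LOG))
    print(served_outside(SAMPLE_LOG))
```

The first function confirms that the deny rules are firing after the browser test; any address returned by the second one means the http_access rules are letting through more than my_network.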
Thanks for reading this transparent squid proxy server setup and configuration guide. We hope it helped you. Follow along for more guides on cache proxy setup, forward proxies and reverse proxies.