Squid Proxy Server Setup Guide

A Squid proxy server is software running on a computer that acts as a middleman between an end device and a service. For example, if an end user attempts to access www.facebook.com or www.google.com, the proxy server takes the request from the end device and makes the request to the Google or Facebook server on behalf of the client.
There must be one obvious question floating in your head right now.
Why do I need proxy servers in my network?
1. Performance: Web proxies make fetching web content very fast. This is possible through a feature known as caching. When a user requests a web page from the internet, the proxy fetches the page and stores its content in its cache for some time. If any user on that network requests the same page, the proxy server simply returns the content stored in its cache instead of going out to the internet to fetch it again. This greatly improves web page performance and provides a great user experience.

2. Bandwidth control

3. Internet Sharing

4. Blocks certain URLs and keywords like porn, drugs, gambling, etc. This is especially useful if you want to protect your children from using the internet to their harm. You can also block certain sites, like youtube.com or instant messaging sites, for office users.

5. Improves corporate security.

These are just a few of the many benefits of using a proxy service. Now that we understand the importance of a proxy service for our home and company network, let us go further and discuss how to install and configure it for our network.

There are basically 3 types of proxies.

a. Forward Proxies

b. Reverse Proxies

c. Transparent Proxies.

This guide will attempt to show how to install and use all the proxies mentioned above. But for now, we will look at Transparent Squid Proxy Server Setup.

TRANSPARENT SQUID PROXY SERVER SETUP AND CONFIGURATION

We will run the squid proxy server on a Linux box running Ubuntu 16.04.

To install ubuntu server 16.04, follow this guide: https://topnetworkguide.com/install-ubuntu-server-16-04-virtual-box/
To install DHCP on Ubuntu 16.04, follow this guide: https://topnetworkguide.com/how-to-install-and-configure-dhcp-on-ubuntu-server-16-04/

Install squid using the command #sudo apt-get install squid

Open the squid configuration file by typing #sudo vi /etc/squid/squid.conf

Locate, uncomment and replace the line that reads acl localhost src x.x.x.x/x with

acl my_network src 192.168.100.0/24

Also create ACLs for porn keywords and for downloads of certain file types like .exe:
acl porn url_regex -i sex adult porn pornography naked hardcore lesbian
acl downloads urlpath_regex \.exe$
You can add as many terms and as many download extensions as you want to block.

Now deny porn and downloads and allow our network by typing
http_access deny porn
http_access deny downloads
http_access allow my_network

You can also write it in one line, like this:
http_access allow my_network !porn

You can go further and allow my_network only during work hours, Monday to Friday, 8am-5pm.

Simply create an access control list (the day letters are M, T, W, H for Thursday and F; A would add Saturday),

acl workhours time MTWHF 08:00-17:00

http_access allow my_network workhours

You get the idea right?

It is also possible to get a block list from the internet, or a list of bad keywords, and enter the entries one per line in a file in the squid directory,

#sudo vi /etc/squid/badkeywords

Now create an access control list,

acl badwords url_regex "/etc/squid/badkeywords"

http_access deny badwords

For the transparent proxy to work, locate http_port 3128 and add intercept:
http_port 3128 intercept (You can change the port number if you like.)
http_port 8080 (This is added as an alternative port. It may not be necessary, but I usually include it to prevent forwarding errors.)

Do a save and exit.

Type at the terminal, #service squid restart

At the terminal issue the commands,
#sudo modprobe ip_nat_ftp
#sudo modprobe ip_nat_irc

To force all computers to use the proxy server, type,
#iptables -t nat -A PREROUTING -s 192.168.100.1 -p tcp --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.1:3128
#iptables -t nat -A POSTROUTING -j MASQUERADE

CONFIGURE IP FORWARDING
#sudo sysctl -w net.ipv4.ip_forward=1
#sudo sysctl -p /etc/sysctl.conf (this reloads /etc/sysctl.conf; the setting is retained on reboot only if net.ipv4.ip_forward=1 is set in that file)

Test your setup by using the browser to access a porn site over http; you should get an access denied error.

However, this will not block porn sites that are encrypted with https: the iptables rules above redirect only port 80, and the URL of an https request is encrypted. To block porn sites with https, you may have to install ssl certificates on the server and then also install the client certificates on all the clients. This is pretty tedious and not very practical in my opinion.
In my next guide, I will show you how to block http and https using squid, but not as a transparent proxy. The steps may involve manually going to all the clients' browsers to input the proxy address, which is much easier. But if you have Active Directory, you can automatically update all your clients with the necessary proxy addresses. STAY TUNED.

TROUBLESHOOTING TIPS

If you are having problems with your squid server because of improper squid configuration, and you would like to start afresh, simply type at the terminal, #sudo apt-get purge squid.

Then reinstall squid.

If you have wrong iptables rules and you want to delete them, simply type

#sudo iptables -t nat -v -L POSTROUTING -n --line-numbers (to get the iptables rule line number)

#sudo iptables -t nat -v -L PREROUTING -n --line-numbers (to get the iptables rule line number)

Now delete by typing:

#sudo iptables -t nat -D POSTROUTING 3 (where 3 will be the line number of that rule)

#sudo iptables -t nat -D POSTROUTING 1 (where 1 will be the line number of that rule)

You may also wish to give your squid server a visible name. Open up #sudo vi /etc/squid/squid.conf and locate visible_hostname

Now type visible_hostname carehealth.local (or your domain name)

You may also want your error message to show an email address so that users can reach you with their problems. Open up

#sudo vi /etc/squid/squid.conf and locate cache_mgr. Now type:

cache_mgr support@carehealth.local (or whatever your email address is)

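NOTE: Pay very close attention to the order of your access control list rules. Squid checks http_access lines from top to bottom and stops at the first one that matches, so it may be better to place deny rules above allow rules.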
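The rule-ordering point above, as an added example (not part of the original guide and not Squid's own code): a small Python model of first-match http_access evaluation, run against the ACLs defined in this guide. It also shows two coverage gaps in those ACLs: the unanchored word list blocks unrelated URLs that contain the same letters, and \.exe$ without -i misses upper-case extensions. The client addresses and URLs are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# ACLs copied from the guide's squid.conf lines, modelled as predicates.
PORN_WORDS = "sex adult porn pornography naked hardcore lesbian".split()
ACLS = {
    # acl my_network src 192.168.100.0/24
    "my_network": lambda r: ip_address(r["src"]) in ip_network("192.168.100.0/24"),
    # acl porn url_regex -i ...  (case-insensitive, matches anywhere in the URL)
    "porn": lambda r: any(re.search(w, r["url"], re.I) for w in PORN_WORDS),
    # acl downloads urlpath_regex \.exe$  (no -i, so case-sensitive)
    "downloads": lambda r: re.search(r"\.exe$", urlsplit(r["url"]).path) is not None,
}

def matches(name, req):
    """Evaluate one ACL name; a leading '!' negates it, as in squid.conf."""
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)

def evaluate(rules, src, url):
    """First http_access line whose ACLs all match decides the request."""
    req = {"src": src, "url": url}
    for action, names in rules:
        if all(matches(n, req) for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# The guide's order: deny lines first, then the allow.
GUIDE_ORDER = [("deny", ["porn"]), ("deny", ["downloads"]), ("allow", ["my_network"])]
# Same lines with the allow moved to the top: the deny lines become unreachable.
ALLOW_FIRST = [("allow", ["my_network"]), ("deny", ["porn"]), ("deny", ["downloads"])]
# The one-line form from the guide.
ONE_LINE = [("allow", ["my_network", "!porn"])]

if __name__ == "__main__":
    lan = "192.168.100.20"  # constructed client address inside my_network
    for url in ("http://porn.example/", "http://www.essex.example/council",
                "http://files.example/setup.exe", "http://files.example/SETUP.EXE"):
        print(url, evaluate(GUIDE_ORDER, lan, url), evaluate(ALLOW_FIRST, lan, url))
```

Writing the downloads ACL as acl downloads urlpath_regex -i \.exe$ closes the upper-case gap; the over-blocking from short words such as "sex" is a property of unanchored keyword matching and needs a more specific pattern or a domain list.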

Further, view the access.log and cache.log files to figure out any possible problems with your squid server:

#sudo vi /var/log/squid/access.log

#sudo vi /var/log/squid/cache.log
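A quick way to confirm from access.log that the deny rules are firing, as an added example (not from the original guide): this Python snippet counts Squid result tags and lists the TCP_DENIED requests per client. The log lines are constructed samples in Squid's default native log layout, and summarize is a name chosen for this example.

```python
from collections import Counter, defaultdict

# Constructed sample lines in Squid's default (native) access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1500000001.101     12 192.168.100.20 TCP_DENIED/403 3920 GET http://porn.example/ - HIER_NONE/- text/html
1500000002.202    230 192.168.100.21 TCP_MISS/200 15320 GET http://news.example/ - ORIGINAL_DST/203.0.113.10 text/html
1500000003.303      9 192.168.100.20 TCP_DENIED/403 3935 GET http://files.example/setup.exe - HIER_NONE/- text/html
1500000004.404      3 192.168.100.21 TCP_MEM_HIT/200 15320 GET http://news.example/ - HIER_NONE/- text/html
truncated line
"""

def summarize(lines):
    """Return (result-tag counts, {client: [denied URLs]}) for access.log lines."""
    results = Counter()
    denied = defaultdict(list)
    for line in lines:
        fields = line.split()
        # Skip blank, truncated or otherwise malformed lines.
        if len(fields) < 7 or "/" not in fields[3]:
            continue
        client, result, url = fields[2], fields[3], fields[6]
        tag = result.split("/", 1)[0]  # e.g. TCP_DENIED from TCP_DENIED/403
        results[tag] += 1
        if tag == "TCP_DENIED":
            denied[client].append(url)
    return results, dict(denied)

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for client, urls in denied.items():
        print(client, "denied:", ", ".join(urls))
```

To run it against the live log, pass open("/var/log/squid/access.log") to summarize instead of the sample lines.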

Thanks for reading this transparent squid proxy server setup and configuration guide. We hope it helped you. Follow along for more guides on cache proxy setup, forward proxies and reverse proxies.