A proxy server is server software that acts as a link between a client seeking a resource and the server that provides that resource in information systems. Squid is a Unix-based proxy server that caches Internet material closer to the requestor than the source. Squid is capable of caching a wide range of web items, including those accessible through HTTP and FTP. You can check more here. squid-cache. This article will show you what Squid proxy is all about and why you should understand it. Also, you will also be guided on how to create a basic Squid forward proxy in the demo at the end of the article. Other guides can be found here: How to Install and Configure Nagios on Ubuntu/, How to install MariaDB on Ubuntu/ and What are the differences between dnf and apt package managers?/ and also How to install Apache Tomcat on Ubuntu.
How Caching Works: A resource from the origin server is requested by the website page. - The system looks in the cache to determine if the resource has previously been cached. If the resource has been cached, a cache hit response will be returned, and the resource will be supplied from the cache. Cache loss will occur if the resource is not cached, and the file will be accessed from its original source. The resource will be viewed until it expires, or the cache is removed after it has been cached.
Why should I deploy Squid?
HTTP caches can aid with perceived latency, network consumption, and online application speed. Caches can also be used as a proxy filter, limiting access to specific websites or resources. There are two types of caches: forward and backward.
Types of Caches
Forward Cache: In a network, a forward cache is used to speed up HTTP access. When several browsers access the same cache, the material may be retrieved from the cache rather than being requested from the original server. The following are examples of forward caches:
Reverse Cache: A reverse cache reduces the apparent latency between an HTTP application server and any client.
When a browser fetches an https:// URI, one of the following things happen:
- A CONNECT method request is made to the proxy server, and traffic is transparently forwarded to the destination. The proxy has no ability to filter on URI, path, query string, or other information.
- The browser directly connects to the HTTPS server, bypassing the proxy.
- SslBump Peek and Splice – makes bumping decisions after the origin server is known.
Because the CONNECT method passes any TCP traffic, you should enable this option with care. It is possible to decrypt and monitor the SSL traffic using Squid. However, there are legal, ethical, and security concerns in doing so.
Cache hierarchies are an extension of the caching concept. Working together, a group of cache servers can improve caching efficiency, route traffic to the optimal link, and accommodate a larger number of customers. There are two sorts of cache server hierarchy configurations that may be combined and matched.
Peer to Peer: Cache servers check with all or some of their peers to see whether they have cached material, and if they haven’t, the cache server requests the content.
Parent/Child: Cache servers query a parent server whether it has anything, and the parent retrieves it on the child’s behalf.
Squid – Basic Configuration
The main squid configuration file, squid.conf, can be found in the following locations:
Commonly configured options include:
- http_port: Port to listen on for incoming proxy requests.
- http_access: Allow or deny access to certain HTTP requests.
- hierarchy_stoplist: Set of strings which disable the cache hierarchy settings.
Squid can also parse and check its syntax with a built-in syntax checker:
# squid -k parse
The -k switch takes the following options as well:
- reconfigure: Reload the configuration file.
- shutdown: Safe shutdown.
- kill: Hard unclean shutdown.
Please consult man squid for more options and details.
Access list begins with an aclname and acltype followed by:
- type-specific argument(s), or
- a quoted filename with one item per line.
Access Control Lists (ACL) format:
acl aclname acltype argument ... acl aclname acltype "file" ...
To see the possible ACL types, review the “Access Controls in Squid” documentation. To enable a parent cache server, use the following configuration option:
cache_peer parent.example.com parent 3128 3130
To enable a sibling peer cache server, use the following configuration option:
cache_peer childcache.example.com sibling 3128 3130
Access to the peer cache can be controlled with the following option:
cache_peer_access <PEER_NAME> <allow|deny> <ACLNAME>
Access control is one of the main reasons to use a proxy. The ACL system of Squid has options to control almost every aspect of an HTTP request. Access control can be restricted by time of day, by domain/URI, by the user (logging into proxy), and by content. Configuration files are processed sequentially.
To enable the ACL named hourlyworkers to only use the proxy during business hours, do:
acl workinghours time MTWHF 08:00-18:00 http_access allow hourlyworkers workinghours http_access deny hourlyworkers
To restrict by a part of the URI, do:
acl banned_reddit url_regex ˆhttp://.*reddit.com/.*$ http_access deny banned_reddit
To allow only authenticated users to use the following configuration, do:
acl valid_users proxy_auth REQUIRED http_access allow valid_users http_access deny all
When building ACLs or configuration files for Squid, remember that the first match wins. Therefore, start your ACLs with the most specific options in the beginning.
Create a Basic squid Forward Proxy
Ascertain that squid is installed enabled
$apt install squid
verify the default route by using the command below
$ ip route
verify the IP address by using the command below
Create an ACL for your network. Edit/etc/squid/squid. conf
#acl localnet src 192.168.125.160/24
Locate where you can insert your own rules as shown below in the screenshot below
Explicitly allow HTTP access for the newly created ACL
http_access allow localnet src 18.104.22.168/25
Test the syntax of squid.conf
squid -k parse
Start or restart the Squid daemon
systemctl restart squid
Test the proxy
by visiting any known website like CNN.com on your VM's browser
Visit a known non-existent URI (http://abcdcef.example.com).
You should notice a squid error when u visit the non-existent page
Squid is a Unix-based proxy server that caches Internet material closer to the requestor than the source. It can be installed and configured by following the steps above.