How to Set Up and Configure a Squid Proxy Server

A proxy server is server software that acts as a link between a client seeking a resource and the server that provides that resource in information systems. Squid is a Unix-based proxy server that caches Internet material closer to the requestor than the source. The software is capable of caching a wide range of web items, including those accessible through HTTP and FTP. You can check more here. squid-cache. This article will show you what Squid proxy is all about and how to set up and configure a squid proxy server.

Also, it will guide you on how to create a basic Squid forward proxy in the demo at the end of the article.

Other guides can be found here: How to Install and Configure Nagios on Ubuntu/, How to install MariaDB on Ubuntu/ and What are the differences between dnf and apt package managers?/ and also How to install Apache Tomcat on Ubuntu.

How does Caching Work?

A resource from the origin server is requested by the website page. The system looks in the cache to determine if the resource has previously been cached.

If the resource has been cached, a cache hit response will be returned, and the resource will be supplied from the cache. Cache loss will occur if the resource is not cached, and the file will be accessed from its original source. The resource will be viewed until it expires, or the cache is removed after it has been cached.

Why should I Set Up Squid?

HTTP caches can aid with perceived latency, network consumption, and online application speed. Thus, you can use caches as a proxy filter, limiting access to specific websites or resources. There are two types of caches: forward and backward.

Types of Caches

Forward Cache

In a network, a forward cache helps to speed up HTTP access. When several browsers access the same cache, the material may be retrieved from the cache rather than requesting it from the original server. The following are examples of forward caches:

• Squid
• Tinyproxy
• Apache.

Reverse Cache

A reverse cache reduces the apparent latency between an HTTP application server and any client. 

• Squid
• Nginx
• Tinyproxy
• Apache.

Please see how to Install and update PowerShell version 7 on Windows and Linux or follow the steps below. You may also find the following intersting “Upgrade PowerShell Core Windows or Mac and Linux System“. Here is how to update PowerShell and Package Management via GPO.

Proxy SSL

When a browser fetches an https:// URI, one of the following things happen:

• A CONNECT method request is made to the proxy server, and traffic is transparently forwarded to the destination. Besides, the proxy has no ability to filter on URI, path, query string, or other information.
• The browser directly connects to the HTTPS server, bypassing the proxy.
• SslBump Peek and Splice – makes bumping decisions after the origin server is known.

Because the CONNECT method passes any TCP traffic, you should enable this option with care. It is possible to decrypt and monitor the SSL traffic using Squid. However, there are legal, ethical, and security concerns in doing so.

Please see “Fix broken Repository Path in Veeam Scale-Out Backup Repository“, and  “how to fix missing path and delete a Veeam Backup Repository“.

Cache Hierarchy

Cache hierarchies are an extension of the caching concept. Hence, working together, a group of cache servers can improve caching efficiency, route traffic to the optimal link, and accommodate a larger number of customers. There are two sorts of cache server hierarchy configurations that may be combined and matched.

Peer to Peer: Cache servers check with all or some of their peers to see whether they have cached material, and if they haven’t, the cache server requests the content.

Parent/Child: Cache servers query a parent server whether it has anything, and the parent retrieves it on the child’s behalf.

How to set up and configure Squid

The main squid configuration file, squid.conf, can be found in the following locations:

/etc/squid/squid.conf
/etc/squid3/squid.conf

Commonly configured options include:

• http_port: Port to listen on for incoming proxy requests.
• http_access: Allow or deny access to certain HTTP requests.
• hierarchy_stoplist: Set of strings which disable the cache hierarchy settings.

Squid can also parse and check its syntax with a built-in syntax checker:

# squid -k parse

The -k switch takes the following options as well:

• reconfigure: Reload the configuration file.
• shutdown: Safe shutdown.
• kill: Hard unclean shutdown.

Please consult man squid for more options and details.

Squid Security Configuration

Access list begins with an aclname and acltype followed by:

• type-specific argument(s), or
• a quoted filename with one item per line.

Access Control Lists (ACL) format:

acl aclname acltype argument …
acl aclname acltype “file” …

To see the possible ACL types, review the “Access Controls in Squid” documentation. To enable a parent cache server, use the following configuration option:

cache_peer parent.example.com parent 3128 3130

You can enable a sibling peer cache server, use the following configuration option:

cache_peer childcache.example.com sibling 3128 3130

You can control access to the peer cache with the following option:

cache_peer_access <PEER_NAME> <allow|deny> <ACLNAME>

Access Control for Squid Set Up

Access control is one of the main reasons to use a proxy. In addition, the ACL system of Squid has options to control almost every aspect of an HTTP request. Access control can be restricted by time of day, by domain/URI, by the user (logging into proxy), and by content. Meanwhile, configuration files are processed sequentially.

To enable the ACL named hourlyworkers to only use the proxy during business hours, do:

acl workinghours time MTWHF 08:00-18:00
http_access allow hourlyworkers workinghours
http_access deny hourlyworkers

To restrict by a part of the URI, do:

acl banned_reddit url_regex ˆhttp://.*reddit.com/.*$
http_access deny banned_reddit

Allow only authenticated users to use the following configuration:

acl valid_users proxy_auth REQUIRED
http_access allow valid_users
http_access deny all

When building ACLs or configuration files for Squid, remember that the first match wins. Therefore, start your ACLs with the most specific options in the beginning.

Create a Basic squid Forward Proxy

Ascertain that squid is installed enabled

$apt install squid

Then, verify the default route by using the command below

$ ip route

Furthermore, confirm the IP address by using the command below

$ip addr

In addition, create an ACL for your network. Edit/etc/squid/squid. conf

#acl localnet src 192.168.125.160/24

Then, locate where you can insert your own rules as shown below in the screenshot below

Explicitly allow HTTP access for the newly created ACL

http_access allow localnet src 192.128.125.160/25

Test the syntax of squid.conf

squid -k parse

Start or restart the Squid daemon

systemctl  restart squid

Finally, test the proxy

by visiting any known website like CNN.com on your VM's browser

Visit a known non-existent URI. You should notice a squid error when u visit the non-existent page

Summary

In conclusion, Squid is a Unix-based proxy server that caches Internet material closer to the requestor than the source. By now, you should know how to set up and configure Squid proxy server. Bear in mind that It can be installed and configured by following the steps above.