Linux

Squid Proxy: How to setup and configure a Proxy Server

squid-proxy-feature

A proxy server is server software that acts as a link between a client seeking a resource and the server that provides that resource in information systems. Squid is a Unix-based proxy server that caches Internet material closer to the requestor than the source. Squid is capable of caching a wide range of web items, including those accessible through HTTP and FTP. You can check more here. squid-cache. This article will show you what Squid proxy is all about and why you should understand it. Also, you will also be guided on how to create a basic Squid forward proxy in the demo at the end of the article. Other guides can be found here: How to Install and Configure Nagios on Ubuntu/, How to install MariaDB on Ubuntu/ and What are the differences between dnf and apt package managers?/ and also How to install Apache Tomcat on Ubuntu.

How Caching Works: A resource from the origin server is requested by the website page.
- The system looks in the cache to determine if the resource has previously been cached.

If the resource has been cached, a cache hit response will be returned, and the resource will be supplied from the cache. Cache loss will occur if the resource is not cached, and the file will be accessed from its original source. The resource will be viewed until it expires, or the cache is removed after it has been cached.

Why should I deploy Squid?

HTTP caches can aid with perceived latency, network consumption, and online application speed. Caches can also be used as a proxy filter, limiting access to specific websites or resources. There are two types of caches: forward and backward.

Types of Caches

Forward Cache: In a network, a forward cache is used to speed up HTTP access. When several browsers access the same cache, the material may be retrieved from the cache rather than being requested from the original server. The following are examples of forward caches:

  • Squid
  • Tinyproxy
  • Apache.

Reverse Cache: A reverse cache reduces the apparent latency between an HTTP application server and any client. 

  • Squid
  • Nginx
  • Tinyproxy
  • Apache.

Proxy SSL

When a browser fetches an https:// URI, one of the following things happen:

  • CONNECT method request is made to the proxy server, and traffic is transparently forwarded to the destination. The proxy has no ability to filter on URI, path, query string, or other information.
  • The browser directly connects to the HTTPS server, bypassing the proxy.
  • SslBump Peek and Splice – makes bumping decisions after the origin server is known.

Because the CONNECT method passes any TCP traffic, you should enable this option with care. It is possible to decrypt and monitor the SSL traffic using Squid. However, there are legal, ethical, and security concerns in doing so.

Cache Hierarchy

Cache hierarchies are an extension of the caching concept. Working together, a group of cache servers can improve caching efficiency, route traffic to the optimal link, and accommodate a larger number of customers. There are two sorts of cache server hierarchy configurations that may be combined and matched.

Peer to Peer: Cache servers check with all or some of their peers to see whether they have cached material, and if they haven’t, the cache server requests the content.

Parent/Child: Cache servers query a parent server whether it has anything, and the parent retrieves it on the child’s behalf.

Squid – Basic Configuration

The main squid configuration file, squid.conf, can be found in the following locations:

/etc/squid/squid.conf
/etc/squid3/squid.conf

Commonly configured options include:

  • http_port: Port to listen on for incoming proxy requests.
  • http_access: Allow or deny access to certain HTTP requests.
  • hierarchy_stoplist: Set of strings which disable the cache hierarchy settings.

Squid can also parse and check its syntax with a built-in syntax checker:

# squid -k parse

The -k switch takes the following options as well:

  • reconfigure: Reload the configuration file.
  • shutdown: Safe shutdown.
  • kill: Hard unclean shutdown.

Please consult man squid for more options and details.

Security Configuration

Access list begins with an aclname and acltype followed by:

  • type-specific argument(s), or
  • a quoted filename with one item per line.

Access Control Lists (ACL) format:

acl aclname acltype argument ...
acl aclname acltype "file" ...

To see the possible ACL types, review the “Access Controls in Squid” documentation. To enable a parent cache server, use the following configuration option:

cache_peer parent.example.com parent 3128 3130

To enable a sibling peer cache server, use the following configuration option:

cache_peer childcache.example.com sibling 3128 3130

Access to the peer cache can be controlled with the following option:

cache_peer_access <PEER_NAME> <allow|deny> <ACLNAME>

Access Control

Access control is one of the main reasons to use a proxy. The ACL system of Squid has options to control almost every aspect of an HTTP request. Access control can be restricted by time of day, by domain/URI, by the user (logging into proxy), and by content. Configuration files are processed sequentially.

To enable the ACL named hourlyworkers to only use the proxy during business hours, do:

acl workinghours time MTWHF 08:00-18:00
http_access allow hourlyworkers workinghours
http_access deny hourlyworkers

To restrict by a part of the URI, do:

acl banned_reddit url_regex ˆhttp://.*reddit.com/.*$
http_access deny banned_reddit

To allow only authenticated users to use the following configuration, do:

acl valid_users proxy_auth REQUIRED
http_access allow valid_users
http_access deny all

When building ACLs or configuration files for Squid, remember that the first match wins. Therefore, start your ACLs with the most specific options in the beginning.

Create a Basic squid Forward Proxy

Ascertain that squid is installed enabled

$apt install squid
enable
apt install squid

verify the default route by using the command below

$ ip route
route
verify route

verify the IP address by using the command below

$ip addr
ipaddress
verify ip address

Create an ACL for your network. Edit/etc/squid/squid. conf

#acl localnet src 192.168.125.160/24
acl-added
editing squid.conf file

Locate where you can insert your own rules as shown below in the screenshot below

ur-rules
insert your own rules

Explicitly allow HTTP access for the newly created ACL

http_access allow localnet src 192.128.125.160/25
rule-added
create your own rules

Test the syntax of squid.conf

squid -k parse
test-squid-1
reconfiguring with squid -k parse

Start or restart the Squid daemon

systemctl  restart squid

Test the proxy

by visiting any known website like CNN.com on your VM's browser

Visit a known non-existent URI (http://abcdcef.example.com). You should notice a squid error when u visit the non-existent page

Summary

Squid is a Unix-based proxy server that caches Internet material closer to the requestor than the source. It can be installed and configured by following the steps above.

Subscribe
Notify of
guest

1 Comment
Inline Feedbacks
View all comments
Rabbit Slayer
Rabbit Slayer
1 month ago

Syntax error correction:

When allowing the ACL, do not specify the src ip:

Explicitly allow HTTP access for the newly created ACL

http_access allow localnet
Last edited 1 month ago by Rabbit Slayer
1
0
Would love your thoughts, please comment.x
()
x