Squid Proxy for Linux Installation and Configuration

A little about Squid Proxy

In this article, Squid Proxy Linux Installation and Configuration, we cover the installation and configuration of the Squid proxy server. Squid is used by many private and public organizations.

Part of Squid's popularity comes from the tool's operational safety and its flexibility: that flexibility allows a wide range of access controls. In addition, Squid runs on several operating systems, including Linux, Windows, and BSD.

Lessons in the Squid and SquidGuard tutorial:

Lesson 1: Squid Proxy Installation and Configuration

Lesson 2: Squid Proxy: Filter clients by IP and MAC

Lesson 3: Squid: User Authentication

Lesson 4: SquidGuard: Installation and Configuration

Lesson 5: SquidGuard: how to import a blocklist

Squid is released under the GNU GPL license, which attracts developers to use the tool and contribute modifications. It is also worth noting that many service providers place Squid between their clients and servers.

Topics covered in Squid Proxy for Linux Installation and Configuration:

1) Squid Installation

Let us walk through installing Squid and performing the initial configuration. Windows users can get the tool from the Squid website: www.squid-cache.org/. On Linux, installation can be done from the distribution repositories:

sudo apt-get install squid

After installation, let's check that Squid is running correctly with the following command:

sudo service squid status

2) Squid Proxy for Linux Configuration

After the installation, we start the configuration phase. We change to the /etc/squid directory and make a backup copy of the configuration file “squid.conf” (note that cd is a shell builtin, so it is run without sudo):

cd /etc/squid

sudo cp squid.conf squid.conf.backup

Next, let us edit the “squid.conf” file and delete all of its lines. We delete the existing lines so the reader can identify each part of the configuration separately.

Once more familiar with the tool, the reader can instead edit specific lines of the original file.

sudo nano squid.conf

First, delete all the lines in the file. Then add the following lines, which define the access ACLs, to “squid.conf”:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

## Deny requests to certain unsafe ports

http_access deny !Safe_ports

## Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Port Squid will listen on

http_port 3128

# only my network is allowed

acl Minha_Rede src 192.168.10.0/24
http_access allow Minha_Rede

# Block all the rest

http_access deny all

The ACL lines above follow one pattern: the keyword acl, the ACL name, the ACL type (here port), and then the port number.

The line “http_access deny !Safe_ports” denies (deny) HTTP access (http_access) to any port that is not (!) in Safe_ports.

The line “http_access deny CONNECT !SSL_ports” denies (deny) CONNECT tunnels to any port that is not (!) in SSL_ports.

Next, we specify the port on which Squid listens. When a client wants to reach a web server, it sends its request to this Squid port, and Squid then makes the web request to the server on the client's behalf.

After that, we create an ACL “Minha_Rede” stating that the source network (src) is “192.168.10.0/24”, and we allow (allow) this network. Replace this range with your own internal network.

Finally, we block everything else: all traffic (all) that did not match an earlier rule is denied (deny).

Then restart Squid for the settings to take effect, check its status, and test the client's internet connection.

sudo service squid restart
sudo service squid status

Clear the browser cache.

If you get errors, check the syslog for Squid messages:

sudo grep squid /var/log/syslog

Configuring the client browser:

The client browser's proxy setting should point to the IP of Squid's LAN interface and to Squid's proxy port. In our case the port is 3128 and the IP is 192.168.10.1.

Testing ACLs

Let us go through some tasks to test the effectiveness of the configured ACLs. Remember that after each change, the Squid server must be restarted:

sudo service squid restart

  1. Change ports 443 and 80 in squid.conf and try to access the internet from the client.
  2. Modify the 192.168.10.0/24 network (or your network) in squid.conf and try browsing from the client.

3) Time-based configuration

Next, we set up Squid's time-based configuration: an ACL that matches only at specific times. The Squid documentation gives the following syntax and day abbreviations for time ACLs:

acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2

Next, let us configure Squid to allow client access only on specific days of the week (here all of them: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday) and only at a specific time (10:00-18:00). Using the table above, these days are written SMTWHFA.

Notice that the permission “http_access allow Minha_Rede” now also requires the ACL “Horario”, so access is allowed only on those days and during those hours.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 3128
acl Minha_Rede src 192.168.10.0/24

#######

acl Horario time SMTWHFA 10:00-18:00 # every day of the week (S M T W H F A), 10:00 to 18:00
http_access allow Minha_Rede Horario # allow only during "Horario"

#######

http_access deny all
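As an added example (not from the original article), this Python model reads a time ACL argument the way the syntax above describes: a token containing ':' and '-' is the h1:m1-h2:m2 range, every other token is read letter by letter with the day table, and Python's Monday-based weekday is converted to Squid's Sunday-based numbering. It shows that a day string such as “S M T W T F” (T repeated) never matches Thursday (H) or Saturday (A); inclusive range boundaries are an assumption of this model, not something the article states.

```python
from datetime import datetime

# Day letters from the Squid table quoted above; Squid numbers days like C's tm_wday
# (Sunday = 0 ... Saturday = 6).
DAY_BITS = {"S": 0, "M": 1, "T": 2, "W": 3, "H": 4, "F": 5, "A": 6}

def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

def parse_time_acl(spec):
    """Parse the arguments of 'acl NAME time ...' into (weekdays, start, stop).

    A token containing ':' and '-' is the h1:m1-h2:m2 range (minutes since midnight);
    every other token is read letter by letter as day abbreviations. Both parts are
    optional in the syntax above: no day token means every day, no range means all day.
    """
    days, start, stop = set(), None, None
    for token in spec.split():
        if ":" in token and "-" in token:
            lo, hi = token.split("-")
            start, stop = _minutes(lo), _minutes(hi)
            if start >= stop:
                raise ValueError("h1:m1 must be less than h2:m2: %s" % token)
        else:
            for letter in token:
                if letter not in DAY_BITS:
                    raise ValueError("unknown day abbreviation %r" % letter)
                days.add(DAY_BITS[letter])
    return (days or set(range(7))), start, stop

def time_acl_matches(spec, when):
    """Return True if the time ACL 'spec' matches 'when' (a datetime or ISO 8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    days, start, stop = parse_time_acl(spec)
    squid_wday = (when.weekday() + 1) % 7  # Python: Monday = 0; Squid/tm_wday: Sunday = 0
    if squid_wday not in days:
        return False
    if start is None:
        return True
    now = when.hour * 60 + when.minute
    return start <= now <= stop  # assumption of this model: boundaries are inclusive

if __name__ == "__main__":
    thursday_noon = "2024-01-04T12:00"  # constructed: 4 January 2024 is a Thursday
    print(time_acl_matches("SMTWHFA 10:00-18:00", thursday_noon))    # True
    print(time_acl_matches("S M T W T F 10:00-18:00", thursday_noon))  # False: no H (Thursday)
```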

With the Horario ACL in place, restart Squid and check its status:

sudo service squid restart
sudo service squid status

Clear the browser cache.

If you get errors, check the syslog for Squid messages:

sudo grep squid /var/log/syslog

Testing the Time ACL

  • Now change the ACL “Horario” to a time range that does not include the current time, restart Squid (sudo service squid restart), and check whether the client can still reach the internet.

4) URL/word based configuration

Next, we restrict web pages based on words in the URL: when we need to block a URL, we can match a word that appears in it. Note that this does not work for HTTPS, because for an HTTPS connection the proxy only sees the host name and port in the CONNECT request, not the full URL.

For HTTPS, we show later how to block by domain. Add the new rules before the line “http_access allow Minha_Rede”, since Squid applies the first http_access rule that matches a request.

Now let's create a blocking (deny) ACL called “Palavras_Proibidas”. This ACL uses the words listed in “/etc/squid/palavras_proibidas.txt” to decide what to block (deny).

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 3128
acl Minha_Rede src 192.168.10.0/24

########

# Restriction using words/URLs

acl Palavras_Proibidas url_regex -i "/etc/squid/palavras_proibidas.txt"
http_access deny Palavras_Proibidas

########

http_access allow Minha_Rede
http_access deny all

Let's explain some important points of this configuration:

  • The ACL “Palavras_Proibidas” is of type url_regex: each line of the file is a regular expression matched against the requested URL, and the -i flag makes the match case-insensitive.
  • The quoted path specifies the file containing the words/URLs, one per line.
  • The line “http_access deny Palavras_Proibidas” denies every request that matches the ACL “Palavras_Proibidas”.

Next, let us create the file used for blocking words in the URL. In our case we created the file “palavras_proibidas.txt” in “/etc/squid/”.

In it we insert the words we want to block in URLs (for example, Felipe, Games).

sudo nano /etc/squid/palavras_proibidas.txt

In our case the file contains two words, one per line: Felipe and bolota.

sudo service squid restart
sudo service squid status

Clear the browser cache.

If you get errors, check the syslog for Squid messages:

sudo grep squid /var/log/syslog

Testing ACL “Palavras_Proibidas”

  • Add another word to palavras_proibidas.txt, restart Squid (sudo service squid restart), and try to browse from the client.

5) Domain based configuration

Next, we configure Squid to restrict access by domain. We create a file and insert into it the domains to be blocked.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 3128
acl Minha_Rede src 192.168.10.0/24

#######

# Domain restriction

acl Dominios_Proibidos dstdomain "/etc/squid/dominios_proibidos.txt"
http_access deny Dominios_Proibidos

#######

http_access allow Minha_Rede
http_access deny all

Let's explain the settings:

  • dstdomain: the ACL type that matches the destination (target) domain of the request.
  • “/etc/squid/dominios_proibidos.txt”: the file where we insert the list of domains.
  • “http_access deny Dominios_Proibidos”: the rule that blocks (deny) the domains listed in the file.

Next, let us create the file where we insert the domains. The file is “dominios_proibidos.txt”, located in “/etc/squid/”. Then we insert the domains into the file.

sudo nano /etc/squid/dominios_proibidos.txt

Insert the domains (the leading dot makes an entry match the domain and all of its subdomains):

  • .youtube.com
  • .facebook.com

sudo service squid restart
sudo service squid status

Clear the browser cache.

If you get errors, check the syslog for Squid messages:

sudo grep squid /var/log/syslog

Testing ACL “Dominios_Proibidos”

  • Add another domain to dominios_proibidos.txt, restart Squid (sudo service squid restart), and try to browse from the client.
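To make the rule-ordering point concrete, here is an added Python example (not from the article) that pulls the http_access lines out of a squid.conf text and evaluates them the way Squid does: top to bottom, the first matching rule wins, a term written !NAME holds when NAME does not match, the built-in ACL all always matches, and when no rule matches the result is the opposite of the last rule. The request profiles (which ACL names match a given request) are constructed for the example; it shows why the deny lines of sections 4 and 5 must sit above “http_access allow Minha_Rede”.

```python
# http_access rules of sections 4 and 5 in the article's order (copied from the article;
# acl lines and comments are skipped, since only http_access lines take part in the decision).
ARTICLE_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Restriction using words/urls and domains
http_access deny Palavras_Proibidas
http_access deny Dominios_Proibidos
http_access allow Minha_Rede
http_access deny all
"""
# The same rules with the allow placed above the deny lines: the mistake to avoid.
WRONG_ORDER = ARTICLE_ORDER.replace("http_access allow Minha_Rede\n", "").replace(
    "http_access deny Palavras", "http_access allow Minha_Rede\nhttp_access deny Palavras")

def parse_http_access(conf_text):
    """Return (action, [terms]) for every http_access line, in file order."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def decide(rules, matched):
    """First matching rule wins; '!NAME' holds when NAME does not match the request."""
    matched = set(matched) | {"all"}  # the built-in ACL 'all' matches every request
    for action, terms in rules:
        if all((t[1:] not in matched) if t.startswith("!") else (t in matched) for t in terms):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last rule

# Constructed request profiles: the ACL names that match each request.
LAN_TO_BLOCKED_DOMAIN = {"Safe_ports", "Minha_Rede", "Dominios_Proibidos"}
LAN_TO_ODD_PORT = {"Minha_Rede"}  # e.g. port 8080, so Safe_ports does not match
OUTSIDER_TO_WEB = {"Safe_ports"}  # source is not in 192.168.10.0/24

if __name__ == "__main__":
    print(decide(parse_http_access(ARTICLE_ORDER), LAN_TO_BLOCKED_DOMAIN))  # deny
    print(decide(parse_http_access(WRONG_ORDER), LAN_TO_BLOCKED_DOMAIN))    # allow
```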

A little more theory about Squid Proxy

Squid manages resources and caches content while acting between clients and servers, and this content cache improves bandwidth use.

The optimization happens because a resource fetched once by one user can be served to other users from the cache; the most frequently accessed static content is stored in Squid's cache.

Since that content is stored in Squid's cache, requests for it are served faster and do not consume Internet bandwidth.

Squid also allows cache servers to be arranged hierarchically, which further optimizes network resources.

Squid can also be deployed in a distributed way by web sites, on the server side, where it reduces resource consumption on the servers.

According to Wikimedia Deployment Information, Squid can quadruple the capacity of web servers placed behind it, because the accessed content is stored in the Squid cache.

Consequently, part of the requests never reaches the web server, which can then handle more requests.

Scenario used for the tests:

Below we describe the scenario used for the tests.

Setting up the client machine:

Figure: virtualized network configuration of the client machine in VirtualBox.

Setting up the Squid machine:

Figure: configuring the LAN interface of the virtual machine running the Squid proxy in VirtualBox.

Figure: configuring the WAN interface of the virtual machine running the Squid proxy.


Juliana Mascarenhas

Data Scientist and Master in Computer Modeling from LNCC.
Computer Engineer.