Squid is probably the best-known and most widely used open-source caching proxy server. It supports several cache-coordination protocols (ICP, HTCP, CARP, WCCP) and can proxy HTTP, HTTPS, FTP and other traffic. Squid scales easily, can filter content or limit bandwidth per user or per site, and supports user authentication (including Active Directory authentication via LDAP or Kerberos). In this article we show how to install and configure a Squid proxy server on Linux.
Installing Squid Proxy Server on Linux
Install the squid package with your distribution's package manager. Depending on your Linux version, use one of the following commands:
- Oracle, Rocky Linux, CentOS, Fedora, or Red Hat Enterprise Linux:
# dnf install -y squid
- SUSE Linux Enterprise Server:
# zypper install squid
- Ubuntu or Debian:
# apt-get install squid
If you want to set up user authentication in Squid, also install the package that provides the htpasswd tool:
- RHEL/CentOS/Fedora:
# dnf -y install httpd-tools
- Debian/Ubuntu:
# sudo apt install apache2-utils
Enable the Squid service in systemd, start it and check its status:
# systemctl enable squid
# systemctl start squid
# systemctl status squid
To see the Squid version and the options it was built with (the --enable-auth-basic, --enable-auth-negotiate and --enable-external-acl-helpers lists tell you which authentication helpers your package ships, for example NCSA and LDAP):
# squid -v
Squid Cache: Version 4.15
Service Name: squid
This binary uses OpenSSL 1.1.1k FIPS 25 Mar 2021. For legal restrictions on distribution see
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-security-cert-validators' '--with-swapdir=/var/spool/squid' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Squid caching proxy server configuration
By default, Squid reads its configuration from /etc/squid/squid.conf. Before editing it, keep a read-only copy of the shipped file:
$ sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
$ sudo chmod a-w /etc/squid/squid.conf.original
You can restore the original configuration later or use it as a reference, since it documents every directive.
Edit the Squid configuration file with any editor:
$ sudo mcedit /etc/squid/squid.conf
Near the beginning of squid.conf, access control lists define which client IP addresses (subnets) are allowed to connect to the proxy. The shipped file already contains acl localnet entries for all RFC 1918 ranges and other private/link-local ranges; if you leave them in, any host on any private network that can reach the proxy is allowed through. To allow only clients on your own local network, replace them with a single entry:
acl localnet src 192.168.50.0/24
Comment out (or delete) the other acl localnet lines. The rule that allows this network is already present in the configuration file:
http_access allow localnet
By default, Squid accepts client connections on TCP port 3128. The port is set by the http_port directive; in this example we change it to 4555:
http_port 4555
If you want the proxy to cache objects on disk, configure a cache directory:
cache_dir ufs /var/spool/squid 5120 32 256
Here ufs is the storage type, /var/spool/squid is the cache directory, 5120 is the cache size in MB, 32 is the number of first-level subdirectories and 256 is the number of second-level subdirectories inside each of them.
Create the cache directory structure on disk (run it as root; squid -z creates the directories for the squid service user configured in squid.conf):
$ sudo squid -z
For user authentication we will use HTTP Basic authentication with a local password file. Create the file and make it owned and readable only by the Squid service user (on Debian/Ubuntu the service user is proxy, not squid):
$ sudo touch /etc/squid/passwd && sudo chown squid /etc/squid/passwd && sudo chmod 600 /etc/squid/passwd
Add a user to the file (-c creates the file; htpasswd prompts for the password):
$ sudo htpasswd -c /etc/squid/passwd username1
When adding further users, omit the -c option: with it, htpasswd recreates the file and removes the users already in it.
Then add the following lines to squid.conf. They must appear before the http_access rules, because Squid requires the auth_param scheme to be defined before any proxy_auth ACL that uses it:
# use basic auth with the local password file
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
# number of helper processes started to validate credentials
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
# how long a validated username/password is cached before it is re-checked with the helper
auth_param basic credentialsttl 8 hours
# treat usernames as case-insensitive
auth_param basic casesensitive off
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
The path of the basic_ncsa_auth helper differs between distributions:
- /usr/lib64/squid/basic_ncsa_auth (Oracle, Rocky Linux, RHEL, CentOS)
- /usr/lib/squid/basic_ncsa_auth (Debian, Ubuntu, Kali Linux)
To validate users against Active Directory over LDAP instead of the local file, point auth_param basic program at the basic_ldap_auth helper (-b search base, -D bind account, -w its password, -f search filter with %s replaced by the username, -R do not follow referrals):
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=woshub,dc=com" -D "<bind account UPN>" -w "<bind account password>" -f "sAMAccountName=%s" <AD domain controller IP address>
The bind password is stored in clear text in squid.conf, so use a dedicated, unprivileged bind account and keep squid.conf readable only by root and the squid service user. Without TLS (the helper's -Z option), the bind password and every user's password also travel to the domain controller in clear text.
Basic authentication has the drawback that the password is sent with every request only Base64-encoded, not encrypted, so anyone who can observe the traffic between client and proxy recovers it trivially (see the decoding example in the article Send email using Telnet with SMTP authentication). Kerberos (Negotiate) authentication against Active Directory is therefore the more secure choice for Squid; if you don't have AD, HTTP Digest authentication at least keeps the password itself off the wire. Both are beyond the scope of this article.
Access is granted with allow and deny http_access rules near the end of squid.conf. Squid evaluates them in order and the first line whose ACLs all match decides, so the final deny all must stay last. For example, to allow access only from the proxy host itself and for authenticated users (auth_users is the proxy_auth ACL defined above):
http_access allow localhost
http_access allow auth_users
http_access deny all
Squid can also block specific websites. Create a file containing the list of blocked domains:
$ sudo vi /etc/squid/blocked_sites
Add the domains, one per line. A leading dot matches the domain and all of its subdomains; without it only the exact name matches (facebook.com alone would not block www.facebook.com):
.facebook.com
.twitter.com
.instagram.com
Then add the following lines to squid.conf. Place the deny line above the allow rules (allow localnet, allow auth_users): because the first matching http_access line wins, a deny placed after them is never reached for the clients those rules allow.
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites
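The two points above (first-match evaluation of http_access, and the leading-dot semantics of dstdomain) are easy to get wrong and hard to see from the config alone. The following script is an added example, not part of the original article or of Squid itself: it models Squid's http_access evaluation for the ACL types used on this page (src, dstdomain, proxy_auth, the built-in all and localhost) and runs the same sample requests through two orderings of the rules. The two squid.conf fragments and the requests are constructed for the demonstration; the blocked-site list is given inline instead of in "/etc/squid/blocked_sites", which Squid treats identically once the file is loaded.

```python
import ipaddress

# Built-in ACLs that Squid defines itself, modelled here as src ACLs.
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "localhost": ("src", ["127.0.0.0/8", "::1/128"]),
}


def parse_conf(text):
    """Collect acl definitions and http_access rules from a squid.conf fragment, in file order."""
    acls = dict(BUILTIN_ACLS)
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if name in acls and acls[name][0] == acl_type:
                values = acls[name][1] + values      # repeated acl lines extend the same list
            acls[name] = (acl_type, values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = req["host"].lower().rstrip(".")
        for v in values:
            v = v.lower()
            if v.startswith("."):                   # leading dot: the domain and every subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                         # no leading dot: the exact name only
                return True
        return False
    if acl_type == "proxy_auth":
        user = req.get("user")                      # None = request carried no valid credentials
        return user is not None and ("REQUIRED" in values or user in values)
    raise ValueError(f"acl type {acl_type!r} is not modelled here")


def http_access(conf, req):
    """First http_access line whose ACLs all match decides. With no match, Squid applies
    the opposite of the last line's action; with no rules at all it denies."""
    acls, rules = conf
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed fragments (not the article's file). APPEND_ORDER is what you get by simply
# appending the deny line after the allow rules; FIXED_ORDER puts it first.
APPEND_ORDER = parse_conf("""
acl localnet src 192.168.50.0/24
acl auth_users proxy_auth REQUIRED
acl blocked_sites dstdomain .facebook.com twitter.com
http_access allow localhost
http_access allow localnet
http_access allow auth_users
http_access deny blocked_sites   # unreachable for anyone the lines above allow
http_access deny all
""")

FIXED_ORDER = parse_conf("""
acl localnet src 192.168.50.0/24
acl auth_users proxy_auth REQUIRED
acl blocked_sites dstdomain .facebook.com twitter.com
http_access deny blocked_sites   # global deny rules go before the allow rules
http_access allow localhost
http_access allow localnet
http_access allow auth_users
http_access deny all
""")

REQUESTS = {
    "lan_to_facebook":  {"src": "192.168.50.10", "host": "www.facebook.com", "user": None},
    "lan_to_twitter":   {"src": "192.168.50.10", "host": "twitter.com", "user": None},
    "lan_to_mobile_tw": {"src": "192.168.50.10", "host": "mobile.twitter.com", "user": None},
    "outsider_anon":    {"src": "203.0.113.5", "host": "example.com", "user": None},
    "outsider_authed":  {"src": "203.0.113.5", "host": "example.com", "user": "username1"},
}


def decide_all(conf):
    return {name: http_access(conf, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, conf in (("append order", APPEND_ORDER), ("fixed order", FIXED_ORDER)):
        print(label, decide_all(conf))
```

With the deny line appended last, every LAN client reaches facebook.com and twitter.com because allow localnet matches first. With the deny line first, both are blocked, but mobile.twitter.com still gets through: the list entry twitter.com has no leading dot, so it matches the exact name only. The same logic applies to the real file: the ACL lines are evaluated exactly in the order they appear in squid.conf.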
After making changes to the Squid configuration file, check it for syntax errors:
$ sudo squid -k parse
If there are no errors, you can apply the new Squid configuration options (you don’t need to restart the daemon):
$ sudo squid -k reconfigure
Allow connections to the proxy port (TCP 4555 in our example) in the host firewall. With firewalld, add the rule to the permanent configuration and then reload; note that firewall-cmd --add-port without --permanent only changes the running ruleset, which the subsequent --reload discards:
# firewall-cmd --permanent --zone=public --add-port=4555/tcp
# firewall-cmd --reload
Better still, restrict the rule to the client subnet (a firewalld rich rule with a source address) instead of opening the port to every host in the zone.
If your Linux server is hosted by a cloud provider (AWS, Azure, Oracle Cloud, etc.), also allow TCP/4555 in the relevant security group, and limit the source there as well: a proxy reachable from the whole Internet that allows localnet without credentials or accepts weak passwords becomes an open proxy and is found and abused within hours.
Check that Squid is listening on the port set in the http_port directive (use ss -tlnp on systems without net-tools):
$ netstat -tulnp
Using curl, check that the proxy is reachable and forwards requests (replace the placeholders with the proxy address and a test URL):
$ curl -x <proxy_ip>:4555 -L <url>
If the reply is 407 Proxy Authentication Required (or an Access Denied page), pass the credentials of a user from the password file:
$ curl -x <proxy_ip>:4555 --proxy-user proxyuser1:NDMk23C3jvm -I <url>
A password given on the command line ends up in shell history and process listings; pass --proxy-user proxyuser1 without the password and curl will prompt for it instead.
Use this command to watch the Squid access log in real time:
$ sudo tail -f /var/log/squid/access.log
If the browser reports The proxy server is refusing connections, the TCP connection itself is failing: check that Squid is running, that http_port is what you expect and that the firewall allows the port. If the connection works but access.log contains lines such as
TCP_DENIED/403 4041 CONNECT
the request reached Squid and an http_access rule denied it: check your ACLs and the order of the rules. TCP_DENIED/407 is the normal authentication challenge Squid sends before the client supplies credentials, not an error.
A successfully authenticated HTTPS request is logged as
TCP_TUNNEL/200 39 CONNECT woshub.com:80 proxyusername HIER_DIRECT/xx.xx.xx.xx
and a plain HTTP request as TCP_MISS/200 (or TCP_HIT/200 when served from cache). The field after the URL is the authenticated username; a dash there means the request was allowed without authentication.
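Reading access.log by eye does not scale, and the three conditions worth catching early (ACL denials, clients that keep receiving 407 challenges and never succeed, and connections allowed from outside localnet with no username) are all visible in the native log format described above. The script below is an added example, not from the original article or the Squid project: it parses the native format by whitespace (the URL field never contains spaces) and summarises those three conditions. The sample log lines are constructed for the demonstration, and the allowed subnet and the 407 threshold are assumptions matching this article's setup.

```python
import ipaddress
from collections import Counter

# Constructed sample in Squid's native access.log format (not a real capture):
# timestamp elapsed client action/status size method url user hierarchy/peer mime-type
SAMPLE_LOG = """\
1700000000.101    45 192.168.50.10 TCP_DENIED/403 4041 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1700000000.205   120 192.168.50.10 TCP_TUNNEL/200 39 CONNECT woshub.com:443 proxyuser1 HIER_DIRECT/192.0.2.44 -
1700000000.310    80 192.168.50.11 TCP_MISS/200 5120 GET http://woshub.com/ proxyuser2 HIER_DIRECT/192.0.2.44 text/html
1700000001.001    10 203.0.113.7 TCP_DENIED/407 3999 CONNECT example.com:443 - HIER_NONE/- text/html
1700000001.002    10 203.0.113.7 TCP_DENIED/407 3999 CONNECT example.com:443 - HIER_NONE/- text/html
1700000001.003    10 203.0.113.7 TCP_DENIED/407 3999 CONNECT example.com:443 - HIER_NONE/- text/html
1700000001.004    10 203.0.113.7 TCP_DENIED/407 3999 CONNECT example.com:443 - HIER_NONE/- text/html
1700000002.500   300 198.51.100.9 TCP_TUNNEL/200 39 CONNECT example.net:443 - HIER_DIRECT/192.0.2.99 -
"""

# Assumed policy from this article: only the local subnet (and the proxy host itself)
# may use the proxy without credentials.
ALLOWED_NETS = [ipaddress.ip_network("192.168.50.0/24"), ipaddress.ip_network("127.0.0.0/8")]
AUTH_CHALLENGE_THRESHOLD = 3    # assumed: this many 407s from one client with no later success


def parse_line(line):
    """Split one native-format line into the fields we need; None for short or garbage lines."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    action, status = f[3].split("/", 1)
    return {"ts": float(f[0]), "client": f[2], "action": action, "status": int(status),
            "method": f[5], "url": f[6], "user": None if f[7] == "-" else f[7]}


def triage(log_text):
    """Summarise ACL denials, suspected credential guessing, and unauthenticated
    outside clients that were nevertheless allowed through."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    acl_denied = Counter()      # (client, destination) -> number of 403 denials
    challenges = Counter()      # client -> number of 407 challenges
    authed_ok = set()           # clients that completed authentication at least once
    open_proxy = []             # (client, destination) allowed with no user from outside localnet
    for e in entries:
        if e["status"] == 403:
            acl_denied[(e["client"], e["url"])] += 1
        elif e["status"] == 407:
            challenges[e["client"]] += 1
        elif e["status"] == 200:
            if e["user"]:
                authed_ok.add(e["client"])
            elif not any(ipaddress.ip_address(e["client"]) in n for n in ALLOWED_NETS):
                open_proxy.append((e["client"], e["url"]))
    auth_guessing = sorted(c for c, n in challenges.items()
                           if n >= AUTH_CHALLENGE_THRESHOLD and c not in authed_ok)
    return {"acl_denied": dict(acl_denied), "auth_guessing": auth_guessing, "open_proxy": open_proxy}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A 407 followed by a 200 with a username is what every authenticated session looks like, so single challenges are ignored; only clients that are challenged repeatedly and never succeed are reported. The open_proxy list is the one to act on immediately: a 200 with no username from an address outside localnet means an http_access rule allows more than intended. To run it against a real log, pass the contents of /var/log/squid/access.log to triage().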
Finally, configure the proxy in the browsers on the users' computers: enter the IP address (or name) of the Squid host and the port in the browser's proxy settings. On domain-joined Windows computers the proxy settings can be deployed centrally through a GPO.