Install and configure Squid proxy server on Ubuntu 20.04

Squid is a proxy and caching server. It acts as a proxy by forwarding requests to the desired destination, and it can also save the content that was requested. If another client requests the same content before the cached copy has expired, Squid serves that same content to the requester, which increases download speed and saves bandwidth.

The Squid proxy server supports caching of content requested through different protocols (such as HTTP, SSL requests, DNS lookups, and FTP). This guide explains how to install and configure the Squid proxy on Ubuntu 20.04.

Squid proxy server on Ubuntu 20.04

First, update the system packages. Please note that I will run all commands as root.

sudo apt-get update
sudo apt-get upgrade

Next, install the Squid proxy on Ubuntu 20.04. This is easy because Squid is already available in the Ubuntu 20.04 repositories. Confirm this with the following command.

sudo apt-cache policy squid

To install the Squid proxy, run the following commands. They also start the service, enable it to start at boot, and check its status.

sudo apt-get install -y squid
sudo systemctl start squid
sudo systemctl enable squid
sudo systemctl status squid

If Squid is correctly installed and running, the status output reports the service as active (running).

Configure Squid proxy server on Ubuntu 20.04

The default Squid proxy configuration file is located at /etc/squid/squid.conf. The file already contains many settings that work as they are, but we can modify it to suit our preferences. First, create a backup of the original file.

sudo cp /etc/squid/squid.conf  /etc/squid/squid.conf.orig

Now make your custom settings in /etc/squid/squid.conf. Open the file with your favorite editor:

sudo vim /etc/squid/squid.conf

1. Change the default port of squid

The default Squid TCP port is 3128. To change it, open the squid.conf file and look for the http_port line. Change it to the desired port number and save the file.

#http_port 3128
http_port 8080

Make sure the port is allowed through the firewall

sudo ufw allow 8080/tcp
sudo ufw enable

2. Set the Squid cache size

To set the amount of memory Squid uses for caching, use the following setting. In my case, I am using 256 MB.

cache_mem 256 MB

3. Specify the DNS name server to use

To define your own DNS servers, use the directive shown below.

dns_nameservers 8.8.8.8 8.8.4.4

4. Squid ACL and http_access

Now edit squid.conf to add the rules of your choice. A proxy server can be selective about what passes through it. We can allow access from a specific network or IP address and deny all others. It can also be used to filter traffic by restricting access to certain sites or by blocking content based on certain keywords. This is achieved through ACLs (access control lists), which define what is allowed and what is denied. The http_access directive then allows or denies access based on an ACL.

How to define ACL for Squid proxy server

An ACL (Access Control List) is a statement that defines what is allowed to pass through the proxy server and what is denied. Each statement must start with acl, followed by the rule name. After the name comes the acltype, and finally an argument or a file. Where a file is used, each line in the file can contain only one item.

acl aclname acltype argument ...
acl aclname acltype "file" ...

Squid ships with a set of ACL rules defined by default. You can disable any of them by adding # at the beginning of the line. To create a new rule, follow the examples below:

Example 1: Allow LAN network via Squid proxy server

Create ACL rules

acl my_lan src 192.168.100.0/24

Now, based on the rule just defined, use the http_access directive to allow or deny access. In our case, we need to allow it:

http_access allow my_lan

Please note that whenever you create ACL access rules, the last rule should be deny all. Squid checks the http_access rules in order and applies the first one that matches, so add deny all only after allowing everything you need; otherwise you may prevent yourself from accessing some necessary sites.

http_access deny all

How to deny access to specific websites in Squid proxy server

When dealing with multiple websites, it is easier and more organized to put all the sites in a file and reference that file; otherwise you have to list every site in the acl rule itself. In our example, I will create a file named deniedsites.squid in the squid directory.

sudo vim /etc/squid/deniedsites.squid

Add the sites you want to deny access to. In my case, I am using facebook and youtube. Save the file afterwards.

.facebook.com
.youtube.com

Now open squid.conf, create an acl rule for the denied sites, add a deny rule, and save the file.

acl deniedsites dstdomain "/etc/squid/deniedsites.squid"
http_access deny deniedsites

If you want to list sites in acl rules:

acl deniedsites dstdomain .facebook.com .youtube.com
http_access deny deniedsites

Please note that every time you make a change, you must restart the Squid server:

systemctl restart squid

How to block traffic based on certain keywords in Squid proxy server

Create a file containing keywords. Create an ACL rule using the file name to deny traffic.

sudo vim /etc/squid/keywords.squid

Add your keywords and save.

gamble
nudes

Edit squid.conf to create the acl and the deny rule, save the file, and remember to restart Squid.

acl keywords url_regex -i "/etc/squid/keywords.squid"
http_access deny keywords

In the end, your squid.conf contains the additions above in two places: the acl lines in the ACL section and the http_access lines in the http_access section.

To open a port in the Squid proxy server, use the directive syntax shown below.

acl Safe_ports port 

How to mask outgoing traffic on Squid proxy server

The proxy server should hide our identity by exposing the proxy IP address instead of our own IP address. However, the proxy can give itself away on outgoing traffic through the HTTP Via header. To disable this, edit the squid.conf file and turn the via directive off. Look for the line # via on, uncomment it, and change on to off.

# via on
via off

In addition, the proxy server should not append the client IP address to the forwarded HTTP request. Disable this feature by modifying the following line in the squid.conf file.

To avoid revealing the Squid proxy server, you can strip the proxy-related headers. Add the following lines under the request_header_access TAG section.

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all 
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

Save the squid.conf file, and remember to restart squid

systemctl restart squid

How to check Squid configuration errors

The following command will point out possible errors in your configuration file

sudo squid -k parse

How to configure the client to connect through the Squid proxy server

Configure user authentication

First, let’s create and allow users to authenticate through Squid proxy. We need to enable http authentication in the squid.conf file. Install apache2-utils.

apt install -y apache2-utils

Create a file for storing users. Mine is called “passwd”. This file should be owned by the default Squid user, proxy.

touch /etc/squid/passwd
chown proxy: /etc/squid/passwd

We add a user named lorna:

htpasswd /etc/squid/passwd lorna
New password:
Re-type new password:
Adding password for user lorna

Now add the lines below to the squid.conf file. After adding them, save the file and restart Squid.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

It is important to check the location of basic_ncsa_auth to ensure that the correct path is used and that there are no errors. Use the following command:

dpkg -L squid | grep ncsa_auth
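Squid checks http_access lines from top to bottom and the first matching line decides, so where each rule from this guide sits in squid.conf matters. The script below is an added example, not part of the original guide: it models that first-match walk for the guide's ACL names (my_lan, deniedsites, keywords, auth_users). The function name http_access_decision and both rule sets are constructed for illustration, and the caller states which ACLs a request matches instead of the script computing it.

```shell
# Added example, not from the original guide.
# usage: http_access_decision CONF "names of the ACLs this request matches"
http_access_decision() {
    awk -v matched="$2" '
        BEGIN {
            n = split(matched, m, " ")
            for (i = 1; i <= n; i++) hit[m[i]] = 1
            hit["all"] = 1                  # built-in ACL that matches every request
        }
        $1 == "http_access" && ($2 == "allow" || $2 == "deny") {
            last = $2; ok = 1
            for (i = 3; i <= NF; i++) {     # all ACLs on one line must match (AND)
                name = $i; neg = 0
                if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
                present = (name in hit) ? 1 : 0
                if (present == neg) { ok = 0; break }
            }
            if (ok) { print $2; decided = 1; exit }
        }
        END {
            if (decided) exit
            # Nothing matched: Squid falls back to the opposite of the last
            # rule, and denies when there are no http_access rules at all.
            if (last == "deny") print "allow"
            else print "deny"
        }
    ' "$1"
}

# Constructed rule sets using the ACL names from this guide.
WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat > "$WEAK" <<'EOF'
http_access allow my_lan
http_access deny deniedsites
http_access deny all
http_access allow auth_users
EOF
cat > "$FIXED" <<'EOF'
http_access deny deniedsites
http_access deny keywords
http_access allow my_lan
http_access allow auth_users
http_access deny all
EOF

# A LAN client requesting a site listed in deniedsites.squid matches both ACLs.
echo "weak order:  $(http_access_decision "$WEAK" "my_lan deniedsites")"
echo "fixed order: $(http_access_decision "$FIXED" "my_lan deniedsites")"
```

In the weak order the LAN client still reaches the denied site, and the auth_users rule placed after deny all is never reached.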

To test whether your Squid proxy server is working properly, go to a web browser on the client, for example Firefox, and configure a manual proxy. Open Firefox and click the horizontal bars on the far right. Under Edit, click Preferences. Click Settings under Network Settings. On the page that appears, select the Manual proxy configuration radio button and fill in your proxy server details. If needed, you can exclude other IP addresses from the proxy under No proxy for.

Now confirm that your Squid proxy settings work. Open Firefox and try to browse to a restricted website (e.g. youtube.com, in my case). You should see a page that says “Proxy server refused to connect”.

Now open another unrestricted site. You should be prompted for authentication, and after entering your username and password, you should be able to access the site.

This has been a step-by-step guide on how to install and configure Squid proxy server on Ubuntu 20.04. I hope you liked it. Below are more guides for your everyday Linux installations:

  • How to install and configure HAProxy on Debian 10 (Buster)
  • How to configure Nginx proxy for Semaphore Ansible Web UI
  • How to install Envoy proxy on Ubuntu/Debian Linux
  • How to manage HAProxy server from web interface
