Squid is probably the most famous and popular open source caching proxy server. The Squid proxy server supports a large number of caching protocols (ICP, HTCP, CARP, WCCP) and can proxy HTTP, HTTPS, FTP and other traffic. Squid is easily scalable, it can be used to filter content and control the speed of access to sites for different categories of users, and it supports user authentication (including Active Directory users via LDAP). In this article, we'll look at a typical installation of a Squid proxy server on Linux.
Installing a Squid Proxy Server on Linux.
Install the Squid package on the host using your package manager. Depending on your Linux version, run one of the following commands:
- Oracle, Rocky, CentOS or Red Hat Enterprise Linux: dnf install -y squid
- SUSE Linux Enterprise Server: zypper install squid
- Ubuntu or Debian: apt-get install squid
If you want to use user authentication in Squid, you also need to install the package that provides the htpasswd tool:
- On RHEL/CentOS/Fedora: dnf -y install httpd-tools
- On Debian/Ubuntu: sudo apt install apache2-utils
Add the Squid service to Linux startup via systemd, start the service and check the status:
systemctl enable squid
systemctl start squid
systemctl status squid
To display the Squid version and all the options that squid was built with, run:
squid -v
Squid Cache: Version 4.15
Service Name: squid
This binary uses OpenSSL 1.1.1k FIPS 25 Mar 2021. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-security-cert-validators' '--with-swapdir=/var/spool/squid' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Configuring Squid Caching Proxy Server.
By default, squid uses the /etc/squid/squid.conf configuration file.
Before editing this file, make a copy of it and write-protect it:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
sudo chmod a-w /etc/squid/squid.conf.original
Later, you can return to the original configuration file or use it as a reference for the available directives.
To edit the squid configuration file, run:
sudo mcedit /etc/squid/squid.conf
At the beginning of the Squid configuration file, an access control list is defined that lists the client IP addresses (subnets) that are allowed to connect to the proxy server.
For example, to allow access only from your local network, add the directive:
acl localnet src 192.168.10.0/24
The rest of the acl localnet lines can be commented out.
A little further down in the configuration there is a directive that allows access for these networks:
http_access allow localnet
By default, Squid accepts client connections on port 3128. You can change this port in the http_port directive. In this example, Squid will listen on port 4555:
http_port 4555
If you want to use a proxy server for caching, you need to set up a directory for the cache:
cache_dir ufs /var/spool/squid 5120 32 256
- 5120 - cache size in MB
- 32 - the number of first-level subdirectories for the cache, 256 - the number of second-level subdirectories
Then create the cache directory structure:
squid -z
To authenticate users on squid, you can use the simplest basic authentication. First, create a file to store users and passwords:
sudo touch /etc/squid/passwd && sudo chown squid /etc/squid/passwd
To add a user to this file, run the command:
sudo htpasswd -c /etc/squid/passwd username1
When adding subsequent users, do not specify the -c option (it recreates the file and discards the users already in it).
Then add the following lines to the top of the squid.conf configuration file:
# use basic auth and specify the path to the password file
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
# number of authentication helper processes
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
# session duration without re-entering login and password
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
On different Linux distributions, the path to the basic_ncsa_auth file may differ:
- /usr/lib64/squid/basic_ncsa_auth (Oracle Linux, RHEL, CentOS)
- /usr/lib/squid/basic_ncsa_auth (Debian, Ubuntu, Kali Linux)
You can also authenticate Active Directory users with basic auth via LDAP:
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=winitpro,dc=ru" -D "squid_srv@site.io" -w "<user password>" -f "sAMAccountName=%s" <AD domain controller IP address>
The disadvantage of Basic authentication is that the password is transmitted as Base64-encoded plain text (trivially decoded; see an example in the article on sending emails via telnet with authentication). Therefore, for integration with Active Directory, it is better to use Kerberos authentication in Squid. If there is no AD, you can set up HTTP Digest authentication in Squid. But this is beyond the scope of this article.
Allowing and denying rules are set at the end of the configuration file using the http_access directives. Squid evaluates them in order, and the first rule whose ACLs all match decides the request, so place specific deny rules before the broader allow rules. For example, to allow access only to authenticated users:
http_access allow localhost
http_access allow auth_users
http_access deny all
Squid allows you to block specific sites. Create a file with a list of banned sites:
sudo vi /etc/squid/blocked_sites
Add to this file the list of websites you want to block access to:
facebook.com
twitter.com
instagram.com
Then add these lines to the squid config file, above the http_access allow rules (the first matching rule wins):
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites
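Because the first matching http_access line decides the request, the position of http_access deny blocked_sites relative to http_access allow auth_users determines whether authenticated users can still reach the blocked sites. The following Python model of that evaluation is an added example, not code from the article or from Squid; it supports only the src, dstdomain and proxy_auth ACL types used above, treats proxy_auth as "credentials present" instead of issuing a 407 challenge, and keeps the blocked list inline rather than reading /etc/squid/blocked_sites. It also shows that a dstdomain entry without a leading dot matches only that exact host name.

```python
import ipaddress

# Constructed config: the article's rules, with the blocked list inline
# instead of being read from /etc/squid/blocked_sites.
CONFIG_TEXT = """
acl localnet src 192.168.10.0/24
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
acl blocked_sites dstdomain facebook.com .twitter.com
http_access deny blocked_sites
http_access allow localnet
http_access deny all
"""

def parse_config(text):
    """Collect acl definitions and http_access rules in file order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # Squid predefines 'all'
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "acl":                    # acl NAME TYPE value...
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f[0] == "http_access":          # http_access allow|deny acl...
            rules.append((f[1] == "allow", f[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # a leading dot matches the domain and its subdomains; no dot: exact host only
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "proxy_auth":                 # simplified: are credentials present?
        return req.get("user") is not None
    raise ValueError(f"unsupported acl type {kind}")

def decide(acls, rules, req):
    """Return 'allow' or 'deny' for a request; the first matching rule wins."""
    for allow, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!")
               for n in names):
            return "allow" if allow else "deny"
    return "deny" if rules and rules[-1][0] else "allow"  # opposite of last rule
```

With the allow auth_users line placed first, as in CONFIG_TEXT, an authenticated user still reaches facebook.com; moving the deny blocked_sites line above it makes the same request a deny.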
After making changes to the squid configuration file, you need to check it for syntax errors:
sudo squid -k parse
If there are no errors, reload the squid configuration to apply the new settings (no need to restart the daemon):
sudo squid -k reconfigure
Allow connections to the proxy server port through the firewall (in our example, this is TCP 4555). If you are using firewalld, add a permanent allow rule and reload the rules (without --permanent, the rule would be discarded by the reload):
firewall-cmd --permanent --zone=public --add-port=4555/tcp
firewall-cmd --reload
If your Linux server is hosted by an external provider (AWS, Azure, Oracle Cloud, etc.), don't forget to add an allow rule for port 4555 to the appropriate Security Group.
Check that Squid is listening on the port specified in the http_port directive:
netstat -tulnp
Using curl, you can check that the squid proxy server is reachable:
curl -x http://xx.xx.xx.xx:4555 -L http://google.com
If the error "authentication required" or "Access Denied" appears, you need to pass the username and password to connect to squid:
curl -x http://xx.xx.xx.xx:4555 --proxy-user proxyuser1:TGFTM0xDVjNm -I http://google.com
To analyze squid logs in real time, use the command:
sudo tail -f /var/log/squid/access.log
If the browser displays the error "The proxy server is refusing connections" and access.log contains a line with TCP_DENIED/403 4041 CONNECT, check your ACLs.
If the user is successfully authenticated, a TCP_MISS/200 or TCP_TUNNEL/200 entry will appear in the squid log:
TCP_TUNNEL/200 39 CONNECT site.io:443 proxyusername HIER_DIRECT/xx.xx.xx.xx
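As an added example (not part of the article), the following Python snippet parses lines in Squid's default access.log format and sorts them into the three cases discussed above: TCP_DENIED/403 (an http_access rule blocked the request), TCP_DENIED/407 (the proxy asked the client for credentials) and 200 responses served to an authenticated user. The log lines are constructed sample data, and the function names are my own.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1698765432.123    120 192.168.10.25 TCP_DENIED/403 4041 CONNECT site.io:443 - HIER_NONE/- text/html
1698765432.456     39 192.168.10.25 TCP_TUNNEL/200 39 CONNECT site.io:443 proxyusername HIER_DIRECT/203.0.113.10 -
1698765433.001    210 192.168.10.26 TCP_MISS/200 5123 GET http://google.com/ proxyuser1 HIER_DIRECT/203.0.113.20 text/html
1698765434.300      5 192.168.10.77 TCP_DENIED/407 3955 GET http://example.com/ - HIER_NONE/- text/html
1698765435.000      4 192.168.10.77 TCP_DENIED/403 4041 GET http://facebook.com/ proxyuser1 HIER_NONE/- text/html
"""

@dataclass
class Entry:
    ts: float        # request time, UNIX seconds
    elapsed_ms: int  # time Squid spent on the request
    client: str      # client IP address
    result: str      # Squid result code: TCP_MISS, TCP_TUNNEL, TCP_DENIED, ...
    status: int      # HTTP status sent to the client
    size: int        # bytes sent to the client
    method: str
    url: str
    user: str        # authenticated user name, or "-"
    hierarchy: str   # HIER_DIRECT, HIER_NONE, ...
    peer: str        # upstream address, or "-"

def parse_line(line: str) -> Entry:
    """Parse one native-format line (the trailing MIME type field is dropped)."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                 f[5], f[6], f[7], hierarchy, peer)

def summarize(log_text: str) -> dict:
    """Count ACL-blocked, credential-challenged and served requests."""
    blocked, need_auth, served = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e.result == "TCP_DENIED" and e.status == 403:
            blocked[e.client] += 1     # denied by http_access: check the ACLs
        elif e.result == "TCP_DENIED" and e.status == 407:
            need_auth[e.client] += 1   # proxy asked the client for credentials
        elif e.status == 200 and e.user != "-":
            served[e.user] += 1        # authenticated request served
    return {"blocked": dict(blocked), "need_auth": dict(need_auth), "served": dict(served)}
```

Pointing summarize at the output of the tail command above (or at the whole file) gives a quick per-client view of which ACL is rejecting requests before you start editing http_access rules.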
Don't forget to set the proxy server settings in the browsers on users' computers. Set the IP address (or hostname) of the squid host and the port in the browser settings. You can propagate proxy settings to Windows computers through a GPO.