Background
Most of the big companies have their own proxies through which all the company data is routed through. This ensure malicious sites are blocked and all other traffic is audited via proper authentication.
To give a little background on Squid proxy -
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does not support the SOCKS protocol.
Squid was originally designed to run as a daemon on Unix-like systems. A Windows port was maintained up to version 2.7. New versions available on Windows use the Cygwin environment.[7] Squid is free software released under the GNU General Public License.
Squid was originally designed to run as a daemon on Unix-like systems. A Windows port was maintained up to version 2.7. New versions available on Windows use the Cygwin environment.[7] Squid is free software released under the GNU General Public License.
Source : Wiki
Installing Squid proxy on Ubuntu
To install squid server simply run following command in your terminal -
- sudo apt install squid
Squid run as daemon service in Ubuntu. You can execute following command to see the status of this service -
Some important file paths are -
- service squid status
Some important file paths are -
- /etc/sqid : This is where your squid configuration resides
- /var/log/squid : This is where your squid logs reside
- /usr/lib/squid3,/usr/lib/squid : This is where your squid modules or libraries reside.
Now that we have Squid proxy installed. Let's configure it.
Squid configuration is located at -
Default TCP port that Squid listens to is 3128. Go ahead and change it to 8888. I prefer using 8888 port since this is used by other proxies as well like Charles and Fiddler. To do this find a line called
Squid configuration is located at -
- /etc/squid/squid.conf
- sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
- sudo chmod a-w /etc/squid/squid.conf.original
Default TCP port that Squid listens to is 3128. Go ahead and change it to 8888. I prefer using 8888 port since this is used by other proxies as well like Charles and Fiddler. To do this find a line called
- http_port 3128
- http_port 8888
Next you need to provide rules to allow and disallow traffic. If you want to just allow trafic from your local machine you can add the following lines to the configuration -
- acl localhost src 127.0.0.1/32
- http_access allow localhost
acl is nothing but access control list. it's a keyword that states acl is starting. Next localhost is the name that is used to indentify the acl. I have named it localhost but it can be anything. Next we have src which is used to identify local IP addresses. Other options are -
- srcdomain : used for declaring local domain,
- dst : used for public IP &
- dstdomain : used for public domain name
Next we have http_access that will basically take action provide in it's next word on the acl we define. In this we we are saying allow and for acl named localhost that we defined above. So Squid proxy is going to allow all http traffic from local machine (i.e with IP 127.0.0.1)
Last line you can add as -
For each request that Squid receives it will look through all the http_access statements in order until it finds a line that matches. It then either accepts or denys depending on your setting. The remaining rules are ignored.
This was basic settings for squid proxy. Now let's see how we can add an authentication to this scheme.
Post configuration you can just restart the squid service -
Last line you can add as -
- http_access deny all
For each request that Squid receives it will look through all the http_access statements in order until it finds a line that matches. It then either accepts or denys depending on your setting. The remaining rules are ignored.
This was basic settings for squid proxy. Now let's see how we can add an authentication to this scheme.
Post configuration you can just restart the squid service -
- service squid restart
- less /var/log/squid/cache.log
- less /var/log/squid/access.log
How to set up a squid Proxy with basic username and password authentication?
For this you can add following lines to your squid configuration file squid.conf -
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords auth_param basic realm proxy acl authenticated proxy_auth REQUIRED http_access allow authenticated ident_lookup_access deny all http_access deny all
Above configuration will ensure all traffic is authenticated. The username/password that would be needed to provide access will be stored in a file - /etc/squid/passwords. We will now see how we can create this file.
To generate username/passwrod you need to use a command called htpasswd. You can install this using -
- apt-get install apache2-utils
- sudo htpasswd -c /etc/squid/passwords YOUR_USERNAME
NOTE : htpasswd stores the password hashed.
One done you can restart your squid service -
- service squid restart
acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_port 8888 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords auth_param basic realm proxy acl authenticated proxy_auth REQUIRED http_access allow authenticated ident_lookup_access deny all http_access deny all
Now you can test this by adding a proxy in firefox and trying to go to a http URL.
Add username/password that you just created before and the URL should be accessible.