Install and Configure Squid Server on Ubuntu 18.04 in Cloudraya

Squid is a full-featured web proxy cache server application which provides proxy and cache services for HTTP, FTP, and other popular network protocols.

This guide will show you how to create your own HTTP proxy using Squid, a highly customizable proxy/cache application, on an Ubuntu 18.04 VM instance in Cloudraya.

An HTTP proxy acts as an intermediary between you and the internet. While connected to your Squid HTTP proxy, you will be able to:

  • Anonymously access internet services.
  • Bypass certain regional and local network restrictions.

Squid Installation

First, make sure the server is up to date by running the following commands as a sudo user:

$ sudo apt update && sudo apt upgrade

Once your system is up to date, continue with the Squid installation:

$ sudo apt install squid

Then check the installation with the following command. If the installation succeeded, it produces output like this:

$ sudo systemctl status squid

Output:
● squid.service - LSB: Squid HTTP Proxy version 3.x
   Loaded: loaded (/etc/init.d/squid; generated)
   Active: active (running) since Thu 2020-09-17 12:06:07 UTC; 4min 46s ago
     Docs: man:systemd-sysv-generator(8)
.....

Configure Firewalls

We should make sure that the Squid port (TCP port 3128) on our Ubuntu VM instance is not blocked by the Cloudraya Security Profile or the UFW firewall.

To modify the Cloudraya Security Profile, open the Cloudraya panel and navigate to the Networking side menu -> Security Profile. Then edit an existing Security Profile or create a new one.
On the Security Profile page, add a new firewall rule which opens TCP port 3128. Then apply the security profile.

We also need to make sure that inbound traffic to the Squid TCP port is allowed in Ubuntu UFW. To do this, run the following command in the Ubuntu VM on which we just installed the Squid server:

$ sudo ufw allow 'Squid'

To verify the firewall status, run the following command; the output is shown below:

$ sudo ufw status

Output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Squid                      ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Squid (v6)                 ALLOW       Anywhere (v6) 

Configuring Squid

Now that we have Squid installed on our Cloudraya Ubuntu VM, we can configure it to accept connections and serve as an HTTP proxy.

Squid can be configured by editing the /etc/squid/squid.conf file. You can also keep configuration options in separate files and pull them in with the “include” directive.

The configuration file contains comments that describe what each configuration option does.

Before making any changes, it is good practice to back up the original configuration file by running the following command:

$ sudo cp /etc/squid/squid.conf{,.original}

Edit the file by opening it with nano (or another text editor):

$ sudo nano /etc/squid/squid.conf

Configure Client Access via IP ACL

In Squid, you control how clients can access web resources using Access Control Lists (ACLs).

By default, Squid allows access only from the localhost.

If all of the clients that will use the proxy have a static IP address, you can create an ACL that includes the allowed IPs.

Instead of adding the IP addresses to the main configuration file, we will create a new dedicated file that holds the IPs:

$ sudo nano /etc/squid/allowSourceIP.txt

192.168.33.1
# All other allowed IPs

Once done, open the main configuration file, create a new ACL named allowSourceIP (the acl line below) and allow access to that ACL using the http_access directive (the http_access allow allowSourceIP line below):

# ...
acl allowSourceIP src "/etc/squid/allowSourceIP.txt"

# Allow access from localhost
http_access allow localhost
# Allow access from IP List
http_access allow allowSourceIP

# And finally deny all other access to this proxy
http_access deny all

The http_access directive works much like firewall rules. Squid reads the rules from top to bottom, and once a rule matches, the rules below it are not processed.

Because the order of the http_access rules is important, make sure you add the line before http_access deny all.

Keep in mind that whenever you make changes to the config file, you need to restart the Squid service with the following command:

$ sudo systemctl restart squid

Configure Client Access via Basic Authentication

Besides limiting access by IP, we can also restrict access to the Squid HTTP proxy with basic HTTP authentication.

1. Install htpasswd by installing the Apache utility programs. If you have installed Apache on your Cloudraya Ubuntu VM, you will already have it and can skip this step.

$ sudo apt-get install apache2-utils

2. Create a file to store Squid users and passwords:

$ sudo touch /etc/squid/squid_usr

3. Change ownership of the password file:

$ sudo chown proxy /etc/squid/squid_usr

4. Check the location of the ncsa_auth file:

$ sudo dpkg -L squid | grep ncsa_auth

5. Edit the Squid configuration file (/etc/squid/squid.conf) and add the following lines at the beginning of the file. Make sure that you update /usr/lib/squid/basic_ncsa_auth below with the location of the ncsa_auth file that you checked in the previous step:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_usr
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Once you’ve saved and exited the file, apply the changes by restarting Squid:

$ sudo systemctl restart squid

Block access to restricted domain

One of the features of the Squid proxy server is blocking websites for clients that connect through it. This is done with an ACL of type dstdomain, here named forbidden.

First we need to create the file, then add the domain names that we need to restrict:

$ sudo nano /etc/squid/forbidden_domains.txt

Contains:
.facebook.com
.twitter.com
.tiktok.com

After we create the list of domains in a text file, we modify the Squid configuration file as follows:

# ...
acl allowSourceIP src "/etc/squid/allowSourceIP.txt"

# Add a new ACL directive
acl forbidden dstdomain "/etc/squid/forbidden_domains.txt"

# Add the restricted domains to the deny list. Rules are matched top to
# bottom, so this line must come before the allow rules.
http_access deny forbidden
# Allow access from localhost
http_access allow localhost
# Allow access from IP List
http_access allow allowSourceIP

# And finally deny all other access to this proxy
http_access deny all

After that, don’t forget to restart the Squid service to apply the changes:

$ sudo systemctl restart squid
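
An added example (not from the original post) that models Squid's first-match http_access evaluation in Python for the ACLs used in this guide, showing why http_access deny forbidden has to sit above the allow rules. The ACL contents are constructed samples, acl_matches() and evaluate() are hypothetical helper names, and only src and dstdomain ACLs without negation are modelled.

```python
import ipaddress

# Constructed ACL contents mirroring the files used in this guide.
ACLS = {
    "localhost": ("src", ["127.0.0.1", "::1"]),
    "allowSourceIP": ("src", ["192.168.33.1"]),
    "forbidden": ("dstdomain", [".facebook.com", ".twitter.com", ".tiktok.com"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
}

ALLOW_FIRST = [  # deny forbidden placed after the allow rules
    "http_access allow localhost",
    "http_access allow allowSourceIP",
    "http_access deny forbidden",
    "http_access deny all",
]
DENY_FIRST = [  # deny forbidden placed before the allow rules
    "http_access deny forbidden",
    "http_access allow localhost",
    "http_access allow allowSourceIP",
    "http_access deny all",
]

def acl_matches(name, client_ip, host):
    """True if the named ACL matches this client address / destination host."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    host = host.lower().rstrip(".")
    # dstdomain: a leading dot matches the domain itself and every subdomain.
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def evaluate(rules, client_ip, host):
    """Return (action, rule) for the first line whose ACLs all match."""
    action = "deny"
    for line in rules:
        _, action, *names = line.split()
        if all(acl_matches(n, client_ip, host) for n in names):
            return action, line
    # No match: Squid applies the opposite of the last rule's action.
    return ("allow" if action == "deny" else "deny"), "(default)"

if __name__ == "__main__":
    for label, rules in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        for ip, host in (("192.168.33.1", "www.facebook.com"),
                         ("203.0.113.9", "example.org")):
            print(f"{label:11} {ip:13} {host:17} -> {evaluate(rules, ip, host)}")
```

With the allow rules first, a client listed in allowSourceIP.txt reaches www.facebook.com because the deny line is never evaluated for it.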

Anonymize Traffic

We can also anonymize the clients that connect to our Squid proxy, so that their IP addresses are not forwarded to the servers that receive traffic from the proxy.

This is done with the rules below. Add the following lines at the beginning of the Squid configuration file:

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

After that, close the config file and restart your Squid proxy.

Connect to your Squid Proxy

Congratulations, your Squid proxy server is now ready!

At this point, you can configure your local browser or operating system’s network settings to use your Cloudraya VM as an HTTP proxy. The settings to do this will vary depending on your OS and browser.

You can find several official articles below on configuring your client OS or browser to connect to the Squid proxy:

This post is also posted on Cloudraya knowledgebase on 2 October 2020
https://cloudraya.com/knowledge-base/installing-and-configuring-squid-proxy-in-ubuntu/
