Exploring Squid Server in Linux
You want to control what people browse on your LAN. You have a machine connected directly to the Internet that you are going to use as a proxy server for the other machines on your network. The machines on your network use 192.168.2.0/24 as their private address space. You can use any one (or several) of the available private ranges, but for this howto we assume 192.168.2.0/24 as the local network. The local IP address of the machine that will run the Squid proxy server is 192.168.2.111; again, you can use any IP, but for this howto we assume this one.
A client program (e.g. a browser) either has to be told explicitly which proxy server to use (typical for ISP customers), or it can be made to use a proxy without any extra configuration: "transparent caching", in which case the firewall on the proxy machine intercepts all outgoing HTTP requests and hands them to Squid, which answers them (from its cache where possible) on the client's behalf. The latter is typically a corporate set-up (all clients are on the same LAN). Either way the proxy operator sees every URL each client requests, which is exactly the control you want here but is also why such a set-up raises privacy concerns for the users behind it.
In this tutorial, my Squid server is running Debian and the Squid client is running openSUSE. Both machines are in a virtualized environment using KVM virtualization on my notebook.
Install Squid
To install the Squid server on Debian or Ubuntu, type:
# apt-get install squid
Configuring the /etc/squid/squid.conf file
To edit the squid configuration file, type:
# vi /etc/squid/squid.conf
Look for the comments that begin with "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS" and "Example rule allowing access from local networks"; your own ACLs and http_access rules go there.
My configuration file, with comments and blank lines stripped, looks like this:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl mylan src 192.168.2.0/24 # added: the LAN that is allowed to use the proxy
acl badpc src 192.168.2.119 # added: one host that only gets access during cleantime
acl cleantime time SMTWHFA 12:00-18:00 # added: every day (S=Sun, H=Thu, A=Sat) 12:00-18:00
acl file_exe urlpath_regex -i \.exe$ # added: URL path ending in .exe, case-insensitive
acl bad_domains dstdomain "/etc/squid/bad_domains" # added: one domain per line in that file
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# added: http_access stops at the first matching rule, so every deny for the
# LAN must come before "allow mylan" or it is never reached
http_access deny file_exe
http_access deny bad_domains
http_access deny badpc !cleantime # added: badpc is inside mylan, so block it outside cleantime here
http_access allow mylan
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 # or bind to the LAN address only, e.g. http_port 192.168.2.108:3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
The lines I added (everything else is the Debian default) are the mylan, badpc and cleantime ACLs, the file_exe and bad_domains ACLs, and their http_access rules. The order of the http_access rules matters: Squid evaluates them top to bottom and stops at the first rule whose ACLs all match, so the deny rules for file_exe and bad_domains must appear before http_access allow mylan. Placed after it, every client in 192.168.2.0/24 is already allowed before the deny rules are ever looked at, and a rule like allow badpc cleantime is equally dead because badpc is already allowed by mylan; to restrict that host to cleantime you have to deny it outside cleantime, above the LAN allow.
Now reload Squid so it reads the new configuration (Squid's -k parse option checks the file for syntax errors first, and any errors are also written to /var/log/squid/cache.log):
# /etc/init.d/squid reload
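To make the first-match behaviour concrete, here is a small Python model of how Squid evaluates http_access over the ACLs from the configuration above. It is an added example written for this page, not Squid code and not the original author's; the ACL semantics (src, dstdomain, urlpath_regex, time) are reimplemented just far enough to show the point, and the rule lists ORIGINAL and FIXED, the "file_exe_strict" ACL and the sample requests are assumptions made for the example. It also shows one edge case the page's \.exe$ pattern misses: Squid matches urlpath_regex against the path including the query string, so setup.exe?x=1 slips past it.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# ACL table: name -> (type, values). Mirrors the acl lines in squid.conf above.
ACLS = {
    "mylan":       ("src", ["192.168.2.0/24"]),
    "badpc":       ("src", ["192.168.2.119"]),
    "localhost":   ("src", ["127.0.0.1/32"]),
    "all":         ("src", ["0.0.0.0/0"]),
    "cleantime":   ("time", ("SMTWHFA", "12:00", "18:00")),     # Squid day letters
    "file_exe":    ("urlpath_regex", [r"\.exe$"]),               # pattern from the page
    "file_exe_strict": ("urlpath_regex", [r"\.exe($|\?)"]),      # assumed: also catches .exe?x=1
    "bad_domains": ("dstdomain", [".facebook.com", ".wordpress.com"]),
}

def dstdomain_match(host, patterns):
    """'.example.com' matches example.com and every subdomain; a bare
    'example.com' matches that host only. Squid compares case-insensitively."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if host == p.lstrip(".") or (p.startswith(".") and host.endswith(p)):
            return True
    return False

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        return dstdomain_match(urlsplit(req["url"]).hostname or "", values)
    if kind == "urlpath_regex":
        # Squid's "URL path" includes the query string, so "\.exe$" is
        # bypassed by appending "?anything" to the URL.
        u = urlsplit(req["url"])
        path = u.path + ("?" + u.query if u.query else "")
        return any(re.search(v, path, re.IGNORECASE) for v in values)  # page uses -i
    if kind == "time":
        days, start, end = values
        letter = "MTWHFAS"[req["when"].weekday()]   # Mon=0 .. Sun=6 -> Squid letters
        hhmm = req["when"].strftime("%H:%M")
        return letter in days and start <= hhmm < end
    raise ValueError(kind)

def http_access(rules, req, acls=ACLS):
    """Squid semantics: rules are tried top to bottom; a rule matches only when
    every ACL on it matches ('!' negates); the FIRST matching rule decides."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rule order as first written: the LAN allow comes before the denies.
ORIGINAL = [
    ("allow", ["mylan"]),
    ("allow", ["badpc", "cleantime"]),   # dead: badpc is inside mylan
    ("deny",  ["file_exe"]),             # dead for the LAN, already allowed
    ("deny",  ["bad_domains"]),          # dead for the LAN, already allowed
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

# Corrected order: specific denies first, then the broad allow.
FIXED = [
    ("deny",  ["file_exe_strict"]),
    ("deny",  ["bad_domains"]),
    ("deny",  ["badpc", "!cleantime"]),  # badpc only gets out during cleantime
    ("allow", ["mylan"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

def decide(rules, src, url, when=datetime(2011, 9, 25, 16, 0)):
    """Return 'allow' or 'deny' for one request (default: a Sunday at 16:00)."""
    return http_access(rules, {"src": src, "url": url, "when": when})

if __name__ == "__main__":
    for src, url in [("192.168.2.50", "http://example.com/setup.exe"),
                     ("192.168.2.50", "http://www.facebook.com/"),
                     ("192.168.2.119", "http://example.com/")]:
        print(src, url, "original:", decide(ORIGINAL, src, url),
              "fixed:", decide(FIXED, src, url))
```

Run it and the ORIGINAL order allows both the .exe download and facebook.com from the LAN, while FIXED denies them; the model is deliberately limited to the four ACL types the page uses, so do not treat it as a substitute for testing the real squid.conf.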
Real Life experience
In my LAN, to test whether Squid is working, I include the following:
acl mylan src 192.168.1.0/24
http_access allow mylan
Remember to change the LAN address to yours. You can then switch the mylan rule between allow and deny to confirm that the proxy honours it.
You will also need to edit the browser preferences of your Squid clients. In Firefox, go to Edit -> Preferences -> Advanced -> Network -> Settings -> HTTP Proxy.
To block a website, e.g. Facebook, I included the following lines (the two forms are identical apart from the ACL name):
acl blockfacebook dstdomain .facebook.com
http_access deny blockfacebook
or
acl badsite dstdomain .facebook.com
http_access deny badsite
Configuring the Squid Client
You have a Squid proxy server running now. You can ask clients to configure their browsers to use the IP address of your Squid server (in my case 192.168.2.114) as the proxy, with port 8080 or 3128, depending on what you put in http_port.
In Firefox, go to Edit -> Preferences -> Advanced -> Network -> Settings -> HTTP Proxy and type the Squid IP address and port (3128 or 8080; whichever port your Squid server uses).
Command line utilities like elinks, lynx, yum, wget etc. can be made to use the proxy by exporting the http_proxy variable as below. Users can also add these lines to their ~/.bashrc file to avoid exporting them every time. Set https_proxy the same way for tools that fetch https:// URLs; for those the proxy only sees a CONNECT to host:443, so the domain-based ACLs still apply but the path-based ones (such as file_exe) cannot.
export http_proxy='http://192.168.36.204:8080'
export ftp_proxy='http://192.168.36.204:8080'
The Squid server Logs
The logs are found in the /var/log/squid directory as shown below:
debian:/var/log/squid# ls -lrt
total 1424
-rw-r----- 1 proxy proxy 0 2011-09-24 16:22 access.log.1
-rw-r----- 1 proxy proxy 212 2011-09-24 18:51 store.log.1
-rw-r----- 1 proxy proxy 41339 2011-09-25 09:25 cache.log.1
-rw-r--r-- 1 root root 1986 2011-09-25 15:23 config.txt
-rw-r----- 1 proxy proxy 61892 2011-09-25 16:06 cache.log
-rw-r----- 1 proxy proxy 728242 2011-09-25 16:07 store.log
-rw-r----- 1 proxy proxy 596542 2011-09-25 16:07 access.log
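access.log is where you verify that the deny rules actually fire. The following is an added example for this page (not the author's script and not part of Squid): a parser for the native "squid" log format selected by the access_log line above, run over a few constructed sample lines to count TCP_DENIED requests per client and per destination host. The log lines, client addresses and hosts are made up for the example; the field layout (time.ms elapsed client action/status bytes method URL ident hierarchy/peer type) is Squid's.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native "squid" access.log format:
# time.ms elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1316959200.123     12 192.168.2.50 TCP_MISS/200 5432 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1316959201.456      1 192.168.2.50 TCP_DENIED/403 1626 GET http://www.facebook.com/ - NONE/- text/html
1316959202.789      0 192.168.2.119 TCP_DENIED/403 1626 GET http://example.com/setup.exe - NONE/- text/html
1316959203.000     40 192.168.2.50 TCP_HIT/200 8100 GET http://example.com/logo.png - NONE/- image/png
1316959204.000      2 192.168.2.119 TCP_DENIED/403 1626 CONNECT www.facebook.com:443 - NONE/- text/html
1316959205.000    300 192.168.2.60 TCP_MISS/200 1200 CONNECT mail.example.com:443 - DIRECT/203.0.113.5 -
"""

def parse_line(line):
    """Split one native-format line into a dict; returns None for short or garbled lines."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    method, url = f[5], f[6]
    # CONNECT (HTTPS) requests log only host:port, never a path, so path-based
    # ACLs such as urlpath_regex cannot see inside them.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "action": action,
        "status": int(status),
        "bytes": int(f[4]),
        "method": method,
        "url": url,
        "host": host.lower(),
    }

def summarize(text):
    """Denied requests per client and per destination host, bytes per client,
    and cache hits versus misses."""
    out = {"denied_by_client": Counter(), "denied_hosts": Counter(),
           "bytes_by_client": Counter(), "hits": 0, "misses": 0}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        out["bytes_by_client"][rec["client"]] += rec["bytes"]
        if rec["action"] == "TCP_DENIED":
            out["denied_by_client"][rec["client"]] += 1
            out["denied_hosts"][rec["host"]] += 1
        elif "HIT" in rec["action"]:      # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            out["hits"] += 1
        elif "MISS" in rec["action"]:
            out["misses"] += 1
    return out

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client, n in s["denied_by_client"].most_common():
        print(f"{client}: {n} denied request(s)")
    print("most denied hosts:", s["denied_hosts"].most_common(3))
    print("hits/misses:", s["hits"], s["misses"])
```

A client that keeps showing up in denied_by_client with the same host is usually a page that embeds the blocked domain (widgets, scripts) rather than a user typing it; a client with many denied requests to many hosts is worth a closer look.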
Blocking Websites
In the configuration file you can block certain websites, prevent users from downloading mp3 and exe files, and so on. Every such deny must be placed above the http_access allow rule for your LAN, or it is never reached.
To block a certain website, e.g. Facebook, put the following in the configuration file (the leading dot matches facebook.com and every subdomain of it):
acl badsite dstdomain .facebook.com
http_access deny badsite
To prevent users from downloading exe files:
acl file_exe urlpath_regex -i \.exe$
http_access deny file_exe
Note that urlpath_regex is matched against the URL path including any query string, so a URL ending in .exe?anything slips past \.exe$; and for HTTPS sites the proxy only ever sees a CONNECT to host:443, so path-based rules cannot apply to them at all.
To prevent users from visiting a list of bad sites, use one of the following, depending on what the list contains:
acl bad_domains dstdomain "/etc/squid/bad_domains"
or
acl bad_domains url_regex "/etc/squid/bad_domains"
or
acl bad_domains dstdom_regex -i "/etc/squid/bad_domains"
and the http_access rule looks like this:
http_access deny bad_domains
The three ACL types read the same file very differently. dstdomain entries are host names: .example.com matches example.com and all its subdomains, a bare example.com matches that host only, and a keyword such as xxx matches only a host literally called xxx. dstdom_regex treats each line as a regular expression matched against the host name, and url_regex matches it against the entire URL, so a keyword like breast would then block any URL containing that string anywhere in the host, path or query, and a line like .com (the dot is a regex wildcard) would block almost everything. Pick one type and write the file for it; dstdomain is the cheapest to evaluate and the least likely to over-block.
The file /etc/squid/bad_domains looks something like this (lines beginning with # are comments; with dstdomain the entries xxx and breast match nothing useful and only make sense with one of the regex forms):
# more /etc/squid/bad_domains
xxx
breast
#.com
#.sex.com
#.nasty.com
#.naughty.com
#.noclothes.com
.wordpress.com
#wordpress.com
.facebook.com
#www.facebook.com
The corresponding additions to /etc/squid/squid.conf (these lines belong in squid.conf, not in the bad_domains list file; the commented-out lines show the alternatives discussed above):
# I added the lines below for mylan
acl blockfacebook dstdomain .facebook.com
acl mylan src 192.168.2.0/24
#acl badpc src 192.168.2.119
acl cleantime time SMTWHFA 12:00-18:00
acl badsite dstdomain .facebook.com
acl file_exe urlpath_regex -i \.exe$
acl bad_domains dstdomain "/etc/squid/bad_domains"
#acl bad_domains url_regex "/etc/squid/bad_domains"
#acl bad_domains dstdom_regex -i "/etc/squid/bad_domains"
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny blockfacebook
http_access allow mylan
#http_access allow badpc cleantime
Here the deny for blockfacebook is placed before allow mylan, which is the order that works; the file_exe, badsite and bad_domains ACLs are defined but still need their own http_access deny lines, likewise placed above the allow.
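Because the same bad_domains file behaves differently under dstdomain, dstdom_regex and url_regex, it is worth checking a list before loading it. The following is an added example for this page (not the author's code and not Squid's): it reads a constructed copy of the bad_domains file above, flags keyword entries that are useless as dstdomain, and shows which entry matches a few sample URLs under each of the three ACL types. The matching is a small reimplementation of Squid's semantics for the three types, the sample URLs are made up, and the dstdomain matcher is case-insensitive as Squid's is.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the /etc/squid/bad_domains list shown above.
BAD_DOMAINS_FILE = """\
xxx
breast
#.com
#.sex.com
.wordpress.com
#wordpress.com
.facebook.com
#www.facebook.com
"""

def load_list(text):
    """Squid ignores blank lines and lines starting with '#' in an ACL list file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def not_a_domain(entry):
    """For dstdomain an entry is a host name; a bare keyword with no dot only
    matches a host literally called that (e.g. http://xxx/), so it does nothing
    useful and belongs in a dstdom_regex or url_regex list instead."""
    return "." not in entry

def first_match(acl_type, entries, url):
    """Return the list entry that makes the ACL match this URL, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for e in entries:
        if acl_type == "dstdomain":
            p = e.lower()   # leading dot = the domain and all its subdomains
            if host == p.lstrip(".") or (p.startswith(".") and host.endswith(p)):
                return e
        elif acl_type == "dstdom_regex":
            if re.search(e, host, re.IGNORECASE):   # page uses -i here
                return e
        elif acl_type == "url_regex":
            if re.search(e, url):                   # page uses no -i: case-sensitive
                return e
        else:
            raise ValueError(acl_type)
    return None

def compare(entries, url):
    """Show how the same list behaves under the three ACL types."""
    return {t: first_match(t, entries, url)
            for t in ("dstdomain", "dstdom_regex", "url_regex")}

if __name__ == "__main__":
    entries = load_list(BAD_DOMAINS_FILE)
    print("keyword entries useless as dstdomain:", [e for e in entries if not_a_domain(e)])
    for url in ("http://www.facebook.com/", "http://mywordpress.com/",
                "http://www.example.org/breast-cancer", "http://notfacebook.com/"):
        print(url, compare(entries, url))
```

The output makes the trade-off visible: dstdomain blocks facebook.com and its subdomains and nothing else, while the regex forms also catch mywordpress.com and notfacebook.com (the unescaped dot matches any character) and url_regex blocks an unrelated page whose path merely contains the word breast.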
Annex A
If the goal is also to speed up web surfing (and to avoid configuring every client), Squid can run as a transparent cache/proxy: the firewall on the proxy machine redirects the LAN's outgoing TCP port 80 traffic into Squid's listening port, and the clients need no proxy settings at all.
With Squid versions before 2.6 this is enabled by adding the following to squid.conf (from http://www.deckle.co.za/squid-users-guide/Transparent_Caching/Proxy):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Transparent Cache/Proxy with Squid version prior to 2.6
Prior to Squid 2.6 there was no quick and direct way to make Squid a transparent proxy. This has since changed in the stable releases, and it is highly recommended that the latest stable version of Squid be used in preference to any older release, unless there is an overriding reason to use one.
In older versions transparent proxying was almost a "hack", achieved through the httpd_accel options: the four lines shown above are appended to (or uncommented in) squid.conf.
Together they make Squid run as a transparent proxy; this is what each line does:
- httpd_accel_host virtual: tells the accelerator to work for any URL it is given (the usual usage of the accelerator is to tell it which single site it must accelerate).
- httpd_accel_port 80: tells the accelerator which port to use. The accelerator is a powerful tool and most of its usage is beyond the scope of this section; all that matters here is that the transparent proxy reaches the websites we want to browse on the correct HTTP port, which by default is 80.
- httpd_accel_with_proxy on: by default, when the accelerator options are enabled Squid stops being a cache server; this option reinstates caching, which is the whole purpose of this configuration.
- httpd_accel_uses_host_header on: with this option turned on Squid uses the Host header to find out which website you are requesting, since an intercepted request carries no full URL.
Transparent Cache/Proxy with Squid version 2.6 and beyond
From Squid 2.6 on, transparent proxying has a dedicated option, transparent, given as an argument to the http_port directive in squid.conf, as the following example demonstrates:
http_port 192.168.0.1:3128 transparent
Here Squid listens on 192.168.0.1 port 3128, and your firewall rules must already redirect the LAN's port 80 traffic to that port (on Linux, a REDIRECT rule in the nat table's PREROUTING chain on the LAN interface). The transparent option tells Squid that requests arriving on this port are intercepted ones rather than proxy-style requests. Two caveats: in Squid 3.1 and later the option is called intercept (transparent is still accepted as a deprecated alias), and it is cleanest to give intercepted traffic its own http_port and keep 3128 for explicitly configured clients. Also, only plain HTTP on port 80 is intercepted this way; HTTPS connections bypass the proxy entirely, so the blocking rules above only apply to HTTPS sites for clients that are explicitly configured to use the proxy.