How To Set Up and Configure a Proxy Server - Squid Proxy

A proxy server has many use cases. They range from personal internet access to restricting an organization's systems and servers from reaching the external world, or limiting external internet access for a set of servers in the cloud.

The best way to configure a proxy server is by using the Squid proxy. It is a widely used proxy server.

In this article, we have covered the following.

  1. Install proxy server
  2. Configure the proxy server
  3. Configure basic proxy authentication.

Steps to Install Proxy Server: Squid Proxy

Follow these steps to set up the proxy server.

Step 1: Update the server

sudo apt update -y

Step 2: Install Squid Proxy

sudo apt -y install squid

Step 3: Start and enable Squid server.

sudo systemctl start squid
sudo systemctl enable squid

Step 4: Check the status of squid server.

sudo systemctl status squid
[Image: squid server status]

Configure Proxy Server: Squid Proxy

All the configurations for the squid server are present in /etc/squid/squid.conf file.

💡
Before modifying squid.conf, take a backup of the configuration file using the following commands.

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.backup
sudo chmod a-w /etc/squid/squid.conf.backup

Step 1: Configure Proxy Sources to Access the Internet

First, you need to configure the sources from which the squid proxy should accept connections.

For example, you might need to access this proxy server only from your home network or from specific CIDR ranges.

You can add a source IP range with an ACL using the following format.

# Example range only; replace with your own network
acl localnet src 203.0.113.0/24
http_access allow localnet

Open the /etc/squid/squid.conf file and add the source as shown below. Change the IP to the desired network/IP source based on your needs.

In the following example, we have added a single source IP.

[Image: squid server configuration]

Restart the proxy server after making the ACL changes.

sudo systemctl restart squid

Step 2: Test Proxy Server Connectivity

Test if the proxy server is working using a simple curl request in the following format. By default, the Squid proxy listens on port 3128.

💡
If you are using a cloud instance to install the Squid Proxy, ensure you have enabled port 3128 for incoming traffic, limited to the source ranges that should use the proxy.

If you want to change the default port, edit the squid.conf file and modify the HTTP port entry, http_port 3128.

curl -x http://<squid-proxy-server-IP>:3128 -I http://google.com

[Image: squid server connectivity test]

Configure Proxy Authentication

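Along with access ACLs, you can add basic authentication to your proxy server for extra security. Basic authentication sends the username and password base64-encoded rather than encrypted, so keep the source ACLs in place and use it only over networks you trust. Follow the steps given below to set up basic auth for the Squid proxy server.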

Step 1: Install apache2-utils (provides the htpasswd utility)

sudo apt install apache2-utils -y

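Step 2: Create a passwd file and make the Squid service user its owner.

On Ubuntu, the Squid package runs as the proxy user, so that is the account that needs to own the file.

sudo touch /etc/squid/passwd && sudo chown proxy /etc/squid/passwd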

Step 3: Add pxuser to the password file using htpasswd utility.

It will prompt for a password. Enter a strong password of your choice.

This username and password will be used for all connections through this proxy.

sudo htpasswd /etc/squid/passwd pxuser

Step 4: Open the squid config file.

sudo vi /etc/squid/squid.conf

Add the following to the config file and save it.

# Example range only; replace with your own network
acl localnet src 203.0.113.0/24

# Authentication parameters

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours

# Define ACLs

acl auth_users proxy_auth REQUIRED

# Allow authenticated users (for non-blocked sites)

http_access allow auth_users

http_access allow localnet

# Deny all others

http_access deny all

💡
Squid evaluates the http_access rules in squid.conf in order and stops at the first match, so anything you want to allow must come before the deny all rule.

Use the following command to see whether the syntax is correct.

sudo squid -k parse

Step 5: Restart Squid Proxy Service

Now, restart the squid server for the configuration changes to take place.

sudo systemctl restart squid

Step 6: Test Squid Proxy Authentication

Now, if you test the proxy connection using curl without credentials, you will get an "authentication required" message (HTTP 407).

Now, test the connectivity with the proxy user and password configured in step 3. An example syntax is shown below.

curl -x http://<squid-proxy-server-IP>:3128 --proxy-user pxuser:12345 -I http://google.com

With username and password, your proxy request should go through.

Blocking Websites using Squid Proxy

Another great use of the proxy server is restricting the website access. Follow the steps below for creating a block list.

Step 1: Open a blocked list file.

sudo vi /etc/squid/proxy-block-list.acl

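Add the websites to be blocked in the file, one per line. A leading dot makes the entry match the domain and all of its subdomains (for example www.facebook.com); without it, only the exact host name matches. For example,

.facebook.com
.twitter.com
.instagram.com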

Step 2: Adding ACL List in Config File

Open the configuration file.

sudo vi /etc/squid/squid.conf

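Add the following to the ACL list. Place the deny rule above the http_access allow rules, otherwise an earlier allow matches first and the block list is never applied.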

acl bad_urls dstdomain "/etc/squid/proxy-block-list.acl"
http_access deny bad_urls

Step 3: Restart the squid server.

sudo systemctl restart squid

Step 4: Test Squid Proxy Blocked Websites

Now, if you try to access a website that is in the block list through the proxy, you will get a 403 Forbidden error.
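
The rule-order point above can be checked mechanically. The following shell function is an added example, not part of the original article or the Squid project; it flags a deny rule (such as the block list) that appears after an allow rule, and a missing final deny all, using constructed sample configurations.

```bash
# Added example: lint the order of http_access rules in a squid.conf.
# Squid checks http_access lines top to bottom and stops at the first match.

# lint_http_access [FILE]: reads FILE (or stdin) and prints one finding per
# line; prints nothing when the order looks sound. The "deny after allow"
# check is a heuristic: it cannot tell how broad the earlier allow is.
lint_http_access() {
  awk '
    $1 != "http_access" { next }
    {
      action = $2; acl = $3
      if (deny_all_line) {
        printf "line %d: unreachable after \"deny all\" on line %d\n", NR, deny_all_line
        next
      }
      if (action == "deny" && acl == "all") { deny_all_line = NR; next }
      if (action == "allow" && !first_allow) { first_allow = NR; next }
      if (action == "deny" && first_allow)
        printf "line %d: \"deny %s\" follows the allow on line %d and may never match\n", NR, acl, first_allow
    }
    END { if (!deny_all_line) print "missing final \"http_access deny all\"" }
  ' "${1:--}"
}

# Constructed sample: the article's rules with the block list added last.
sample_bad() {
  cat <<'EOF'
acl auth_users proxy_auth REQUIRED
acl bad_urls dstdomain "/etc/squid/proxy-block-list.acl"
http_access allow auth_users
http_access allow localnet
http_access deny bad_urls
http_access deny all
EOF
}

# Constructed sample: the same rules with the deny moved above the allows.
sample_good() {
  cat <<'EOF'
acl auth_users proxy_auth REQUIRED
acl bad_urls dstdomain "/etc/squid/proxy-block-list.acl"
http_access deny bad_urls
http_access allow auth_users
http_access allow localnet
http_access deny all
EOF
}

sample_bad | lint_http_access
```

To check a live configuration, run lint_http_access /etc/squid/squid.conf after sudo squid -k parse reports no syntax errors.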

Custom Cache on Squid Proxy

The caching feature in Squid proxy stores frequently accessed web content locally.

When we access the same web content again, Squid will initially check the local cache, and if it is valid, it will show us the page from the local cache.

This caching can reduce server load and latency.

Step 1: Modify the Squid Configuration

Open the Squid configuration file.

sudo vi /etc/squid/squid.conf

Add the following content to the file.

cache_mem 512 MB
maximum_object_size_in_memory 512 KB
maximum_object_size 1024 MB
cache_dir ufs /var/spool/squid 10000 16 256

memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA

refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$  10080 90% 43200 
refresh_pattern -i \.(css|js)$                1440 90% 10080  
refresh_pattern -i \.(html|htm)$              1440 50% 40320

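The first block sets the memory allocated to the cache, the maximum object sizes, and the on-disk cache path and size.

The second block sets the replacement policies, that is, which algorithm decides what objects are removed from the memory and disk caches when they fill up.

The refresh_pattern lines set, per file type, the minimum age in minutes, the percentage of the object's age, and the maximum age in minutes used to decide whether a cached object is still fresh.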

Step 2: Performance Tuning

For performance tuning, you can use the following parameters.

workers 2
client_lifetime 1 day
pipeline_prefetch on

Step 3: Log Configuration

For the log configuration related to the cache, use the following parameters.

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log 
logfile_rotate 10

Save and exit the configuration file.

Run the following command to check the configuration syntax.

sudo squid -k parse

Step 4: Initialize Cache Directories

First, stop the Squid proxy service.

sudo systemctl stop squid

Run the following command to create the cache directories.

sudo squid -z

Step 5: Start the Squid server and check the status.

sudo systemctl start squid
sudo systemctl status squid

Step 6: Test squid proxy cache

Check the cache directory to confirm that it is storing cached objects.

ls -la /var/spool/squid

From another server, request a URL through the proxy so that Squid fetches it and stores it in the cache.

curl -x http://10.0.0.10:3128 http://google.com -v

In the X-Cache response header, MISS from master-node means that this URL has been requested for the first time. The next time the same URL is requested, the cache status will be HIT from master-node.

💡
If you are using encrypted websites (HTTPS), caching won't happen, because the proxy only tunnels the encrypted traffic and cannot see the content.

Once the response is stored in the cache, we can request the same URL again.

The second time, it takes less time than the initial access.

Let's check the performance difference before and after the cache.
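
To confirm cache hits and spot rejected requests without reading curl output by hand, the access.log configured earlier can be summarized. This is an added example, not from the original article; it assumes Squid's default native log format, and the log lines are constructed samples.

```bash
# Added example: summarize a Squid access.log in the default native format:
#   time elapsed client code/status bytes method URL user hierarchy/peer type

# denied_by_client [FILE] -> "client status count" for every TCP_DENIED entry.
# Many 407s from one client point to wrong or guessed proxy credentials;
# 403s show clients hitting the block list or an ACL that excludes them.
denied_by_client() {
  awk '{ split($4, r, "/")
         if (r[1] == "TCP_DENIED") n[$3 " " r[2]]++ }
       END { for (k in n) print k, n[k] }' "${1:--}" | sort
}

# hit_ratio [FILE] -> percentage of allowed requests whose result code
# contains HIT (TCP_HIT, TCP_MEM_HIT, ...), i.e. served from the cache.
hit_ratio() {
  awk '{ split($4, r, "/")
         if (r[1] == "TCP_DENIED") next
         total++
         if (r[1] ~ /HIT/) hits++ }
       END { if (total) { printf "%d\n", hits * 100 / total } else { print 0 } }' "${1:--}"
}

# Constructed sample log lines (not captured from a real proxy).
sample_log() {
  cat <<'EOF'
1700000000.101     45 10.0.0.21 TCP_MISS/200 1523 GET http://example.com/ pxuser HIER_DIRECT/192.0.2.10 text/html
1700000001.202      2 10.0.0.21 TCP_MEM_HIT/200 1523 GET http://example.com/ pxuser HIER_NONE/- text/html
1700000002.303      0 10.0.0.22 TCP_DENIED/407 4021 GET http://example.com/ - HIER_NONE/- text/html
1700000003.404      0 10.0.0.22 TCP_DENIED/407 4021 GET http://example.com/ - HIER_NONE/- text/html
1700000004.505      0 10.0.0.21 TCP_DENIED/403 3890 CONNECT facebook.com:443 pxuser HIER_NONE/- text/html
1700000005.606     38 10.0.0.21 TCP_MISS/200 9120 GET http://example.com/logo.png pxuser HIER_DIRECT/192.0.2.10 image/png
1700000006.707      1 10.0.0.21 TCP_HIT/200 9120 GET http://example.com/logo.png pxuser HIER_NONE/- image/png
EOF
}

sample_log | denied_by_client
echo "cache hit ratio: $(sample_log | hit_ratio)%"
```

On the proxy itself, pass the real file instead of the sample, for example sudo cat /var/log/squid/access.log | denied_by_client.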

Conclusion

This blog primarily covers the setup and configuration of the Squid proxy on an Ubuntu server.

The Squid proxy can restrict outgoing traffic, and its caching feature helps reduce the latency of web content.

You can customize the configuration further, so go through the options and configure them as per your requirements.

About the author
devopscube

Since 2014, we're a thriving DevOps community dedicated to helping DevOps Engineers grow with high-quality, in-depth articles, comprehensive learning paths, expert insights, and practical resources.
