A proxy server has many use cases. They range from personal internet access, to restricting an organization's systems/servers from accessing the external world, to limiting external internet access for a set of servers on the cloud.
The best way to configure a proxy server is by using the Squid proxy. It is a widely used proxy server.
In this article, we have covered the following.
- Install proxy server
- Configure the proxy server
- Configure basic proxy authentication.
Note: This tutorial is tested on CentOS 7. For Ubuntu setup, check this tutorial – Squid Proxy Setup On Ubuntu
Install Proxy Server: Squid Proxy
Step 1: Update the server
sudo yum update -y
Step 2: Configure EPEL repo.
sudo yum -y install epel-release
sudo yum -y update
sudo yum clean all
Step 3: Install squid
sudo yum -y install squid
Step 4: Start and enable squid server.
sudo systemctl start squid
sudo systemctl enable squid
Step 5: Check the status of squid server.
sudo systemctl status squid
Configure Proxy Server: Squid Proxy
All the configurations for the Squid server are present in the /etc/squid/squid.conf file.
Configure Proxy Sources To Access Internet
First, you need to configure the sources from which squid proxy should accept connections. For example, you might need to access this proxy server only from your home network or from specific CIDR ranges.
You can add a source IP range with an ACL using the following format.
# 203.0.113.0/24 is a documentation range used as a placeholder; replace it with your own network
acl localnet src 203.0.113.0/24
Open the /etc/squid/squid.conf file and add the source ACL as shown below. Change the IP to the desired network/IP source based on your needs. In the following example, we have added a single source IP.
Restart the proxy server after making the ACL changes.
sudo systemctl restart squid
Test Proxy Server Connectivity
Test if the proxy server is working using a simple curl request in the following format. By default, the Squid proxy listens on port 3128.
curl -x http://<squid-proxy-server-IP>:3128 -L http://google.com
Configure Proxy Authentication
Along with access ACLs, you can add basic authentication to your proxy server for extra security. Follow the steps given below to set up basic auth for the Squid proxy server.
Step 1: Install httpd-tools
sudo yum -y install httpd-tools
Step 2: Create a passwd file and make squid the file owner.
sudo touch /etc/squid/passwd && sudo chown squid /etc/squid/passwd
Step 3: Add pxuser to the password file using the htpasswd utility. It will prompt for a password; enter a strong one. This username and password will be used for all connections through this proxy.
sudo htpasswd /etc/squid/passwd pxuser
Step 4: Open squid config file.
sudo vi /etc/squid/squid.conf
Add the following to the config file and save it.
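# Helper program that checks credentials against the htpasswd file
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
# Number of helper processes to start
auth_param basic children 5
# Realm text shown in the client's login prompt
auth_param basic realm Squid Basic Authentication
# How long a validated username/password pair is cached
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
# http_access rules are evaluated in order: keep this line above "http_access deny all"
http_access allow auth_users
Step 5: Now, restart the squid server for the configuration changes to take effect.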
sudo systemctl restart squid
Step 6: Now, if you test the proxy connection using curl, you will get the “authentication required” message as shown below.
Now, test the connectivity with the proxy user and password we configured in step 3. An example syntax is shown below.
curl -x http://35.196.101.43:3128 --proxy-user pxuser:12345 -I http://google.com
With username and password, your proxy request should go through.
Blocking Websites
Another great use of the proxy server is restricting website access. Follow the steps below to create a block list.
Step 1: Open a blocked list file.
sudo vi /etc/squid/blocked_sites
Add the websites to be blocked in the file. For example,
facebook.com
twitter.com
instagram.com
Step 2: Open the squid config file.
sudo vi /etc/squid/squid.conf
Add the following to the ACL list.
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
# http_access rules are evaluated in order: keep this deny above the allow rules
http_access deny blocked_sites
Step 3: Restart the squid server.
sudo systemctl restart squid
Now, if you try to access a blocked site through the proxy, you will get a forbidden message.
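Squid evaluates http_access lines from top to bottom and the first matching line decides the request, so the authentication and block-list rules above only take effect when they sit before any broader allow rule and before http_access deny all. The shell check below is an added example, not part of the original article; it assumes the ACL names used on this page (localnet, auth_users, blocked_sites) and runs on a constructed sample config.

```shell
#!/bin/sh
# Added example. Squid evaluates http_access lines top to bottom and the first
# matching line decides the request, so the position of the article's
# "allow auth_users" and "deny blocked_sites" rules matters.

# audit_http_access FILE: print one finding per line, nothing if the order is sound.
audit_http_access() {
    awk '
    function shadow(tag, early, late) {
        if ((early in first) && (late in first) && first[early] < first[late])
            printf "%s: line %d (%s) is never reached by requests matching line %d (%s)\n",
                   tag, first[late], late, first[early], early
    }
    $1 == "http_access" {                       # ignore comments and other directives
        rule = $2
        for (i = 3; i <= NF; i++) rule = rule " " $i
        if (!(rule in first)) first[rule] = NR  # keep the first occurrence only
    }
    END {
        shadow("AUTH_BYPASS", "allow localnet", "allow auth_users")
        shadow("BLOCKLIST_SHADOWED", "allow localnet", "deny blocked_sites")
        shadow("BLOCKLIST_SHADOWED", "allow auth_users", "deny blocked_sites")
        shadow("UNREACHABLE", "deny all", "allow auth_users")
        shadow("UNREACHABLE", "deny all", "deny blocked_sites")
    }' "$1"
}

# Constructed sample: the snippets from this page appended after the stock rules.
sample_conf() {
    cat <<'EOF'
acl localnet src 203.0.113.0/24
http_access allow localnet
http_access allow localhost
http_access deny all
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_http_access "$tmp"
rm -f "$tmp"
```

Run audit_http_access against /etc/squid/squid.conf after each edit; squid -k parse validates the syntax of the file but says nothing about rule order.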
19 comments
Our squid proxy is set to deny all except whitelisted sites. We added appropriate sites to the whitelist but we are still having errors with our devices when trying to reach an external vendor site.
This vendor product is using port 443 to send MQTT traffic to a remote server. We think that our Squid proxy currently only passes http and https. How do you configure squid to allow MQTT?
Hi. I wanted to know if this article is still valid for current linux and squid versions? Thanks!
Hi Mitch, the article was written in 2018. I need to check and update for the latest changes.
Yeah, it worked properly.
The only part which I had to change in Ubuntu 20 was:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
That should be changed to:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
because its path was different.
Is it possible to use Squid to generate proxies from a subnet?
Can anybody help me with generating proxies?
Hi David,
Do you mean using SQUID as a proxy for the internet from your private subnets? or between subnets? If yes, both are possible.
Good info, thanks
Really very crisp and useful information. Thanks.
You are welcome Gautham. Glad it helped.
Hi,
How do I add multiple proxy servers? My organization has several restrictions and so many proxies exist for each purpose. So I have to connect to two websites using a different proxy for each and the same user. How do I add them?
Hi Reddy, is it terminal access or through the application?
Thanks for the good article.
I have set up the proxy on a GCP project to call APIs on an on-prem server via a Mule gateway. 80% of requests are successful but the rest are failing due to the token-expired check at the APIs. I have tested the API using SoapUI and it’s passing every time. So I suspect there is some issue in the proxy which is delaying sending the request to the API before the token expires (token expiry time is 30 sec).
Could you tell me how to diagnose this issue with the proxy?
I want to use http injector
Thank you for the info. Was wondering if there a way to block all http & https sites and only allow specific sites to be accessed? Appreciate any help!
Thanks
Yes. You can do that using http_access configs: http://www.squid-cache.org/Doc/config/http_access/
Please refer to that doc.
http_access deny all –> this will deny all websites and allow only whitelisted ones.
Thank you for the quick response! I did set that up and am testing now. For example, I allowed .yahoo.com and it worked but it’s not loading images. I have increased all of the Disk cache and Object size but still not coming up. Any idea what I’m doing wrong? https://uploads.disquscdn.com/images/0a9fdd74ea5bde87fe0b954523823f4ac367127934c09ea1e7b3527001e08a99.png
Hi, very good article.
I’m trying to configure Squid in a particular way but I don’t know if it’s possible…
I need to map a user to one specific port. For example, if I have 3 users in the proxy server but want each one to only access a specific port…
USER1 – PORT 11111
USER2 – PORT 22222
With the configuration above, if user2 runs a port scan against the proxy server, he finds port 11111 open and can use it in the same way he uses 22222, because access is allowed for every user in the passwd file.
Many thanks,
Best regards,
Hey thanks for the article! I was hoping I could get some clarification/help on being able to create multiple proxies on a dedicated server for example. I would only like one proxy per connection and nothing like rotating the proxies under one connection (if this makes sense). I hope to hear back from you regarding this soon :).
I am pulling my hair out. Every time I check my IP (web running through the squid proxy) from a site like whatsmyip.org, I get a different IP address each time. I only want the public IP address of the squid proxy server to show.