6.13 How to install and configure Squid proxy server


Squid is a convenient open-source proxy server that provides caching and proxy services for HTTP, HTTPS, FTP, and other network protocols. It is widely used in corporate networks for traffic optimization, security enhancement, and access control to web resources.

The main advantages of Squid are its high performance, configuration flexibility, and the ability to significantly reduce bandwidth load through caching. This makes it an excellent choice for both small offices and large organizations.

Over the years of development, Squid has become the de facto standard for Linux systems, offering rich functionality for content filtering, user authentication, and network traffic monitoring.

Important: before installation, make sure your system meets the minimum requirements.

  • Minimum 1 GB of RAM.
  • At least 10 GB of free disk space.
  • Static IP address.
  • Superuser (root) privileges.

Installation Procedure

Installation for Debian/Ubuntu OS:
  1. Update the system:
     sudo apt update
     sudo apt upgrade -y
  2. Install Squid:
     sudo apt install squid -y
  3. Check status (the Debian package enables and starts the service on installation):
     sudo systemctl status squid

Installation for CentOS, AlmaLinux, RockyLinux (on CentOS 8 and later, AlmaLinux and RockyLinux, yum is an alias for dnf):
  1. Update the system:
     sudo yum update -y
  2. Install Squid:
     sudo yum install squid -y
  3. Enable and start the service, then check its status. Packages on this family do not start services automatically, so without this step the status check reports the service as inactive:
     sudo systemctl enable --now squid
     sudo systemctl status squid

Basic Configuration

  1. Open the configuration file:
     sudo nano /etc/squid/squid.conf
  2. Basic settings:
http_port 3128
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
     Squid evaluates http_access rules from top to bottom and the first matching rule wins, so http_access deny all must remain the last rule. Note that the squid.conf shipped with the package already declares an ACL named localnet covering all RFC 1918 ranges; a second acl localnet line is merged into that ACL rather than replacing it, so comment out the shipped localnet lines (or use a different ACL name) if access really should be limited to 192.168.1.0/24.
  3. Check the syntax, then restart the service:
     sudo squid -k parse
     sudo systemctl restart squid

Authentication Configuration Setup

Creating Password File

  1. Create the first user. The htdigest tool is part of apache2-utils on Debian/Ubuntu and httpd-tools on CentOS, AlmaLinux and RockyLinux; the -c option creates the file (and deletes an existing one with the same name):
     sudo htdigest -c /etc/squid/passwords proxy newuser
  2. Add subsequent users without the -c option, otherwise the file is overwritten:
     sudo htdigest /etc/squid/passwords proxy seconduser
  3. Set correct permissions. The authentication helper runs as the account Squid runs as (proxy on Debian/Ubuntu, squid on the CentOS family), so that account needs read access and nobody else should have any; -R is not needed for a single file:
     sudo chown root:proxy /etc/squid/passwords
     sudo chmod 640 /etc/squid/passwords

Enabling Digest Authentication in squid.conf

Edit the /etc/squid/squid.conf file. The auth_param lines and the proxy_auth ACL must appear before the http_access rules that use them, and http_access deny all stays the last rule (the original snippet omitted it, which leaves the proxy open to any client that sends no credentials at all only if no later deny rule exists, so add it explicitly):

http_port 3128

# Digest authentication setup
# -c tells the helper that the file holds hashed (HA1) passwords, which is what htdigest writes
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Unrelated to authentication; optional
dns_v4_first on

Important points when setting up digest authentication:

  1. Make sure the path to digest_file_auth is correct for your system: it is /usr/lib/squid/digest_file_auth on Debian/Ubuntu and /usr/lib64/squid/digest_file_auth on CentOS, AlmaLinux and RockyLinux. Run sudo squid -k parse after editing; Squid refuses to start if the helper path is wrong.
  2. The realm (proxy in our case) must be identical, including letter case, in the htdigest command and in the auth_param digest realm line. The stored hash is computed over the realm, so a user created under a different realm can never log in.
  3. Rule order matters. If http_access allow localnet from the basic configuration is still above http_access allow authenticated, clients in the local network are never asked for credentials. To require both, use a single rule such as http_access allow localnet authenticated.
  4. The dns_v4_first line only makes Squid prefer IPv4 addresses and has nothing to do with authentication; it is deprecated in recent Squid releases, so remove it if squid -k parse rejects it.
  5. Regularly update user passwords and remove inactive users.
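The ordering and realm pitfalls from the basic configuration and the digest authentication sections can be caught before restarting Squid. The following validator is an added example, not Squid's own tooling: it parses a squid.conf fragment, reports ACLs used before they are declared, an http_access allow rule that lets clients through before the proxy_auth rule, and a missing final deny all, and it checks that every entry of the htdigest password file uses the realm configured in squid.conf. The two configuration fragments and the password entries are constructed for the example; the helper path and realm are the ones from this page. It does not replace squid -k parse, which checks syntax but accepts these logical mistakes.

```python
"""Added example (not Squid's own tooling): static checks for a squid.conf
fragment and its htdigest password file."""
import hashlib

BUILTIN_ACLS = {"all"}              # Squid predefines 'all'; nothing else is implicit
TERMINAL_DENY = ("deny", ["all"])


def parse_squid_conf(text):
    """Return (acl_types, rules, realm).

    acl_types: name -> list of ACL types (the same name on several lines is one
               merged ACL in Squid).
    rules:     ordered http_access entries (action, [acl names], names declared
               above this line), since Squid rejects an ACL used before it is declared.
    realm:     value of 'auth_param digest realm', or None.
    """
    acl_types, rules, realm = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acl_types.setdefault(parts[1], []).append(parts[2])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:], frozenset(acl_types)))
        elif parts[:3] == ["auth_param", "digest", "realm"] and len(parts) > 3:
            realm = " ".join(parts[3:])
    return acl_types, rules, realm


def audit_http_access(acl_types, rules):
    """Findings about rule order; an empty list means nothing obvious is wrong."""
    findings = []
    auth_acls = {n for n, types in acl_types.items() if "proxy_auth" in types}
    seen_auth_rule = False
    for index, (action, names, declared) in enumerate(rules, start=1):
        bare = [n.lstrip("!") for n in names]       # '!name' negates an ACL
        for name in bare:
            if name not in declared and name not in BUILTIN_ACLS:
                findings.append(f"rule {index}: ACL '{name}' is not defined above this line")
        if set(bare) & auth_acls:
            seen_auth_rule = True
        elif action == "allow" and auth_acls and not seen_auth_rule:
            # First match wins: clients hitting this allow are never challenged.
            findings.append(f"rule {index}: 'allow {' '.join(names)}' matches before "
                            "the proxy_auth rule, so those clients never authenticate")
    if not rules or (rules[-1][0], rules[-1][1]) != TERMINAL_DENY:
        findings.append("last http_access rule is not 'deny all'")
    return findings


def htdigest_entry(user, realm, password):
    """One line as htdigest writes it and digest_file_auth -c reads it:
    user:realm:MD5(user:realm:password), the HA1 value of HTTP Digest auth."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"


def audit_realms(password_file_text, config_realm):
    """Users whose stored realm differs from the squid.conf realm (case matters:
    HA1 is hashed over the realm, so such entries can never match a login)."""
    mismatched = []
    for line in password_file_text.splitlines():
        if line.strip():
            user, realm, _ha1 = line.split(":", 2)
            if realm != config_realm:
                mismatched.append(user)
    return mismatched


def audit_conf(text):
    acl_types, rules, _realm = parse_squid_conf(text)
    return audit_http_access(acl_types, rules)


# Constructed fragment: the basic and digest snippets concatenated as written,
# plus a time rule that references an ACL never declared.
AS_WRITTEN = """
http_port 3128
acl localnet src 192.168.1.0/24
http_access allow localnet
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access allow authenticated working_hours
"""

# Constructed corrected fragment: one rule requiring LAN AND credentials AND hours.
CORRECTED = """
http_port 3128
acl localnet src 192.168.1.0/24
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
acl working_hours time MTWHF 9:00-18:00
http_access allow localnet authenticated working_hours   # all three must match
http_access deny all
"""

if __name__ == "__main__":
    for finding in audit_conf(AS_WRITTEN):
        print("as written:", finding)
    print("corrected:", audit_conf(CORRECTED) or "no findings")
    # Constructed password file; the second user was created under realm "Proxy".
    passwords = "\n".join([htdigest_entry("newuser", "proxy", "s3cret"),
                           htdigest_entry("seconduser", "Proxy", "hunter2")])
    print("realm mismatch:", audit_realms(passwords, "proxy"))
```

On the fragment as written the validator reports the unauthenticated allow localnet rule, the undeclared working_hours ACL and the missing deny all; on the corrected fragment it reports nothing. The realm check catches the case difference that htdigest happily accepts.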

Additional Authentication Security Settings

  1. Limiting simultaneous connections. Squid has no tcp_outgoing_connection_limit directive; the supported mechanism is a maxconn ACL, which counts established connections per client IP address (not per user name) and is used in a deny rule placed before the allow rules:
acl user1 proxy_auth username1
acl too_many maxconn 10
http_access deny user1 too_many
  2. Speed limiting with delay pools. A class 2 pool takes two restore/maximum pairs, first for the whole pool and then per client host; -1 means unlimited, and the units are bytes per second and bytes of burst, so the settings below give each authenticated client about 10 KB/s with a 20 KB burst:
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 10000/20000
delay_access 1 allow authenticated
  3. Time-based access restrictions. Because the first matching rule wins, this rule only takes effect if it is placed before any unconditional http_access allow authenticated line and before http_access deny all:
acl working_hours time MTWHF 9:00-18:00
http_access allow authenticated working_hours

User Access Monitoring

To follow a particular user's activity, filter the access log on the user name, which is the eighth field of Squid's default log format (a - in that field means no credentials were accepted for the request):

sudo tail -f /var/log/squid/access.log | grep username

Lines with TCP_DENIED/407 are requests refused for missing or wrong credentials. One such line per client is normal (it is the challenge that makes the browser send credentials); a steady stream of them from one client address means a misconfigured client, a removed user, or someone guessing passwords.

Important: when operating authentication.

  1. Change passwords regularly.
  2. Use complex passwords.
  3. Remove inactive users.
  4. For corporate use, consider integration with LDAP or Active Directory instead of a local password file.
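Grepping for one user name does not show who is failing authentication. The script below is an added example, not part of Squid: it parses lines in Squid's default log format, sums transferred bytes per authenticated user, counts TCP_DENIED/407 responses per client address and flags addresses that exceed a threshold. The log lines are constructed for the example (client addresses from 192.168.1.0/24 and documentation ranges); summarize_file can be pointed at /var/log/squid/access.log to run the same analysis on a real log.

```python
"""Added example (not part of Squid): per-user traffic summary and detection of
clients that keep failing proxy authentication, from access.log lines."""
from collections import Counter, defaultdict


def parse_access_line(line):
    """Fields of the default 'squid' logformat: time duration client
    result/status bytes method url user hierarchy/peer content-type.
    The user field is '-' when no credentials were accepted."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    result, status = parts[3].split("/", 1)
    return {"time": float(parts[0]), "client": parts[2], "result": result,
            "status": int(status), "bytes": int(parts[4]), "method": parts[5],
            "url": parts[6], "user": parts[7]}


def summarize(lines, max_auth_failures=5):
    """Return (bytes per user, 407 count per client, clients over the limit).

    One TCP_DENIED/407 per client is the normal challenge; a burst from one
    address is a misconfigured client, a removed user, or password guessing."""
    bytes_per_user = defaultdict(int)
    auth_failures = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["user"] != "-":
            bytes_per_user[rec["user"]] += rec["bytes"]
        if rec["status"] == 407:            # Proxy Authentication Required
            auth_failures[rec["client"]] += 1
    flagged = sorted(c for c, n in auth_failures.items() if n > max_auth_failures)
    return dict(bytes_per_user), dict(auth_failures), flagged


def summarize_file(path, **kwargs):
    """Same analysis over a log file on disk, e.g. /var/log/squid/access.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh, **kwargs)


# Constructed sample: one normal challenge for .10, a burst of failures from .20,
# and an ACL denial (403) for an outside address, which is not an auth failure.
SAMPLE_LOG = [
    "1700000000.000      0 192.168.1.10 TCP_DENIED/407 3500 GET http://www.example.com/ - HIER_NONE/- text/html",
    "1700000000.120    120 192.168.1.10 TCP_MISS/200 15234 GET http://www.example.com/ alice HIER_DIRECT/203.0.113.10 text/html",
    "1700000000.300     80 192.168.1.10 TCP_HIT/200 5120 GET http://www.example.com/logo.png alice HIER_NONE/- image/png",
    "1700000002.300    200 192.168.1.30 TCP_TUNNEL/200 8000 CONNECT mail.example.com:443 bob HIER_DIRECT/203.0.113.25 -",
    "1700000003.000      0 10.0.0.5 TCP_DENIED/403 3200 GET http://www.example.com/ - HIER_NONE/- text/html",
] + [
    f"170000000{i}.500      0 192.168.1.20 TCP_DENIED/407 3500 GET http://www.example.com/ - HIER_NONE/- text/html"
    for i in range(6)
]

if __name__ == "__main__":
    per_user, failures, flagged = summarize(SAMPLE_LOG)
    print("bytes per user:", per_user)
    print("407s per client:", failures)
    print("clients over threshold:", flagged)
```

The threshold is deliberately higher than one: every client earns a single 407 before it sends credentials, so only repeated failures from the same address are reported. The 403 from 10.0.0.5 is an ACL denial and is kept out of the authentication count.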

Firewall Configuration

Iptables Configuration

Important: before making changes to iptables, always save the current rules.

This will allow you to restore the settings in case of an error.

  1. sudo iptables-save > /root/iptables.backup

To restore the rules, you can use the command:

  1. sudo iptables-restore < /root/iptables.backup

Basic Rules for Squid:

Rules in a chain are checked in order, and the first ACCEPT, DROP or REJECT that matches decides the packet. An unrestricted ACCEPT for port 3128 added first makes any later restriction on that port unreachable, and a LOG rule placed after a DROP never fires because DROP is terminating and LOG is not. The rules below are therefore in the order in which they must be added:

  1. # Allow connections to the proxy port from the local network only
  2. sudo iptables -A INPUT -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT
  3. # Log (rate limited, so a scan cannot flood the log) and then drop everything else that reaches the proxy port
  4. sudo iptables -A INPUT -p tcp --dport 3128 -m limit --limit 5/min -j LOG --log-prefix "SQUID_DENIED: "
  5. sudo iptables -A INPUT -p tcp --dport 3128 -j DROP

Two rules from the original list are intentionally left out. A rule allowing outgoing packets with source port 3128 is unnecessary while the OUTPUT policy is ACCEPT. NAT for proxy clients (sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE) is only relevant when the proxy host also routes the clients' traffic; it then also needs net.ipv4.ip_forward=1 and matching FORWARD rules, and a proxy does not need it to serve requests.
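Rule shadowing of the kind described above is easy to miss once a chain has a dozen entries. The script below is an added example and not an iptables feature: it parses a list of iptables commands (the options used on this page: -t, -A, -p, --dport, -s, -j) and reports every rule that an earlier ACCEPT, DROP or REJECT in the same table and chain makes unreachable. It needs no root privileges because it never runs iptables. The two rule lists are constructed for the example: the first is the unrestricted ACCEPT followed by the restrictions, the second the corrected order.

```python
"""Added example (not an iptables feature): find rules in a list of iptables
commands that can never match because an earlier terminating rule in the same
chain already decides the same packets."""
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is not: the packet continues down the chain


def parse_rule(command):
    """Reduce one 'iptables -A CHAIN ... -j TARGET' command to a match dict."""
    tokens = shlex.split(command)
    rule = {"table": "filter", "chain": None, "proto": None, "dport": None,
            "src": None, "target": None}
    flags = {"-t": "table", "-A": "chain", "-p": "proto", "--dport": "dport",
             "-s": "src", "-j": "target"}
    i = 0
    while i < len(tokens):
        key = flags.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1                           # options we do not model are skipped
    return rule


def covers(earlier, later):
    """True when every packet that matches 'later' also matches 'earlier'."""
    if earlier["table"] != later["table"] or earlier["chain"] != later["chain"]:
        return False
    for key in ("proto", "dport"):
        if earlier[key] is not None and earlier[key] != later[key]:
            return False
    if earlier["src"] is None:               # earlier matches any source
        return True
    if later["src"] is None:                 # later is broader than earlier
        return False
    return ipaddress.ip_network(later["src"]).subnet_of(ipaddress.ip_network(earlier["src"]))


def shadowed_rules(commands):
    """Findings for rules that an earlier ACCEPT/DROP/REJECT makes unreachable."""
    rules = [parse_rule(c) for c in commands]
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):
            earlier = rules[j]
            if earlier["target"] in TERMINATING and covers(earlier, later):
                findings.append(f"rule {i + 1} ({later['target']} dport {later['dport']}) never matches: "
                                f"rule {j + 1} already {earlier['target']}s those packets")
                break
    return findings


# Constructed list: an unrestricted ACCEPT first, then the restrictions.
AS_LISTED = [
    "iptables -A INPUT -p tcp --dport 3128 -j ACCEPT",
    "iptables -A OUTPUT -p tcp --sport 3128 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
    "iptables -A INPUT -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 3128 -j DROP",
    'iptables -A INPUT -p tcp --dport 3128 -j LOG --log-prefix "SQUID_DENIED: "',
]

# Constructed list with the same intent: restrictive rule first, LOG before DROP.
REORDERED = [
    "iptables -A INPUT -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT",
    'iptables -A INPUT -p tcp --dport 3128 -m limit --limit 5/min -j LOG --log-prefix "SQUID_DENIED: "',
    "iptables -A INPUT -p tcp --dport 3128 -j DROP",
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
]

if __name__ == "__main__":
    for finding in shadowed_rules(AS_LISTED):
        print("as listed:", finding)
    print("reordered:", shadowed_rules(REORDERED) or "no unreachable rules")
```

For the first list the script reports rules 4, 5 and 6 as shadowed by rule 1; dropping that first ACCEPT still leaves the LOG rule unreachable behind the DROP, which the script reports as well. The reordered list produces no findings. The check is conservative in one direction only: it models sources as CIDR subsets and ignores options it does not know, so it may miss shadowing involving other matches but will not report a reachable rule as unreachable for the options it models.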

Port Forwarding Configuration (transparent proxy):

Intercepted traffic must not be redirected to the regular forward-proxy port. Squid needs a separate listener declared with the intercept option (for example http_port 3129 intercept in squid.conf, kept next to the normal http_port 3128); intercepted requests arriving on a plain http_port are rejected as invalid because their request line carries a relative URL. Apply the redirect on the interface facing the clients and only for the client network:

  1. # Redirect client HTTP traffic to the Squid intercept port
  2. sudo iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129

Redirecting port 443 in the same way does not work: the client sends a TLS handshake, not an HTTP request, so neither a plain http_port nor an HTTP intercept port can serve it. Intercepting HTTPS requires an https_port ... intercept ssl-bump listener together with a CA certificate installed on every client, which is outside the scope of this page.

How to save firewall rules for different systems.

iptables for Debian/Ubuntu:

Use iptables-persistent to save the rules.

  1. sudo apt install iptables-persistent
  2. sudo netfilter-persistent save

iptables for CentOS:

Use the iptables service, provided by the iptables-services package. On CentOS 7 and later, AlmaLinux and RockyLinux, firewalld is the default front end; use either raw iptables with this service or firewalld, not both, because they will overwrite each other's rules.

  1. sudo service iptables save

ufw for Ubuntu/Debian:

Allow the proxy port through UFW for the client network only, rather than opening it to every source.

  1. sudo ufw allow from 192.168.1.0/24 to any port 3128 proto tcp

firewalld for CentOS:

Add the port permanently through firewalld and reload.

  1. sudo firewall-cmd --permanent --add-port=3128/tcp
  2. sudo firewall-cmd --reload

Each method saves the rules so that they are applied again automatically after a system reboot.

Automating Iptables Configuration

Create a file setup_squid_iptables.sh (for example with sudo nano setup_squid_iptables.sh) with the following content. The script sets a default DROP policy on INPUT, so it explicitly allows SSH from the LAN before anything else; without that line, running it over a remote session locks you out. Run it with sudo bash setup_squid_iptables.sh.

#!/bin/bash
set -e

LAN=192.168.1.0/24   # client network allowed to use the proxy
WAN_IF=eth0          # interface towards the Internet

# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Set base policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow local traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host opened
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Keep remote administration working (from the LAN only)
iptables -A INPUT -p tcp --dport 22 -s "$LAN" -j ACCEPT

# Rules for Squid: accept the LAN, log (rate limited) and drop everybody else
iptables -A INPUT -p tcp --dport 3128 -s "$LAN" -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -m limit --limit 5/min -j LOG --log-prefix "SQUID_DENIED: "
iptables -A INPUT -p tcp --dport 3128 -j DROP

# Optional, only if this host also routes client traffic (needs net.ipv4.ip_forward=1).
# A proxy does not need this to serve requests, so it is disabled by default.
# iptables -A FORWARD -s "$LAN" -o "$WAN_IF" -j ACCEPT
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE

# Save rules
if [ -f /etc/debian_version ]; then
    netfilter-persistent save
else
    service iptables save
fi

Operation Check

To check that the proxy server works, send a request through it:

  1. curl -x http://localhost:3128 http://www.example.com

Note that a request from the proxy host itself arrives from 127.0.0.1, which is not part of the localnet ACL above; it is only accepted if the http_access allow localhost rule from the shipped squid.conf is still in place, so prefer testing from a client in 192.168.1.0/24. With authentication enabled, the command returns HTTP 407 Proxy Authentication Required until credentials are supplied with curl's --proxy-digest and -U user:password options; the successful request should then appear in /var/log/squid/access.log with the user name in the user field.

Additional Settings

Cache Configuration:

cache_dir ufs /var/spool/squid 10000 16 256
maximum_object_size 4096 KB

The cache_dir parameters are the cache size in megabytes (10000 MB here) followed by the number of first-level and second-level subdirectories; objects larger than maximum_object_size are served but not stored. If you point cache_dir at a directory that has not been initialised before, create the cache structure with sudo squid -z (recent packages do this from the systemd unit) before restarting.

Logging Configuration:

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

We recommend regularly checking the logs for suspicious activity, keeping Squid up to date with security updates, and consulting the official Squid documentation for further information.