Introduction
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
(You can learn more at: http://www.squid-cache.org/ and https://wiki.archlinux.org/index.php/squid)
We will now set up squid as either a public or a private proxy service. A public proxy is prone to abuse (anyone who can reach the port can relay traffic through your host), so be ready for it. For private use we will add username and password authentication to protect the proxy. Let us begin.
Installation and Configuration
$ sudo apt install squid sarg apache2-utils
Let us create a backup of squid.conf first. (Note: squid.conf is heavily commented, so if you want to read more just read the file; if you are lazy, create a new file and use my configuration.)
$ sudo cp -v /etc/squid/squid.conf /etc/squid/squid.conf.backup
Create a new squid.conf and put in the following (FOR PUBLIC). Note that this variant places no restriction on destination ports, so clients can also CONNECT to arbitrary ports through it; the private configuration further down shows the Safe_ports/SSL_ports rules that prevent that.
$ sudo nano /etc/squid/squid.conf
# allow all access (CAUTION)
# Squid 3.2+ predefines the ACLs "all", "localhost" and "manager"; redefining
# "all" with "acl all src all" only produces a duplicate-subnet warning, so it
# is not repeated here.
# hide squid version in error pages
httpd_suppress_version_string on
# specify proxy port (default 3128)
http_port 3128
# improve privacy: do not reveal client addresses or that a proxy is in the path
forwarded_for off
follow_x_forwarded_for deny all
visible_hostname mywebsite.host.com
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
# takes a number of pipelined requests; "on" is accepted as an alias for 1
pipeline_prefetch 1
shutdown_lifetime 1 second
# no inter-cache (ICP/HTCP) or SNMP listeners
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
snmp_port 0
snmp_access deny all
# you can put your pi-hole address here instead of OpenDNS
dns_nameservers 208.67.222.222
# bandwidth limits
# https://wiki.squid-cache.org/Features/DelayPools
# A pool may only be declared once, so one class 3 pool is used for both the
# total limit and the per-client limit. Class 3 takes three restore/max pairs
# (bytes per second): aggregate, per-network (-1 = unlimited), per-client.
delay_pools 1
delay_class 1 3
delay_parameters 1 64000/64000 -1/-1 32000/64000
delay_access 1 allow all
# you can set an access window (eg. allow proxy access on 8am to 5pm weekdays)
# day letters are S M T W H F A (H = Thursday, A = Saturday)
acl pub_net src all
acl pub_hour time MTWHF 8:00-17:00
http_access allow pub_net pub_hour
http_access deny all
# to disable logging, uncomment the next two lines
#access_log none
#cache_store_log none
For Private Proxy Service: (squid.conf)
Please adjust the allowed ports, the LAN network and the other options to your environment.
# set acl ports (destination ports clients may reach; CONNECT only to SSL_ports)
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
# hide squid version in error pages
httpd_suppress_version_string on
# specify proxy port (default 3128)
http_port 3128
# improve privacy: do not reveal client addresses or that a proxy is in the path
forwarded_for off
follow_x_forwarded_for deny all
visible_hostname mywebsite.host.com
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
# takes a number of pipelined requests; "on" is accepted as an alias for 1
pipeline_prefetch 1
shutdown_lifetime 1 second
# no inter-cache (ICP/HTCP) or SNMP listeners
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
snmp_port 0
snmp_access deny all
# you can put your pi-hole address here instead of OpenDNS
dns_nameservers 208.67.222.222
# bandwidth limits
# https://wiki.squid-cache.org/Features/DelayPools
# one class 3 pool gives both a total limit and a per-client limit:
# aggregate, per-network (-1 = unlimited), per-client (bytes/s restore/max)
delay_pools 1
delay_class 1 3
delay_parameters 1 64000/64000 -1/-1 32000/64000
delay_access 1 allow all
# Proxy Authentication Config
# -c tells the helper the file holds HA1 hashes, which is what htdigest writes;
# the realm must match the one given to htdigest ("proxy" below)
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
# allow access from the internal LAN network without a password. This line must
# come before the proxy_auth line: Squid sends a 407 challenge as soon as an
# http_access line ending in a proxy_auth ACL fails to match, so LAN clients
# would otherwise be asked for credentials too.
acl ip_acl src 192.168.1.0/24
http_access allow ip_acl
# everyone else must authenticate
http_access allow authenticated
http_access deny all
# to disable logging, uncomment the next two lines
#access_log none
#cache_store_log none
Add users to the proxy. The -c flag creates (and overwrites) the password file, so leave it out when adding further users; the realm argument (proxy) must match the auth_param digest realm above. Squid runs as the proxy user on Debian/Ubuntu, so the file should be owned by root:proxy with mode 640 rather than world-readable, since the HA1 hashes in it are enough to authenticate to this realm.
# htdigest -c /etc/squid/passwords proxy <usernamehere>
Check the configuration syntax (squid -k parse), then start squid in the foreground temporarily to see any errors (-N no daemon, -C do not catch fatal signals, -d1 debug level 1 on stderr). Stop it with Ctrl-C and restart the squid service normally afterwards:
# squid -NCd1
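Squid refuses to start when an http_access line names an ACL that no acl line has defined above it (the private configuration needs acl SSL_ports port 443 for its CONNECT rule, for instance). The following shell function is an added example, not part of Squid and not code from the original post: it lists ACL names that http_access, http_reply_access or delay_access reference before any acl line defines them, treating the names Squid 3.2+ predefines (all, localhost, to_localhost, manager; an assumed list, extend it for your version) as built in. It runs on a constructed copy of the private access rules with the SSL_ports line left out.

```shell
#!/bin/sh
# Added example: find ACL names that access rules reference before an "acl"
# line defines them. Squid aborts with "ACL name 'X' not defined" on these.
# Not part of Squid; a quick lint to run before "squid -k parse".

# Names Squid 3.2+ predefines (assumption for this example; extend as needed).
BUILTIN_ACLS="all localhost to_localhost manager"

# undefined_acls FILE -> prints each offending ACL name once, in order of use
undefined_acls() {
    awk -v builtins="$BUILTIN_ACLS" '
    BEGIN {
        n = 0
        split(builtins, b, " ")
        for (i in b) builtin[b[i]] = 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
    $1 == "acl" { defined[$2] = 1; next }            # definition; order matters
    $1 == "http_access" || $1 == "http_reply_access" || $1 == "delay_access" {
        # http_access allow|deny ACL...   delay_access N allow|deny ACL...
        first = ($1 == "delay_access") ? 4 : 3
        for (i = first; i <= NF; i++) {
            name = $i
            sub(/^!/, "", name)                      # strip negation
            if (name in defined || name in builtin || name in seen) continue
            seen[name] = 1
            order[++n] = name
        }
    }
    END { for (i = 1; i <= n; i++) print order[i] }
    ' "$1"
}

# Constructed sample: the post's private access rules with SSL_ports missing.
broken_conf() {
cat <<'EOF'
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
acl ip_acl src 192.168.1.0/24
http_access allow ip_acl
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
EOF
}

# lint_sample [fixed] -> lint the sample, optionally with the missing line added
lint_sample() {
    f=$(mktemp)
    { [ "$1" = "fixed" ] && echo "acl SSL_ports port 443"; broken_conf; } > "$f"
    undefined_acls "$f"
    rm -f "$f"
}

# Against a real file: undefined_acls /etc/squid/squid.conf
lint_sample            # prints: SSL_ports
lint_sample fixed      # prints nothing
```

The lint deliberately only counts a definition that appears earlier in the file, because that is what Squid requires; it does not validate the ACL types or values themselves, which squid -k parse still has to do.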
Watch the access log. The user name field shows who authenticated; TCP_DENIED/407 lines are challenges for missing or wrong credentials, and a browser normally produces one of them before its first authenticated request:
# tail -f /var/log/squid/access.log
Protect squid with Fail2ban.
$ sudo apt install fail2ban
Fail2ban ships a squid filter that matches denied requests in access.log. Append the jail to an existing file or create a new one, then restart the fail2ban service.
$ sudo nano /etc/fail2ban/jail.d/default.conf
[squid]
enabled = true
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
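What the fail2ban jail automates is a count of denied replies per client address inside a time window. The script below is an added example, not fail2ban's own filter and not code from the original post: it does that count over a few constructed access.log lines in Squid's native log format, so you can see how a credential-guessing client differs from a browser that is merely challenged once. The thresholds are named after fail2ban's maxretry and findtime settings but are plain arguments of this script.

```shell
#!/bin/sh
# Added example: spot clients that trip the proxy's 407 challenge repeatedly,
# the same signal fail2ban's squid jail acts on. Not part of fail2ban or Squid.

# Constructed access.log lines in Squid's native format:
# time elapsed client action/status size method URL user hierarchy/peer type
sample_access_log() {
cat <<'EOF'
1700000000.101     12 203.0.113.7 TCP_DENIED/407 3912 GET http://example.com/ - HIER_NONE/- text/html
1700000001.220     10 203.0.113.7 TCP_DENIED/407 3912 GET http://example.com/ - HIER_NONE/- text/html
1700000002.330     11 203.0.113.7 TCP_DENIED/407 3912 GET http://example.com/ - HIER_NONE/- text/html
1700000003.440      9 203.0.113.7 TCP_DENIED/407 3912 GET http://example.com/ - HIER_NONE/- text/html
1700000004.550     13 203.0.113.7 TCP_DENIED/407 3912 GET http://example.com/ - HIER_NONE/- text/html
1700000005.660    240 192.168.1.20 TCP_MISS/200 18432 GET http://example.org/ alice HIER_DIRECT/93.184.216.34 text/html
1700000006.770     14 192.168.1.21 TCP_DENIED/407 3912 CONNECT example.net:443 - HIER_NONE/- text/html
1700000007.880    300 192.168.1.21 TCP_TUNNEL/200 9201 CONNECT example.net:443 bob HIER_DIRECT/93.184.216.34 -
1700000008.990     10 198.51.100.9 TCP_DENIED/403 3500 CONNECT example.net:25 - HIER_NONE/- text/html
EOF
}

# brute_force_candidates MAXRETRY FINDTIME < access.log
# Prints "client total_407s" for each client that received MAXRETRY or more
# 407 replies inside some FINDTIME-second window (sliding over log order).
brute_force_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    $4 ~ /\/407$/ {
        ip = $3
        n[ip]++
        t[ip, n[ip]] = $1 + 0           # timestamps arrive in ascending order
    }
    END {
        for (ip in n) {
            j = 1
            for (i = 1; i <= n[ip]; i++) {
                while (t[ip, i] - t[ip, j] > findtime) j++
                if (i - j + 1 >= maxretry) { print ip, n[ip]; break }
            }
        }
    }'
}

# 203.0.113.7 collects five challenges in a few seconds: a guessing client.
# 192.168.1.21 is challenged once and then succeeds: a normal browser.
sample_access_log | brute_force_candidates 5 600     # prints: 203.0.113.7 5
# Against the live log: brute_force_candidates 5 600 < /var/log/squid/access.log
```

The 403 line for 198.51.100.9 is a CONNECT to port 25 rejected by the SSL_ports rule; it is ignored here on purpose, because a port-scan signature and a password-guessing signature deserve separate thresholds, which is also why fail2ban lets you set them per jail.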
Generate squid usage reports using SARG:
Edit the sarg configuration.
$ sudo nano /etc/sarg/sarg.conf
access_log /var/log/squid/access.log
graphs yes
graph_days_bytes_bar_color orange
# on current Debian/Ubuntu the DejaVu fonts live under /usr/share/fonts/truetype/dejavu/
graph_font /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf
# modify the output dir to match your own web server configuration
output_dir /var/www/squid-reports
#output_dir /var/lib/sarg
Execute sarg manually or use crontab.
$ sudo sarg -x
or run sarg from root's crontab (this entry runs it at the top of every hour):
$ sudo crontab -e
0 * * * * sarg -x
Visit: http://myserver.com/squid-reports
The reports list every client's visited URLs, so restrict access to that path in your web server rather than leaving it open to the world.
Done!
If squid will not start because the pinger helper cannot open its ICMP socket, disable it with pinger_enable off in squid.conf.
Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).
I hope that this post is useful to you, if you liked this post you may support me via liberapay. Thank you for your support.
References:
http://www.christianschenk.org/blog/tuning-and-hardening-squid/
https://wiki.squid-cache.org/Features/DelayPools
http://dabase.com/blog/Minimal_squid3_proxy_configuration/
https://www.linode.com/docs/networking/squid/squid-http-proxy-ubuntu-12-04/
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
https://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html