Yet Another Programming and Electronics Blog raspberry pi orange pi esp8266 microcontrollers arduino attiny wemos nodemcu gnu linux windows

Introduction

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

 

(You can learn more at: http://www.squid-cache.org/ and https://wiki.archlinux.org/index.php/squid)

We will now use squid as a public or private proxy service. Public proxy is prone to abuse so you better be ready for it. Private use we will add username and password authentication to protect our squid proxy service. Let us begin.

Installation and Configuration

$ sudo apt install squid sarg apache2-utils

Let us create a backup file of squid.conf (Note: squid.conf is heavily commented so if you want to read more just read the file or if you are lazy just create a new file and use my configuration.)

$ sudo cp -v /etc/squid/squid.conf /etc/squid/squid.conf.backup

Create a new file for squid.conf and put the following (FOR PUBLIC):

$ sudo nano /etc/squid/squid.conf

# allow all access (CAUTION)
acl all src all

# hide squid version in error pages
httpd_suppress_version_string on

# specify proxy port (default 3128)
http_port 3128

# improve privacy
via off
forwarded_for off
follow_x_forwarded_for deny all
visible_hostname mywebsite.host.com
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

pipeline_prefetch on
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
snmp_port 0
snmp_access deny all


#you can probably input your pi-hole address here
dns_nameservers 208.67.222.222

#bandwidth limit total
#https://wiki.squid-cache.org/Features/DelayPools
delay_pools 1
delay_class 1 1
delay_parameters 1 64000/64000 64000/64000
delay_access 1 allow all


# individual ip limit
acl only128kusers src all
delay_pools 1
delay_class 1 3
delay_access 1 allow only128kusers
delay_access 1 deny all
delay_parameters 1 64000/64000 -1/-1 32000/64000

# you can set access limit (eg. allow proxy access on 8am to 5pm weekdays)
acl pub_net src all
acl pub_hour time M T W T F 8:00-17:00
http_access allow pub_net pub_hour

# disable logging (uncomment to enable)
#cache_access_log none
#cache_store_log none

 

For Private Proxy Service: (squid.conf)

Please configure your allowed ports and other options.

# set acl ports
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777

acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost

# hide squid version in error pages
httpd_suppress_version_string on
# specify proxy port (default 3128)
http_port 3128

# improve privacy
via off
forwarded_for off
follow_x_forwarded_for deny all
visible_hostname mywebsite.host.com
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

pipeline_prefetch on
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
snmp_port 0
snmp_access deny all

#you can probably input your pi-hole address here
dns_nameservers 208.67.222.222
#bandwidth limit total
#https://wiki.squid-cache.org/Features/DelayPools
delay_pools 1
delay_class 1 1
delay_parameters 1 64000/64000 64000/64000
delay_access 1 allow all

# individual ip limit
acl only128kusers src all
delay_pools 1
delay_class 1 3
delay_access 1 allow only128kusers
delay_access 1 deny all
delay_parameters 1 64000/64000 -1/-1 32000/64000
# Proxy Authentication Config
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

#allow access from internal LAN network
acl ip_acl src 192.168.1.0/24
http_access allow ip_acl
http_access deny all

# disable logging (uncomment to enable)
#cache_access_log none
#cache_store_log none

Add users to proxy:

# htdigest -c /etc/squid/passwords proxy <usernamehere>

Start squid in debug mode temporarily to check for errors:

# squid -NCd1

View logged users:

# tail -f /var/log/squid/access.log

Protect squid with Fail2ban.

$ sudo apt install fail2ban

Append or create a new file and restart fail2ban.

$ sudo nano /etc/fail2ban/jail.d/default.conf

[squid]
enabled  = true
port     =  80,443,3128,8080
logpath  = /var/log/squid/access.log

Generate squid usage reports using SARG:

Configure sarg configuration.

$ sudo nano /etc/sarg/sarg.conf

access_log /var/log/squid/access.log
graphs yes
graph_days_bytes_bar_color orange
graph_font /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf

#modify your output dir to your own server configuration
output_dir /var/www/squid-reports
#output_dir /var/lib/sarg

Execute sarg manually or use crontab.

$ sudo sarg -x

or (run sarg every hour)

$ crontab -e

*/40 * * * * sudo sarg -x &

Visit: http://myserver.com/squid-reports

 

Done!
Disable pinger if you cannot restart squid3.

Except where otherwise noted, this work is licensed under Creative Commons Attribution-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-sa/4.0/).
I hope that this post is useful to you, if you liked this post you may support me via liberapay. Thank you for your support.

References:

http://www.christianschenk.org/blog/tuning-and-hardening-squid/

https://wiki.squid-cache.org/Features/DelayPools

http://dabase.com/blog/Minimal_squid3_proxy_configuration/

https://www.linode.com/docs/networking/squid/squid-http-proxy-ubuntu-12-04/

https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass

https://www.cyberciti.biz/tips/linux-unix-squid-proxy-server-authentication.html