Instructions for installing and configuring Squid Proxy on Ubuntu 20.04

### Installing Squid on Ubuntu

The Squid package is readily available in the default repositories of Ubuntu 20.04. To install it, simply execute the following commands:

```bash
sudo apt update
sudo apt install squid
```

Once the installation is complete, the Squid service will start automatically. To check the status of Squid, use the command:

```bash
sudo systemctl status squid
```


If Squid is installed successfully, you will see an output similar to the one below:


```
squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-10-23 19:02:43 UTC; 14s ago
Docs: man:squid(8)
```


### Configuring Squid


The main configuration file for Squid is located at `/etc/squid/squid.conf`. This file contains comments describing the function of each configuration option. You can write your own configuration files and include them in the main configuration file using the `include` directive.


Before making any changes, it is advisable to back up the original configuration file:


```bash
sudo cp /etc/squid/squid.conf{,.original}
```


Open the file with your preferred text editor; here we use nano:

```bash
sudo nano /etc/squid/squid.conf
```


By default, Squid listens on port 3128 on all network interfaces of the server. If you want to change the port for a specific interface, look for the line starting with `http_port` and specify the IP address of the interface and the new port. If no interface is specified, Squid will listen on all interfaces.


```conf
# Squid normally listens to port 3128
http_port IP_ADDR:PORT
```


Most users run Squid on all interfaces with the default port.


Squid allows you to control client access to web resources using Access Control Lists (ACLs). By default, access is allowed only from localhost. If all clients using this proxy have static IP addresses, the simplest option to control access to the proxy server is to create an ACL containing the allowed IP addresses. Alternatively, you can require authentication to use Squid.


Instead of adding IP addresses directly into the main configuration file, create a separate file to store the allowed IPs, such as `/etc/squid/allowed_ips.txt`, with content like:


```
192.168.33.1
# All other allowed IPs
```


After creating this file, open the main configuration file and create a new ACL named `allowed_ips` and allow access to this ACL using the `http_access` directive:


```conf
# ...
acl allowed_ips src "/etc/squid/allowed_ips.txt"
# ...
#http_access allow localnet
http_access allow localhost
http_access allow allowed_ips
# And finally deny all other access to this proxy
http_access deny all
```


The order of the `http_access` rules is crucial. Ensure you add these lines before the `http_access deny all` line. The `http_access` directive works like firewall rules. Squid reads the rules from top to bottom, and once a rule is successfully matched, subsequent rules are not executed.
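The first-match behaviour described above can be checked mechanically. The following script is an added example, not part of the original guide: it reports `http_access` rules that sit after `http_access deny all` and therefore never take effect. The function names and both sample configurations are constructed for illustration, and the check does not follow `include` directives.

```bash
#!/usr/bin/env bash
# Added example: flag http_access rules placed after "http_access deny all".
# Squid stops at the first matching rule, so those rules never take effect.

# lint_http_access FILE
# Prints one line per unreachable rule; returns 1 if any were found, else 0.
lint_http_access() {
    awk '
        # Commented-out and unrelated directives are ignored.
        $1 != "http_access" { next }
        seen_deny_all {
            printf "line %d is unreachable (deny all on line %d): %s\n", NR, deny_line, $0
            bad = 1
            next
        }
        NF == 3 && $2 == "deny" && $3 == "all" { seen_deny_all = 1; deny_line = NR }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample configs (not taken from a real server).
make_samples() {
    good_conf=$(mktemp)
    bad_conf=$(mktemp)
    cat > "$good_conf" <<'EOF'
acl allowed_ips src "/etc/squid/allowed_ips.txt"
#http_access allow localnet
http_access allow localhost
http_access allow allowed_ips
http_access deny all
EOF
    cat > "$bad_conf" <<'EOF'
acl allowed_ips src "/etc/squid/allowed_ips.txt"
http_access allow localhost
http_access deny all
http_access allow allowed_ips
EOF
}

make_samples
lint_http_access "$good_conf" && echo "good sample: rule order ok"
lint_http_access "$bad_conf" || echo "bad sample: move the allow rule above deny all"
```

On a real server, point `lint_http_access` at `/etc/squid/squid.conf` before restarting, alongside `sudo squid -k parse`, which checks the file's syntax.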


After making changes to the configuration file, restart the Squid service for the changes to take effect:


```bash
sudo systemctl restart squid
```


### Authentication in Squid


If IP-based access control is not suitable for your case, you can configure Squid to use a back-end for user authentication. Squid supports Samba, LDAP, and HTTP basic auth. In this guide, we will use basic auth, a simple authentication method using the HTTP protocol.


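To create a hashed password entry, use the `openssl` tool. The following command adds a `USERNAME:PASSWORD` pair to the `/etc/squid/htpasswd` file. Note that `-crypt` selects the traditional DES-based crypt(3) scheme, which uses only the first eight characters of the password:

```bash
printf "USERNAME:$(openssl passwd -crypt PASSWORD)\n" | sudo tee -a /etc/squid/htpasswd
```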


For example, to create a user `cloudzone` with the password `Cl@udZ@ne`, use the following command:


```bash
printf "cloudzone:$(openssl passwd -crypt 'Cl@udZ@ne')\n" | sudo tee -a /etc/squid/htpasswd
```


Next, enable HTTP basic authentication and include the file containing login information in the Squid configuration file. Open the main configuration file:


```bash
sudo nano /etc/squid/squid.conf
```


Add the following lines:


```conf
# ...
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# ...
#http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
```


Restart Squid:


```bash
sudo systemctl restart squid
```


### Configuring the Firewall


To open the port for Squid, allow the UFW `Squid` application profile:

```bash
sudo ufw allow 'Squid'
```


If Squid is running on a different port, such as 8888, use the following command:


```bash
sudo ufw allow 8888/tcp
```
