### Installing Squid on Ubuntu
The Squid package is readily available in the default repositories of Ubuntu 20.04. To install it, execute the following commands:
```bash
sudo apt update
sudo apt install squid
```
Once the installation is complete, the Squid service will start automatically. To check the status of Squid, use the command:
```bash
sudo systemctl status squid
```
If Squid is installed successfully, you will see an output similar to the one below:
```
squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-10-23 19:02:43 UTC; 14s ago
Docs: man:squid(8)
```
### Configuring Squid
The main configuration file for Squid is located at `/etc/squid/squid.conf`. This file contains comments describing the function of each configuration option. You can write your own configuration files and include them in the main configuration file using the `include` directive.
Before making any changes, it is advisable to back up the original configuration file:
```bash
sudo cp /etc/squid/squid.conf{,.original}
```
Open the file with your preferred text editor. Here we use nano:
```bash
sudo nano /etc/squid/squid.conf
```
By default, Squid listens on port 3128 on all network interfaces of the server. If you want to change the port for a specific interface, look for the line starting with `http_port` and specify the IP address of the interface and the new port. If no interface is specified, Squid will listen on all interfaces.
```conf
# Squid normally listens to port 3128
http_port IP_ADDR:PORT
```
Most users run Squid on all interfaces with the default port.
Squid allows you to control client access to web resources using Access Control Lists (ACLs). By default, access is allowed only from localhost. If all clients using this proxy have static IP addresses, the simplest option to control access to the proxy server is to create an ACL containing the allowed IP addresses. Alternatively, you can require authentication to use Squid.
Instead of adding IP addresses directly into the main configuration file, create a separate file to store the allowed IPs, such as `/etc/squid/allowed_ips.txt`, with content like:
```
192.168.33.1
# All other allowed IPs
```
After creating this file, open the main configuration file and create a new ACL named `allowed_ips` and allow access to this ACL using the `http_access` directive:
```conf
# ...
acl allowed_ips src "/etc/squid/allowed_ips.txt"
# ...
#http_access allow localnet
http_access allow localhost
http_access allow allowed_ips
# And finally deny all other access to this proxy
http_access deny all
```
The order of the `http_access` rules is crucial. Ensure you add these lines before the `http_access deny all` line. The `http_access` directive works like firewall rules. Squid reads the rules from top to bottom, and once a rule is successfully matched, subsequent rules are not executed.
After making changes to the configuration file, restart the Squid service for the changes to take effect:
```bash
sudo systemctl restart squid
```
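The first-match behaviour of `http_access` described above can be checked mechanically before restarting. The following is an added example, not part of the original guide: a small linter that reports rules placed after `http_access deny all`, a bare `http_access allow all`, and a missing final deny. The function name `check_http_access` and both sample configurations are constructed for illustration.

```bash
# Added example: lint the order of http_access rules in a Squid config.
# Squid stops at the first rule that matches, so a rule placed after
# "http_access deny all" never takes effect.

# check_http_access [FILE]  (reads stdin when FILE is omitted)
# Prints one finding per line; returns 0 when the order is sound, 1 otherwise.
check_http_access() {
    awk '
        $1 != "http_access" { next }      # skips comments, acl lines, blanks
        deny_all {                        # anything after the catch-all deny
            printf "line %d: unreachable after deny all (line %d): %s\n", NR, deny_all, $0
            bad = 1
            next
        }
        NF == 3 && $2 == "allow" && $3 == "all" {
            printf "line %d: allows every client (open proxy): %s\n", NR, $0
            bad = 1
        }
        NF == 3 && $2 == "deny" && $3 == "all" { deny_all = NR }
        END {
            if (!deny_all) { print "no final \"http_access deny all\" rule"; bad = 1 }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample: the allow rule was appended below the final deny.
sample_bad() {
    cat <<'EOF'
acl allowed_ips src "/etc/squid/allowed_ips.txt"
#http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow allowed_ips
EOF
}

# Constructed sample: the same rules in the order this guide uses.
sample_good() {
    cat <<'EOF'
acl allowed_ips src "/etc/squid/allowed_ips.txt"
#http_access allow localnet
http_access allow localhost
http_access allow allowed_ips
http_access deny all
EOF
}

echo "== misordered =="; sample_bad | check_http_access || true
echo "== correct ==";    sample_good | check_http_access && echo "ok"
```

To check the live configuration, run `check_http_access /etc/squid/squid.conf` before restarting the service.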
### Authentication in Squid
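If IP-based access control is not suitable for your case, you can configure Squid to use a back-end for user authentication. Squid supports Samba, LDAP, and HTTP basic auth. In this guide, we will use basic auth, a simple authentication method using the HTTP protocol. Basic auth sends the credentials base64-encoded rather than encrypted, so anyone who can observe the traffic between client and proxy can read them.
To create a hashed password, use the `openssl` tool. The following command appends a `USERNAME:PASSWORD` pair, with the password stored as a hash, to the `/etc/squid/htpasswd` file. The `-crypt` option produces a traditional DES crypt hash, which uses only the first eight characters of the password, and the option was removed in OpenSSL 3.0; `openssl passwd -apr1` produces an MD5-based hash that `basic_ncsa_auth` also accepts.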
```bash
printf "USERNAME:$(openssl passwd -crypt PASSWORD)\n" | sudo tee -a /etc/squid/htpasswd
```
For example, to create a user `cloudzone` with the password `Cl@udZ@ne`, use the following command:
```bash
printf "cloudzone:$(openssl passwd -crypt 'Cl@udZ@ne')\n" | sudo tee -a /etc/squid/htpasswd
```
Next, enable HTTP basic authentication and include the file containing login information in the Squid configuration file. Open the main configuration file:
```bash
sudo nano /etc/squid/squid.conf
```
Add the following lines:
```conf
# ...
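# Helper path on Ubuntu 20.04 (older squid3 packages used /usr/lib/squid3/).
# Confirm the location with: dpkg -L squid | grep basic_ncsa_auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpasswd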
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# ...
#http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
```
Restart Squid:
```bash
sudo systemctl restart squid
```
### Configuring the Firewall
To open the port for Squid, enable the UFW `Squid` profile:
```bash
sudo ufw allow 'Squid'
```
If Squid is running on a different port, such as 8888, use the following command:
```bash
sudo ufw allow 8888/tcp
```