Squid Proxy Server Tutorial
http://cottagedata.com/security/squid/squid.html

Configuring a Squid Proxy Server

What's a Proxy Server?

A proxy server is simply a middle-man between client PCs (users) and the Internet (typically, websites). The purpose of the proxy server is to maintain a cache of commonly accessed Web sites in order to increase access speed and to reduce bandwidth usage. For example, let's say your office has four PCs, all of them sharing the same Internet connection. Every time a user accesses Google, that page needs to be downloaded to the PC (assuming it's not already in the browser cache). If all 4 users try to access Google at the same time, your Internet connection is busy downloading the same page 4 times, one for each user. Clearly, this is not efficient, slows down the connection for everybody, and will cost the company more money if the Internet provider charges by volume.

This is where a proxy comes in handy. It acts as a middle-man between these user PCs and the Internet connection. When a user wants to access a Web page, his/her browser actually contacts the proxy server rather than the website directly. The proxy server, in turn, contacts the website, downloads that page and feeds it back to the user. However, the proxy server also keeps that page in a disk cache for a certain amount of time. When another user tries to access that same site, the proxy server checks its disk cache, realizes it already has that page in storage, and feeds it back to the user immediately without having to transfer it from the Internet. If your company has 100 PCs instead of 4, you can see how a proxy server can make a big difference to your network performance and cost. This is the gist of it.

Configurations can get a lot more complex, such as one proxy server getting pages from other proxy servers, or your proxy keeping track of who accessed what site and when. The proxy server can also be configured to block certain sites or impose various restrictions such as which ports will be allowed. For instance, you can allow Web browsing through the proxy but disallow FTP transfers, or you can allow selected PCs on your network access to certain sites and disallow all others. All this control, of course, can be good or bad, depending on your point of view. However, we're not going to discuss these ethical issues here; my goal here is simply to get you up and running with a no-frills proxy server using the free software package squid.

Step 1: Decide on Your Network Topology

Assuming you've decided to go ahead with this project, you have two options:

1. configure one of your existing user PCs to serve as the proxy; or
2. install a new computer to be used as a dedicated proxy server and placed between your LAN and the Internet connection.

The first option is certainly cheaper, but since your users will still have direct access to the Internet connection, they can get around the proxy if they wish. The second option obviously adds to the cost of the project because of the extra hardware involved, but it forces users to use the proxy to gain access to the Internet since they don't have another way around. Generally, if you are dealing with a few computers at home or a small, collaborative office, the first option might be suitable. On the other hand, if you are dealing with a large company where you need to control bandwidth costs and might want to gather usage statistics, then the second option would be preferable. In this document, we will examine both scenarios.
There really is not much difference between them anyway in terms of implementation.

Step 2: Installing Squid

Once you have decided on your topology, you need to install squid on the computer that you have selected as the proxy server. Simply follow the procedure appropriate to your operating system; I am assuming you are familiar enough with your own system to know what to do. For our examples, I will assume the server is a Linux system. For instance, on Ubuntu, you would install squid with this simple command:

    sudo apt-get install squid

Step 3: Configuring Squid

Once squid has been installed, you need to edit its central configuration file before it can be of any use to you. The central configuration file is named squid.conf and is usually located in /etc/squid. This file is quite large and includes abundant comments about every option. For this article, we will limit the scope of our discussion to the bare necessities to get your users on the Web through the proxy server. Fortunately, there are only 3 lines that need to be modified or added to get minimal functionality out of squid.

On a Unix-type system, you will need to have superuser powers to edit the configuration file. Typically, you would simply login as root to do this work. On some Linux distributions, you may need to use the sudo command to elevate your privileges.

First, you need to identify your network using an Access Control List, or "acl." The line will have the following format:

    acl name_of_your_choice src your_network_address

The name_of_your_choice in this case is any word that you may want to use to refer to your network, such as "mylan" or "family_net". The sample configuration file that comes with squid uses "localnet" for this purpose, but you can create your own. For our examples, we will use "mylan". The keyword "src" stands for source address, meaning the clients (users) that will be allowed to access the Web through the proxy server. For instance, if your local network is 192.168.0.xxx and uses a subnet mask of 255.255.255.0, you would add this line to the configuration file:

    acl mylan src 192.168.0.0/24

Note that the "acl" instruction can take many other forms, as you will see in the profuse comments in squid.conf. For instance, using "dst" instead of "src," you can specify destination addresses instead of source addresses. Since access rules are position-dependent, be sure to insert this line at the correct place in the file. Search for the phrase "INSERT YOUR OWN RULE(S) HERE" in the configuration file to find that place.

Next, we need to tell squid that HTTP traffic is to be allowed for members of acl "mylan," since squid will not allow any HTTP traffic (Web browsing) from any of your users by default. This is done with the http_access directive in the form:

    http_access allow your_acl_name

In our case, we would create this instruction:

    http_access allow mylan

Finally, you need to create an "icp_access" instruction with the same format as the http_access line we just created, as in:

    icp_access allow mylan

ICP stands for "Internet Cache Protocol" and this is what squid uses to find the most appropriate location for the requested object (such as its own cache, a cache on a different proxy server, or retrieving the page from the website itself). The above line tells squid to allow members of mylan to use this protocol to fetch pages. Search the configuration file for lines that begin with "icp_access" and insert your own line in that area. Make sure your new line comes before the line that denies access to all others (icp_access deny all).

Also, some installations will require you to specify the name under which your server will be known, that is, the machine name you gave to this computer. Simply edit (or create) the line beginning with "visible_hostname" and specify your machine name, as in:

    visible_hostname hal9000

That's it! With the above 4 modifications, squid is now configured for basic functionality. Start the squid daemon using the command appropriate for your Linux distribution. For instance, on a Ubuntu server, you would use service squid start; on OpenSUSE, you would use rcsquid start. And since squid will normally be configured to start up automatically at boot-time, you can probably just shut down and reboot your computer if you can't find a more elegant way to start the daemon.

Step 4: Configuring the Client PCs

The server may well be ready for action, but the users' PCs must also be told to use the new proxy server. On a Windows PC, you would do this through the Control Panel by navigating to the Networking panel down to Internet Options and LAN Settings. Unfortunately, since there are so many different versions of Windows, each with slightly different menus under the Control Panel, it's impractical to provide detailed directions here. In most cases, you can access the same panel through the Internet Explorer Web browser by clicking on Tools→Internet Options→Connections→LAN Settings. In that panel, check the box for "Use a proxy server" and enter the IP address of your proxy server as well as the port specified in the squid.conf file. That value will usually be 3128 (unless you changed it), but look for the line that starts with "http_port" in squid.conf to be sure.

With this small change done, your Web browser will now access the Web through the proxy server. Make this same modification on all the PCs that need to use the proxy and you're done! This change affects all other applications on the PC, such as other Web browsers, FTP clients and telnet communication programs, unless they have been specifically configured not to use a proxy. For instance, the Firefox browser features a checkbox in the Advanced→Network configuration screen for "No proxy," so check this out if you're having difficulty using this program through a proxy server.

NOTE: It is possible, under some conditions, to implement a proxy server without having to manually configure each client PC as we have just described here. See the section "Transparent Proxy" in the next section for details.

Controlling Access and Traffic with Squid

Forcing Users Through the Proxy

In the introduction, I mentioned that it may be desirable to force users to use the proxy server in order to realize the performance and cost benefits made possible by this technology, as well as to gather usage statistics or exercise certain controls over Internet access. There are various ways to achieve this, but probably the simplest method is to segregate the client PCs from the Internet by physically placing the proxy server between your LAN and the Internet connection, so that users don't have direct access to the Internet modem or router. In this case, the computer used as the proxy server would have two network interface cards (NICs), one belonging to your LAN and the other one connecting directly to the Internet. By the way, this is the typical configuration for a firewall machine. If your organization is already using a Linux machine as its firewall, then you can simply install squid on that firewall machine since your network topology is already configured as shown in the graph on the right. Since users don't have a physical connection to the Internet modem or router in this scenario, they have no choice but to direct their network queries to the proxy server if they are to access the Internet.

Transparent or Intercepting Proxy

One common complaint about setting up a proxy server is that every user PC must be reconfigured to use that proxy. As we described in the previous section, this is a fairly simple procedure, but it can be an unwelcome chore if your site is using hundreds of PCs, especially if some of them are mobile laptops that need to operate on other networks as well. If you are the IT manager for such a site, you probably wish you could somehow "trick" all PCs into using the proxy server without their knowledge. Fortunately, there is a fairly simple way to accomplish this by reconfiguring your router or firewall so that all HTTP connection requests (port 80) are routed to the proxy server on the appropriate port (3128 by default, unless you changed it). This way, whenever any of your user PCs is trying to access a Web page, their request is re-routed to the proxy without having to change anything on the PC. If this PC happens to be a wireless laptop, it will continue to operate normally when it leaves your premises and hooks up to another network, since you never configured it to use a proxy server so it doesn't need to be reconfigured. Since this strategy involves "intercepting" HTTP requests on the fly, this type of proxy configuration is sometimes called an "intercepting proxy" or a "forced proxy." Also, since the method is transparent to users (i.e. they don't know it's happening), the configuration is often called a "transparent proxy." This is the term we will be using from now on in this document.
Before we go any further, let me clarify that a transparent proxy is a limited solution with a number of technical drawbacks. For one thing, only the ports you specifically redirect will be affected. For instance, if you redirect port 80 (HTTP) to your proxy server, all regular Web traffic will go through the proxy, but all other types of traffic, such as email, ftp and telnet, will continue to go directly to your Internet connection, bypassing the proxy server. In practice, that's probably not an issue since those other protocols would not benefit much from a caching proxy and are not usually the protocols you want to control and monitor anyway. Another issue is that HTTPS (secure HTTP) may not work correctly if you intercept it since, as a secure protocol, it is designed to defeat man-in-the-middle attacks, and an intercepting proxy is precisely that. There have also been other technical problems detected with transparent proxies, especially when dealing with older browsers. Without going into these details, let me simply say that while a transparent proxy is very convenient, you should only consider it if the alternative — configuring your client PCs manually — is truly undesirable.

If you are still interested in setting up a transparent proxy, here is how it's done:

1. Configure your router or firewall to redirect port 80 to the IP address and port of your proxy server.
2. Edit the squid configuration file to inform it that it should run as a transparent proxy.

Let's examine each step in greater detail.

Step 1: Redirecting Traffic to the Proxy Server

For this example, we are going to assume you only wish to redirect Web traffic (port 80) to the proxy server and not bother with the other protocols. The method you will use to do this depends on your network topology.

If your proxy server is a single-NIC machine on the same LAN as your client workstations and under control of the same router (as shown on the left), then you will need to reconfigure this router to perform the port redirection using the method appropriate to that device. In most cases, you can customize the router settings through its Web-based configuration interface by simply pointing your browser to it. Some routers may not have the ability to redirect one port to a different port on another machine, so you may have to upgrade your router if that's your situation. Let's assume our LAN uses the 192.168.1.xxx address block and that we have configured our proxy server with a static address of 192.168.1.200. We would then access the configuration menu of the router and tell it to redirect all traffic for port 80 coming from our LAN to 192.168.1.200, port 3128. Note that if you have changed the default port in your squid.conf file, you should specify your custom port number here instead. By the way, you may want to give your proxy server a static IP address on your system to make it simpler to tell the router where to redirect the Web requests from your LAN. Another method would be to use the unique hardware address of its network card, but that would be less flexible since your router configuration would have to be updated if the hardware were ever upgraded or replaced.

On the other hand, if your topology involves using the Squid server as your firewall (as shown on the right), then you will need to modify your firewall settings in Linux to redirect traffic from your LAN for port 80 to the local machine. On modern Linux distributions (i.e. kernel 2.6), this can be done with these two instructions (entered as root):

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

The first line enables packet forwarding on the system; this is required in order to perform any kind of port redirection. The second instruction (entered as a single command) causes all incoming traffic for port 80 to be redirected to port 3128 on the same system. Note that if your system is already configured as a router or firewall, you probably have a shell script somewhere with lines similar to those above, and you should incorporate these instructions in that script so that they are executed automatically whenever the system is booted. Unfortunately, if you are not familiar with configuring firewalls on Linux, these instructions are probably totally cryptic to you, so you may want to read up on the subject in separate documentation; that topic is outside the scope of this document.

Step 2: Telling the Proxy to go Transparent

This second step is actually trivial to implement on current versions of squid (starting at version 2.6): all you have to do is locate the http_port line in the squid configuration file (squid.conf) and add the keyword "transparent" to it, like this:

    http_port 3128 transparent

On older versions of squid, there are a number of configuration lines to add to the squid.conf file to make it operate as a transparent proxy, but we will not delve into this here since it is generally simpler to just upgrade your squid software to a current version. Then, stop and restart the squid daemon and you're done. On most current Linux distributions, you would do this using the command:

    service squid restart

If things don't work as expected on your first try, just keep fiddling with your settings; it can all be made to work!
Blocking Access to Web Sites

One of the most popular reasons for implementing a squid proxy server is to block access to certain websites on your LAN, such as employees watching YouTube videos or chatting on Facebook instead of working. This may be desirable in order to cut down on unproductive use of corporate resources. It may also be a safeguard against liability issues in cases of illegal activities by employees, such as watching child pornography on the corporate network. Whatever your reasons, if you need to block access to certain sites or domains on your LAN, the procedure is quite simple.

There are different ways to blacklist specific sites or domains by entering instructions in squid.conf, but I find that the simplest and most flexible approach is to create a list of blocked domain names in a separate file and point to it from squid.conf using these two instructions:

    acl your_label url_regex your_filename
    http_access deny your_label

The placeholders your_label and your_filename can be any names you wish to use. For instance, we may want to use the label "banned" to refer to the access control list (acl) that we are creating, and we may want to use the name "blocked_sites" for the file that will contain the banned domain names. This would result in these two instructions:

    acl banned url_regex "/etc/squid/blocked_sites"
    http_access deny banned

The keyword "url_regex" stands for "URL regular expressions," which means the file we specified may include wild-card expressions to describe the names we wish to blacklist.

Then, let's create the file we specified (/etc/squid/blocked_sites in our example) using a standard text editor. Let's assume we want to preclude our users from accessing YouTube and Facebook. To do this, we would add the following lines to that file:

    .youtube.com
    .facebook.com

This would match any domain name containing these strings, such as "www.youtube.com" or "facebook.com/login.php."

IMPORTANT: Be sure to start domain names with a dot if you want to block all sub-domains belonging to that domain. For instance, ".youtube.com" will block "www.youtube.com" while "youtube.com" will only block "youtube.com" and no sub-domains of it.

IMPORTANT: The order in which the instructions are specified in squid.conf matters. For instance, setting a rule to deny a particular access after another rule that allows this access to "all" will have no effect, so be careful to place your instructions logically.

Unfortunately, there is no easy way to block all sites dealing with a particular subject matter, such as pornography or gambling, since they may be listed under domain names that give no indication as to their nature. Fortunately, there are people on the Internet who maintain lists of known "undesirable" sites and you should be able to locate a suitable list with a small amount of research. Again, the procedure is quite simple. For instance, the following lines would block any domain name with the strings "porn", "sex" or "gambl" in them:

    porn
    sex
    gambl

This would successfully block sites like "thegambler.com" and "gambling.com." However, these broad restrictions might also have unintended effects, such as blocking access to legitimate sites such as "sussex.com" which happen to contain one of our forbidden text strings.

Blocking Access to Ports

Another useful feature of squid is the ability to block access to certain ports. For instance, you may want to allow email transfers on your network but not Web surfing. The method to implement this restriction consists of creating an acl (access control list) identifying the port or ports we want to affect, and then creating an http_access deny rule to preclude this access. For instance, to disallow Web traffic (port 80) on our LAN, we would create the following instructions:

    acl some_name port 80
    http_access deny some_name

For instance, if we choose to label our acl "blocked_port," our entries in squid.conf would look like this:

    acl blocked_port port 80
    http_access deny blocked_port

What if we wanted to give Web access to one particular computer on our network while disallowing all others? We would create a second acl corresponding to the IP address of the privileged computer, and then specify that the "deny" rule does not apply to it by preceding that acl label with an exclamation mark, which indicates the negative, thus excluding it from the rule. In the following segment, we are creating an acl named "allowed_pc" corresponding to a given source address (src), and then we negate it in the http_access deny clause:

    acl blocked_port port 80
    acl allowed_pc src 192.168.1.123
    http_access deny blocked_port !allowed_pc

These instructions tell squid: "Deny access to the access list specified by 'blocked_port' but not to the access list specified by 'allowed_pc'."
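To see what a set of acl and http_access lines like the ones in Step 3 and the two blocking sections above actually does before loading it into a live proxy, here is a small rule evaluator added for this tutorial (it is not part of squid). The squid.conf fragment, the blocked_sites contents and the addresses are constructed; it models only the acl types used on this page (src, port and url_regex), and the WRONG_ORDER_CONF variant shows the ordering mistake the IMPORTANT note warns about.

```python
"""Added example, not squid's own code: evaluates a constructed squid.conf
fragment the way squid applies http_access lines (first match wins, several
acls on one line are ANDed, '!' negates a term). Only the acl types used on
this page are modelled: src, port and url_regex with a quoted file name."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed rules assembled from the page's examples; the ftp_port /
# allowed_pc pair uses the "!allowed_pc" idiom from the port-blocking section.
SQUID_CONF = """
acl mylan src 192.168.1.0/24
acl banned url_regex "/etc/squid/blocked_sites"
acl ftp_port port 21
acl allowed_pc src 192.168.1.123
http_access deny banned
http_access deny ftp_port !allowed_pc
http_access allow mylan
http_access deny all
"""

# "allow mylan" moved above the deny lines: the ordering mistake the page warns about.
WRONG_ORDER_CONF = SQUID_CONF.replace("http_access allow mylan\n", "").replace(
    "http_access deny banned", "http_access allow mylan\nhttp_access deny banned")

# Stand-in for the file named by the url_regex acl: one pattern per line,
# using the page's entries (including the over-broad "sex" and "gambl").
FILES = {"/etc/squid/blocked_sites": ".youtube.com\n.facebook.com\nsex\ngambl\n"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_conf(text, files):
    """Return ({acl_name: [(type, [args]), ...]}, [(action, [terms]), ...])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "url_regex" and args and args[0].startswith('"'):
                # A quoted argument names a file holding one pattern per line.
                args = files[args[0].strip('"')].split()
            acls.setdefault(name, []).append((kind, args))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any definition line of acl `name` matches the request."""
    if name == "all":  # built-in acl that matches every request
        return True
    for kind, args in acls[name]:
        if kind == "src":
            src = ipaddress.ip_address(req["src"])
            if any(src in ipaddress.ip_network(a, strict=False) for a in args):
                return True
        elif kind == "port":
            if req["port"] in {int(a) for a in args}:
                return True
        elif kind == "url_regex":
            # Patterns are regular expressions tested against the whole URL,
            # which is why "sex" also catches www.sussex.com.
            if any(re.search(p, req["url"]) for p in args):
                return True
        else:
            raise ValueError(f"acl type {kind!r} is not modelled here")
    return False


def evaluate(conf_text, src, url, files=FILES):
    """Return 'allow' or 'deny' for one request under the given rules."""
    acls, rules = parse_conf(conf_text, files)
    u = urlsplit(url)
    req = {"src": src, "url": url,
           "port": u.port or DEFAULT_PORTS.get(u.scheme, 80)}
    action = "allow"  # with no rules at all, squid denies everything
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    # Nothing matched: squid applies the opposite of the last line's action.
    return "allow" if action == "deny" else "deny"


if __name__ == "__main__":
    print(evaluate(SQUID_CONF, "192.168.1.10", "http://www.youtube.com/watch?v=abc"))
```

Feed it your own squid.conf text and blocked-sites file contents to check a rule set, keeping in mind that real squid has many more acl types than this script understands.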
Redirecting Users When Access is Denied

When Squid denies access to a particular website or port, it displays a fairly terse and technical error message instead of the page the user was probably expecting. At first glance, most users will probably think there is something wrong on the network or with their browser, so you may wish to display a more helpful page to indicate that access was actually denied based on corporate policy. Fortunately, this is fairly easy to do, especially if you are reasonably familiar with creating simple HTML pages.

The standard error messages displayed by squid are stored in small HTML pages located in a directory named "errors" and a subdirectory named after the language used, as in errors/English, somewhere in the squid installation directories. Common locations are /etc/squid/errors and /usr/share/squid/errors. This exact location may vary from one platform and software release to another, so you may have to search for it. Fortunately, the names of all these error files begin with "ERR_" (as in ERR_ACCESS_DENIED), so you can use a search tool to find these files on your system.

Once you have located the right directory on your system, you can simply create your own custom-made error page, possibly called "ERR_CUSTOM" for instance, which might feature a simpler message such as "Sorry, access to this site is not allowed on the company network. If you have any questions about this policy, talk to the hand."

Then, to tell squid to use your new-and-improved error page instead of the stock version, edit squid.conf to introduce the instruction "deny_info" using this syntax:

    deny_info your_error_page the_affected_acl

This instruction tells squid to display the page you specify as your_error_page when access was denied as the result of the ACL specified as the second parameter. For instance, if we want to display a custom HTML page called "ERR_BAD_SITE" when users are denied access through the "banned" ACL that we created in our earlier example, we would insert the following line (the third line below) after that ACL definition:

    acl banned url_regex "/etc/squid/blocked_sites"
    http_access deny banned
    deny_info ERR_BAD_SITE banned
Monitoring Access with sarg

While it's nice to be able to control access to network resources with such great precision, it's fairly pointless to have this control if you don't know exactly what should be restricted. For instance, which sites or domains are being accessed by your users? Who accesses them most frequently? At what time of the day are these being accessed? And so on.

Fortunately, squid maintains a thorough access log, aptly named access.log, typically in /var/log/squid. The good news is, this log has all the information you might need to keep an eye on what's happening on your network. The bad news is, this log gets really big really fast and it's pretty cryptic to look at. Lucky for us, there is a utility named sarg, the Squid Analysis Report Generator, that can be used to parse this log, gather useful statistics from it, and generate a friendly and convenient Web-browsable report that you can examine with any Web browser.

In its simplest form, you invoke sarg with the name of the log file you wish to examine, like this:

    sarg /var/log/squid/access.log

In mere seconds, sarg will have created an HTML report that you can then examine with your Web browser. By default, the report is created in /var/lib/sarg under a subdirectory named after the date range covered by the log file you specified as an argument. For instance, if the log file covered the period March 17 to April 5, 2011, the HTML report will be found in a directory named /var/lib/sarg/2011Mar17-2011Apr05. To read it, point your browser to the file index.html in that directory. On that page, you will get a summary of usage as well as clickable links to list the top sites, sites and users, downloads and denied accesses.

The sarg utility features a number of command-line options to modify its default behavior, and can also be configured through its configuration file, /etc/sarg/sarg.conf. This file specifies the default location of the squid log, the output directory for the HTML report, and numerous display options for the final report, including custom titles and font styles. We are not going to examine all these options here, but you are encouraged to check out the documentation and examine the contents of sarg.conf to help you customize your reports as desired.

Of course, if entering commands from the shell prompt isn't your thing and you just want to be able to check out the usage log every morning to see who's doing what, you can simply create a crontab* entry to run the report once a day automatically. This way, all you need to do is point your browser to the latest HTML report, such as this daily report, when you get to work in the morning.

*Note: crontab is a standard service on Unix-type operating systems to schedule periodic tasks. A description of how to use this service is unfortunately outside the scope of this tutorial.
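If you want a quick look at what access.log contains without waiting for a sarg run, here is a short parser added for this tutorial (it is not sarg's or squid's code) that answers the questions above straight from the log: requests per site and per hour, bytes per client, cache hits, and the requests squid denied. The log lines embedded below are constructed, in squid's native access.log format; pass a real file path as the argument to run it against your own log.

```python
"""Added example, not part of squid or sarg: a minimal reader for squid's
native access.log. Each line has the fields
  time elapsed client code/status bytes method URL ident hierarchy/peer type
and this script turns a log into the per-site, per-client and per-hour
counts that a sarg report presents, plus the list of denied requests."""
import sys
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines (clients, sites and peer addresses are made up).
SAMPLE_LOG = """\
1381136400.120    245 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1381136405.330      3 192.168.1.11 TCP_HIT/200 4523 GET http://www.example.com/index.html - NONE/- text/html
1381136470.001    980 192.168.1.10 TCP_MISS/200 182344 GET http://www.example.com/big.zip - DIRECT/203.0.113.10 application/zip
1381140010.500      0 192.168.1.12 TCP_DENIED/403 3541 GET http://www.youtube.com/watch?v=abc - NONE/- text/html
1381140050.700    410 192.168.1.12 TCP_MISS/200 10240 GET http://news.example.org/ - DIRECT/203.0.113.5 text/html
1381143700.250      2 192.168.1.11 TCP_MEM_HIT/200 10240 GET http://news.example.org/ - NONE/- text/html
1381143710.900      0 192.168.1.10 TCP_DENIED/403 3541 GET http://www.sussex.com/ - NONE/- text/html
1381147200.000   1200 192.168.1.11 TCP_TUNNEL/200 55000 CONNECT mail.example.net:443 - DIRECT/203.0.113.9 -
"""


def parse_line(line):
    """Split one native-format line into a dict; returns None for junk."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    url = f[6]
    # CONNECT requests (HTTPS tunnels) log host:port rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        "client": f[2],
        "code": code,
        "status": int(status) if status.isdigit() else 0,
        "bytes": int(f[4]),
        "method": f[5],
        "url": url,
        "host": host or "",
    }


def summarize(log_text):
    """Aggregate a log into site, client, hour and denied-request views."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    sites, hours = Counter(), Counter()
    bytes_per_client = defaultdict(int)
    denied, hits = [], 0
    for e in entries:
        sites[e["host"]] += 1
        hours[e["time"].hour] += 1          # hour of day, UTC
        bytes_per_client[e["client"]] += e["bytes"]
        if e["code"] == "TCP_DENIED":       # blocked by an http_access rule
            denied.append((e["client"], e["url"]))
        elif "HIT" in e["code"]:            # served from squid's cache
            hits += 1
    return {
        "requests": len(entries),
        "cache_hits": hits,
        "top_sites": sites.most_common(),
        "bytes_per_client": dict(bytes_per_client),
        "requests_per_hour": dict(sorted(hours.items())),
        "denied": denied,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print(f"{s['requests']} requests, {s['cache_hits']} served from cache")
    for host, n in s["top_sites"][:5]:
        print(f"{n:5d}  {host}")
    for hour, n in s["requests_per_hour"].items():
        print(f"{hour:02d}:00  {n} requests")
    for client, url in s["denied"]:
        print(f"denied: {client} -> {url}")
```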
Conclusion

We have only scratched the surface of squid's impressive set of features in this document. The rich array of configuration options offered by squid should allow you to implement just about any set of controls and restrictions you wish to have on your network. Fortunately, there is a lot of information available on squid, starting with the generous comments in squid.conf and the documentation that comes with the package (look in /usr/share/doc/squid); the Internet is also full of helpful blogs and documentation.