Introduction to Squid: Step-by-Step Setup

Squid logo and Tux

Squid is another application-level filter that can complement iptables. Squid is a caching web proxy server; it is very popular, free, and cross-platform. Although it can be used to improve the performance of Internet connections, it can also be used for security purposes. Since the project began in the 90s, Squid has advanced a great deal, and now we present it to you so that you know how to use it.

For installation, you can go to the official project website and select the binary packages for your operating system or distribution. If you prefer to compile it from the source package, that option is also available: the tarballs are offered as tar.gz, tar.bz2 and tar.xz. If you do not know how to install, you can read the article on this blog about how to install any package on Linux. Careful! If you are on Debian or a derivative and install it with sudo "apt-get install squid", you may get an error, because you have to replace "squid" with "squid3" for it to work ...

Now we go straight to action with some examples of how to use Squid to protect our equipment. First I would like to explain that Squid is based on ACLs (Access Control Lists), that is, lists that detail the permissions used to control, in this case, the network flow, and that implement filters similar to those of iptables but at the application level.

Normally, after installation, a configuration file is provided that can be found at /etc/squid3/squid.conf, and it is this file that we must edit with an editor like nano or gedit. In it we can write our filtering rules; although there are options such as cache_dir, cache_mem and http_port, we will use the latter for our security rules. Another detail is that this file specifies the port used by the Squid service, which by default is 3128 (see the line or directive "http_port 3128" and remove the # to activate it). If you want, you can change it to another port such as 8080 ... Another thing that is necessary is to configure the hostname: look for the comment "TAG: visible_hostname" and you will see a line "visible_hostname" where you must put your hostname.

To know your hostname, you can type in the terminal:

hostname

Add the name that appears to that line, which must not be preceded by # so that it is not ignored as a comment. That is, it would look like this:

visible_hostname the_hostname_that_appeared

If you look at the configuration file, you will see that it is heavily commented. If you want to disable a rule you have created, you can start the line with # and it becomes a comment, which Squid ignores; to put it back into service, you delete the # and that's it. In fact, there are many ready-made, commented-out rules that you can use by removing the #, so you don't have to delete and rewrite rules. Well, to add a specific rule or filter, it must have an ACL and a directive that indicates what to do with it.

By the way, when you remove a # to activate a rule, make sure you do not leave spaces at the beginning of the line. For example:

Wrong way:

 http_port 3128

Correct way:

http_port 3128

Not clear yet? Well, don't worry, with an example you will see everything much better. Imagine this:

acl blocking url_regex facebook
http_access deny blocking

What this rule means is that the acl named "blocking" matches any URL that contains "facebook", and the http_access line denies it (therefore if we try to enter Facebook the browser will show an error). If instead of "deny" you use "allow", you would allow access instead of forbidding it. You can also use ! to negate an acl; for example, suppose you want to allow access for lista1 but not lista2:

http_access allow lista1 !lista2

Another example would be to create a file /etc/squid3/ipspermitidas and save in it a list of the IPs that we want to allow access. For example, suppose the content of ipspermitidas is:

192.168.30.1
190.169.3.250
192.168.1.26

And then we create the acl with those IPs, together with the http_access line that actually allows them:

acl nuevaregla src "/etc/squid3/ipspermitidas"
http_access allow nuevaregla

A fairly practical example: imagine that your computer is used by children under 18 and you want to restrict access to certain adult content sites. The first thing is to create a file called /etc/squid3/lista with the content:

adult
porn
Fri
Poringa

And now in the squid.conf file we put the following rule:

acl denegados url_regex "/etc/squid3/lista"

http_access allow !denegados

As you see, we have used allow, which in principle means to permit, but notice that we have added ! to negate the acl; therefore, it is equivalent to putting:

acl denegados url_regex "/etc/squid3/lista"

http_access deny denegados

Lists do not have to contain only URL keywords or IPs as we have done so far; they can also hold domains, so that you can, for example, restrict access to domains such as .xxx, .gov, etc. Let's look at an example based on the previous rule. We create a file /etc/squid3/dominios that has:

.edu
.es
.org

And now our rule, which denies access to the list of prohibited sites we created but allows access to URLs in these domains (note that the http_access line must use the acl name, permitidos, not the file name):

acl denegados url_regex "/etc/squid3/lista"
acl permitidos dstdomain "/etc/squid3/dominios"

http_access allow !denegados permitidos
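To see how Squid actually evaluates the acl and http_access lines above (the IP list, the url_regex list and the dstdomain list, the ! negation, and what happens when no line matches), here is an added example that is not part of the original article nor Squid's own code: a small Python simulation of the three acl types used in the text and of the first-match logic of http_access. The list files are replaced by constructed inline lists, and acl/rule names are the ones used in the article.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the list files the article keeps in /etc/squid3/
ACLS = {
    "denegados": ("url_regex", ["adult", "porn"]),
    "permitidos": ("dstdomain", [".edu", ".es", ".org"]),
    "nuevaregla": ("src", ["192.168.30.1", "190.169.3.250", "192.168.1.26"]),
}
# Equivalent of:  http_access allow nuevaregla !denegados permitidos
#                 http_access deny all
HTTP_ACCESS = [("allow", ["nuevaregla", "!denegados", "permitidos"]),
               ("deny", ["all"])]

def acl_matches(name, client_ip, url):
    # One acl against one request; the built-in "all" always matches.
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "url_regex":
        # Searched in the whole URL, query string included, so "porn"
        # also matches http://www.rtve.es/?q=porn (case-sensitive without -i).
        return any(re.search(v, url) for v in values)
    if kind == "dstdomain":
        host = (urlsplit(url).hostname or "").lower()
        for v in values:
            if v.startswith("."):        # ".es" = es and every subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:              # no leading dot = that exact host only
                return True
        return False
    raise ValueError("unsupported acl type: " + kind)

def http_access(client_ip, url, rules=HTTP_ACCESS):
    # Lines are checked in order; a line matches only if every acl on it
    # matches (AND), and the first matching line decides.
    for action, terms in rules:
        for term in terms:
            hit = acl_matches(term.lstrip("!"), client_ip, url)
            if term.startswith("!"):
                hit = not hit            # "!" negates just that one acl
            if not hit:
                break
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action,
    # which is why ending with "http_access deny all" is the safe habit.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

The last two lines are the part worth remembering: a rule set such as the article's single "http_access allow !denegados" line, with no "deny all" after it, denies whatever does not match it, while a rule set whose last line is a deny silently allows everything else.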

ADDENDUM:

Sorry, when I read the comments I realized that I had left out the main thing. I only gave examples of how it is used and forgot to say how to start the Squid server:

sudo service squid3 start

Previously it was started with "/etc/init.d/squid start", but now you must use the line I have given you above. Likewise, the configuration file is no longer at /etc/squid/squid.conf but at /etc/squid3/squid.conf. Once the filtering policies are created and the service is started, we must also configure the browser. For example, if you use Mozilla Firefox or a derivative, go to the configuration menu (you know, the three bars), then Preferences, Advanced, and in the Network tab click Settings in the Connection section. There, select Manual proxy configuration and enter our IP and the port Squid is using, in this case 3128. Also select "Use the same proxy for everything" and save the changes on the way out.

Please do not forget to leave your comments, doubts or whatever you want ... Although this tutorial only skims the surface of Squid, I hope it helps you.



  1.   Nicolas said

    thank you!, helpful.

  2.   Jimmy olano said

    AGAIN very well condensed for a somewhat complex subject, I keep saying "user level: medium", you should know some notions about "networks".

    I HUMBLY consider that the option of configuring our browser to use the "proxy" should be added, but as this entry is an "INTRODUCTION to Squid" we will be very attentive to the next delivery (finally, and at the risk of being annoying, REMEMBER not to "proxy" the web pages of banks and/or financial institutions that you use in your home or company).

    1.    Isaac PE said

      Hi, thanks for the comments. Yes, IPTABLES and Squid are too thick to make an article that explains them in depth and you have to limit yourself to everyday examples ...

      But you are absolutely right, I have added it now to configure the proxy, I had planned it and I forgot. My fault.

      Greetings and thank you!!

      1.    Jimmy olano said

        Uffff "trunk" sorry for not realizing the main thing:
        START THE SERVICE :-( without that «there is no way around it» -forgive me for the colloquial speech- VERY SUCCESSFUL ADDENDUM! 8-)

        {making it fixed at each boot happens by modifying the «/ sbin / init»:
        http: // www. ubuntu-es.org/node/ 13012 # .Vsr_SUJVIWw}

        {another easier way is using "update-rc.d":
        https: // parbaedlo. wordpress.com/201 3/03/07 / setting-start-and-stop-of-services-linux-update-rc-d /}

        I have added spaces to the links, remove them and you will navigate ;-)

        THANK YOU VERY MUCH FOR YOUR ATTENTION.

  3.   ALBERT said

    LINUX NEWS: Attack on Linux Mint: infect installers and compromise user credentials

    http://www.muylinux.com/2016/02/21/ataque-a-linux-mint

    1.    azpe said

      I already published it, but don't spam other pages here please

  4.   ALBERT said

    ANDROID NEWS: GM Bot, the Android Trojan from which Mazar is derived

    http://www.redeszone.net/2016/02/21/gm-bot-el-troyano-para-android-del-que-deriva-mazar/

  5.   Hernan said

    Hello Jimmy, How do you do so that squid does not search those pages for you? It would be nice if you comment on the transparent option, which avoids the tedium of configuring proxy to each computer

    1.    Jimmy olano said

      Good question, I have installed a CAPTCHA in free software on my clients' web pages:
      (http: // www. ks7000. net. ve / 2015/04/03 / un-captcha-easy-and-simple-to-implement /
      -Humly, it is NOT "spam" or self-promotion, it is appropriate-)
      and I imagine that when using Squid these images are NOT reloaded because I put the same name on them -ea, I can also generate random names, I had not thought about that, until now- and by having the same name, Squid returns what it has in the "cache."

      Obviously the main function of the «proxy» is to save bandwidth with the images -the heaviest of a web page- [i] in the assumption that these images are static, they do not change over time, which is true in 99 % of cases [/ i].

      But in CAPTCHA, since "there is no running", we must eliminate its previous storage and always return a new image.

      AS FOR THE BANKS, I understand the largest in Spain is «Caixa», so we will create an EXAMPLE rule:

      acl caixa dstdomain .lacaixa.es

      where:
      acl -> command to create rule (reread Mr. Isaac's article, paragraphs above).

      caixa -> rule name.

      dstdomain -> "type" option to indicate that we refer to a domain, IMPORTANT the dot at the beginning ( http://ww w.visolve. com / squid / squid24s1 / access_controls.php)

      domain (s) -> I imagine that we can add the domains we need, separated by a space; speaking of spaces I have inserted them in the indicated web links, remove them and you will navigate (pages in English).

      I hope the knowledge presented here is useful to you! Thanks to LinuxAdictos!

    2.    Jimmy olano said

      WELL, to answer the question of TRANSPARENCY in Squid AGAIN I insist that you must have intermediate level knowledge and for didactic reasons I am going to summarize as much as possible the following article (in English) that I consider speaks very well of the subject:

      http: // ww w.deckle.co. uk / squid-users-guide /transparent-caching-proxy.html

      Notes:
      -I have added spaces to the links to avoid pingback from me (I have absolutely nothing to do with the team). Linux Adictos, therefore I am not authorized to carry out said action).
      - THIS ABOUT TRANSPARENCY I DIDN'T KNOW! (they didn't teach me, I say).
      -Helping you guys I help myself too, this is cool in quantity! ?

      Well, with that said, let's get down to business:

      I JUST suggested to Mr. Isaac to expand on configuring our browsers with the proxy installed and he very kindly did (wow, where does this man find time to do so many things?).

      Under this scheme, the use of Squid IS OPTIONAL: each user of our local area network will be in charge of doing their job, but you can bet «silver hard against paper pesetas» that there is some «bash script» that can be installed. via SSH to various computers running GNU / Linux.

      PREREQUISITE: that our Squid server is working as Mr. Isaac teaches in this post, if we have already tested it and put a "workload" on it and it performs well, we can proceed to go further.

      UNDER THE TRANSPARENCY SCHEME:

      FIRST.- Our Squid must be the default route "gateway" in our "eth0" or "wlan0" -do you remember the medium level knowledge? -, well we establish it there (it is done by default with DHCP THEREFORE we must also configure a server of such a service:
      http: // en.wikipe dia.org/wiki/ Dynamic_Host_Configuration_Protocol).

      We must plan to configure, in case of failure, redirecting all traffic to our modem(s) directly if Squid -the computer where it runs- is overloaded with its workload, and to use the modem(s) in "bridge" mode so that the traffic goes outside; this is achieved by making a "script" that is triggered on said event and configures our DHCP server -which should be installed on a different computer than our Squid-.

      NOTE: our computer with Squid will always depend on its IP address from DHCP BUT at the same time it will have some "control" with said DHCP server. If you want to work with fixed IP addresses, of power, you can, but when you add more computers OR REPLACE some you will have to configure again and it is not the idea (read with delight:
      ht tps: // pheno barbital. wordpress.com/2012/07/23/the-12-reasons-for-who-a-administrator-of-systems-lazy-is-a-good-administrator/)
      ANOTHER NOTE (see second point): our modem (s) and / or router devices must deactivate the DHCP function and that they are governed by our DCHP server (-which I assure you that another entry comes out of this to show us how mount said service-)

      SECOND.- We must filter the traffic towards our Squid server, this if we have several dispersed routers that cover a wireless network area "wifi", it is still a local area network but of medium size. Essentially it is the same as the first point BUT if we have different devices OR EVEN subnets, we must configure them as well, so be careful with those of us who work "crushing the irons" in large companies.

      THIRD.- In our GNU / Linux that hosts Squid we must redirect the ports and configure the «firewall» (read the previous article IPTables
      http://www.linuxadictos.com/introduccion-a-iptables-configura-un-firewall-en-linux.html )

      iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128

      and to the IPFW:

      /sbin/ipfw add 3 fwd 127.0.0.1,3128 tcp from any to any 80

      Needless to say, we CANNOT run an Apache or Ngix server on that port 80 -default port of web pages- COMMON SENSE INDICATES not to put more load on our computer with Squid -dependent on disk space for «cache» - .

      FOURTH.- We must configure our Squid server and tell it that it is working in that mode by modifying "/etc/squid/squid.conf" with nano or the editor that you like the most:

      http_port 3128 transparent

      We must also enable packet forwarding in "/etc/sysctl.conf":

      net.ipv4.ip_forward = 1
      net.ipv6.conf.all.forwarding = 1

      This last line if we have IPv6, it is good to configure it once in the future.

      Finally restart the Squid service as recommended by Mr. Isaac above and also restart the network service:

      /etc/init.d/procps.sh restart

      SOME FAITH OF ERRATA (or some nonsense on my part) let me know by this same route, your criticisms and comments are welcome;
      MR. ISAAC IS THE MODERATOR who will have the last word in this "fight."

  6.   Jimmy olano said

    In this short video we can see how to configure Mozilla to use a proxy server, with the exception that it uses a virtual machine with ReactOS, but it is short and I think it ILLUSTRAtes what you want to configure here (link disabled with spaces, remove them and browse):

    ht tps: / / www. Youtube. com / watch? v = st47K5t7s-Q

  7.   Teacher said

    I have just started to follow your radio station, I have been 2 days .. and very good content ..
    Greetings from Mexico .. (I am a teacher and my grain of sand is to use opensource)

  8.   Aries said

    I would like you to help me I want to give the privilege to a user to see Facebook and that the others are with the restrictions already configured and how to enable Internet users at certain times I would like you to advise me, thank you

  9.   Belkis said

    Ari, what they explained to me about it is that the machine you want is not restricted, it has to be left out, but until then I have the explanation, I am also inexperienced on the subject

  10.   Victor said

    Good night, excuse me, maybe my question is a bit basic but hey, I have installed squid and configured on a centos 5.4, installed wine and ultrasurf, what I intend to do is share the internet from ultrasurf with squid, I do the same on a windows machine XP with FreeProxy and ultrasurf and I can share it without problem but I don't know how to do it in linux

  11.   daniel andrada said

    I consult you, I have a configuration like yours, in my case I redirect port 80 to 8080 where the squid runs. The problem is that some users leave that configuration on their computers, and access through port 80, although not all services. This with iptables. Do you have any idea where the problem would be?

  12.   Wen said

    Very useful and well explained. Thanks!

    I have a question, when I want to create an acl, where do I do it, that is, in what line of the configuration file? And should I immediately put 2 lines below the http_access command as you show in your post? Or where?

    Thanks again!! Greetings!