Skip to content

Instantly share code, notes, and snippets.

@faisalfs10x

faisalfs10x/squid_proxy_tutorial.md

Forked from jackblk/squid_proxy_tutorial.md
Last active October 21, 2021 14:44
Show Gist options
  • Save faisalfs10x/f19be15c50bad5a77af252123137922d to your computer and use it in GitHub Desktop.
Save faisalfs10x/f19be15c50bad5a77af252123137922d to your computer and use it in GitHub Desktop.
Download ZIP
Tutorial on how to setup a squid proxy with authentication.
Raw
squid_proxy_tutorial.md

Note

This tutorial is for Ubuntu & Squid3. Use AWS, Google cloud, Digital Ocean or any services with Ubuntu to follow this tutorial.

Install squid & update

sudo apt-get update -y
sudo apt-get install squid3 -y
sudo apt-get install apache2-utils -y

Setup the password store

Choose a username/password. Example:

username: abc
password: 123

Type in console:

sudo touch /etc/squid/passwords
sudo chmod 777 /etc/squid/passwords
sudo htpasswd -c /etc/squid/passwords [USERNAME]

Replace [USERNAME] with your username, in this example: abc.

You will be prompted for entering the password. Enter and confirm it. This example password: 123.

[Optional] Test the password store

/usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords

After executing this line the console will look like its hung, there is a prompt without any text in it. Enter USERNAME PASSWORD (replacing these with your specific username and password) and hit return. You should receive the response "OK".

If not, review the error message, your username/password might be incorrect. Its also possible basic_ncsa_auth is located on a different path (e.g. lib64).

Config squid proxy

Backup default config file:

sudo mv /etc/squid/squid.conf /etc/squid/squid.conf.original

Make a new configuration files

sudo nano /etc/squid/squid.conf

Enter this in the config file

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
dns_v4_first on
forwarded_for delete
via off
http_port 8888
visible_hostname foxy

#------------------------------------------------------------------------------------------------------------------

# ACL list allow myisp range
acl myisp src 90.89.0.0/17 
http_access allow myisp # only allow myisp range to use proxy

# operating between 9:00AM and 5:00PM, Monday through Friday, and which uses the 10.1.42.0/24 subnetwork
acl biz_network src 10.1.42.0/24
acl biz_hours time M T W T F 9:00-17:00
http_access allow biz_network biz_hours

#------------------------------------------------------------------------------------------------------------------

# Block domains #
http_access deny facebook.com

# Block domains
acl socialsite dstdomain .twitter.com
acl socialsite dstdomain .facebook.com
http_access deny socialsite

# Block URLs using keywords
# Say if any url contains keyword such as "foo" or "browse.php?u=" block it using the url_regex acl
# nano /etc/squid/blocked-urls-keyword.conf
#  foo
#  browse.php?u=

acl urlkeywordsblocks url_regex -i "/etc/squid/blocked-urls-keyword.conf"
http_access deny urlkeywordsblocks

# Block file extensions
# Append the following in /etc/squid/blocked-file-externsions.conf
# .exec, .mp4, .mp3, .zip, .pdf

acl blockedextension urlpath_regex -i "/etc/squid/blocked-file-extension.conf"    
http_access deny blockedextension

#------------------------------------------------------------------------------------------------------------------

# Say if you have multiple IP addresses assigned to your server we can change proxy server outgoing IP address as follows:
# You can forward clients request based on IPs for certain users:
# define acl
acl admin 192.168.1.100
acl private 192.168.1.101
acl public 192.168.1.102
 
# set up outgoing rule
tcp_outgoing_address 202.234.45.87 admin
tcp_outgoing_address 202.234.45.89 private
tcp_outgoing_address 202.234.45.81 public

## full filtering enabled using iptables on 10.0.0.0/24 and routed via squid##
acl throttle_service_net src 10.0.0.0/24
 
## admins are skip from this limits ##
acl admins_service_net src 192.168.1.0/24
 
## Set rules ##
tcp_outgoing_address 10.1.0.2 throttle_service_net
tcp_outgoing_address 192.168.1.254 admins_service_net

#------------------------------------------------------------------------------------------------------------------

# Specify a list of DNS name servers to use
dns_nameservers 8.8.8.8 1.1.1.1

#------------------------------------------------------------------------------------------------------------------
  • auth_param basic credentialsttl 24 hours: after 24 hours, user/pass will be asked again.
  • auth_param basic casesensitive off: case sensitive for user is off.
  • dns_v4_first on: use only IPv4 to speed up the proxy.
  • forwarded_for delete: remove the forwarded_for http header which would expose your source to the destination
  • via off: remove more headers to avoid exposing the source.
  • http_port 8888: port 8888 is used for proxy. You can choose any port.

Save the file in vi with [esc]:wq

Start the squid service

Start squid: sudo service squid start

To check service status: service squid status

Restart the squid service and try proxy

Restart squid service sudo service squid restart or sudo systemctl restart squid.service.

Use your proxy with your ip:port. Example: 111.111.222.333:8888 and login with your user/pass.

Caution

You might need to create inbound firewall rule first before using the proxy.

For Google cloud: Firewall. Create an Ingress rule, Target Apply to all, IP range of 0.0.0.0/0, allow TCP:8888, UDP:8888 for all traffic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment