Web proxies have been around for quite some time now and have been used by millions of users around the globe. They have a wide range of purposes, most popular being online anonymity, but there are other ways you can take advantage of web proxies. Here are some ideas:
- Online anonymity
- Improve online security
- Improve loading times
- Block malicious traffic
- Log your online activity
- To circumvent regional restrictions
- In some cases can reduce bandwidth usage
How Proxy Server Works
The proxy server is a computer that is used as an intermediary between the client and other servers from which the client may request resources. A simple example of this is when a client makes online requests (for example want to open a web page), he connects first to the proxy server.
The proxy server then checks its local disk cache and if the data can be found in there, it will return the data to the client, if not cached, it will make the request in the client’s behalf using the proxy IP address (different from the clients) and then return the data to the client. The proxy server will try to cache the new data and will use it for future requests made to the same server.
What is Squid Proxy
Squid is a web proxy that used my wide range of organizations. It is often used as a caching proxy and improving response times and reducing bandwidth usage.
For the purpose of this article, I will be installing Squid on a Linode CentOS 7 VPS and use it as an HTTP proxy server.
How to Install Squid on CentOS 7/8
Before we start, you should know that Squid, does not have any minimum requirements, but the amount of RAM usage may vary depending on the clients browsing the internet through the proxy server.
Squid is included in the base repository and thus the installation is simple and straightforward. Before installing it, however, make sure your packages are up to date by running.
# yum -y update
Proceed by installing squid, start and enable it on system startup using following commands.
# yum -y install squid # systemctl start squid # systemctl enable squid
At this point, your Squid web proxy should already be running and you can verify the status of the service with.
# systemctl status squid
Sample Output
● squid.service - Squid caching proxy Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2018-09-20 10:07:23 UTC; 5min ago Main PID: 2005 (squid) CGroup: /system.slice/squid.service ├─2005 /usr/sbin/squid -f /etc/squid/squid.conf ├─2007 (squid-1) -f /etc/squid/squid.conf └─2008 (logfile-daemon) /var/log/squid/access.log Sep 20 10:07:23 tecmint systemd[1]: Starting Squid caching proxy... Sep 20 10:07:23 tecmint squid[2005]: Squid Parent: will start 1 kids Sep 20 10:07:23 tecmint squid[2005]: Squid Parent: (squid-1) process 2007 started Sep 20 10:07:23 tecmint systemd[1]: Started Squid caching proxy.
Here are some important file locations you should be aware of:
- Squid configuration file: /etc/squid/squid.conf
- Squid Access log: /var/log/squid/access.log
- Squid Cache log: /var/log/squid/cache.log
A minimum squid.conf
configuration file (without comments in it) looks like this:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access deny all http_port 3128 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
Configuring Squid as an HTTP Proxy
Here, we will show you how to configure squid as an HTTP proxy using only the client IP address for authentication.
Add Squid ACLs
If you wish to allow the IP address to access the web through your new proxy server, you will need to add a new ACL (access control list) line in the configuration file.
# vim /etc/squid/squid.conf
The line you should add is:
acl localnet src XX.XX.XX.XX
Where XX.XX.XX.XX is the actual client IP address you wish to add. The line should be added at the beginning of the file where the ACLs are defined. It is a good practice to add a comment next to ACL which will describe who uses this IP address.
It is important to note that if Squid is located outside your local network, you should add the public IP address of the client.
You will need to restart Squid so the new changes can take effect.
# systemctl restart squid
Open Squid Proxy Ports
As you may have seen in the configuration file, only certain ports are allowed for connecting. You can add more by editing the configuration file.
acl Safe_ports port XXX
Where XXX is the actual port you wish to load. Again it is a good idea to leave a comment next to that will describe what the port is going to be used for.
For the changes to take effect, you will need to restart squid once more.
# systemctl restart squid
Squid Proxy Client Authentication
You will most probably want your users to authenticate before using the proxy. For that purpose, you can enable basic HTTP authentication. It is easy and fast to configure.
First, you will need httpd-tools installed.
# yum -y install httpd-tools
Now let’s create a file that will later store the username for the authentication. Squid runs with user “squid” so the file should be owned by that user.
# touch /etc/squid/passwd # chown squid: /etc/squid/passwd
Now we will create a new user called “proxyclient” and setup its password.
# htpasswd /etc/squid/passwd proxyclient New password: Re-type new password: Adding password for user proxyclient
Now to configure the authentication open the configuration file.
# vim /etc/squid/squid.conf
After the ports ACLs add the following lines:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm Squid Basic Authentication auth_param basic credentialsttl 2 hours acl auth_users proxy_auth REQUIRED http_access allow auth_users
Save the file and restart squid so that the new changes can take effect:
# systemctl restart squid
Block Websites on Squid Proxy
Finally, we will create one last ACL that will help us block unwanted websites. First, create the file that will store the blacklisted sites.
# touch /etc/squid/blacklisted_sites.acl
You can add some domains you wish to block. For example:
.badsite1.com .badsite2.com
The proceeding dot tells squid to block all references to that sites including www.badsite1, subsite.badsite1.com, etc.
Now open Squid’s configuration file.
# vim /etc/squid/squid.conf
Just after the ports ACLs add the following two lines:
acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl" http_access deny bad_urls
Now save the file and restart squid:
# systemctl restart squid
Once everything configured correctly, now you can configure your local client browser or operating system’s network settings to use your squid HTTP proxy.
Conclusion
In this tutorial, you learned how to install, secure and configure a Squid HTTP Proxy server on your own. With the information you just got, you can now add some basic filtering for incoming and outgoing traffic through Squid.
If you wish to go the extra mile, you can even configure squid to block some websites during working hours to prevent distractions. If you have any questions or comments, please post them in the comment section below.
Hi, I would like to make my ubuntu as the squid proxy server while the client is centOS 7. How to connect them as a server-client relationship. I checked the local internet ip address for both serves is the same. Thank you
How to configure squid-4.4-5.module_el8 in CentOS 8 to handle/forward https traffic? Please update this article for https proxying or just forwarding without proxying through squid? This configuration works great but it is not allowing https websites to open, can you please guide us how to configure squid for https – peek-and-splice?
Thank you!
@Rahul,
Setting Up Squid with HTTPS Proxy on CentOS 8 is a bit longer and complex installation, give us some time to test it and document it on Tecmint.
Hi,
I have configured squid proxy server in centos 7. I have given squid proxy server IP in the client machine. I have a requirement like when client access HTTP websites squid proxy should redirect from HTTP to https. What changes I need to do in the squid config file to work this.
What is the difference between using a blacklist with Squid Proxy vs SquidGuard?
I would like to know more about how to handle https traffic (443 port). Today most of the internet traffic is https, being that redirecting the traffic 443 to squid will not allow many sites to work, but also do not want to leave free traffic on https, as it would lose in security. Any solution?
Hi Sir,
I’m a beginner about proxy server and programming. So i need your some help. I want to create my own proxies list, but i don’t know how. Because on google proxies are expensive and free proxies are died. So i want to create own proxies, so sir please please Help me! Please reply!
I’ve facing a problem from two days ago connecting to telegram via my squid proxy.
There is more explanation in the link below:
https://github.com/telegramdesktop/tdesktop/issues/5437
Hello Sir, your tutorial is very good i have question sir kindly help i want to configure squid with https so kindly help me thanks.
Why is my new installed squid proxy is so slow browsing the internet and I have no idea why? Computer specs (Intel i5 Processor, 8GB Memory, 500GB HDD)
If you put the IP address of the Centos machine in a browser it will show the index.html file, which is fine. I want to change it so that if I type intranet in the browser it shows the index.html file.
Any idea how? Thanks!
You can edit the hosts file of the client and add:
That worked, thanks!
@Admin
But for this configuration use a certificate that you must issue on the server, this does not go against the citations issued by each website?
@Cesar,
I really never tried with HTTPS blocking on squid, so I have no idea about it. But I think there must be a way to block HTTPS website, let me look into this..
@Ravi,
I can’t reply anymore so I’m opening another answer, I had already done that, could you please check my configuration: https://pastebin.com/JUpF73Mb
@Amin,
The squid configuration seems perfect, but it’s all Google’s new features which is blocking Youtube vidoes from caching.
@Admin
It does not block squid https since it does not block anything that passes through port 443, iptables must be used. I tried Facebook with YouTube and it does not filter
@Cesarm
Yes, you correct, you need to enable ICAP inspection of SSL traffic in squid to block HTTP traffic, read more about here : http://wiki.squid-cache.org/Features/SslBump
What if I want to block particular website for particular time duration ?
@Prakash,
Yes, you can block any website for specific time using ACL, for example here I am restricting access to facebook for specific hours of the day with squid i.e. in morning 08:00-09:00.
Excellent post, but how can you block access to https sites with squid.
@Cesar,
Just place the domain names in the /etc/squid/blacklisted_sites.acl file that you want to block whether it HTTP or HTTPS, everything is blocked..
I’ve setup my squid a while ago on ubuntu 16.04 and recently on centos 7 just like this article says.
I have problems with few websites like telegram.org & youtube.com, they’re just these two, although I can curl both websites but I cannot view them via squid.
What am I missing?
@Amin,
I know about this issue since very long time, squid proxy doesn’t play Youtube videos, due to its several ‘features’ that prevent their flash videos being effectively distributed by caches.
You should check this article for solution – http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube
@Ravi,
It didn’t work out for me, also at the top of page is written:
{X} {X} {X} Google\YouTube changed their system to be more secure and due to this the article in it’s current state is not applicable. You will need to use Content Adaptation to achive YT caching and it’s not a beginne’s task.
@Amin,
Try this trick, hope it work..
Open your squid configuration file and search for dns_v4_first off and change it to dns_v4_first on.
Restart squid and it should work now.