
Setup a Squid proxy server on Debian

by Pierre-Yves Landuré last modified Nov 11, 2017 09:42

A Squid proxy server can solve many problems: reduce bandwidth usage, filter visited Internet pages (anti-virus, parental control, ...), bypass an IP-based access control, ... This howto describes some Squid configurations for safer browsing.

This howto is tested on:

  • Debian 5.0 Lenny
  • Debian 6.0 Squeeze

Installation

Install the server software:

command apt-get install squid3

By default, Squid listens for connections on port 3128.

Set up the proxy server host name. This name is displayed in error messages:

command sed -i -e "/TAG: visible_hostname/,/^#[ ]*visible_hostname/{/#[ ]*visible_hostname/a\\
visible_hostname ${HOSTNAME}
;}" "/etc/squid3/squid.conf"

Allow proxy server usage by local network

By default, only the local host can use the proxy server. Provide the local network IP range:

LAN_RANGE="192.168.1.0/24"

Provide an alias for the local network IP range (it must be a "word" without spaces):

LAN_ALIAS="my-local-network"

Allow connections from the local network:

command sed -i -e "0,/INSERT YOUR OWN RULE(S) HERE/{//a\\
\\
# Allowing Local network allowed-lan-${LAN_ALIAS}.\\
acl allowed-lan-${LAN_ALIAS} src ${LAN_RANGE}\\
http_access allow allowed-lan-${LAN_ALIAS}
;}" '/etc/squid3/squid.conf'

To allow everybody to use Squid (unsafe, as it turns Squid into an open proxy):

command sed -i -e 's/^http_access deny all/http_access allow all/' \
'/etc/squid3/squid.conf'

Reload the configuration:

/etc/init.d/squid3 reload

Specific configurations

Disable the proxy server cache completely

Disable the cache of visited pages completely:

command sed -i -e '/TAG: cache$/,/^[\t ]*$/{/^[\t ]*$/i\
\
# Disabling cache for all sites\
cache deny all
;}' '/etc/squid3/squid.conf'

Reload the configuration:

/etc/init.d/squid3 reload

Disable the cache partially

To disable the cache for a given site, provide the domain name to exclude:

NOCACHE_DOMAIN="www.my-cms.org"

Compute the rule Id number:

NOCACHE_ID=$(command grep -e "acl.*nocache-" '/etc/squid3/squid.conf' \
| command wc --lines)

Setup Squid not to cache the pages for this domain:

command sed -i -e "/TAG: cache\$/,/^[\\t ]*\$/{/^[\\t ]*\$/i\\
\\
# Disable caching for domain ${NOCACHE_DOMAIN}\\
acl nocache-${NOCACHE_ID} dstdomain ${NOCACHE_DOMAIN}\\
cache deny nocache-${NOCACHE_ID}
;}" '/etc/squid3/squid.conf'

Reload the configuration:

/etc/init.d/squid3 reload
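An added helper, not from the original howto, that performs the same insertion as the three commands above but numbers rules by the highest existing id plus one (the line count used above can reuse a number once a rule is deleted by hand) and skips a domain that already has a rule. It assumes the squid.conf layout used here, a "# TAG: cache" header followed by a blank line, and is example code only:

```shell
#!/bin/sh
# Added example, not part of the original howto: add a "cache deny" rule for a
# domain, idempotently.  Ids start at 0 like the howto's grep | wc count.
# Usage: squid_add_nocache_domain /etc/squid3/squid.conf www.example.org
#   prints the id used (or the existing one); returns 1 if there is no
#   "# TAG: cache" block to anchor the insertion on.

squid_add_nocache_domain() {
    conf=$1; domain=$2
    # a rule for this domain already exists: report its id, change nothing
    existing=$(awk -v d="$domain" '
        $1 == "acl" && $2 ~ /^nocache-[0-9]+$/ && $3 == "dstdomain" && $4 == d {
            sub(/^nocache-/, "", $2); print $2; exit
        }' "$conf")
    if [ -n "$existing" ]; then echo "$existing"; return 0; fi
    grep -q '^#[[:space:]]*TAG: cache$' "$conf" || return 1
    # next free id: highest existing nocache-N plus one (0 when none exist)
    id=$(awk 'BEGIN { m = -1 }
        $1 == "acl" && $2 ~ /^nocache-[0-9]+$/ {
            sub(/^nocache-/, "", $2); if ($2 + 0 > m) m = $2 + 0
        }
        END { print m + 1 }' "$conf")
    # insert before the first blank line after the "TAG: cache" header,
    # which is where the howto's sed range ends
    awk -v d="$domain" -v i="$id" '
        /^#[ \t]*TAG: cache$/ { in_block = 1 }
        in_block && /^[ \t]*$/ {
            print ""
            print "# Disable caching for domain " d
            print "acl nocache-" i " dstdomain " d
            print "cache deny nocache-" i
            in_block = 0
        }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "$id"
}
```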

Setup the parental control with SquidGuard

SquidGuard is simpler than DansGuardian and has a lighter footprint: where DansGuardian inspects the content of visited pages, SquidGuard only checks the URL against a blacklist.

Install SquidGuard:

command apt-get install squidguard

Setup Squid to filter URLs with SquidGuard:

command sed -i -e '/TAG: url_rewrite_program/,/^#[ ]*none/{/#[ ]*none/a\
url_rewrite_program /usr/bin/squidGuard
;}' '/etc/squid3/squid.conf'

Update the SquidGuard log path to match the Squid 3 configuration:

command sed -i -e 's|^logdir .*$|logdir /var/log/squid3|' \
'/etc/squid/squidGuard.conf'

Choose the site displayed instead of blacklisted sites. For example, Wikipedia:

SQUIDGUARD_DESTINATION="http://www.wikipedia.org/"

Setup SquidGuard to redirect blacklisted sites to the safe URL:

command sed -i -e 's/^[# ]*\(dest adult.*\)$/\1/' \
-e '/^dest adult/,/}/{ s/^#// ;}' \
-e "/^dest adult/,/}/{ s|^\(.*redirect[\t ]*\).*\$|\1${SQUIDGUARD_DESTINATION}| ;}" \
'/etc/squid/squidGuard.conf'

Enable the configuration for all users:

command sed -i -e '/^[\t ]*default/,/}/{ s/^\(.*pass[\t ]*\).*$/\1!adult/ ;}' \
'/etc/squid/squidGuard.conf'

Add the cron script that updates the SquidGuard blacklist daily:

command echo '#!/bin/bash

# Download the adult site blacklist update; stop here if the download fails
/usr/bin/wget -q ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/adult.tar.gz \
--output-document=/tmp/adult.tar.gz || exit 1

/bin/tar --directory /var/lib/squidguard/db -xzf /tmp/adult.tar.gz

# SquidGuard must be able to update db files.
/bin/chown -R proxy:proxy /var/lib/squidguard/db

# Rebuild the SquidGuard database from the downloaded data:
if [ -x /usr/bin/squidGuard ]; then
/bin/su proxy -c "/usr/bin/squidGuard -C all > /dev/null 2>&1"
fi' \
> '/etc/cron.daily/update-squidguard-blacklist'
command chmod +x '/etc/cron.daily/update-squidguard-blacklist'

Initialize the blacklist:

/etc/cron.daily/update-squidguard-blacklist

Restart Squid:

/etc/init.d/squid3 restart
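The cron script above fetches the archive over plain FTP and unpacks it as root into /var/lib/squidguard/db. An added check, not part of the original script, that inspects the archive's member list before extraction and rejects absolute paths, ".." components and anything outside the expected top-level directory (the name "adult" is an assumption based on the archive used above):

```shell
#!/bin/sh
# Added example, not part of the original howto: validate the member list of
# the blacklist archive before "tar -x" runs as root.  Feed it the output of
# "tar -tzf", e.g. in the cron script:
#   tar -tzf /tmp/adult.tar.gz | blacklist_members_ok adult || exit 1
# Returns 0 when every member is safe, 1 otherwise (reasons go to stderr).

blacklist_members_ok() {
    expected=$1        # top-level directory the archive must stay inside
    status=0
    while IFS= read -r member; do
        case "$member" in
            /*)
                echo "reject: absolute path: $member" >&2; status=1 ;;
            ..|../*|*/..|*/../*)
                echo "reject: parent directory reference: $member" >&2; status=1 ;;
            "$expected"|"$expected"/*)
                ;;     # inside the expected tree: fine
            *)
                echo "reject: outside $expected/: $member" >&2; status=1 ;;
        esac
    done
    return $status
}
```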

Allow SSL access on a non-standard port for a given server

Squid must be explicitly configured to allow HTTPS (CONNECT) connections to ports other than 443.

Provide the domain name of the server using a non-standard HTTPS port:

WEIRD_HTTPS_SERVER="www.some-server.org"

Provide the non-standard HTTPS port:

WEIRD_HTTPS_PORT="8080"

Compute the rule Id:

WEIRD_HTTPS_ID=$(command grep -e "weird-ssl.*domain dst" '/etc/squid3/squid.conf' \
| command wc --lines)

Allow the CONNECT method for the server:

command sed -i -e "0,/Deny CONNECT to other than SSL ports/{//i\\
\\
# Allowing non-standard SSL port declaration : ${WEIRD_HTTPS_SERVER} : ${WEIRD_HTTPS_PORT}.\\
acl weird-ssl-${WEIRD_HTTPS_ID}-domain dst ${WEIRD_HTTPS_SERVER}\\
acl weird-ssl-${WEIRD_HTTPS_ID}-port port ${WEIRD_HTTPS_PORT}\\
http_access allow CONNECT weird-ssl-${WEIRD_HTTPS_ID}-domain weird-ssl-${WEIRD_HTTPS_ID}-port\\

;}" '/etc/squid3/squid.conf'

Reload Squid configuration:

/etc/init.d/squid3 reload
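Both the local-network rule inserted earlier and the CONNECT rule above only work because of where they land relative to Squid's existing deny lines: Squid evaluates http_access rules top to bottom and the first match wins. The following audit script is added here and is not part of the original howto; it takes the path of any squid.conf and reports rules that open the proxy to everyone or that can never match:

```shell
#!/bin/sh
# Added example, not part of the original howto: audit the http_access order
# of a squid.conf.  Squid evaluates http_access lines top to bottom and the
# first match wins: "allow all" reached before the final "deny all" opens the
# proxy to everyone, and an "allow CONNECT ..." rule placed after
# "deny CONNECT !SSL_ports" or after "deny all" can never fire.
# Usage: squid_access_audit /etc/squid3/squid.conf   (exit 0 clean, 1 findings)

squid_access_audit() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 != "http_access" { next }                 # only access rules matter
        { n++; rule[n] = $0 }                        # keep rule text by position
        $2 == "allow" && $3 == "all" && !allow_all { allow_all = n }
        $2 == "deny"  && $3 == "all" && !deny_all  { deny_all = n }
        $2 == "deny"  && $3 == "CONNECT" && $4 == "!SSL_ports" && !deny_connect { deny_connect = n }
        $2 == "allow" && $3 == "CONNECT" { allow_connect[++c] = n }
        END {
            bad = 0
            if (allow_all && (!deny_all || allow_all < deny_all)) {
                print "OPEN PROXY: \"" rule[allow_all] "\" matches every client"; bad = 1
            }
            if (!deny_all) {
                print "MISSING: no final \"http_access deny all\""; bad = 1
            }
            for (i = 1; i <= c; i++) {
                if (deny_connect && allow_connect[i] > deny_connect) {
                    print "DEAD RULE: \"" rule[allow_connect[i]] "\" is after deny CONNECT !SSL_ports"; bad = 1
                }
            }
            for (i = deny_all + 1; deny_all && i <= n; i++) {
                print "DEAD RULE: \"" rule[i] "\" is after deny all"; bad = 1
            }
            exit bad
        }' "$1"
}
```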
