Set up a Squid proxy server on Debian
Using a Squid proxy server can solve many problems: reducing bandwidth usage, filtering visited web pages (anti-virus, parental control, ...), working around IP-based access control, ... This howto describes some Squid configurations for better-protected browsing.
This howto has been tested on:
- Debian 5.0 Lenny
- Debian 6.0 Squeeze
Installation
Install the server software:
command apt-get install squid3
By default, Squid listens for connections on port 3128.
Set up the proxy server host name. This name is displayed in error messages:
command sed -i -e "/TAG: visible_hostname/,/^#[ ]*visible_hostname/{/#[ ]*visible_hostname/a\\
visible_hostname ${HOSTNAME}
;}" "/etc/squid3/squid.conf"
Allow proxy server usage by the local network
By default, only the local host can use the proxy server. Provide the local network IP range:
LAN_RANGE="192.168.1.0/24"
Provide an alias for the local network IP range (it must be a "word" without spaces):
LAN_ALIAS="my-local-network"
Allow connections from the local network:
command sed -i -e "0,/INSERT YOUR OWN RULE(S) HERE/{//a\\
\\
# Allowing Local network allowed-lan-${LAN_ALIAS}.\\
acl allowed-lan-${LAN_ALIAS} src ${LAN_RANGE}\\
http_access allow allowed-lan-${LAN_ALIAS}
;}" '/etc/squid3/squid.conf'
To allow everybody to use Squid (unsafe):
command sed -i -e 's/^http_access deny all/http_access allow all/' \
'/etc/squid3/squid.conf'
Reload the configuration:
/etc/init.d/squid3 reload
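The "allow all" shortcut above turns the machine into an open proxy, and a subtler version of the same mistake is a rule list that does not end with "deny all" (Squid's default for a request matching no rule is the opposite of the last rule). The following audit script is an added example, not part of the original howto; it only assumes squid.conf syntax (one directive per line, "#" comments) and uses constructed sample files:

```shell
#!/bin/sh
# Added example, not from the howto: audit the http_access rules of a Squid
# configuration for an "open proxy" setup. The only assumption is that the
# file follows squid.conf syntax (one directive per line, '#' comments).

# Print the effective http_access rules, comments stripped and whitespace
# normalised, in the order Squid evaluates them (first match wins).
http_access_rules() {
    awk '{ sub(/#.*/, "") }
         $1 == "http_access" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# True (exit 0) when the configuration would let arbitrary clients relay
# through the proxy. Two conditions are checked:
#   1. an explicit "allow all" rule, the "unsafe" shortcut from the howto;
#   2. a rule list whose last entry is not "deny all": Squid's default for a
#      request matching no rule is the opposite of the last rule, so ending
#      on "deny <something>" silently allows everything else.
is_open_proxy() {
    rules=$(http_access_rules "$1")
    [ -n "$rules" ] || return 1   # no http_access at all: Squid denies by default
    if printf '%s\n' "$rules" | grep -qx 'allow all'; then
        return 0
    fi
    case "$(printf '%s\n' "$rules" | tail -n 1)" in
        'deny all') return 1 ;;
        *)          return 0 ;;
    esac
}

# One-word verdict, convenient for scripts and cron checks.
audit_squid_conf() {
    if is_open_proxy "$1"; then echo open-proxy; else echo ok; fi
}

# Constructed sample configurations exercising the three cases.
sample_dir=$(mktemp -d)
cat > "$sample_dir/lan-only.conf" <<'EOF'
# LAN clients only, closed by a final deny
acl allowed-lan-my-local-network src 192.168.1.0/24
http_access allow allowed-lan-my-local-network   # INSERT YOUR OWN RULE(S) HERE
http_access deny all
EOF
cat > "$sample_dir/allow-all.conf" <<'EOF'
acl allowed-lan-my-local-network src 192.168.1.0/24
http_access allow allowed-lan-my-local-network
http_access allow all
EOF
cat > "$sample_dir/no-final-deny.conf" <<'EOF'
acl bad_hosts src 203.0.113.0/24
http_access deny bad_hosts
EOF

for f in lan-only allow-all no-final-deny; do
    printf '%-14s %s\n' "$f" "$(audit_squid_conf "$sample_dir/$f.conf")"
done
```

Run it against the real file with `audit_squid_conf /etc/squid3/squid.conf` after each reload; the LAN rule inserted at "INSERT YOUR OWN RULE(S) HERE" lands before the closing "deny all", so a correctly applied howto reports "ok".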
Specific configurations
Disable the proxy server cache completely
Disable caching of visited pages entirely:
command sed -i -e '/TAG: cache$/,/^[\t ]*$/{/^[\t ]*$/i\
\
# Disabling cache for all sites\
cache deny all
;}' '/etc/squid3/squid.conf'
Reload the configuration:
/etc/init.d/squid3 reload
Disable the cache partially
In order to disable the cache for a given site, provide the domain name to ignore:
NOCACHE_DOMAIN="www.my-cms.org"
Compute the rule ID number:
NOCACHE_ID=$(command grep -e "acl.*nocache-" '/etc/squid3/squid.conf' \
| command wc --lines)
Configure Squid not to cache pages from this domain:
command sed -i -e "/TAG: cache\$/,/^[\\t ]*\$/{/^[\\t ]*\$/i\\
\\
# Disable caching for domain ${NOCACHE_DOMAIN}\\
acl nocache-${NOCACHE_ID} dstdomain ${NOCACHE_DOMAIN}\\
cache deny nocache-${NOCACHE_ID}
;}" '/etc/squid3/squid.conf'
Reload the configuration:
/etc/init.d/squid3 reload
Set up parental control with SquidGuard
SquidGuard is less complex than DansGuardian and has a lighter footprint: where DansGuardian inspects the content of visited pages, SquidGuard only checks the URL against a blacklist.
Install SquidGuard:
command apt-get install squidguard
Configure Squid to pass URLs through SquidGuard:
command sed -i -e '/TAG: url_rewrite_program/,/^#[ ]*none/{/#[ ]*none/a\
url_rewrite_program /usr/bin/squidGuard
;}' '/etc/squid3/squid.conf'
Update the SquidGuard log path to match the Squid 3 layout:
command sed -i -e 's|^logdir .*$|logdir /var/log/squid3|' \
'/etc/squid/squidGuard.conf'
Choose the site displayed in place of blacklisted sites. For example, Wikipedia:
SQUIDGUARD_DESTINATION="http://www.wikipedia.org/"
Configure SquidGuard to redirect blacklisted sites to that URL:
command sed -i -e 's/^[# ]*\(dest adult.*\)$/\1/' \
-e '/^dest adult/,/}/{ s/^#// ;}' \
-e "/^dest adult/,/}/{ s|^\(.*redirect[\t ]*\).*\$|\1${SQUIDGUARD_DESTINATION}| ;}" \
'/etc/squid/squidGuard.conf'
Enable the filter for all users (the default ACL):
command sed -i -e '/^[\t ]*default/,/}/{ s/^\(.*pass[\t ]*\).*$/\1!adult/ ;}' \
'/etc/squid/squidGuard.conf'
Add a cron script that updates the SquidGuard blacklist daily:
command echo '#!/bin/bash
# Downloading the adult site blacklist update
/usr/bin/wget -q ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/adult.tar.gz \
--output-document=/tmp/adult.tar.gz
/bin/tar --directory /var/lib/squidguard/db -xzf /tmp/adult.tar.gz
# SquidGuard must be able to update db files.
/bin/chown -R proxy:proxy /var/lib/squidguard/db
# Update the SquidGuard database with the downloaded data:
if [ -x /usr/bin/squidGuard ]; then
/bin/su proxy -c "/usr/bin/squidGuard -C all > /dev/null 2>&1"
fi' \
> '/etc/cron.daily/update-squidguard-blacklist'
command chmod +x '/etc/cron.daily/update-squidguard-blacklist'
Initialize the blacklist:
/etc/cron.daily/update-squidguard-blacklist
Restart Squid:
/etc/init.d/squid3 restart
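The cron script above fetches the blacklist over plain FTP and extracts it as root straight into /var/lib/squidguard/db, so the archive is trusted completely: a member name starting with "/" or containing ".." could land outside the database directory, and a member outside the "adult/" tree could overwrite another list. The check below is an added example, not part of the howto or of SquidGuard; it inspects the `tar -t` listing before extracting and rejects the whole archive on the first bad member. File names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the howto: guard the blacklist update against a
# malicious or corrupted archive by validating member names before extraction.
# The expected tree prefix ("adult") and all paths below are assumptions.

# tar_members_under PREFIX: read a `tar -t` listing on stdin and fail on the
# first member that would escape the destination or lies outside PREFIX/.
tar_members_under() {
    prefix=$1
    while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*) return 1 ;;   # absolute path or ".." component
            "$prefix"|"$prefix"/*)  ;;            # inside the expected tree
            *)                      return 1 ;;   # anything else is suspicious
        esac
    done
    return 0
}

# safe_extract ARCHIVE DEST PREFIX: extract only if the listing is clean.
# Only member names are inspected; link targets would need `tar -tvf`.
safe_extract() {
    archive=$1; dest=$2; prefix=$3
    tar -tzf "$archive" | tar_members_under "$prefix" || return 1
    tar --directory "$dest" -xzf "$archive"
}

# Constructed sample archive laid out like the squidguard_contrib tarball:
# a single "adult/domains" list.
sample=$(mktemp -d)
mkdir -p "$sample/src/adult" "$sample/db"
printf 'example.invalid\n' > "$sample/src/adult/domains"
tar -C "$sample/src" -czf "$sample/adult.tar.gz" adult

if safe_extract "$sample/adult.tar.gz" "$sample/db" adult; then
    echo "extracted: $(ls "$sample/db/adult")"
fi
# A listing with a traversal member is rejected without touching the disk.
printf 'adult/domains\n../evil\n' | tar_members_under adult \
    && echo "unexpected: traversal accepted" || echo "rejected traversal listing"
```

In the cron script, replace the bare `tar --directory ... -xzf` line with `safe_extract /tmp/adult.tar.gz /var/lib/squidguard/db adult || exit 1`, so a rejected download leaves the previous database in place and the non-zero exit shows up in the cron mail. Recent GNU tar already strips leading "/" and "../" from member names, but it then extracts the rest of the archive; rejecting the whole download is the safer outcome for an unauthenticated source.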
Allow SSL access on a non-standard port for a given server
Squid must be explicitly configured to allow HTTPS connections to ports other than 443.
Provide the domain name of the server using a non-standard HTTPS port:
WEIRD_HTTPS_SERVER="www.some-server.org"
Provide the non-standard HTTPS port:
WEIRD_HTTPS_PORT="8080"
Compute the rule ID:
WEIRD_HTTPS_ID=$(command grep -e "weird-ssl.*domain dst" '/etc/squid3/squid.conf' \
| command wc --lines)
Allow the CONNECT method for the server:
command sed -i -e "0,/Deny CONNECT to other than SSL ports/{//i\\
\\
# Allowing non-standard SSL port declaration : ${WEIRD_HTTPS_SERVER} : ${WEIRD_HTTPS_PORT}.\\
acl weird-ssl-${WEIRD_HTTPS_ID}-domain dst ${WEIRD_HTTPS_SERVER}\\
acl weird-ssl-${WEIRD_HTTPS_ID}-port port ${WEIRD_HTTPS_PORT}\\
http_access allow CONNECT weird-ssl-${WEIRD_HTTPS_ID}-domain weird-ssl-${WEIRD_HTTPS_ID}-port\\
;}" '/etc/squid3/squid.conf'
Reload Squid configuration:
/etc/init.d/squid3 reload
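Both the "nocache" rules and the "weird-ssl" rules number their ACLs by counting existing matches with `grep | wc --lines`. That works until a rule is deleted: with nocache-0 and nocache-2 left in the file the count is 2, and the next rule is named nocache-2 again, which Squid treats as an extension of the existing ACL. The helper below is an added example, not part of the howto; it takes max(existing)+1 instead, validates the port before it is interpolated into an "acl ... port" line, and serves both the cache section and this SSL section. The domains and squid.conf excerpt are constructed.

```shell
#!/bin/sh
# Added example, not from the howto: compute the next free numeric ID for a
# family of Squid ACL names (nocache-N, weird-ssl-N-domain/-port) from the
# highest existing number, so deleting a rule never causes a name collision.
# File names and domains below are constructed for the demonstration.

# next_acl_id PREFIX FILE -> smallest unused N for lines "acl PREFIXN ..."
next_acl_id() {
    prefix=$1; conf=$2
    max=$(grep -oE "^acl[[:space:]]+${prefix}[0-9]+" "$conf" 2>/dev/null \
          | grep -oE '[0-9]+$' | sort -n | tail -n 1)
    echo $(( ${max:--1} + 1 ))
}

# Accept only a TCP port number in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the cache-bypass stanza for DOMAIN, numbered from FILE.
nocache_stanza() {
    domain=$1; id=$(next_acl_id nocache- "$2")
    printf '# Disable caching for domain %s\n' "$domain"
    printf 'acl nocache-%s dstdomain %s\n' "$id" "$domain"
    printf 'cache deny nocache-%s\n' "$id"
}

# Emit the CONNECT exception for SERVER on PORT, numbered from FILE;
# fails instead of writing a rule with a bogus port.
weird_ssl_stanza() {
    server=$1; port=$2
    valid_port "$port" || return 1
    id=$(next_acl_id weird-ssl- "$3")
    printf '# Allowing non-standard SSL port declaration: %s : %s.\n' "$server" "$port"
    printf 'acl weird-ssl-%s-domain dst %s\n' "$id" "$server"
    printf 'acl weird-ssl-%s-port port %s\n' "$id" "$port"
    printf 'http_access allow CONNECT weird-ssl-%s-domain weird-ssl-%s-port\n' "$id" "$id"
}

# Constructed squid.conf excerpt: nocache-1 was removed, leaving a gap, so
# the howto's line count (2) would reuse the name nocache-2.
conf=$(mktemp)
cat > "$conf" <<'EOF'
acl nocache-0 dstdomain www.my-cms.org
cache deny nocache-0
acl nocache-2 dstdomain intranet.example
cache deny nocache-2
acl weird-ssl-0-domain dst www.some-server.org
acl weird-ssl-0-port port 8080
http_access allow CONNECT weird-ssl-0-domain weird-ssl-0-port
EOF

nocache_stanza shop.example "$conf"          # numbered nocache-3
weird_ssl_stanza mail.example 8443 "$conf"   # numbered weird-ssl-1
weird_ssl_stanza mail.example 99999 "$conf" || echo "rejected port 99999"
```

The emitted stanzas are exactly the lines the two sed commands insert, so they can be appended with the same `sed ... i\` or `a\` addressing as in the howto, or reviewed in a pull request before they reach /etc/squid3/squid.conf.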
References
These books can help you:
- Squid Proxy Server 3.1: Beginner's Guide
- Squid: The Definitive Guide
- Web Caching (O'Reilly Internet Series)
Thanks
- Thanks to Squid developers.
- Thanks to Steve Kemp for the article Transparent proxies via Squid on Debian Administration.
- Thanks to the writers of Squid Web Cache FAQ.
- Thanks to Disaster on #ubuntu-fr for his help on some regular expressions.