How to Install and Configure Squid Proxy on Ubuntu

How to Install and Configure Squid Proxy on Ubuntu

Though Squid Proxy isn’t particularly difficult to install and get up and running, I hit a few snags during my configuration that I felt would prove useful for someone attempting to do the same thing.

First, let’s get Squid installed:

apt-get install squid

Once Squid is installed, let’s make a copy of the squid.conf file before we get started, so we can revert if needed.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

Next, open the squid.conf file in your favorite text editor. For me, on Linux, that’s vi. Next, un-comment the following line in the configuration file. For me, this was on line 3473, but yours may be different.

cache_dir ufs /var/spool/squid 100 16 256

Once you’ve made the change, let’s save the file, and then restart the Squid service:

sudo service squid restart

Next, we need to initialize Squid, but running the following:

squid -f /etc/squid/squid.conf

Essentially, this goes out and create and configures all the directories that Squid will need in order to run properly. It will set the appropriate permissions, etc. During this step, I found myself waiting a long time for the command to finish. I had to press Enter after a second for the command to complete, and return me to a prompt. You should see something like this:

reconfiguration output

Now, if you run sudo systemctl status squid, you should hopefully see a green message saying “active (running)”. If everything looks good, continue with the next steps.

active running squid

Configure ACLs

Now, let’s get to the part you really care about, which is configuring which sites are allowed and not allowed.

Edit the /etc/squid/squid.conf file again, and navigate to somewhere around line 975.

In this example, I’ll be adding an “allow” for weather.gov, allowing my end-users to check the weather, but deny all other websites.

#Weather
acl weather dstdomain .weather.gov
http_access allow weather

The blue default vi color scheme makes the below difficult to read, but you get the idea.

squid acl add

These two lines of code don’t block all other traffic. Down around line ~1215, you’ll find a few pieces of code that have a “deny all” listed. Essentially anything other than what’s explicitly enabled in your ACLs above will be denied.

squid acl deny all

Other things you can do

The syntax for adding new ACLs looks like:

acl aclname acltype argument

You can pick and choose how you want to allow or deny traffic based on the following rules. You can approve or deny an entire domain (as demonstrated above), limit certain domains to specific IP ranges, etc.

acl   aclname   src         ip-address/netmask                # clients IP address
acl   aclname   src         addr1-addr2/netmask            # range of addresses
acl   aclname   dst         ip-address/netmask             # URL host's IP address
acl   aclname   myip        ip-address/netmask                # local socket IP address
acl   aclname   srcdomain   .foo.com                          # reverse lookup, from client IP
acl   aclname   dstdomain   .foo.com                       # Destination server from URL
acl   aclname   dstdomain   "/etc/squid/allow/safe-sites"  # file must exist
acl   aclname   srcdom_regex [-i] .foo.com ...           # regex matching client name
acl   aclname   dstdom_regex [-i] .foo.com ...           # regex matching server

http_access allow aclname  # allow access 
http_access deny aclname   # deny access

Reconfigure Squid and Test

Once you make a change to the ACLs, you’ll need to reconfigure Squid to notify it of the new changes and to load the new rules into memory:

squid -k reconfigure

Set your browser to use a proxy, setting the IP address to that of the server on which you installed Squid. Be sure to use port 3128 unless you’ve changed the default.

browser proxy

Try to browse to a few different URLs to test.

One more thing

I’ve noticed that over time, the list of “approved” sites becomes very long and somewhat difficult to manage. I recommend configuring a separate file, for your approved sites, and then simply referencing that file from within the squid.conf. You can do that like so:

acl approved dstdomain "/etc/squid/approved"
http_access allow approved

Then, you’ll edit the approved file, and not the squid.conf file for future entries. Then, you can simply add new domains, creating a new line for each entry:

...
.cnn.com
.microsoft.com
.espn.com
...

And of course, be sure to reconfigure after making any changes to those lists/config files: squid -k reconfigure

Leave a Reply

Your email address will not be published. Required fields are marked *