Configuring Squid Proxy Server: A Comprehensive Tutorial

Introduction

Squid is a widely used open-source proxy server that provides web content caching, improves web performance, and helps with web access control. This tutorial will guide you through configuring a Squid proxy server. We will cover installation, basic configuration, access control, authentication, SSL bumping, and troubleshooting.

Prerequisites

Before starting, ensure you have the following:

  • A server running a Linux-based operating system (e.g., Ubuntu, CentOS).
  • Root or sudo access to the server.
  • Basic understanding of Linux command-line operations.

1. Installing Squid

On Ubuntu/Debian

sudo apt update
sudo apt install squid

On CentOS/RHEL

sudo yum install squid

2. Basic Configuration

The main configuration file for Squid is squid.conf, typically located in /etc/squid/ or /etc/squid3/.

Basic Settings

Open the configuration file for editing:

sudo nano /etc/squid/squid.conf

Setting Up Access Control

Configure the allowed IP ranges. Add the following lines to specify who can use the proxy:

acl localnet src 192.168.1.0/24
http_access allow localnet

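Squid evaluates http_access rules from top to bottom and applies the first one that matches, so place these lines above the final http_access deny all rule. With that closing deny in place, this configuration allows only the specified IP range (192.168.1.0/24) to access the proxy.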

Setting Up a Proxy Port

The default port for Squid is 3128. To change the port, locate the http_port directive and modify it:

http_port 3128

Configuring DNS

Ensure Squid can resolve DNS queries. Add the following line if not present:

dns_nameservers 8.8.8.8 8.8.4.4

3. Access Control Lists (ACLs)

Squid uses ACLs to control access. Common ACL configurations include restricting access based on time, IP address, and domain.

Blocking Specific Sites

To block specific sites like example.com, add the following:

acl blocked_sites dstdomain .example.com
http_access deny blocked_sites

Allowing Specific Sites

To allow only specific sites like buyproxies.org, add:

acl allowed_sites dstdomain .buyproxies.org
http_access allow allowed_sites
http_access deny all

4. Configuring Authentication

Squid supports several authentication methods, such as basic HTTP authentication.

Basic HTTP Authentication

First, install the apache2-utils package to use htpasswd (on CentOS/RHEL, the equivalent package is httpd-tools):

sudo apt install apache2-utils

Create a password file and add a user:

sudo htpasswd -c /etc/squid/passwd username

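Configure Squid to use the password file. The helper path below is the Ubuntu/Debian location; on CentOS/RHEL it is /usr/lib64/squid/basic_ncsa_auth: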

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny all

5. SSL Bumping

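SSL bumping allows Squid to intercept and decrypt HTTPS traffic, which can be useful for filtering and logging it. Because Squid presents its own certificate in place of the site's, clients must trust the certificate generated below or they will see certificate errors.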

Generate SSL Certificates

Install OpenSSL if not already installed:

sudo apt install openssl

Create a directory for SSL certificates:

sudo mkdir /etc/squid/ssl_cert
cd /etc/squid/ssl_cert

Generate a self-signed certificate:

sudo openssl genrsa -out squid.key 2048
sudo openssl req -new -key squid.key -out squid.csr
sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
sudo sh -c 'cat squid.key squid.crt > squid.pem'

Configure Squid for SSL Bumping

Edit squid.conf to enable SSL bumping:

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.key
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

6. Performance Tuning

To optimize Squid’s performance, adjust the cache settings:

cache_mem 256 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/spool/squid 10000 16 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

7. Logging and Monitoring

Squid logs can be found in /var/log/squid/. To monitor Squid in real-time, use:

tail -f /var/log/squid/access.log
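
The ACL and authentication rules from sections 3 and 4 show up in this log as TCP_DENIED entries: status 403 for a request refused by http_access, and 407 when proxy authentication is required. The script below is an added example, not part of the original tutorial; it assumes Squid's default native log format, and the sample lines, user name, and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's default native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1718000000.101     12 192.168.1.10 TCP_MISS/200 5120 GET http://buyproxies.org/ alice HIER_DIRECT/203.0.113.5 text/html
1718000001.202      0 192.168.1.10 TCP_DENIED/403 3890 GET http://www.example.com/ alice HIER_NONE/- text/html
1718000002.303      0 192.168.1.23 TCP_DENIED/407 4012 CONNECT buyproxies.org:443 - HIER_NONE/- text/html
1718000003.404      0 192.168.1.23 TCP_DENIED/407 4012 CONNECT buyproxies.org:443 - HIER_NONE/- text/html
1718000004.505      0 192.168.1.23 TCP_DENIED/407 4012 CONNECT buyproxies.org:443 - HIER_NONE/- text/html
1718000005.606      0 10.0.0.7 TCP_DENIED/403 3890 GET http://buyproxies.org/ - HIER_NONE/- text/html
this line is truncated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+/\S+\s+\S+"
)

def denied_by_client(log_text):
    """Return {client_ip: Counter({http_status: count})} for TCP_DENIED lines."""
    denied = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "TCP_DENIED":
            continue  # skip allowed requests and malformed lines
        denied.setdefault(m["client"], Counter())[int(m["status"])] += 1
    return denied

def flag_clients(denied, auth_threshold=3):
    """Flag clients with any 403, or with at least auth_threshold 407s."""
    # A single 407 is the normal challenge that precedes every authenticated
    # session, so only repeated 407s are treated as failed logins.
    flagged = {}
    for client, counts in denied.items():
        reasons = []
        if counts[403]:
            reasons.append("acl_denied")
        if counts[407] >= auth_threshold:
            reasons.append("repeated_auth_failure")
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    for client, reasons in flag_clients(denied_by_client(SAMPLE_LOG)).items():
        print(client, ",".join(reasons))
```

To run it against the live log, pass the contents of /var/log/squid/access.log to denied_by_client() instead of SAMPLE_LOG.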

8. Troubleshooting

Common issues and solutions:

  • Squid Not Starting: Check the configuration file syntax with sudo squid -k parse.
  • Access Denied: Ensure ACLs are correctly configured and not overly restrictive.
  • Slow Performance: Adjust cache settings and check for network issues.

Conclusion

Configuring Squid as a proxy server can significantly enhance your network’s performance and security. This tutorial covered the basics of installation, configuration, access control, authentication, SSL bumping, performance tuning, and troubleshooting. With these steps, you should be able to set up and maintain a Squid proxy server that meets your needs.

For further customization and advanced features, refer to the official Squid documentation.
