How to Build a Proxy Server with Squid3

Tadashi Shigeoka ·  Thu, February 23, 2017

This post shows how to build a proxy server using Squid 3.x.

Installing Squid

First, install squid.

sudo apt-get update
sudo apt-get install squid

Check the squid version to confirm it’s installed.

$ squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

After installing squid, I checked the status and it was already running. Fast, as expected of squid.

$ service squid status
● squid.service - LSB: Squid HTTP Proxy version 3.x
   Loaded: loaded (/etc/init.d/squid; bad; vendor preset: enabled)
   Active: active (running) since Sat 2017-02-18 13:39:01 UTC; 28min ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 4
   Memory: 18.3M
      CPU: 461ms
   CGroup: /system.slice/squid.service
           ├─2831 /usr/sbin/squid -YC -f /etc/squid/squid.conf
           ├─2838 (squid-1) -YC -f /etc/squid/squid.conf
           ├─2841 (logfile-daemon) /var/log/squid/access.log
           └─2866 (pinger)

Feb 18 13:39:01 proxy1 systemd[1]: Starting LSB: Squid HTTP Proxy version 3.x...
Feb 18 13:39:01 proxy1 squid[2788]:  * Starting Squid HTTP Proxy squid
Feb 18 13:39:01 proxy1 squid[2788]:    ...done.
Feb 18 13:39:01 proxy1 systemd[1]: Started LSB: Squid HTTP Proxy version 3.x.
Feb 18 13:39:01 proxy1 squid[2831]: Squid Parent: will start 1 kids
Feb 18 13:39:01 proxy1 squid[2831]: Squid Parent: (squid-1) process 2838 started

Edit squid.conf to Build Proxy Server

First, back up the default squid.conf file.

sudo cp /etc/squid/squid.conf /etc/squid/squid-origin.conf

Next, edit squid.conf and add the following settings:

#http_access deny all

forwarded_for off

request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

reply_header_access X-Forwarded-For deny all
reply_header_access Via deny all
reply_header_access Cache-Control deny all

The diff is as follows:

$ diff /etc/squid/squid-origin.conf /etc/squid/squid.conf
1188a1189,1192
> # Alow my server's host
> acl myhost src xxx.xxx.xxx.xxx/255.255.255.255
> http_access allow myhost
> 
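Review bot: the `http_access allow myhost` rule in this hunk is only half of the access policy. The listing earlier on the page shows `#http_access deny all`, but no hunk in this diff comments that line out, so the two disagree. Keep an active `http_access deny all` as the last `http_access` rule, after this allow, so that every client other than `myhost` is refused explicitly. The added comment also misspells "Allow", and the single-host mask `/255.255.255.255` can be written as `/32`.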
1599c1603
< http_port 3128
---
> http_port 13128
5156a5161,5163
> request_header_access X-Forwarded-For deny all
> request_header_access Via deny all
> request_header_access Cache-Control deny all
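Review bot: the three `reply_header_access` rules from the listing earlier on the page are missing after the `request_header_access` lines in this hunk, and no other hunk adds them, so the diff and the listing describe different files. Either add the reply rules here or drop them from the listing. The request-side `X-Forwarded-For` and `Via` rules are the ones that decide what the destination server receives.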
5507a5515
> visible_hostname myhostname.com
7621a7630
> forwarded_for off

After editing squid.conf, reload squid to apply the settings and you’re done.

sudo service squid reload

Then confirm, by whatever method you prefer, that you can reach sites through the proxy server.
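A static check of the edited squid.conf complements the live test. The script below is an added example, not code from the original post: it audits the directives this page sets (the http_access list, forwarded_for and the request_header_access rules). The sample configuration, the address 203.0.113.10 and the function names are constructed for illustration.

```python
# Added example: static audit of the squid.conf directives discussed on this page.
REQUIRED_STRIPPED = ("X-Forwarded-For", "Via")  # request headers that reveal the proxy or client

# Constructed sample: the page's settings, with "http_access deny all" commented out
# as in the listing. 203.0.113.10 is a documentation address, not a real host.
LISTING_CONF = """\
acl myhost src 203.0.113.10/255.255.255.255
http_access allow myhost
#http_access deny all
http_port 13128
forwarded_for off
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
"""

def active_directives(text):
    """Split squid.conf text into token lists, skipping blank and '#' comment lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split())
    return rows

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    rows = active_directives(text)
    findings = []
    access = [r[1:] for r in rows if r[0] == "http_access"]
    if ["allow", "all"] in access:
        findings.append("http_access allow all: any client may use the proxy")
    # When no rule matches, Squid applies the opposite of the last http_access
    # line, so the list should end with an explicit "deny all".
    if not access or access[-1] != ["deny", "all"]:
        findings.append("http_access list does not end with 'deny all'")
    if ["forwarded_for", "off"] not in rows:
        findings.append("forwarded_for is not 'off'")
    for header in REQUIRED_STRIPPED:
        if ["request_header_access", header, "deny", "all"] not in rows:
            findings.append("request header %s is not denied" % header)
    return findings

if __name__ == "__main__":
    for finding in audit(LISTING_CONF) or ["no findings"]:
        print(finding)
```

To audit a real file, pass its contents to audit(), for example audit(open("/etc/squid/squid.conf").read()); squid -k parse checks syntax only, not policy.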

That’s all from the Gemba on building a proxy server with Squid 3.
