Introduction
Squid is a caching proxy that supports various network protocols such as HTTP, HTTPS and FTP.
This proxy can improve the performance and security of your web server by caching the responses to requests already made, filtering web traffic and restricting access based on geolocation.
In this tutorial you will see how to set up Squid Proxy on a Debian Buster server and how to configure some web browsers to be able to use this proxy.
Installing Squid on Debian
The Squid package is included in the standard Debian 10 repositories. Just run the standard commands to proceed with its installation:
$ sudo apt update
$ sudo apt install squid
Once the installation is completed, the proxy will start automatically. To verify its correct functioning, simply type:
$ sudo systemctl status squid
The resulting output should look like this:
squid.service - LSB: Squid HTTP Proxy version 3.x
Loaded: loaded (/etc/init.d/squid; generated)
Active: active (running) since Wed 2020-05-26 18:48:47 PDT; 3s ago
...
Configuring Squid Proxy
To configure Squid Proxy, edit the squid.conf file in the Squid directory with a text editor.
$ sudo nano /etc/squid/squid.conf
N.B. Before applying any changes, it is advisable to create a copy of the original configuration to have as a backup.
One of the first configurations that can be changed is the one concerning the port on which the proxy is listening, which by default is port 3128.
To apply this change, locate the following line in the text file:
# Squid normally listens to port 3128
http_port IP_ADDR:PORT
By replacing IP_ADDR and PORT, you change the IP address of the interface and the port on which Squid listens, respectively.
A second configuration to adjust is the one concerning access control. In Squid, by default, access is only allowed from localhost, but a list of IP addresses to allow access from can also be specified.
To do so, simply create a file containing all the addresses and include it within the Squid configuration.
$ sudo nano /etc/squid/IPallowed.txt
This command creates a text file in which to add the IP addresses authorized to use your proxy, one per line.
After doing so, open the configuration file, declare a new ACL called IPallowed and make it include the newly created text file.
To define the access rule applied to these IP addresses, add an http_access entry that references the name of the ACL defined above.
Normally, the lines should look similar to the following:
# ...
acl IPallowed src "/etc/squid/IPallowed.txt"
# ...
#http_access allow localnet
http_access allow localhost
http_access allow IPallowed
# And finally deny all other access to this proxy
http_access deny all
It is important that the deny all rule is always specified after all the other declarations, so that every request is denied except those from the previously declared addresses. Squid, like firewalls, reads the rules from top to bottom and applies the first one that matches.
Once the configuration file has been saved, the proxy will have to be restarted to apply the changes:
$ sudo systemctl restart squid
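The following pre-restart check is an added example, not part of the original tutorial: check_allowlist rejects malformed or overly broad entries in IPallowed.txt, and check_http_access verifies the rule order described above. The function names, the /8 breadth limit, the IPv4-only parsing and the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original tutorial. The /8 limit is an assumption.

# check_allowlist FILE: each entry must be an IPv4 address or CIDR block.
# Returns 1 and prints the line if an entry is malformed or broader than /8.
check_allowlist() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
    {
        n = split($1, p, "/"); ok = (n <= 2)
        if (split(p[1], o, ".") != 4) ok = 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) ok = 0
        if (!ok) { print "malformed: " $0; bad = 1 }
        else if (n == 2 && p[2] + 0 < 8) { print "too broad: " $0; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}

# check_http_access CONF: Squid applies the first matching http_access rule,
# so "deny all" must be the last rule and "allow all" must never appear.
check_http_access() {
    awk '
    $1 == "http_access" {
        rule = $2 " " $3
        if (denied) { print "line " NR ": unreachable after deny all"; bad = 1 }
        if (rule == "allow all") { print "line " NR ": allow all opens the proxy"; bad = 1 }
        if (rule == "deny all") denied = 1
        last = rule
    }
    END {
        if (last != "deny all") { print "last http_access rule is not deny all"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample input: one over-broad entry, one misplaced rule.
tmp=$(mktemp -d)
printf '192.0.2.10\n198.51.100.0/24\n0.0.0.0/0\n' > "$tmp/IPallowed.txt"
printf 'http_access allow localhost\nhttp_access deny all\nhttp_access allow IPallowed\n' > "$tmp/squid.conf"
check_allowlist "$tmp/IPallowed.txt" || echo "allowlist rejected"
check_http_access "$tmp/squid.conf" || echo "rule order rejected"
rm -r "$tmp"
```

On the server, point the two functions at /etc/squid/IPallowed.txt and /etc/squid/squid.conf, then run sudo squid -k parse to let Squid check the configuration syntax before restarting.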
Configuring Firewall
If you use UFW, port 3128 (or the port you have configured) can be opened by enabling the "Squid" profile:
$ sudo ufw allow 'Squid'
If you use nftables instead, a slightly more complex command is needed to open the port:
$ sudo nft add rule inet filter input tcp dport 3128 ct state new,established counter accept
Configuring your browsers to use the proxy
In this section, you will learn more about how to allow your browsers to use the Squid proxy.
Firefox
These steps are valid for any operating system:
- In Firefox, click on the ☰ icon at the top right
- Select the Preferences option
- Scroll to the section dedicated to the network settings and click on the Settings item
- In the new window that opens:
  - Click Manual Proxy Configuration
  - Enter the IP address of your Squid server in the HTTP Host field and enter the port 3128 in the Port field
  - Select the Use this proxy server for all protocols item
  - Confirm the new settings by clicking OK.
Your browser should now be browsing the internet via the Squid proxy. To verify this, check that the IP address you are seen with on the network is the same as that of the Squid server.
N.B. To return to the default settings, simply go back to that section of the Firefox network settings and select the item Use system proxy settings.
Google Chrome
In Chrome, the most direct way to launch the browser with a profile that uses the Squid proxy is to start it from the command line in a terminal.
The commands, of course, change from system to system.
Linux:
/usr/bin/google-chrome \
--user-data-dir="$HOME/proxy-profile" \
--proxy-server="http://SQUID_IP:3128"
MacOS:
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
--user-data-dir="$HOME/proxy-profile" \
--proxy-server="http://SQUID_IP:3128"
Windows:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" ^
--user-data-dir="%USERPROFILE%\proxy-profile" ^
--proxy-server="http://SQUID_IP:3128"
If the profile does not exist, it will be created automatically. Once again, to check if the proxy server is correctly working, verify that your IP address is the same as Squid's.
Conclusions
By following the steps in this tutorial, you have learned how to properly install and configure Squid Proxy on your Linux server with Debian 10 and to allow your browsers to use it.
Thanks to the proxy, you can improve the speed of your web server and increase security by restricting users' access to the network.