If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
This is a short guide on how to set up a transparent squid proxy server. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Install Squid
Install squid and squid-common
sudo aptitude install squid squid-common
Edit the squid config file.
sudo vi /etc/squid/squid.conf
Set the allowed hosts.
acl internal_network src 192.168.0.0/24 (192.168.0.0/24 is your IP range.)
http_access allow internal_network
Set the correct permissions.
sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf
You will need to restart squid for the changes to take affect.
sudo /etc/init.d/squid restart
Now open up your browser and set your proxy to point to your new squid server on port 3128
Authentication
If you wish to use authentication with your proxy you will need to install apache2 utilities
sudo aptitude install squid squid-common apache2-utils
To add your first user you will need to specify -c
sudo htpasswd -c /etc/squid.passwd first_user
Thereafter you add new users with
sudo htpasswd /etc/squid.passwd another_user
Edit the squid config file
sudo vi /etc/squid/squid.conf
Set the the authentication parameters and the acl
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off
acl users proxy_auth REQUIRED
acl sectionx proxy_auth REQUIRED
http_access allow users
So this is what your squid.conf should look like.
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
Redirect the all HTTP traffic.
If you would like to redirect the all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Where eth1,eth0 are the LAN, WAN devices and 192.168.0.1 is the IP address of your LAN device.
If you wish to monitor the performance of your proxy you can look as some log parser’s (sarg, calamaris, ect.)
Source from here
‘ass new users’ not the best typo…
Nice article, however.
Daniel
Hi Daniel,
Thanks for pointing this out, its meant to read ‘add new users’
I cannot edit existing articles however which sucks as I cannot see how people that contribute can keep the work updated.
Admin, could you look into this please?
Thanks,
–me
I’ve tried so, but when using
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.0.1:3128
connection was not working.
I had to use
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 3128
to make it work.
Any ideas what did I do wrong?
i have updated the article with correct word
@Nitr8
you can manage your own posts now
@admin
That’s perfect, thanks a mill for this.
@vesela
You did nothing wrong, it depends on your setup. I have two nic’s (WAN & LAN)
–me
How about HTTPS traffic?
Would you know any link about that?
“Now open up your browser and set your proxy to point to your new squid server on port 3218″
The correct port is 3128, small typo but you should correct this (if you can)
@feaks
Thanks for your help.Now i have updated the article with correct port number
I couldn’t get my proxy to work transparently after upgrading dapper (squid 2.5) to hardy (squid 2.6). I had the following commands in squid.conf, that were needed to get it working (apart from redirecting traffic with the firewall/iptables):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
But Squid 2.6, included in Hardy no longer supports these. After some searching the answer came in the shorewall site: simply add “transparent” to the http_port command:
http_port 3128 transparent
Just in case this helps others.
how about a proxy with a single Lan card example eth0=192.168.0.254
great article, Thanks
Thanks for this good article.
I can’t get log ssl connections.
Excellent article. Used the proxy with authentication on my test server and worked like a charm. Now my msn connects through proxy server (as well as IE). Using firefox along side IE but without the proxy.
Thanks . after i figure the proxy was at 100 and not at 200 it all worked perfectly
Redirect the all HTTP traffic Not working
My Network
eth0 Ip 192.168.1.1
eth1 Ip 192.168.0.1
Just wanted to thank you for a really good post. I found it quite useful and will check your site often.
HI
I am from Pakistan….Doing BS(CS) in final semester….I wana to command on linix base server…Have u any link or any practical work….Plz help me…
I have want to install PPPoE dialer setup….How i can do this….
Thanks, this really helped me a lot. I was wondering how you could decide which users in the squid.passwd have access to what IP range. For example how could I allow user1 to access the local network 192.168.0.0/24 and deny user2? Also, is there a way of only using the proxy for authentication but not for passing traffic through (kinda defeats the purpose of it though). Example: if user1 authenticates, he/she can browse the web without passing through the proxy. Like this you could use the proxy to regulate who is allowed to surf, without taking up bandwidth/resources of the server.
Thank you
i have gone through all the comments here and I have done everything – configuring the squid 2.7 stable 13 and iptables in ubuntu 8.10. my problem is that i only browse when i fix the proxy in the explorer, the transparency does not work. when i add this line of code, i have errors:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on.
I am really at a loss on what to do.
This what my squid conf looks like
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ECONOMICS src 10.0.0.0/24
http_access allow ECONOMICS
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow ECONOMICS
icp_access deny all
http_port 80
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
visible_hostname EconnetServer
hosts_file /etc/hosts
coredump_dir /var/spool/squid
Please can someone help me.
Thanks.
to–>>>@iniabasi
if.you.really.use.squid.version.2,6.x.above
try.this one…add.——–>>”transparent” beside your http_port
##########################################
# Squid normally listens to port 3128
http_port 3128 transparent
##########################################
and.dont.use.this.script
##########################################
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
##########################################
coz.i.knew.that.work.only.on.squid.ver.2.5.x.x