March 31, 2008 · Networking, Server · Email This Post

Sponsored Link
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite -- we're getting there!) HTTP/1.1 compliant. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications.

This is a short guide on how to set up a transparent squid proxy server. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

Install Squid

Install squid and squid-common

sudo aptitude install squid squid-common

Edit the squid config file.

sudo vi /etc/squid/squid.conf

Set the allowed hosts.

acl internal_network src 192.168.0.0/24 (
Where 192.168.0.0/24 is your IP range.)
http_access allow internal_network

Set the correct permissions.

sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf

You will need to restart squid for the changes to take affect.

sudo /etc/init.d/squid restart

Now open up your browser and set your proxy to point to your new squid server on port 3128

Authentication

If you wish to use authentication with your proxy you will need to install apache2 utilities

sudo aptitude install squid squid-common apache2-utils

To add your first user you will need to specify -c

sudo htpasswd -c /etc/squid.passwd first_user

Thereafter you add new users with

sudo htpasswd /etc/squid.passwd another_user

Edit the squid config file

sudo vi /etc/squid/squid.conf

Set the the authentication parameters and the acl

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off

acl users proxy_auth REQUIRED

acl sectionx proxy_auth REQUIRED

http_access allow users

So this is what your squid.conf should look like.

acl all src 0.0.0.0/0.0.0.0
acl
internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

Redirect the all HTTP traffic.

If you would like to redirect the all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Where eth1,eth0 are the LAN, WAN devices and 192.168.0.1 is the IP address of your LAN device.

If you wish to monitor the performance of your proxy you can look as some log parser's (sarg, calamaris, ect.)

Source from here

Sponsored Link

Incoming search terms:

Related posts

40 Comments to “How to Setup Transparent Squid Proxy Server in Ubuntu”

  1. Daniel says:

    ‘ass new users’ not the best typo…

    Nice article, however.

    Daniel

    [Reply]

  2. nitr8 says:

    Hi Daniel,

    Thanks for pointing this out, its meant to read ‘add new users’ :) I cannot edit existing articles however which sucks as I cannot see how people that contribute can keep the work updated.

    Admin, could you look into this please?

    Thanks,

    –me

    [Reply]

  3. Vesela Houba says:

    I’ve tried so, but when using
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.0.1:3128
    connection was not working.
    I had to use
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 3128
    to make it work.
    Any ideas what did I do wrong?

    [Reply]

  4. admin says:

    i have updated the article with correct word

    @Nitr8

    you can manage your own posts now

    [Reply]

  5. nitr8 says:

    @admin

    That’s perfect, thanks a mill for this.

    @vesela

    You did nothing wrong, it depends on your setup. I have two nic’s (WAN & LAN)

    –me

    [Reply]

  6. Infogerance says:

    How about HTTPS traffic?
    Would you know any link about that?

    [Reply]

  7. feaks says:

    “Now open up your browser and set your proxy to point to your new squid server on port 3218″
    The correct port is 3128, small typo but you should correct this (if you can)

    [Reply]

  8. admin says:

    @feaks
    Thanks for your help.Now i have updated the article with correct port number

    [Reply]

  9. Gonzalo says:

    I couldn’t get my proxy to work transparently after upgrading dapper (squid 2.5) to hardy (squid 2.6). I had the following commands in squid.conf, that were needed to get it working (apart from redirecting traffic with the firewall/iptables):

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    But Squid 2.6, included in Hardy no longer supports these. After some searching the answer came in the shorewall site: simply add “transparent” to the http_port command:

    http_port 3128 transparent

    Just in case this helps others.

    [Reply]

  10. Lapu_Lapu says:

    how about a proxy with a single Lan card example eth0=192.168.0.254

    [Reply]

  11. Amjad says:

    great article, Thanks

    [Reply]

  12. Ali Akgun says:

    Thanks for this good article.
    I can’t get log ssl connections.

    [Reply]

  13. garfunkle says:

    Excellent article. Used the proxy with authentication on my test server and worked like a charm. Now my msn connects through proxy server (as well as IE). Using firefox along side IE but without the proxy.

    [Reply]

  14. Kastr0 says:

    Thanks . after i figure the proxy was at 100 and not at 200 it all worked perfectly

    [Reply]

  15. Love-Ubuntu says:

    Redirect the all HTTP traffic Not working

    My Network

    eth0 Ip 192.168.1.1

    eth1 Ip 192.168.0.1

    [Reply]

  16. Unblock Me says:

    Just wanted to thank you for a really good post. I found it quite useful and will check your site often.

    [Reply]

  17. Faisal Sardar says:

    HI
    I am from Pakistan….Doing BS(CS) in final semester….I wana to command on linix base server…Have u any link or any practical work….Plz help me…
    I have want to install PPPoE dialer setup….How i can do this….

    [Reply]

  18. theo says:

    Thanks, this really helped me a lot. I was wondering how you could decide which users in the squid.passwd have access to what IP range. For example how could I allow user1 to access the local network 192.168.0.0/24 and deny user2? Also, is there a way of only using the proxy for authentication but not for passing traffic through (kinda defeats the purpose of it though). Example: if user1 authenticates, he/she can browse the web without passing through the proxy. Like this you could use the proxy to regulate who is allowed to surf, without taking up bandwidth/resources of the server.

    Thank you

    [Reply]

  19. iniabasi says:

    i have gone through all the comments here and I have done everything – configuring the squid 2.7 stable 13 and iptables in ubuntu 8.10. my problem is that i only browse when i fix the proxy in the explorer, the transparency does not work. when i add this line of code, i have errors:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on.

    I am really at a loss on what to do.
    This what my squid conf looks like

    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl ECONOMICS src 10.0.0.0/24
    http_access allow ECONOMICS
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    icp_access allow ECONOMICS
    icp_access deny all
    http_port 80
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
    refresh_pattern . 0 20% 4320
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
    upgrade_http0.9 deny shoutcast
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    extension_methods REPORT MERGE MKACTIVITY CHECKOUT
    visible_hostname EconnetServer
    hosts_file /etc/hosts
    coredump_dir /var/spool/squid

    Please can someone help me.
    Thanks.

    [Reply]

  20. achulxp says:

    to–>>>@iniabasi

    if.you.really.use.squid.version.2,6.x.above
    try.this one…add.——–>>”transparent” beside your http_port
    ##########################################
    # Squid normally listens to port 3128
    http_port 3128 transparent
    ##########################################

    and.dont.use.this.script
    ##########################################
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    ##########################################

    coz.i.knew.that.work.only.on.squid.ver.2.5.x.x

    [Reply]

  21. Baghathsingh says:

    HI

    i want to configure the squid proxy server.
    now i tried to install the squid in my server. its installed. i have made the changes but its not working properly.below i have mentioned the error message. help me

    root@srv1:~# /etc/init.d/squid restart
    * Restarting Squid HTTP proxy squid * Waiting… * … * … * … * … * … * … [ OK ]
    2009/07/11 13:28:03| decode_addr: Invalid IP address ’80’
    2009/07/11 13:28:03| squid.conf line 18: acl www_ports src 80 443
    2009/07/11 13:28:03| aclParseIpData: Ignoring invalid IP acl entry: unknown first address ’80’
    2009/07/11 13:28:03| decode_addr: Invalid IP address ‘443’
    2009/07/11 13:28:03| squid.conf line 18: acl www_ports src 80 443
    2009/07/11 13:28:03| aclParseIpData: Ignoring invalid IP acl entry: unknown first address ‘443’
    2009/07/11 13:28:03| aclParseAclLine: WARNING: empty ACL: acl www_ports src 80 443
    2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.1.2/192.168.1.253′
    2009/07/11 13:28:03| parseConfigFile: squid.conf:33 unrecognized: ‘HTTP’
    2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.1.2/192.168.1.253′
    2009/07/11 13:28:03| parseConfigFile: squid.conf:38 unrecognized: ‘FTP’
    2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.1.2/192.168.1.25′
    2009/07/11 13:28:03| WARNING: ‘192.168.1.0/192.168.1.253′ is a subnetwork of ‘0.0.0.0/0.0.0.0′
    2009/07/11 13:28:03| WARNING: because of this ‘0.0.0.0/0.0.0.0′ is ignored to keep splay tree searching predictable
    2009/07/11 13:28:03| WARNING: You should probably remove ‘192.168.1.0/192.168.1.253′ from the ACL named ‘all’
    2009/07/11 13:28:03| WARNING: ‘192.168.1.0/255.255.255.0′ is a subnetwork of ‘192.168.1.0/255.255.255.0′
    2009/07/11 13:28:03| WARNING: because of this ‘192.168.1.0/255.255.255.0′ is ignored to keep splay tree searching predictable
    2009/07/11 13:28:03| WARNING: You should probably remove ‘192.168.1.0/255.255.255.0′ from the ACL named ‘internal_network’
    2009/07/11 13:28:03| WARNING: ‘127.0.0.1’ is a subnetwork of ‘127.0.0.1’
    2009/07/11 13:28:03| WARNING: because of this ‘127.0.0.1’ is ignored to keep splay tree searching predictable
    2009/07/11 13:28:03| WARNING: You should probably remove ‘127.0.0.1’ from the ACL named ‘localhost’
    [ OK ]

    [Reply]

  22. Peter says:

    Thank you
    # so good even I could {eventually} follow the instructions.
    Pity I can’t get it to NAT all protocols and log them.

    [Reply]

  23. Boomerang says:

    Can Squid be used as a cahing proxy (or similar)on a Ubuntu machine with only one Network card? In other words simply sitting in amongst all the other clients on the LAN side of the Router? If so, can some one point me to any info on this please. Ta, Boomer.

    [Reply]

  24. Shawn says:

    Yes, squid can be a caching proxy for clients on a LAN, using a single NIC. We’ve used this setup for over 10 years for our 600 users, and it works very well. It authenticates to AD for each request, provides all http/https traffic to our 1Gb internet link. With more wireless devices coming online, we are looking to replace it with a transparent proxy to avoid the need for client setup, although we will lose the auth capability.

    [Reply]

  25. Boomerang says:

    Thanks for the comment Shawn, I have tried a few things since posting my query including installing a Windows Server 2003 version but I couldn’t make it work. I am very interested in getting more info from you on this subject as I have not had any replies or found a solution to my problem. Could I contact you through another way eg email direct? I will post my email up if you would like me to. I look forward to your reply. Boomer

    [Reply]

  26. win naing myint says:

    this following command are not working in my PC. so please give me some commmand

    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.10.1:5050
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 5050

    [Reply]

  27. Advanced says:

    Hi,
    I have about three websites on one machine,
    I am using a router, all my local network is behind a router, but because 3 websites on one machine I realised that it was a bit too much for the machine.

    I then decided to use a proxy server on one machine, and use three other machine each will hold it’s own website, domain name, and database.

    meaning serving three different websites from three different machines on the same network.

    My confusion is this:
    I hear that the proxy server listens on port 3128
    Now let’s say I have websites A, B, C on M1, M2, M3

    How can serve these three websites with the proxy server??
    people can’t type http://mydomain-name.com:3128 every-time, I am sure we can configure it so people will access the website by simply typing http://www.mysite.com etc… any ideas please?

    Thank you guys

    [Reply]

  28. KenWeiLL says:

    I have 2 interfaces:
    eth0 = connected to WAN (with internet connection)
    eth1 = LAN (192.168.0.1)

    Setting up proxy server. All windows box in LAN have proxy settings to 192.168.0.1:3128

    My iptables rule to share internet connection is:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    if i want to do transparent proxy? do i have to edit that rule? or add a new rule(without touching my current iptables rule)?

    [Reply]

  29. TorrentialStorm says:

    All you need for transparent:
    iptables -t nat -I PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to 10.0.0.3:3128
    Remember to change the interface & IP/port.

    with squid v2.7 you just need to add “transparent” to http_port.

    squid.conf:
    # Squid normally listens to port 3128
    http_port 3128 transparent

    Working on lucid.

    [Reply]

  30. Adam says:

    Hello all,
    I am using squid3.0 on Ubuntu server
    I am having one particular problem, if anyone here can help me with please. here it is:

    I can ssh the machine on which the proxy runs, but I cannot access the backend servers(machines) via ssh.

    Let’s say the proxy machine itself has the ssh 22xx
    and the other three machines in the back end have each a different SSH port number example.

    Proxy machine SSH 2222 works
    Machine1 SSH 2223 doesn’t work
    Machine2 SSH 2224 doesn’t work
    Machine3 SSH 2225 doesn’t work

    I mean the access is refused
    Even though through my router Cisco/Linksys I have forwarded SSH requests to each of these machines

    I even added the above ports as Safe_ports in my squid config but still can’t access them.

    Any suggestions or ideas would be very much appreciated.

    I have posted on the userssquid mailing list but nobody replied or even tried to help me with it.

    Thank you all

    [Reply]

Leave a Reply