Sponsored Link
This is a short guide on how to set up a transparent squid proxy server. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Install Squid
Install squid and squid-common
sudo aptitude install squid squid-common
Edit the squid config file.
sudo vi /etc/squid/squid.conf
Set the allowed hosts.
acl internal_network src 192.168.0.0/24 (192.168.0.0/24 is your IP range.)
http_access allow internal_network
Set the correct permissions.
sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf
You will need to restart squid for the changes to take affect.
sudo /etc/init.d/squid restart
Now open up your browser and set your proxy to point to your new squid server on port 3128
Authentication
If you wish to use authentication with your proxy you will need to install apache2 utilities
sudo aptitude install squid squid-common apache2-utils
To add your first user you will need to specify -c
sudo htpasswd -c /etc/squid.passwd first_user
Thereafter you add new users with
sudo htpasswd /etc/squid.passwd another_user
Edit the squid config file
sudo vi /etc/squid/squid.conf
Set the the authentication parameters and the acl
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off
acl users proxy_auth REQUIRED
acl sectionx proxy_auth REQUIRED
http_access allow users
So this is what your squid.conf should look like.
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
Redirect the all HTTP traffic.
If you would like to redirect the all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Where eth1,eth0 are the LAN, WAN devices and 192.168.0.1 is the IP address of your LAN device.
If you wish to monitor the performance of your proxy you can look as some log parser's (sarg, calamaris, ect.)
Source from here
‘ass new users’ not the best typo…
Nice article, however.
Daniel
Hi Daniel,
Thanks for pointing this out, its meant to read ‘add new users’ 🙂 I cannot edit existing articles however which sucks as I cannot see how people that contribute can keep the work updated.
Admin, could you look into this please?
Thanks,
–me
I’ve tried so, but when using
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.0.1:3128
connection was not working.
I had to use
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 3128
to make it work.
Any ideas what did I do wrong?
i have updated the article with correct word
@Nitr8
you can manage your own posts now
@admin
That’s perfect, thanks a mill for this.
@vesela
You did nothing wrong, it depends on your setup. I have two nic’s (WAN & LAN)
–me
How about HTTPS traffic?
Would you know any link about that?
“Now open up your browser and set your proxy to point to your new squid server on port 3218”
The correct port is 3128, small typo but you should correct this (if you can)
@feaks
Thanks for your help.Now i have updated the article with correct port number
I couldn’t get my proxy to work transparently after upgrading dapper (squid 2.5) to hardy (squid 2.6). I had the following commands in squid.conf, that were needed to get it working (apart from redirecting traffic with the firewall/iptables):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
But Squid 2.6, included in Hardy no longer supports these. After some searching the answer came in the shorewall site: simply add “transparent” to the http_port command:
http_port 3128 transparent
Just in case this helps others.
how about a proxy with a single Lan card example eth0=192.168.0.254
great article, Thanks
Thanks for this good article.
I can’t get log ssl connections.
Excellent article. Used the proxy with authentication on my test server and worked like a charm. Now my msn connects through proxy server (as well as IE). Using firefox along side IE but without the proxy.
Thanks . after i figure the proxy was at 100 and not at 200 it all worked perfectly
Redirect the all HTTP traffic Not working
My Network
eth0 Ip 192.168.1.1
eth1 Ip 192.168.0.1
Just wanted to thank you for a really good post. I found it quite useful and will check your site often.
HI
I am from Pakistan….Doing BS(CS) in final semester….I wana to command on linix base server…Have u any link or any practical work….Plz help me…
I have want to install PPPoE dialer setup….How i can do this….
Thanks, this really helped me a lot. I was wondering how you could decide which users in the squid.passwd have access to what IP range. For example how could I allow user1 to access the local network 192.168.0.0/24 and deny user2? Also, is there a way of only using the proxy for authentication but not for passing traffic through (kinda defeats the purpose of it though). Example: if user1 authenticates, he/she can browse the web without passing through the proxy. Like this you could use the proxy to regulate who is allowed to surf, without taking up bandwidth/resources of the server.
Thank you
i have gone through all the comments here and I have done everything – configuring the squid 2.7 stable 13 and iptables in ubuntu 8.10. my problem is that i only browse when i fix the proxy in the explorer, the transparency does not work. when i add this line of code, i have errors:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on.
I am really at a loss on what to do.
This what my squid conf looks like
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ECONOMICS src 10.0.0.0/24
http_access allow ECONOMICS
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow ECONOMICS
icp_access deny all
http_port 80
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
visible_hostname EconnetServer
hosts_file /etc/hosts
coredump_dir /var/spool/squid
Please can someone help me.
Thanks.
to–>>>@iniabasi
if.you.really.use.squid.version.2,6.x.above
try.this one…add.——–>>”transparent” beside your http_port
##########################################
# Squid normally listens to port 3128
http_port 3128 transparent
##########################################
and.dont.use.this.script
##########################################
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
##########################################
coz.i.knew.that.work.only.on.squid.ver.2.5.x.x
HI
i want to configure the squid proxy server.
now i tried to install the squid in my server. its installed. i have made the changes but its not working properly.below i have mentioned the error message. help me
[email protected]:~# /etc/init.d/squid restart
* Restarting Squid HTTP proxy squid * Waiting… * … * … * … * … * … * … [ OK ]
2009/07/11 13:28:03| decode_addr: Invalid IP address ’80’
2009/07/11 13:28:03| squid.conf line 18: acl www_ports src 80 443
2009/07/11 13:28:03| aclParseIpData: Ignoring invalid IP acl entry: unknown first address ’80’
2009/07/11 13:28:03| decode_addr: Invalid IP address ‘443’
2009/07/11 13:28:03| squid.conf line 18: acl www_ports src 80 443
2009/07/11 13:28:03| aclParseIpData: Ignoring invalid IP acl entry: unknown first address ‘443’
2009/07/11 13:28:03| aclParseAclLine: WARNING: empty ACL: acl www_ports src 80 443
2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.1.2/192.168.1.253’
2009/07/11 13:28:03| parseConfigFile: squid.conf:33 unrecognized: ‘HTTP’
2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.1.2/192.168.1.253’
2009/07/11 13:28:03| parseConfigFile: squid.conf:38 unrecognized: ‘FTP’
2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.1.2/192.168.1.25’
2009/07/11 13:28:03| WARNING: ‘192.168.1.0/192.168.1.253’ is a subnetwork of ‘0.0.0.0/0.0.0.0’
2009/07/11 13:28:03| WARNING: because of this ‘0.0.0.0/0.0.0.0’ is ignored to keep splay tree searching predictable
2009/07/11 13:28:03| WARNING: You should probably remove ‘192.168.1.0/192.168.1.253’ from the ACL named ‘all’
2009/07/11 13:28:03| WARNING: ‘192.168.1.0/255.255.255.0’ is a subnetwork of ‘192.168.1.0/255.255.255.0’
2009/07/11 13:28:03| WARNING: because of this ‘192.168.1.0/255.255.255.0’ is ignored to keep splay tree searching predictable
2009/07/11 13:28:03| WARNING: You should probably remove ‘192.168.1.0/255.255.255.0’ from the ACL named ‘internal_network’
2009/07/11 13:28:03| WARNING: ‘127.0.0.1’ is a subnetwork of ‘127.0.0.1’
2009/07/11 13:28:03| WARNING: because of this ‘127.0.0.1’ is ignored to keep splay tree searching predictable
2009/07/11 13:28:03| WARNING: You should probably remove ‘127.0.0.1’ from the ACL named ‘localhost’
[ OK ]
Thank you
# so good even I could {eventually} follow the instructions.
Pity I can’t get it to NAT all protocols and log them.
Can Squid be used as a cahing proxy (or similar)on a Ubuntu machine with only one Network card? In other words simply sitting in amongst all the other clients on the LAN side of the Router? If so, can some one point me to any info on this please. Ta, Boomer.
Yes, squid can be a caching proxy for clients on a LAN, using a single NIC. We’ve used this setup for over 10 years for our 600 users, and it works very well. It authenticates to AD for each request, provides all http/https traffic to our 1Gb internet link. With more wireless devices coming online, we are looking to replace it with a transparent proxy to avoid the need for client setup, although we will lose the auth capability.
Thanks for the comment Shawn, I have tried a few things since posting my query including installing a Windows Server 2003 version but I couldn’t make it work. I am very interested in getting more info from you on this subject as I have not had any replies or found a solution to my problem. Could I contact you through another way eg email direct? I will post my email up if you would like me to. I look forward to your reply. Boomer
this following command are not working in my PC. so please give me some commmand
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.10.1:5050
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 5050
Hi,
I have about three websites on one machine,
I am using a router, all my local network is behind a router, but because 3 websites on one machine I realised that it was a bit too much for the machine.
I then decided to use a proxy server on one machine, and use three other machine each will hold it’s own website, domain name, and database.
meaning serving three different websites from three different machines on the same network.
My confusion is this:
I hear that the proxy server listens on port 3128
Now let’s say I have websites A, B, C on M1, M2, M3
How can serve these three websites with the proxy server??
people can’t type http://mydomain-name.com:3128 every-time, I am sure we can configure it so people will access the website by simply typing http://www.mysite.com etc… any ideas please?
Thank you guys
I have 2 interfaces:
eth0 = connected to WAN (with internet connection)
eth1 = LAN (192.168.0.1)
Setting up proxy server. All windows box in LAN have proxy settings to 192.168.0.1:3128
My iptables rule to share internet connection is:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
if i want to do transparent proxy? do i have to edit that rule? or add a new rule(without touching my current iptables rule)?
All you need for transparent:
iptables -t nat -I PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to 10.0.0.3:3128
Remember to change the interface & IP/port.
with squid v2.7 you just need to add “transparent” to http_port.
squid.conf:
# Squid normally listens to port 3128
http_port 3128 transparent
Working on lucid.
Hello all,
I am using squid3.0 on Ubuntu server
I am having one particular problem, if anyone here can help me with please. here it is:
I can ssh the machine on which the proxy runs, but I cannot access the backend servers(machines) via ssh.
Let’s say the proxy machine itself has the ssh 22xx
and the other three machines in the back end have each a different SSH port number example.
Proxy machine SSH 2222 works
Machine1 SSH 2223 doesn’t work
Machine2 SSH 2224 doesn’t work
Machine3 SSH 2225 doesn’t work
I mean the access is refused
Even though through my router Cisco/Linksys I have forwarded SSH requests to each of these machines
I even added the above ports as Safe_ports in my squid config but still can’t access them.
Any suggestions or ideas would be very much appreciated.
I have posted on the userssquid mailing list but nobody replied or even tried to help me with it.
Thank you all