How to Setup Transparent Squid Proxy Server in Ubuntu
Posted by nitr8 on March 31st, 2008
This is a short guide on how to set up a transparent squid proxy server. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Install Squid
Install squid and squid-common
sudo aptitude install squid squid-common
Edit the squid config file.
sudo vi /etc/squid/squid.conf
Set the allowed hosts.
acl internal_network src 192.168.0.0/24
http_access allow internal_network
where 192.168.0.0/24 is your IP range.
Set the correct permissions.
sudo chown -R proxy:proxy /var/log/squid/
sudo chown proxy:proxy /etc/squid/squid.conf
You will need to restart squid for the changes to take effect.
sudo /etc/init.d/squid restart
Now open up your browser and set your proxy to point to your new squid server on port 3128.
Authentication
If you wish to use authentication with your proxy, you will need to install the apache2 utilities.
sudo aptitude install squid squid-common apache2-utils
To add your first user you will need to specify -c
sudo htpasswd -c /etc/squid.passwd first_user
Thereafter you add new users with
sudo htpasswd /etc/squid.passwd another_user
Edit the squid config file.
sudo vi /etc/squid/squid.conf
Set the authentication parameters and the acl.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off
acl users proxy_auth REQUIRED
acl sectionx proxy_auth REQUIRED
http_access allow users
So this is what your squid.conf should look like.
acl all src 0.0.0.0/0.0.0.0
acl internal_network src 192.168.0.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
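Squid evaluates http_access rules top to bottom and stops at the first match, so in the listing above "allow users" and "allow internal_network", placed before "deny !Safe_ports" and "deny CONNECT !SSL_ports", exempt authenticated and LAN clients from the port restrictions. The shell check below is an added example, not part of the original article: the function name check_http_access is assumed, and the two config fragments are constructed to contrast the article's order with a reordered one.

```shell
# Squid evaluates http_access rules top to bottom and stops at the first match.
# This check (added here; not a Squid tool) prints every "allow" that appears
# before "http_access deny !Safe_ports", because such an allow bypasses the
# Safe_ports / SSL_ports restrictions for that ACL.
# "allow manager localhost" is the one allow Squid's default config puts first,
# so it is not reported.

# Two constructed squid.conf fragments: the article's order and a reordered one.
PAGE_ORDER='http_access allow manager localhost
http_access allow users
http_access allow internal_network
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all'

FIXED_ORDER='http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow users
http_access allow internal_network
http_access allow localhost
http_access deny all'

# check_http_access CONFIG_TEXT
# Prints offending lines to stdout; exit 0 when none, 1 otherwise.
check_http_access() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 == "http_access" && $2 == "deny" && $3 == "!Safe_ports" { seen = 1 }
        $1 == "http_access" && $2 == "allow" && !seen && $3 != "manager" {
            print "allow before port deny: " $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage on a real file:  check_http_access "$(cat /etc/squid/squid.conf)"
check_http_access "$PAGE_ORDER" || echo "-> move these allows below the deny rules"
check_http_access "$FIXED_ORDER" && echo "-> reordered config passes"
```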
Redirect all HTTP traffic.
If you would like to redirect all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications, you will need to add some rules.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
where eth1 and eth0 are the LAN and WAN devices respectively and 192.168.0.1 is the IP address of your LAN device.
If you wish to monitor the performance of your proxy you can look at some log parsers (sarg, calamaris, etc.).
Source from here
March 31st, 2008 at 3:55 am
‘ass new users’ not the best typo…
Nice article, however.
Daniel
March 31st, 2008 at 8:57 am
Hi Daniel,
Thanks for pointing this out, it's meant to read ‘add new users’
I cannot edit existing articles however which sucks as I cannot see how people that contribute can keep the work updated.
Admin, could you look into this please?
Thanks,
–me
March 31st, 2008 at 11:05 am
I’ve tried so, but when using
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
connection was not working.
I had to use
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
to make it work.
Any ideas what I did wrong?
March 31st, 2008 at 5:34 pm
I have updated the article with the correct word
@Nitr8
you can manage your own posts now
March 31st, 2008 at 8:00 pm
@admin
That’s perfect, thanks a mill for this.
@vesela
You did nothing wrong, it depends on your setup. I have two nic’s (WAN & LAN)
–me
April 27th, 2008 at 8:00 pm
How about HTTPS traffic?
Would you know any link about that?
May 15th, 2008 at 10:16 pm
“Now open up your browser and set your proxy to point to your new squid server on port 3218″
The correct port is 3128, small typo but you should correct this (if you can)
May 16th, 2008 at 6:07 am
@feaks
Thanks for your help. Now I have updated the article with the correct port number
June 1st, 2008 at 12:11 am
I couldn’t get my proxy to work transparently after upgrading dapper (squid 2.5) to hardy (squid 2.6). I had the following commands in squid.conf, that were needed to get it working (apart from redirecting traffic with the firewall/iptables):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
But Squid 2.6, included in Hardy, no longer supports these. After some searching the answer came from the shorewall site: simply add “transparent” to the http_port command:
http_port 3128 transparent
Just in case this helps others.
June 29th, 2008 at 7:22 am
How about a proxy with a single LAN card, for example eth0=192.168.0.254?
July 31st, 2008 at 5:34 am
Great article, thanks.
August 21st, 2008 at 8:16 am
Thanks for this good article.
I can’t get log ssl connections.