Hiding behind the proxy with squid
In this recipe, we will install and configure the squid proxy and caching server. The term proxy is generally combined with two different terms: one is forward proxy and the other is reverse proxy.
When we say proxy, it generally refers to forward proxy. A forward proxy acts as a gateway between a client's browser and the Internet, requesting the content on behalf of the client. This protects intranet clients by exposing the proxy as the only requester. A proxy can also be used as a filtering agent, imposing organizational policies. As all Internet requests go through the proxy server, the proxy can cache the response and return cached content when a similar request is found, thus saving bandwidth and time.
A reverse proxy is the exact opposite of a forward proxy. It protects internal servers from the outside world. A reverse proxy accepts requests from external clients and routes them to servers behind the proxy. External clients can see a single entity serving requests, but internally, it can be multiple servers working behind the proxy and sharing the load. More details about reverse proxies are covered in Chapter 3, Working with Web Servers.
In this recipe, we will discuss how to install a squid server. Squid is a well-known application in the forward proxy world and works well as a caching proxy. It supports HTTP, HTTPS, FTP, and other popular network protocols.
Getting ready
As always, you will need access to a root account or an account with sudo privileges.
How to do it…
The following are the steps to set up and configure the Squid proxy:
- Squid is quite an old, mature, and commonly used piece of software. It is generally shipped as a default package with various Linux distributions. The Ubuntu package repository contains the necessary pre-compiled binaries, so the installation is as easy as two commands.
- First, update the apt cache and then install squid as follows:
$ sudo apt-get update
$ sudo apt-get install squid3
- Edit the /etc/squid3/squid.conf file:
$ sudo nano /etc/squid3/squid.conf
- Ensure that the cache_dir directive is not commented out:
cache_dir ufs /var/spool/squid3 100 16 256
- Optionally, change the http_port directive to your desired TCP port:
http_port 8080
- Optionally, change the squid hostname:
visible_hostname proxy1
- Save changes with Ctrl + O and exit with Ctrl + X.
- Restart the squid server:
$ sudo service squid3 restart
- Make sure that you have allowed the selected http_port on the firewall.
- Next, configure your browser to use the squid server as the http/https proxy.
How it works…
Squid is available as a package in the Ubuntu repository, so you can directly install it with the apt-get install squid3 command. After installing squid, we need to edit the squid.conf file for some basic settings. The squid.conf file is quite large, and it lists a large number of directives along with their explanations. It is recommended to create a copy of the original configuration file as a reference before you make any modifications.
In our example, we are changing the port squid listens on. The default port is 3128. Changing the port is just a security precaution, and it's fine if you want to run squid on the default port. Secondly, we have changed the hostname for squid.
Another important directive to look at is cache_dir. Make sure that this directive is enabled, and also set the cache size. The following example sets cache_dir to /var/spool/squid3 with the size set to 100MB:
cache_dir ufs /var/spool/squid3 100 16 256
To check the cache utilization, use the following command:
$ sudo du /var/spool/squid3
There's more…
Squid provides a lot more features than a simple proxy server. The following is a quick list of some important features:
Access control list
With squid ACLs, you can set the list of IP addresses allowed to use squid. Add the following line at the bottom of the acl section of /etc/squid3/squid.conf:
acl developers src 192.168.2.0/24
Then, add the following line at the top of the http_access section in the same file:
http_access allow developers
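The placement matters because squid checks http_access lines from top to bottom and stops at the first match. The following Python sketch is an added example, not part of the original recipe or of squid itself; it models only src ACLs, and the http_access deny all line in the sample fragments is an assumed catch-all rule.

```python
import ipaddress

# Constructed squid.conf fragments. "http_access deny all" is an assumed
# catch-all rule; only the first two lines come from the recipe.
ALLOW_FIRST = """\
acl developers src 192.168.2.0/24
http_access allow developers
http_access deny all
"""
ALLOW_LAST = """\
acl developers src 192.168.2.0/24
http_access deny all
http_access allow developers
"""

def parse(conf):
    """Collect 'acl NAME src ...' networks and the ordered http_access rules."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # built-in ACL, IPv4 only
    rules = []
    for line in conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            acls.setdefault(f[1], []).extend(ipaddress.ip_network(n) for n in f[3:])
        elif len(f) >= 3 and f[0] == "http_access" and f[1] in ("allow", "deny"):
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(acls, name, ip):
    """Evaluate one ACL name; a leading '!' negates it. Unknown names raise KeyError."""
    negate, name = name.startswith("!"), name.lstrip("!")
    hit = any(ip in net for net in acls[name])
    return hit != negate

def decide(conf, client_ip):
    """Return 'allow' or 'deny' for client_ip using first-match-wins ordering."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n, ip) for n in names):  # ACLs on a line are ANDed
            return action
    if not rules:
        return "deny"  # no http_access lines at all: squid denies
    # Nothing matched: squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for label, conf in (("allow first", ALLOW_FIRST), ("allow last", ALLOW_LAST)):
        for ip in ("192.168.2.15", "10.0.0.7"):
            print(f"{label:11} {ip:13} -> {decide(conf, ip)}")
```

With the allow line below the catch-all deny, a developer address is rejected even though the ACL itself is correct.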
Set cache refresh rules
You can change squid's caching behavior depending on the file type. Add the following line to cache all image files; the minimum time is an hour and the maximum is a day. The minimum and maximum fields of refresh_pattern are given in minutes:
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 60 90% 1440
This line uses a regular expression to match file names that end with any of the listed file extensions (gif, png, and so on).
Sarg – tool to analyze squid logs
Squid Analysis Report Generator (Sarg) is an open source tool to monitor squid server usage. It parses the logs generated by Squid and converts them to easy-to-digest HTML-based reports. You can track various metrics such as bandwidth used per user, top sites, downloads, and so on. Sarg can be quickly installed with the following command:
$ sudo apt-get install sarg
The configuration file for Sarg is located at /etc/squid/sarg.conf. Once installed, set the output_dir path and run sarg. You can also set cron jobs to execute sarg periodically. The generated reports are stored in output_dir and can be accessed with the help of a web server.
Squid guard
Squid guard is another useful plugin for squid server. It is generally used to block a list of websites so that these sites are inaccessible from the internal network. As always, it can also be installed with a single command, as follows:
$ sudo apt-get install squidguard
The configuration file is located at /etc/squid/squidGuard.conf.
See also
- Check out the squid manual pages with the man squid command
- Check out the Ubuntu community page for squid guard at https://help.ubuntu.com/community/SquidGuard