Though Squid Proxy isn’t particularly difficult to install and get up and running, I hit a few snags during my configuration that I felt would prove useful for someone attempting to do the same thing.
First, let’s get Squid installed:
apt-get install squid
Once Squid is installed, let’s make a copy of the squid.conf file before we get started, so we can revert if needed.
cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
Next, open the squid.conf file in your favorite text editor. For me, on Linux, that’s vi. Then uncomment the following line in the configuration file. For me, this was on line 3473, but yours may be different.
cache_dir ufs /var/spool/squid 100 16 256
Once you’ve made the change, let’s save the file, and then restart the Squid service:
sudo service squid restart
Next, we need to initialize Squid by running the following:
squid -f /etc/squid/squid.conf
Essentially, this goes out and creates and configures all the directories that Squid will need in order to run properly, setting the appropriate permissions, etc. During this step, I found myself waiting a long time for the command to finish. I had to press Enter after a second for the command to complete and return me to a prompt. You should see something like this:
Now, if you run sudo systemctl status squid, you should hopefully see a green message saying “active (running)”. If everything looks good, continue with the next steps.
Configure ACLs
Now, let’s get to the part you really care about, which is configuring which sites are allowed and not allowed.
Edit the /etc/squid/squid.conf file again, and navigate to somewhere around line 975.
In this example, I’ll be adding an “allow” for weather.gov, allowing my end-users to check the weather, but deny all other websites.
#Weather
acl weather dstdomain .weather.gov
http_access allow weather
The blue default vi color scheme makes the below difficult to read, but you get the idea.
These two lines on their own don’t block all other traffic. Down around line ~1215, you’ll find a few lines that carry a “deny all”. Essentially, anything other than what’s explicitly allowed in your ACLs above will be denied.
Other things you can do
The syntax for adding new ACLs looks like:
acl aclname acltype argument
You can pick and choose how you want to allow or deny traffic based on the following rules. You can approve or deny an entire domain (as demonstrated above), limit certain domains to specific IP ranges, etc.
acl aclname src ip-address/netmask # clients IP address
acl aclname src addr1-addr2/netmask # range of addresses
acl aclname dst ip-address/netmask # URL host's IP address
acl aclname myip ip-address/netmask # local socket IP address
acl aclname srcdomain .foo.com # reverse lookup, from client IP
acl aclname dstdomain .foo.com # Destination server from URL
acl aclname dstdomain "/etc/squid/allow/safe-sites" # file must exist
acl aclname srcdom_regex [-i] .foo.com ... # regex matching client name
acl aclname dstdom_regex [-i] .foo.com ... # regex matching server
http_access allow aclname # allow access
http_access deny aclname # deny access
Reconfigure Squid and Test
Once you make a change to the ACLs, you’ll need to reconfigure Squid to notify it of the new changes and to load the new rules into memory:
squid -k reconfigure
Set your browser to use a proxy, setting the IP address to that of the server on which you installed Squid. Be sure to use port 3128 unless you’ve changed the default.
Try to browse to a few different URLs to test.
One more thing
I’ve noticed that over time, the list of “approved” sites becomes very long and somewhat difficult to manage. I recommend configuring a separate file for your approved sites, and then simply referencing that file from within the squid.conf. You can do that like so:
acl approved dstdomain "/etc/squid/approved"
http_access allow approved
Then, you’ll edit the approved file, and not the squid.conf file, for future entries. You can simply add new domains, creating a new line for each entry:
...
.cnn.com
.microsoft.com
.espn.com
...
And of course, be sure to reconfigure after making any changes to those lists/config files:
squid -k reconfigure
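As an added example (not code from the original post), here is a small POSIX shell helper that maintains the separate approved-sites file described above and renders the matching ACL stanza, covering both the “deny all” ordering point and the file-based list. It assumes the list lives at /etc/squid/approved (override with SQUID_DIR) and uses 192.168.1.0/24 as a constructed sample LAN range; it also limits the allow rule to that range, which the post’s two-line example does not do. Two things it encodes that are easy to get wrong: Squid evaluates http_access lines top to bottom and stops at the first match, so the allow line must sit above deny all; and a dstdomain list entry that carries a scheme, path or port (“https://cnn.com”, “cnn.com/sports”) never matches anything, so the helper rejects such entries instead of letting them silently do nothing.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: the allow-list is $SQUID_DIR/approved (default /etc/squid),
# and the LAN range is 192.168.1.0/24 (constructed sample value; change it).

SQUID_DIR="${SQUID_DIR:-/etc/squid}"
APPROVED_FILE="$SQUID_DIR/approved"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Return 0 if $1 is something dstdomain will actually match: an optional
# leading dot, then labels made of letters, digits or hyphens. Entries with a
# scheme, path or port are rejected because Squid would never match them.
valid_domain() {
  case "$1" in
    ''|*://*|*/*|*:*|.|*..*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^\.?([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$'
}

# Append a domain to the allow-list unless it is invalid or already present.
# Prints what happened so the caller (or an audit log) can record it.
add_domain() {
  domain="$1"
  if ! valid_domain "$domain"; then
    echo "rejected: $domain"
    return 1
  fi
  touch "$APPROVED_FILE"
  if grep -Fxq "$domain" "$APPROVED_FILE"; then
    echo "exists: $domain"
    return 0
  fi
  printf '%s\n' "$domain" >> "$APPROVED_FILE"
  echo "added: $domain"
}

# Render the ACL stanza for squid.conf. http_access rules are evaluated in
# order and the first match wins, so the allow line must precede "deny all".
render_acl() {
cat <<EOF
# Only LAN clients may use the proxy at all
acl localnet src $LAN_NET
# Approved destinations live in a separate file, one domain per line
acl approved dstdomain "$APPROVED_FILE"
# LAN clients may reach approved sites; everything else is denied
http_access allow localnet approved
http_access deny all
EOF
}

# Command-line use:  sh allowlist.sh add .cnn.com   |   sh allowlist.sh render
case "${1:-}" in
  add)    add_domain "$2" ;;
  render) render_acl ;;
esac
```

After pasting the rendered stanza into squid.conf (above the existing deny all), check the syntax with squid -k parse before running squid -k reconfigure. From a client on the LAN, curl -x http://<proxy-ip>:3128 -I http://www.weather.gov should return the site’s own status line, while a domain not in the list gets a 403 from Squid.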