Squid Proxy Server Installation and Configuration on Ubuntu

Squid package is freely available under the GNU General Public License and has the following functions:

• Internet access control that includes access limitations for groups and single users, scheduled access, creation of ‘white’ or ‘black’ lists of resources – to control the access to entertaining web-sites and avoid undesirable penetrations into the network;
• Traffic control implies broad opportunities for individual settings including individual configurations for different types of traffic. As a result, server provides access to more clients without hardware overload. Also, it is possible to install an open wi-fi point that won’t affect network stability. In addition, it allows limiting the amount of traffic that single users or groups are given for work;
• Network resources usage monitoring. Squid and its plug-ins collect statistics that are helpful for local network optimization, load analysis, possible errors investigation and detection of attacks on company’s local network;
• Reverse caching provides opportunity to work in ‘reverse proxy’ or ‘accelerator’ mode which helps to decrease the server load by caching the most popular search queries.

Squid can operate as a transparent proxy which means that users will have no clue that their queries have been processed by the proxy server. Due to this, there is no need to adjust each client machine for work in the network.

Local Network Configuration

Before you start Squid proxy server installation and configuration, take your time configuring the local network. The proxying server should be equipped with at least two network interfaces: one for Internet access and one for linking computers within the network. Note that all the settings and commands below exemplify the process on Ubuntu distribution.

In order to change local network configuration or activate the settings from your provider that gives your server Internet access, you need to edit only one configuration file:

nano /etc/network/interfaces 

You should make the following changes:

auto eth0
    iface eth0 inet dhcp  #to automatically get settings from your provider via dhcp
auto eth1
    iface eth1 inet static
        address 192.168.0.1 #ip
        netmask 255.255.255.0 #subnet mask 

To apply the changes you should restart the net with the command:

service networking restart

After you finish the setting, it is important to make sure that the interfaces are configured properly. To display data about network connections enter the command:

ifconfig

The data will be displayed as follows:

eth0      Link encap:Ethernet  HWaddr 00:16:3c:fc:93:a6
          inet addr:185.22.174.75  Bcast:185.22.174.255  Mask:255.255.255.0
          inet6 addr: 2a00:1838:36:1c3::7385/64 Scope:Global
          inet6 addr: fe80::216:3cff:fefc:93a6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7576291 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65851 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:628650171 (628.6 MB)  TX bytes:10778431 (10.7 MB)

eth1      Link encap:Ethernet  HWaddr 0a:19:bc:0d:00:9d
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::819:bcff:fe0d:9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8484 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1884987 (1.8 MB)  TX bytes:1123251 (1.1 MB) 

From what we can see above, server has two network interfaces: eth0 and eth1, IPs are 185.22.174.75 and 192.168.0.1 respectively. Internet cable is connected to the eth0 adaptor and the local network computers are connected to the eth1 adaptor.

DHCP Configuration

At this stage you can specify the static IP from the local subnetwork on the local machine, for instance 192.168.0.2, specify our server (192.168.0.1) as the gateway and specify the DNS. After that your computer will connect to the local network.

It is noteworthy that static IP system has several weak spots: each machine has to be configured before connecting to the local network, the same-IP conflict is possible, etc.

To avoid such problems you need to set the automatic IP translation via the DHCP. With this technology all new computers in the network will get the necessary configurations automatically.

To install the DHCP server enter the command:

sudo apt-get install isc-dhcp-server

By default a configuration file is located in /etc/dhcp/dhcpd.conf. Open the file in editing mode by entering the command:

nano /etc/dhcp/dhcpd.conf

In the most cases the following block of commands is enough for the minimal settings:

subnet 192.168.0.0 netmask 255.255.255.0 {#subnet 192.168.0.0/24
  range 192.168.0.2 192.168.0.254; #given addresses range
  option domain-name-servers 8.8.8.8;#dns
  option domain-name "test.loc"; #domain name
  option routers 192.168.0.1; #’recommended’ gateway
  default-lease-time 604800; #standard period of IP leasing
  max-lease-time 604800; #maximum period of IP leasing
}

After you change the configuration file, it is necessary to restart the DHCP server to activate the new settings:

/etc/init.d/isc-dhcp-server restart

Now all the local network clients will receive the settings automatically as they connect to the network.

NAT Configuration

After the local network is configured, you need to establish the Internet access. For this purpose you should realize the Network Address Translation (NAT), due to which several computers can go on the Internet using one and the same IP.

NAT is realized on the Ubuntu via network filter iptables that performs as a firewall at the same time.

You should create a new empty configuration file for automatic iptables configurations loading:

sudo touch /etc/nat

And open it to edit:

nano /etc/nat

Configuration versions for firewall depend on network security policy in the company. These are the minimal configurations:

 #!/bin/sh
#sending packets on
echo 1 > /proc/sys/net/ipv4/ip_forward
#open access for internal network 
iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
#start NAT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.1/24 -j MASQUERADE
#allow receiving answers from the external network
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#limit access to internal network
iptables -A FORWARD -i eth0 -o tap0 -j REJECT

After saving the changes you should allow the execution to the file:

chmod +x /etc/nat

To set the automatic loading of the file when the server starts, open the interfaces file:

nano /etc/network/interfaces 

and add a line at the bottom:

post-up /etc/nat

Then restart the server so that it automatically activates the settings:

reboot

Squid Installation and Configuration

To install Squid enter the following command:

apt-get install squid3

The service starts automatically after installation.

Moving to the configuration process, a configuration file is located in /etc/squid3/squid.conf. For a beginner user the file may seem enormous – it contains more than 700 lines, which is quite a number. The most part of them are commented out and describe different Squid operating modes.

To make work more convenient you may copy the configuration file into the same folder and rename it so that you could easily find the standard settings at any time:

cp /etc/squid3/squid.conf /etc/squid3/backup-squid.conf

If necessary you may check the official documentation of the project.

Now you can delete all the commented out lines and notes and keep only active directives. There are not many by default:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

The main configuration tool of Squid is Access Control List (ACL). ACLs are the directives with the following syntax:

acl name parameter list_items

Parameter denotes the list items’ type that server reads. An ACL with port parameter contains port numbers, and the one with scr parameter – IPs that send queries to the server. The full list is quite long, so we won’t cover all the points here. You may find it in the official documentation.

Thus, the line:

acl Safe_ports port 80

adds a new value 80 to the Safe_ports list, containing port-type items.

Another directive - http_access, has the following syntax:

http_access directive name_acl

and determines the rules for work with the acl’s items. For instance, the line:

http_access deny !Safe_ports

blocks all the ports not listed in Safe_ports.

By default only server has access to Squid:

http_access allow localhost
http_access deny all

If you would like to open access to local network clients, you should create a new access list with scr parameter:

acl localnet src 192.168.0.0/24

To allow access enter:

http_access allow localnet

Then specify the port where Squid works and enable the transparent mode:

http_port 192.168.0.1:3128 intercept  #parameter intercept enables the transparent mode

Now minimal setting for Squid configuration file is done and we can move to the next point – information security policy.

You may use src parameter to control access of the users with static IPs:

acl  UserGroup   src    192.168.0.2-192.168.0.9 #group of users
acl  SingleUser  src    192.168.0.10 #single user
        http_access  allow  UserGrour  #allow access for a group
        http_access  allow  SingleUser #allow access for an single user
        http_access  deny   all  #deny access for all

To create a list of destination IPs that user needs to access you may use dst parameter:

acl  Net194   dst    194.67.0.0/16  #describe a subnet  194.67.0.0/16
        http_access   deny   SingleUser   Net194 #deny access to it for a user 

To specify the destination domain of a query you may use dstdomain parameter:

acl  SitesBlocked  dstdomain  .example.ru  .sample.ru #list the domains
        http_access   deny   UserGroup  SitesBlocked #deny access to them for a group of users

To specify the source domain you may use srcdomainparameter.

If you need to use regular expressions in ACL, use srcdom_regex and dstdom_regex parameters:

acl  SitesRegexFree     dstdom_regex    free #sites with ‘free’ in domain
acl  SitesRegexComOrg  dstdom_regex  \.com$ \.org $ #sites of .com and .org domain zones 
        http_access   deny   SingleUser   SitesRegexFree
        http_access   deny   SingleUser  SitesRegexComOrg

You need -i key to ignore symbol register in regular expressions:

acl name [-i] url_regex list_items

And url_regex parameter allows specifying a regular expression pattern for URL:

 acl  MusicMP3  url_regex  -i  \.mp3$  #includes.mp3 music files

Another important parameter is port which is used to specify port lists. It is useful if you need to deny access for an individual port that is applied by a program on your client’s machine, for example an online messenger.

In case you need to set a time limit for your clients, use time parameter:

acl name time days hh:mm-HH:MM

Where days are: M – Monday, T – Tuesday, W – Wednesday, H – Thursday, F – Friday, A – Saturday, S – Sunday.

It is noteworthy that the value of time interval beginning should always be smaller than the value of time interval end. For instance, it is possible to set 00:00-23:59, while the interval 20:00-09:00 has to be separated into 20:00-23:59 and 00:00-09:00.

Time limits may be combined with other functions. It is possible to allow or deny access to particular websites, open and close ports, control access to IPs on schedule. For instance:

acl  WeekendTime  time  AS 10:00-15:00 #determine a time interval for weekend:
http_access  allow  SingleUser  WeekendTime  MusicMP3 #allow access to mp3 files in a particular time interval for a single user 
http_access  deny   SingleUser  MusicMP3 #deny access at any other time 

To specify the information transfer protocol use proto parameter:

acl name_proto list

You may use it to deny file transfer by ftp protocol:

acl   proto_ftp   proto   ftp
http_access   deny   SingleUser  proto_ftp

Speed Limit

Nowadays channels with throughput of 256 kbit/s and less are the thing of the past and one may mistakenly resume that it is useless to set speed limit for a network with a few users. Nevertheless, it is advisable to set the minimal rules for connection speed control for single users to avoid network overload and lack of resources for single users that appreciate good speed value. The following operations may cause sticking points:

• automatic backup of data from company’s server and other large-volume transfer processes that server carries out on schedule;
• transfer operations of files for private and professional needs, for instance, BitTorrent protocol is able to drain available network resources;
• technical errors in computers and programs and malicious software activity;
• network attacks on single computers within the net.

Squid proxy server allows introducing speed limit policy with the help of pooling mechanisms. Pool may be represented as a container permanently filling with water to the brim and clients pour this water to their glasses through the individual taps.

Pools are regulated by three directives: delay_class, delay_parameters, delay_access.

The amount of pools is set by delay_pools:

delay_pools amount_of_declared_pools

You need to create several pools:

delay_pools 2 #2 pools in total with numbers 1 and 2 respectively

There are three categories of pools:

• Single tap limits water flow for the whole network;
• The flow is limited by one tap that branches into single user taps (for each IP in the net);
• • The flow is limited by one tap that branches into group taps (subnet) and further into single user taps (for single IPs).

Pool’s class is determined by delay_class directive:

delay_class pool_number pool_class

To specify pool’s class enter:

delay_class  1  1 #pool ¹1 limits speed for all users in its scope

Pool’s parameters are determined by delay_parameters directive:

delay_parameters pool_number parameters

Parameters’ recording format depends on the chosen pool class:

delay_parameters 1  byte_for_whole_network #for class 1
delay_parameters 1  for_whole_network_and_a_client  #for class 2
delay_parameters 1  for_whole_network_a_subnetwork_and_a_client   #for class 3

Pool ¹1 is attributed to class 1, we set its data transfer rate at 512 kbit/s:

delay_parameters 1 64000/64000  #512 kbit = 64 kbyte = 64000 byte

Parameter is recorded according to the following rules: firstly, speed limit is specified, secondly - the ultimate value that activates the limit. Thus, 64000/64000 in the example below means that after client spends first 64 kbit for the query, speed is limited to 512 kbit/s. It is better, though, to set the second value bigger than the first one, for example, the configuration:

delay_parameters 1 64000/256000  

allows user to get the first 256 kbyte at maximum rate and then limits the bandwidth to 512 kbit/s.

To cancel speed limit put -1, like in the example:

delay_parameters 1 -1 #unlimited access rate for pool ¹1 

Now you are able to extend the pool to other network clients using delay_access directive:

delay_access pool_number action name_acl

‘Action’ parameter has two options: allow and deny. It means that you may specify which clients are allowed to use the pool and which are not.

For example, the configuration:

delay_access      1  deny    UserGroup
delay_access      1  allow   SingleUser

allows SingleUser use the pool and denies access to it for UserGroup.

Then we use pool ¹2 for the group of users:

delay_class  2  2 #pool ¹2 allows tuning bandwidth for the whole group of users and set limits for each single user 

Now we describe the limits:

delay_parameters 2 512000/512000 64000/128000  #8 Mbit/s is the bandwidth limit for the group, the first 128 Kbyte are downloaded at this speed, then speed is limited to 512 Kbit/s

And finally, we apply the limits for pool ¹2:

delay_access      1  allow  UserGroup #extends to the group of users UserGroup
delay_access      1  deny   SingleUser  #but doesn’t affect SingleUser

Caching Configuration

Squid proxy server supports two types of caching – RAM caching and hardware caching. While configuring you should keep in mind that caching may either accelerate query processing or slow it down, in case configuration parameters are wrong. Another important point is that caching results in additional load on server, e.g. excessive cache in RAM is able to paralyze sever causing lack of RAM.

Squid standard configuration provides RAM cache only with memory usage of 256 Mbyte. You may increase cache volume and set maximum volume of a cached object using the following directives:

cache_mem 1024 MB #volume of the memory available for casing
maximum_object_size_in_memory 512 KB #maximum volume of a cached object 

Also, one should take into account that cache is reset every time sever restarts or turns off, so the results of configuration change will be perceptible only over time.

HDD cache usage is controlled by cache_dirdirective:

cache_dir storage_type path_to_storage volume L1 L2

cache_dir ufs /var/squid_cache 1024 16 256 

Cache volume on hardware is counted in Mbytes. In the example below cache with maximum volume of 1 Gbyte is stored in /var/squid_cache. ufs storage type is standard. Parameters 16 and 256 denote the number of first and second level directories, these volumes are standard, too.

You may also specify the cached object maximum volume:

maximum_object_size 2 MB

Logging Configuration

Squid has a powerful detailed logging system to control traffic processed by proxy server. There are three logs:

• access.log for clients’ queries;
• store.log for actions with cache;
• cache.log for error messages connected to Squid.

The most frequently used one is access.log. We will change its path in configuration:

access_log daemon:/etc/squid3/logs/access.log squid

In the example below you may find ‘squid’ parameter – it determines log-file format. It can be changed for ‘common’ if you need to process a log with third party programs, however this format doesn’t display all information that log contains by default. Apart from the standard formats, it is possible to create a new one using logformat directive. The information about the directive is available in product’s documentation.

cache_log and cache_store_log directives allow specifying paths to cache.log and store.log respectively. It isn’t necessary to specify the format:

cache_log daemon:/etc/squid3/logs/cache.log 
cache_store_log daemon:/etc/squid3/logs/store.log 

Moreover, it is possible to configure different levels of logging, the depth of debugging is controlled by debug_optionsdirective. It has two main parameters: section and debugging depth:

debug_options ALL,1 #’ALL’ section, debugging depth 1

It is advisable not to change ALL for other options (or to choose a specific option carefully). The level of logging may vary between 1 and 9, where the higher level is, the more detailed logging becomes and the more logs appear. As a rule, levels higher than the 5th are used rarely as they record too much unnecessary information.

In order to make creation of log files and their put them in order easily, you may use a rotation number parameter:

logfile_rotate 31

In the example below 31 denotes that when a new log file is created, the previous one is given an extension from 0 to 30 and is closed for recording. To create a new log file use the command:

squid -k rotate

Thus, if you add a log file generation task into cron, you will have an ordered report about the traffic that was processed by your proxy server in the previous month.

In case log volume increases even with the lowest logging level, one should use other methods like automatic log compressing or transferring them to the separate storage. Also, one may vary rotation number and frequency depending on the situation. Another solutions imply storing less logs or creating new logs more frequently and keeping the previous logs in archive. There are dozens of superstructures and third party programs that simplify operating log files on Squid proxy server.

We leave other parameters unchanged and check configuration file with the command:

squid3 -k check

This command checks configuration file for errors. If it doesn’t display any errors – there is none.

Now we apply the new parameters:

service squid3 reload

After the proxy server configuration is done, we can redirect the network’s traffic to it by opening /etc/nat file:

nano /etc/nat

and adding the following line at the bottom:

#redirect http-traffic to the proxy server
iptables -t nat -A PREROUTING -i eth1 ! -d 192.168.0.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.0.1:3128

After that we restart the server to apply the new configurations automatically:

reboot

Thus, despite the long list of configuration parameters for Squid, the minimal set is enough to begin. Using Squid proxy server you will fast and easily implement group and single user access to the Internet, monitor their activity and collect statistics on channel usage.