Setting up Explicit Squid Proxy

From Alpine Linux

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It is licensed under the GNU GPL.

If you are looking to setup a transparent squid proxy, see this page

Terminology

client

A client is often considered a user of a PC or similar system, but more accurately a client is the applications a person uses to access web pages and other resources, and the OS they are running on.

proxy

A proxy is a device which makes connections on behalf of clients. That is to say, there is one TCP connection between the client (source) and the proxy, and a separate TCP connection between the proxy and the server (destination). Consider this beautiful diagram:

Client<---------->|PROXY|<------------>Server
	   A			B

Point A is the client-side connection and point B is the server-side connection.

explicit proxy

An explicit proxy is one in which the client is explicitly configured to use the proxy, and as such are aware of the existence of the proxy on the network. When the client sends packets to an explicit proxy, they are addressed to the proxy server listening address and port. Squid usually listens for explicit traffic on TCP port 3128 but TCP port 8080 is a common explicit proxy listening port.

transparent proxy

A transparent proxy does not require any configuration changes on the client, since traffic is transparently sent to the proxy, usually through traffic redirection by a router. When the client sends packets, they are addressed to the destination server.

Installation

Install the squid package:

apk add squid

If you wish to use the Alpine Configuration Framework (ACF) front-end for squid, install the acf-squid package:

apk add acf-squid

You can then logon to the device over https://x.x.x.x (replace x.x.x.x with the IP of your server of course) and manage the squid configuration files and stop/start/restart the daemon etc.

Configuration

Config file

The main configuration file is /etc/squid/squid.conf. Lines beginning with a '#' are comments. An example configuration file is shown below, which will get you up and running quickly and is well commented but please change the localnet definition for a more restrictive one:

## Tested and working on squid 3.3
## Example rule allowing access from your local networks.
## Adapt to list your (internal) IP networks from where browsing
## should be allowed
#acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
#acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
#acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
## Allow anyone to use the proxy (you should lock this down to client networks only!):
acl localnet src all
## IPv6 local addresses:
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# waiss
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp

## Prevent caching jsp, cgi-bin etc
cache deny QUERY

## Only allow access to the defined safe ports whitelist
http_access deny !Safe_ports

## Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

## Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

## We strongly recommend the following be uncommented to protect innocent
## web applications running on the proxy server who think the only
## one who can access services on "localhost" is a local user
http_access deny to_localhost

##
## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
##

## Example rule allowing access from your local networks.
## Adapt localnet in the ACL section to list your (internal) IP networks
## from where browsing should be allowed
http_access allow localnet
http_access allow localhost

## And finally deny all other access to this proxy
http_access deny all

## Squid normally listens to port 3128
http_port 3128

## Uncomment and adjust the following to add a disk cache directory.
## 4096 is the disk space to use for cache in MB, adjust as you see fit!
## Default is no disk cache
#cache_dir ufs /var/cache/squid 4096 16 256

## Leave coredumps in the first cache dir
#coredump_dir /var/cache/squid

## Where does Squid log to?
access_log /var/log/squid/access.log
## Use the below instead to turn off access logging
#access_log none

## Keep 7 days of logs
#logfile_rotate 7

## How much RAM, in MB, to use for cache? Default since squid 3.1 is 256 MB
cache_mem 64 MB

## Maximum size of individual objects to store in cache
maximum_object_size 4 MB

## Amount of data to buffer from server to client 
read_ahead_gap 64 KB

## Use X-Forwarded-For header?
## Some consider this a privacy/security risk so it is often disabled
#forwarded_for on 
forwarded_for delete 

## Suppress sending squid version information
httpd_suppress_version_string on

## How long to wait when shutting down squid
shutdown_lifetime 30 seconds

## Below two lines replaces the User Agent header.  Be sure to deny the header first, then replace it :)
#request_header_access User-Agent deny all
#request_header_replace User-Agent Mozilla/5.0 (Windows; MSIE 9.0; Windows NT 9.0; en-US)

## What hostname to display? (defaults to system hostname)
#visible_hostname a_proxy

## Use a different hosts file?
#hosts_file /path/to/file

## When logging, web auditors want to see the full uri, even with the query terms
strip_query_terms off

## Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

Note:If you change the squid configuration file, you do not need to restart squid in order to load the changes, just use this command instead:

squid -k reconfigure

Testing

Start and check squid

Start the squid service:

rc-service squid start

To start squid automatically at boot:

rc-update add squid

Check the squid configuration for errors:

squid -k check

If there is no feedback, everything is gravy! (that's a good thing).

Check that squid is listening for traffic, using netstat for example:

netstat -tl

You should see a line showing a Local Address and the listening port (in our example config above it is set to 3128). If you don't see this, check the "http_port" directive is set in the config file and has a value. Ensure this port isn't being used by something else on the system.

Remember to ensure the squid proxy has valid IP configuration including default gateway etc.

Configure the client

Each application using the proxy will have to be configured to send traffic via the proxy. If we assume that our squid proxy is running on IP address 10.0.0.1, port 3128, we would configure the Firefox browser in the following manner:

  • Tools>Options>Network>Settings...
  • Select Manual proxy configuration and tick the 'use this proxy server for all protocols' box
  • Under HTTP Proxy: add the squid listening IP address, 10.0.0.1. In the Port: section add the squid listening port 3128
  • Click OK to save the changes.

Now browse, you should have internet access, via the proxy!

Logs

If you've set the proxy to take access logs, you can view these to see client requests coming in:

tail -f /var/log/squid/access.log

Use Ctrl-C to exit back to the prompt.

SSL interception

I need to add some notes about ssl interception

More information

[squid configuration]

[squid man page]

[squid Arch linux wiki page]