
Install and Configure Squid Proxy Server on Ubuntu 22.04|20.04

By Lorna Chepkoech
Squid is a proxy and cache server. It acts as a proxy by forwarding requests to the required
destination, but it also saves the requested content. If another client asks for the same information
before it has expired in the Squid server, Squid serves the same content to the requester, thereby
improving download speeds and saving bandwidth.

Squid proxy server supports caching of content requested through different protocols such as HTTP,
SSL requests, DNS lookups and FTP. This guide explains how to install and configure Squid proxy
on Ubuntu 22.04|20.04.


Install Squid Proxy Server on Ubuntu 22.04|20.04


First, update your system packages. Note that I will be running all the commands as the root
user.
sudo apt update && sudo apt upgrade -y

Check whether the system needs to be rebooted after a successful upgrade.

[ -e /var/run/reboot-required ] && sudo reboot

Next, install Squid proxy on Ubuntu. Installing Squid proxy on Ubuntu is easy because it is already
available in the Ubuntu 20 repositories. Confirm this with the command below.
sudo apt-cache policy squid


To install Squid proxy, run the commands below. They also enable Squid to start on system boot and
then check its status.
sudo apt install -y squid
sudo systemctl start squid
sudo systemctl enable squid
sudo systemctl status squid

If Squid is properly installed and running, you should see an output as shown:


Configure Squid proxy server on Ubuntu 22.04|20.04
The default Squid proxy configuration file is found at /etc/squid/squid.conf. The file already has a
number of settings that work at the minimum, but we can modify them to suit our preference. First,
create a backup of the original file.
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.orig

Now, make your custom settings in /etc/squid/squid.conf. Open the file with your preferred file editor.

sudo vim /etc/squid/squid.conf

1. Change squid default port


The default Squid TCP port is 3128. To alter this, open the squid.conf file and look for the http_port
line. Change it to your desired port number and save the file.
#http_port 3128
http_port 8080

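Make sure to allow the port through the firewall. If you administer this server over SSH, allow SSH
in ufw before running ufw enable, otherwise you can lock yourself out.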


sudo ufw allow 8080/tcp
sudo ufw enable

2. Set Squid cache memory size

To set your desired cache memory, use the setting below. In my case, I am using 256 MB.

cache_mem 256 MB

3. Specify DNS name-servers to use


To define your own DNS servers, use the directive as shown
dns_nameservers 8.8.8.8 8.8.4.4

4. Squid ACL and http_access


Now, edit squid.conf to add rules of your choice. A proxy server is selective about what goes through
it. We can allow access from specific networks or IP addresses and deny others. It can also be used to
filter traffic by restricting access to certain sites or by blocking content based on certain keywords.
This is achieved with ACLs (Access Control Lists), which define what is allowed and what is
denied. The http_access directive then allows or denies traffic based on an ACL.
How to define ACLs for Squid proxy server
ACLs (Access control lists) are statements that define what is allowed to pass through the proxy
server and what is denied. Every statement must begin with acl followed by the name of the rule.
After the name is the acltype and finally the argument or file. Where files are used, each line in the
file must contain only one item.

acl aclname acltype argument..


acl aclname acltype "file"…

The default defined ACL rules are as shown. You can choose to disable them by adding # at the
beginning of each line. To create new rules, follow the examples below:
Example 1: Allow LAN network through Squid proxy server
Create the acl rule
acl my_lan src 192.168.100.0/24

Now either allow or deny based on the defined rule, with the use of http_access directive. In our
case, we need to allow
http_access allow my_lan

Note that the last rule, every time you create ACL access rules, should be the deny all. Add it only
after you have allowed all the required sites, otherwise you might block yourself from
accessing some needed sites.


http_access deny all


Deny access to specific websites in Squid proxy server
When dealing with a number of websites, it is easier and more organized to put all the sites in a file
and then reference it; otherwise you would list the sites in the acl rule. In our example, I will create
a file called deniedsites.squid in the squid directory.
sudo vim /etc/squid/deniedsites.squid

Add the sites that you wish to deny access to. In my case, I am using Facebook and YouTube. Save the
file afterwards.
.facebook.com
.youtube.com

Now open squid.conf and create an acl rule for the denied sites and add a deny rule then save the
file.
acl deniedsites dstdomain "/etc/squid/deniedsites.squid"
http_access deny deniedsites

If you were to list the sites in the acl rule:


acl deniedsites dstdomain facebook.com youtube.com
http_access deny deniedsites

Note that every time you make changes, you must restart the Squid server


sudo systemctl restart squid


How to block traffic based on some keywords in Squid proxy server
Create a file containing the keywords. Use the file name to create an acl rule to deny traffic.
sudo vim /etc/squid/keywords.squid

Add your keywords and save.


gamble
nudes
xxx

Edit squid.conf to create the acl and deny rule, then save and remember to restart Squid.
acl keywords url_regex -i "/etc/squid/keywords.squid"
http_access deny keywords
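
Squid tests http_access lines from top to bottom and stops at the first one whose ACL matches, so the position of the allow and deny lines above decides whether the block lists ever take effect. The following added example (not part of the original guide, and not Squid's own code) is a simplified model of that evaluation using the guide's ACL names and values; the function names, the two rule orderings and the client addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed ACL table using the names and values from this guide.
ACLS = {
    "my_lan": ("src", ["192.168.100.0/24"]),
    "deniedsites": ("dstdomain", [".facebook.com", ".youtube.com"]),
    "keywords": ("url_regex", ["gamble", "nudes", "xxx"]),
}

def acl_matches(name, client_ip, url, acls=ACLS):
    """Simplified model of how Squid tests one ACL against a request."""
    if name == "all":
        return True
    acltype, values = acls[name]
    # Host part of "http://host/path" or of a CONNECT target "host:443".
    host = re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0].lower()
    if acltype == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if acltype == "dstdomain":
        # ".site.com" covers the domain and its subdomains; "site.com" is exact.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if acltype == "url_regex":
        return any(re.search(v, url, re.IGNORECASE) for v in values)  # -i
    raise ValueError(f"unsupported acl type: {acltype}")

def http_access(rules, client_ip, url, acls=ACLS):
    """Return the action of the first rule whose ACL matches the request."""
    for action, name in rules:
        if acl_matches(name, client_ip, url, acls):
            return action
    return "deny"  # not reached while the list ends with "deny all"

# Two constructed orderings of the same four http_access lines.
ALLOW_FIRST = [("allow", "my_lan"), ("deny", "deniedsites"),
               ("deny", "keywords"), ("deny", "all")]
DENY_FIRST = [("deny", "deniedsites"), ("deny", "keywords"),
              ("allow", "my_lan"), ("deny", "all")]

if __name__ == "__main__":
    for label, rules in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        for url in ("http://www.youtube.com/", "http://example.org/gamble",
                    "http://example.org/"):
            print(label, url, http_access(rules, "192.168.100.25", url))
```

With the inline form of the ACL (facebook.com youtube.com, no leading dot), the same model allows www.youtube.com, because a dstdomain value without the dot matches only the exact host name. For HTTPS, a proxy that does not decrypt traffic sees only the CONNECT target host:port, so url_regex keywords in the path are never tested.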

Your file should finally appear with the added rules as below.


For ACLs

For http_access

To open ports in Squid proxy server, use the command syntax as shown below
acl Safe_ports port <port-number>

How to mask outgoing traffic on Squid proxy server


A proxy server is supposed to hide our identity by exposing the proxy IP address instead of our own.
However, the proxy can let our IP get known via outgoing HTTP traffic. To disable this, edit the
squid.conf file and disable Via headers. To do this, look for the line with #via on. Uncomment it and
change it from on to off.
# via on
via off

Also, the proxy server should not append the client's IP address to the HTTP requests which it forwards.
Disable this by modifying the following lines in squid.conf file.
To avoid revealing your Squid proxy server, you can remove the Squid proxy headers. Add the lines
below under TAG: request_header_access.
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

Save squid.conf file and remember to restart squid


systemctl restart squid

How to check Squid configuration errors


The command below will point out where there could be errors in your configuration file
sudo squid -k parse

Configure clients to connect through Squid proxy server


Configure user authentication
First, let us create and allow users to authenticate through Squid proxy. We need to enable http
authentication in squid.conf file. Install apache2-utils.
sudo apt update
sudo apt install -y apache2-utils

Create a file that will be used to store users. Mine is called ‘passwd’. The file should be owned by
proxy which is the default Squid user.
sudo touch /etc/squid/passwd
sudo chown proxy: /etc/squid/passwd

Let’s add a user called lorna


$ sudo htpasswd /etc/squid/passwd lorna
New password:
Re-type new password:
Adding password for user lorna

Now add the following lines in squid.conf file. After adding, save and restart squid.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

It is important to check the location of basic_ncsa_auth to be sure that you are using the right path
and that you do not get errors. Use the command below:
dpkg -L squid | grep ncsa_auth
Your Squid file should look as below:

To test that your Squid proxy server is working, go to your client web browser, such as Firefox, and
configure manual proxy authentication. Open Firefox and click on the three bars on the far right.
Under Edit, click on Preferences. Click on Settings under Network Settings. On the page that
appears, click on the Manual proxy configuration radio button and fill in your proxy server details.
You can exclude the proxy for other IP addresses if you wish under ‘No proxy for’.

Now confirm your Squid proxy setup is working. Open the Firefox browser and try to open a
restricted site, such as youtube.com in my case. You should see a page saying ‘proxy server refuse
connections’.

Now open another site that is not restricted. You should be prompted for authentication; after
entering your username and password, you should be able to access the site.

This has been a step-by-step guide on how to install and configure Squid proxy server on Ubuntu
22.04|20.04. I hope you have enjoyed it. Below are more elaborate guides for your daily Linux
installations:
• How to install and configure HAProxy on Debian
• How to configure Nginx Proxy for Semaphore Ansible Web UI
• How to install Envoy Proxy on Ubuntu/Debian Linux
• How to manage HAProxy servers from a Web Interface
