Alexander Mylnikov

21Jul/120

How to Install a SQUID Proxy Server with SSL / User Authentication Tutorial

Today we will be installing the Squid proxy server, with a few modifications, including SSL support, as well as user / http authentication.

Now let's start off by installing the squid package:

apt-get install squid

Now the squid server should have started automatically, although if it hasn’t, use:

/etc/init.d/squid start

The next step is to start the configuration, so we will start by editing Squid’s config file:

nano /etc/squid/squid.conf

Now we need to define both the port and the IP address our server will be listening on, so locate the following line (and change as needed):

http_port 127.0.0.1:3128

and / or

http_port XX.XX.XX.XX:3128

Bear in mind that if your server is connected to the net, there are going to be two interfaces, your external IP and your internal one, hence 127.0.0.1 and XX.XX.XX.XX.

Port 3128 is the default port for Squid, although you might want to change this for security reasons. ^_^

Now the last step is to define which IPs / ranges our proxy server will accept connections from.

An example has been provided below; these values go in the “http_access allow” section of the configuration file:

nano /etc/squid/squid.conf

# http_access takes ACL names, not bare addresses, so localhost needs its own acl line
acl our_networks src 192.168.1.0/24
acl localhost src 127.0.0.1/32
http_access allow our_networks
http_access allow localhost

This lets every device on the main interface's 192.168.1.0/24 range connect, as well as localhost, and you can define any other range the same way.

If you would like to deny connections from nodes in any other IP range, add the following underneath (keep it as the last http_access line, because Squid stops at the first rule that matches):

http_access deny all

That’s the core of the config completed; now it's time to restart the server and check it out!

/etc/init.d/squid restart

Now we have a proxy server, which is listening on XX.XX.XX.XX:3128.

Enter this information into your browser’s proxy config and test it out! Hopefully everything should go smoothly :)

Anonymous Server
—————-

Now if you would like an anonymous proxy server, please see the section below; if not, just skip the next section…

For an anonymous server, search for the “header_access Authorization allow all” line in Squid’s config file and uncomment it and all the “header_access” lines below it, or use this config (header_access is the Squid 2.x directive; Squid 3 renamed it to request_header_access and reply_header_access):

header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Disposition allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Location allow all
header_access Content-Range allow all
header_access Content-Type allow all
header_access Cookie allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Location allow all
header_access Range allow all
header_access Referer allow all
header_access Set-Cookie allow all
header_access WWW-Authenticate allow all
header_access All deny all

All done :)

Caching Data
————

Now if we want squid to cache data we need to go into the configuration file again and uncomment this line:

cache_dir ufs /var/squid/cache 100 16 256

This specifies the storage type (ufs), where the cached data will be placed, how many MB of storage are available (100), the number of directories for data (16) and the number of subdirectories for data (256). You can specify these yourself, although I recommend leaving them as they are unless you know what you're doing.

User Authentication
——————-

We will make use of htpasswd / NCSA.
If you use lighttpd (like myself) please read the following; if you use apache please proceed to Step 2.

As you might be aware, lighttpd does not support .htpasswd functionality, so:

apt-get install apache2
/etc/init.d/apache2 stop

This installs htpasswd (on Debian/Ubuntu the binary is in the apache2-utils package, which you can install on its own instead of the whole server); you can get the binary from somewhere else if you would like :/

STEP 2
——

Now we need to enter the following so htpasswd will create a password file for our proxy (the -c flag creates the file, so leave it out when adding further users or the existing file is overwritten):

htpasswd -c /etc/squid/passwd proxyuser

Make sure Squid can read the file correctly (this makes it world-readable; a tighter option is to make the file owned by, and readable only by, the user Squid runs as, which is proxy on Debian):

chmod o+r /etc/squid/passwd

Now we need to access the NCSA helper, which I believe is in “/usr/lib/squid/ncsa_auth” if memory serves me correctly.

If in doubt just type the following in the console:

dpkg -L squid | grep ncsa_auth

Now we need to edit Squid’s config again and set a few variables:

nano /etc/squid/squid.conf

So locate the following lines

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

and uncomment them, using the above values ^^^

Now locate your ACLs in the squid config and add the following lines (put the allow above your network allow lines: Squid stops at the first http_access rule that matches, so clients already admitted by address are never prompted):

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

Now save / close the file and then we restart Squid!

/etc/init.d/squid restart

And test it out in your browser!

Setup the proxy XX.XX.XX.XX:3128

and when browsing you should be prompted for a username / password; enter it and you're away!
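Because Squid walks the http_access list in order, the ACL block from earlier and the ncsa_users allow just added are easy to leave in an order that either creates an open proxy or lets a whole network past the password prompt. The following is an added example, not code from the post, that lints that ordering in a squid.conf; it assumes a file using the acl and http_access lines shown in this post, and SAMPLE_CONF is a constructed copy of the earlier ACL block with a stray “allow all” left in.

```python
"""Lint the order of http_access rules in a squid.conf (added example, not from the post).

Squid evaluates http_access lines top to bottom and stops at the first match, so an
"allow all" above "deny all" makes the deny line dead (an open proxy), and an address-
based allow above the proxy_auth allow admits that whole network with no password prompt.
"""

def parse_conf(text):
    """Return (acls, rules): acl name -> acl type, and the http_access lines in order."""
    acls, rules = {"all": "src"}, []          # 'all' is a built-in ACL
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments
        if len(parts) >= 3 and parts[0] == "acl":
            acls[parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def lint_http_access(text):
    """Return a list of findings; an empty list means the rule order looks sane."""
    acls, rules = parse_conf(text)
    has_auth = "proxy_auth" in acls.values()
    findings, dead_after, auth_seen = [], None, False
    for n, (action, names) in enumerate(rules, 1):
        rule = f"rule {n} (http_access {action} {' '.join(names)})"
        if dead_after:
            findings.append(f"{rule} can never match: it sits below {dead_after}")
            continue
        types = [acls.get(a.lstrip("!"), "?") for a in names]
        if action == "allow" and "proxy_auth" in types:
            auth_seen = True
        elif (action == "allow" and has_auth and not auth_seen
              and any(t == "src" and a != "all" for a, t in zip(names, types))):
            findings.append(f"{rule} admits clients by address before the proxy_auth allow, so they are never prompted")
        if names == ["all"]:                    # the first rule on 'all' ends evaluation
            if action == "allow":
                findings.append(f"{rule} turns this into an open proxy")
            dead_after = rule
    if dead_after is None:
        findings.append("no final 'http_access deny all': unmatched clients get the opposite of the last rule")
    return findings

# Constructed sample: this post's ACL block with a stray 'allow all' left in.
SAMPLE_CONF = """\
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow all
http_access deny all
"""
```

Run lint_http_access on the text of /etc/squid/squid.conf after each change; an empty list is the result to aim for.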

SSL Encryption
————–

You now have an anonymous proxy that caches data :) Now I will explain how to encrypt all data from our server to our machine via the proxy.
In simple terms: the proxy (server) will fetch unencrypted data from a website, then encrypt it and send it to us.
This is useful if you don’t trust your ISP, or you are using a shared network, etc.

Type:

ssh -L 3128:67.215.238.7:3128 [email protected]

Type your password, then point your browser at localhost:3128 (the local end of the tunnel).

So ssh is tunnelling the proxy connection through SSH, and everything between your machine and the server is encrypted!

Tip:
To actively monitor your squid server you can use the following command:
tail -f /var/log/squid/access.log
This is very useful if you're testing configurations :)
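Watching the log with tail -f is fine while testing; once real clients arrive, what matters is who keeps getting TCP_DENIED. The following is an added example, not from the post, that summarises denials per client from Squid's native access.log format; SAMPLE_LOG is a constructed set of log lines, and the threshold of three 407s is an assumption you would tune for your own traffic.

```python
"""Summarise denied requests in Squid's native access.log (added example, not from the post).

tail -f is fine while testing; this groups TCP_DENIED entries per client so a burst
of 407s from one address (someone guessing proxy passwords) or 403s from addresses
outside the allowed ranges stands out. The log lines below are constructed samples.
"""
from collections import defaultdict

# Native format: time elapsed client action/code size method URL user hierarchy/peer type
SAMPLE_LOG = """\
1342857600.123    245 192.168.1.10 TCP_MISS/200 4521 GET http://example.com/ proxyuser DIRECT/93.184.216.34 text/html
1342857601.456      0 203.0.113.5 TCP_DENIED/407 1750 GET http://example.com/ - NONE/- text/html
1342857601.789      0 203.0.113.5 TCP_DENIED/407 1750 GET http://example.com/ - NONE/- text/html
1342857602.012      0 203.0.113.5 TCP_DENIED/407 1750 GET http://example.com/ - NONE/- text/html
1342857603.345      0 198.51.100.9 TCP_DENIED/403 1500 CONNECT example.net:443 - NONE/- text/html
1342857604.678     12 192.168.1.10 TCP_HIT/200 980 GET http://example.com/logo.png proxyuser NONE/- image/png
"""

def parse_line(line):
    """Split one native-format line into a dict; return None for malformed lines."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    action, code = f[3].split("/", 1)
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "code": int(code), "method": f[5], "url": f[6], "user": f[7]}

def denied_summary(log_text, threshold=3):
    """Return ({client: {"407": n, "403": n, "connect": n}}, [clients worth a look])."""
    per_client = defaultdict(lambda: {"407": 0, "403": 0, "connect": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "TCP_DENIED":
            continue   # only denials matter here; hits and misses are normal traffic
        stats = per_client[rec["client"]]
        key = str(rec["code"])
        stats[key] = stats.get(key, 0) + 1
        if rec["method"] == "CONNECT":          # tunnel attempts that were refused
            stats["connect"] += 1
    # Repeated 407s look like credential guessing; refused CONNECTs are worth a look too.
    suspicious = sorted(c for c, s in per_client.items()
                        if s["407"] >= threshold or s["connect"] > 0)
    return dict(per_client), suspicious

if __name__ == "__main__":
    counts, flagged = denied_summary(SAMPLE_LOG)
    for client in flagged:
        print(client, counts[client])
```

Feed it the contents of /var/log/squid/access.log instead of SAMPLE_LOG to run it against a real server.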