Installing Setup Squid Proxy on Debian 11\/10<\/h2>\n\n\n\nRun system update<\/h3>\n\n\n\n
To begin with, ensure that your system repos are up-to-date.<\/p>\n\n\n\n
apt update<\/code><\/pre>\n\n\n\nInstall Squid Proxy on Debian<\/h3>\n\n\n\n
Squid proxy is available on the default Debian 11\/Debian 10 repositories.<\/p>\n\n\n\n
apt-cache policy squid<\/code><\/pre>\n\n\n\nSample output on Debian 11<\/p>\n\n\n\n
squid:\n Installed: (none)\n Candidate: 4.13-10\n Version table:\n 4.13-10 500\n 500 http:\/\/deb.debian.org\/debian bullseye\/main amd64 Packages<\/code><\/pre>\n\n\n\nTherefore, you can install it by running the command and can be installed by running the command;<\/p>\n\n\n\n
apt install squid -y<\/code><\/pre>\n\n\n\nRunning Squid on Debian 11\/Debian 10<\/h3>\n\n\n\n
When installed, Squid is started and enabled to run on system boot;<\/p>\n\n\n\n
systemctl status squid<\/code><\/pre>\n\n\n\n\n\u25cf squid.service - Squid Web Proxy Server\n Loaded: loaded (\/lib\/systemd\/system\/squid.service; enabled; vendor preset: enabled)\n Active: active (running) since Wed 2021-10-20 09:01:18 EAT; 38s ago\n Docs: man:squid(8)\n Process: 1718 ExecStartPre=\/usr\/sbin\/squid --foreground -z (code=exited, status=0\/SUCCESS)\n Main PID: 1721 (squid)\n Tasks: 4 (limit: 1133)\n Memory: 15.6M\n CPU: 156ms\n CGroup: \/system.slice\/squid.service\n \u251c\u25001721 \/usr\/sbin\/squid --foreground -sYC\n \u251c\u25001723 (squid-1) --kid squid-1 --foreground -sYC\n \u251c\u25001724 (logfile-daemon) \/var\/log\/squid\/access.log\n \u2514\u25001725 (pinger)\n\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Using Least Load store dir selection\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Set Current Directory to \/var\/spool\/squid\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Finished loading MIME types and icons.\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: HTCP Disabled.\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Pinger socket opened on FD 14\nOct 20 09:01:18 bullseye.kifarunix-demo.com systemd[1]: Started Squid Web Proxy Server.\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Squid plugin modules loaded: 0\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Adaptation support is off.\nOct 20 09:01:18 bullseye.kifarunix-demo.com squid[1723]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9\nOct 20 09:01:19 bullseye.kifarunix-demo.com squid[1723]: storeLateRelease: released 0 objects\n<\/code><\/pre>\n\n\n\nTo check if enabled to run on system boot;<\/p>\n\n\n\n
systemctl is-enabled squid<\/code><\/pre>\n\n\n\nIf the output of the command is not, enabled<\/strong>, then enable it by running;<\/p>\n\n\n\nsystemctl enable squid<\/code><\/pre>\n\n\n\nConfiguring Squid Proxy Server on Debian 11\/Debian 10<\/h3>\n\n\n\n
\/etc\/squid\/squid.conf<\/code> is the default Squid Proxy configuration.<\/p>\n\n\n\nThe configuration has the recommended minimum settings. However, we will modify this configuration to make a few changes.<\/p>\n\n\n\n
You can also have other configurations under \/etc\/squid\/conf.d\/<\/strong><\/code> directory.<\/p>\n\n\n\nBefore you can proceed, create a backup of the default configuration file.<\/p>\n\n\n\n
cp \/etc\/squid\/squid.conf{,.old}<\/code><\/pre>\n\n\n\nBy default, the Squid configuration file looks like as shown below (with comment lines removed);<\/p>\n\n\n\n
grep -vE \"^#|^$\" \/etc\/squid\/squid.conf<\/code><\/pre>\n\n\n\n\nacl localnet src 0.0.0.1-0.255.255.255\t# RFC 1122 \"this\" network (LAN)\nacl localnet src 10.0.0.0\/8\t\t# RFC 1918 local private network (LAN)\nacl localnet src 100.64.0.0\/10\t\t# RFC 6598 shared address space (CGN)\nacl localnet src 169.254.0.0\/16 \t# RFC 3927 link-local (directly plugged) machines\nacl localnet src 172.16.0.0\/12\t\t# RFC 1918 local private network (LAN)\nacl localnet src 192.168.0.0\/16\t\t# RFC 1918 local private network (LAN)\nacl localnet src fc00::\/7 \t# RFC 4193 local private network range\nacl localnet src fe80::\/10 \t# RFC 4291 link-local (directly plugged) machines\nacl SSL_ports port 443\nacl Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t# wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port 280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port 591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method CONNECT\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access allow localhost manager\nhttp_access deny manager\ninclude \/etc\/squid\/conf.d\/*\nhttp_access allow localhost\nhttp_access deny all\nhttp_port 3128\ncoredump_dir \/var\/spool\/squid\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0\t0%\t0\nrefresh_pattern .\t\t0\t20%\t4320\n<\/code><\/pre>\n\n\n\nConfigure Squid Access Control Policies<\/h4>\n\n\n\n
If you already noticed, the above configuration file has ACLs for specific networks and safe ports. You can modify them to include your safe ports as well as the your local networks whose Squid should proxy for.<\/p>\n\n\n\n
When defining an ACL, each and every one of them must begin with an acl name<\/code> and acl type<\/code> followed by either type-specific arguments or a quoted filename that they are read from;<\/p>\n\n\n\nacl aclname acltype argument ...<\/code><\/pre>\n\n\n\nacl aclname acltype \"file\" ...<\/code><\/pre>\n\n\n\nWhen using \u201cfile<\/strong><\/code>\u201c, the file should contain one item per line.<\/p>\n\n\n\nvim \/etc\/squid\/squid.conf<\/code><\/pre>\n\n\n\nIn this tutorial, we will create an ACL for our LAN network, 192.168.58.0\/24<\/strong><\/code>.<\/p>\n\n\n\nWe append this line just above the SSL ports ACL.<\/p>\n\n\n\n
Replace the name of the ACL and the source network appropriately.<\/strong><\/p>\n\n\n\n...\nacl localnet src fe80::\/10 # RFC 4291 link-local (directly plugged) machines\nacl kifarunix-demo-net src 192.168.58.0\/24 # My LAN network ACL<\/strong>\nacl SSL_ports port 443\n...<\/code><\/pre>\n\n\n\nRead more about ACL configuration directives on Squid Wiki page<\/a>.<\/p>\n\n\n\nYou can comment out (adding # at the beginning of the lines) the default ACLs.<\/strong><\/p>\n\n\n\n\n#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 \"this\" network (LAN)\n#acl localnet src 10.0.0.0\/8 # RFC 1918 local private network (LAN)\n#acl localnet src 100.64.0.0\/10 # RFC 6598 shared address space (CGN)\n#acl localnet src 169.254.0.0\/16 # RFC 3927 link-local (directly plugged) machines\n#acl localnet src 172.16.0.0\/12 # RFC 1918 local private network (LAN)\n#acl localnet src 192.168.0.0\/16 # RFC 1918 local private network (LAN)\n#acl localnet src fc00::\/7 # RFC 4193 local private network range\n#acl localnet src fe80::\/10 # RFC 4291 link-local (directly plugged) machines\nacl kifarunix-demo-net src 192.168.58.0\/24 # My LAN network ACL<\/strong>\n...\n<\/code><\/pre>\n\n\n\nAllow or Deny Access Based on defined ACL<\/h4>\n\n\n\n
Once you have the ACL in place, you can then use the http_access<\/strong><\/code> directive to define the ACL allowed or denied to use the proxy to access external network.<\/p>\n\n\n\nTherefore, to allow our network, defined by our ACL, kifarunix-demo-net<\/strong>, external access, add the line below;<\/p>\n\n\n\n...\n#http_access allow localnet\nhttp_access allow localhost\nhttp_access allow kifarunix-demo-net # Allow kifarunix-demo-net<\/strong><\/strong>\n# And finally deny all other access to this proxy\nhttp_access deny all<\/code><\/pre>\n\n\n\nThe last entry should always be http_access deny all<\/strong><\/code>.<\/p>\n\n\n\nDeny Access to Specific Websites<\/h3>\n\n\n\n
Access to specific websites can be restricted using Squid Proxy. For example to block access to youtube, facebook, netflix;<\/p>\n\n\n\n
\n- you would have to create a file that defines the domains of these websites as shown below. Exit the squid.conf and create the file.<\/li>\n<\/ul>\n\n\n\n
vim \/etc\/squid\/denied-sites.squid<\/code><\/pre>\n\n\n\n.youtube.com\n.facebook.com\n.netflix.com<\/code><\/pre>\n\n\n\nNext, create an ACL for the restricted sites above in the squid configuration file and set the deny<\/strong> rule for the defined ACL.<\/p>\n\n\n\nacl deniedsites dstdomain \"\/etc\/squid\/denied-sites.squid\"<\/strong><\/code><\/pre>\n\n\n\n\n- or you would list the domain names, space separated on the ACL statement.<\/li>\n<\/ul>\n\n\n\n
acl deniedsites dstdomain<\/strong> youtube.com facebook.com netflix.com<\/strong><\/code><\/pre>\n\n\n\nUpdate squid configuration file.<\/p>\n\n\n\n
\n...\n#acl localnet src fe80::\/10 # RFC 4291 link-local (directly plugged) machines\nacl kifarunix-demo-net src 192.168.58.0\/24 # My LAN network ACL\nacl deniedsites dstdomain \"\/etc\/squid\/denied-sites.squid\" ## Sites to Block access to ###<\/strong>\n...\nhttp_access allow localhost\nhttp_access deny deniedsites # Deny access to facebook, youtube, netflix<\/strong>\nhttp_access allow kifarunix-demo-net # Allow kifarunix-demo-net\n\n# And finally deny all other access to this proxy\nhttp_access deny all\n...\n<\/code><\/pre>\n\n\n\nBlock Sites based on Specific Keywords<\/h3>\n\n\n\n
You can also restrict access to a website by the use of a keyword. Create a file with specific keywords as shown below;<\/p>\n\n\n\n
vim \/etc\/squid\/banned-keywords.squid<\/code><\/pre>\n\n\n\nporn\nads\nmovie\ngamble<\/code><\/pre>\n\n\n\nMake the necessary changes on squid configuration file by adding the ACL for above keywords;<\/p>\n\n\n\n
acl keyword-ban url_regex -i \"\/etc\/squid\/keyword-ban.squid\"<\/strong><\/code><\/pre>\n\n\n\n\n...\nacl kifarunix-demo-net src 192.168.58.0\/24 # My LAN network ACL\nacl deniedsites dstdomain \"\/etc\/squid\/denied-sites.squid\" ## Sites to Block access to ###\nacl keyword-ban url_regex -i \"\/etc\/squid\/keyword-ban.squid\" ## Banned Keywords<\/strong>\n...\nhttp_access allow localhost\nhttp_access deny deniedsites # Deny access to facebook, youtube, netflix\nhttp_access deny keyword-ban # Deny access based on keywords \nhttp_access allow kifarunix-demo-net # Allow kifarunix-demo-net<\/strong>\nhttp_access deny all\n...\n<\/code><\/pre>\n\n\n\nNOTE<\/strong>: http_access<\/code> entries are processed from top to bottom and depending on which occurs first, access is allowed or denied.<\/p>\n\n\n\nMasking Outgoing Traffic<\/h3>\n\n\n\n
As much as you use proxy server to anonymize your IP addresses by presenting the IP address of the proxy to other web servers, proxy servers may expose your IP addresses on the outgoing HTTP requests. You can however disable this by including the following directives at the end of your squid configuration file.<\/p>\n\n\n\n
Disable Via headers in requests and replies using the directive, via off.<\/p>\n\n\n\n
via off<\/strong><\/code><\/pre>\n\n\n\nConfigure Squid not to append your client\u2019s IP address in the HTTP requests it forwards;<\/p>\n\n\n\n
forwarded_for off<\/strong><\/code><\/pre>\n\n\n\nRemove Squid proxy headers to avoid revealing identity of Squid proxy server.<\/p>\n\n\n\n
\nrequest_header_access From deny all\nrequest_header_access Server deny all\nrequest_header_access WWW-Authenticate deny all\nrequest_header_access Link deny all\nrequest_header_access Cache-Control deny all\nrequest_header_access Proxy-Connection deny all\nrequest_header_access X-Cache deny all\nrequest_header_access X-Cache-Lookup deny all\nrequest_header_access Via deny all\nrequest_header_access X-Forwarded-For deny all\nrequest_header_access Pragma deny all\nrequest_header_access Keep-Alive deny all\n<\/code><\/pre>\n\n\n\nChange Squid Default Port<\/h3>\n\n\n\n
Squid proxy listens on TCP port 3128<\/code> by default.<\/p>\n\n\n\nTo change this port, open the \/etc\/squid\/squid.conf<\/code> configuration file and replace the value of the http_port<\/code> with your desired port number.<\/p>\n\n\n\nFor example, to change the default port to 8888, as long as no other application is listening on the same port;<\/p>\n\n\n\n
...\n# Squid normally listens to port 3128\n# http_port 3128 << Comment the line by adding #<\/strong>\nhttp_port 8888<\/strong>\n...<\/code><\/pre>\n\n\n\nYou can also set it to listen on a specific IP (Replace the IP address accordingly<\/strong>)<\/p>\n\n\n\nhttp_port 192.168.58.26:<\/strong>3128<\/code><\/pre>\n\n\n\nSave and exit the configuration file once you are done with the configuration.<\/p>\n\n\n\n
Our final squid.conf file now looks like;<\/p>\n\n\n\n
cat \/etc\/squid\/squid.conf<\/code><\/pre>\n\n\n\n\n#acl localnet src 0.0.0.1-0.255.255.255\t# RFC 1122 \"this\" network (LAN)\n#acl localnet src 10.0.0.0\/8\t\t# RFC 1918 local private network (LAN)\n#acl localnet src 100.64.0.0\/10\t\t# RFC 6598 shared address space (CGN)\n#acl localnet src 169.254.0.0\/16 \t# RFC 3927 link-local (directly plugged) machines\n#acl localnet src 172.16.0.0\/12\t\t# RFC 1918 local private network (LAN)\n#acl localnet src 192.168.0.0\/16\t\t# RFC 1918 local private network (LAN)\n#acl localnet src fc00::\/7 \t# RFC 4193 local private network range\n#acl localnet src fe80::\/10 \t# RFC 4291 link-local (directly plugged) machines\nacl kifarunix-demo-net src 192.168.58.0\/24\t# My LAN network ACL\nacl deniedsites dstdomain \"\/etc\/squid\/denied-sites.squid\"\t## Sites to Block access to ###\nacl keyword-ban url_regex -i \"\/etc\/squid\/keyword-ban.squid\"\t## Banned Keywords\nacl SSL_ports port 443\nacl Safe_ports port 80\t\t# http\nacl Safe_ports port 21\t\t# ftp\nacl Safe_ports port 443\t\t# https\nacl Safe_ports port 70\t\t# gopher\nacl Safe_ports port 210\t\t# wais\nacl Safe_ports port 1025-65535\t# unregistered ports\nacl Safe_ports port 280\t\t# http-mgmt\nacl Safe_ports port 488\t\t# gss-http\nacl Safe_ports port 591\t\t# filemaker\nacl Safe_ports port 777\t\t# multiling http\nacl CONNECT method CONNECT\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access allow localhost manager\nhttp_access deny manager\ninclude \/etc\/squid\/conf.d\/*\nhttp_access allow localhost\nhttp_access deny deniedsites\t# Deny access to facebook, youtube, netflix\nhttp_access deny keyword-ban\t# Deny access based on keywords \nhttp_access allow kifarunix-demo-net\t# Allow kifarunix-demo-net\nhttp_access deny all\n#http_port 3128\nhttp_port 192.168.58.26:3128\ncoredump_dir \/var\/spool\/squid\nrefresh_pattern ^ftp:\t\t1440\t20%\t10080\nrefresh_pattern ^gopher:\t1440\t0%\t1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0\t0%\t0\nrefresh_pattern .\t\t0\t20%\t4320\nvia off\nforwarded_for off\nrequest_header_access From deny all\nrequest_header_access Server deny all\nrequest_header_access WWW-Authenticate deny all\nrequest_header_access Link deny all\nrequest_header_access Cache-Control deny all\nrequest_header_access Proxy-Connection deny all\nrequest_header_access X-Cache deny all\nrequest_header_access X-Cache-Lookup deny all\nrequest_header_access Via deny all\nrequest_header_access X-Forwarded-For deny all\nrequest_header_access Pragma deny all\nrequest_header_access Keep-Alive deny all\n<\/code><\/pre>\n\n\n\n Check Squid Configuration File for Errors<\/h3>\n\n\n\nsquid -k parse<\/code><\/pre>\n\n\n\nIf there is any syntax error, the erroneous lines will be displayed. Be sure to run this command every time you modify your configuration.<\/p>\n\n\n\n
Sample config check output;<\/p>\n\n\n\n
\n2021\/10\/20 09:40:17| Startup: Initializing Authentication Schemes ...\n2021\/10\/20 09:40:17| Startup: Initialized Authentication Scheme 'basic'\n2021\/10\/20 09:40:17| Startup: Initialized Authentication Scheme 'digest'\n2021\/10\/20 09:40:17| Startup: Initialized Authentication Scheme 'negotiate'\n2021\/10\/20 09:40:17| Startup: Initialized Authentication Scheme 'ntlm'\n2021\/10\/20 09:40:17| Startup: Initialized Authentication.\n2021\/10\/20 09:40:17| Processing Configuration File: \/etc\/squid\/squid.conf (depth 0)\n2021\/10\/20 09:40:17| Processing: acl kifarunix-demo-net src 192.168.58.0\/24\t# My LAN network ACL\n2021\/10\/20 09:40:17| Processing: acl deniedsites dstdomain \"\/etc\/squid\/denied-sites.squid\"\t## Sites to Block access to ###\n2021\/10\/20 09:40:17| Processing: acl keyword-ban url_regex -i \"\/etc\/squid\/keyword-ban.squid\"\t## Banned Keywords\n2021\/10\/20 09:40:17| Processing: acl SSL_ports port 443\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 80\t\t# http\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 21\t\t# ftp\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 443\t\t# https\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 70\t\t# gopher\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 210\t\t# wais\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 1025-65535\t# unregistered ports\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 280\t\t# http-mgmt\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 488\t\t# gss-http\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 591\t\t# filemaker\n2021\/10\/20 09:40:17| Processing: acl Safe_ports port 777\t\t# multiling http\n2021\/10\/20 09:40:17| Processing: acl CONNECT method CONNECT\n2021\/10\/20 09:40:17| Processing: http_access deny !Safe_ports\n2021\/10\/20 09:40:17| Processing: http_access deny CONNECT !SSL_ports\n2021\/10\/20 09:40:17| Processing: http_access allow localhost manager\n2021\/10\/20 09:40:17| Processing: http_access deny manager\n2021\/10\/20 09:40:17| Processing: include \/etc\/squid\/conf.d\/*\n2021\/10\/20 09:40:17| Processing Configuration File: \/etc\/squid\/conf.d\/debian.conf (depth 1)\n2021\/10\/20 09:40:17| Processing: logfile_rotate 0\n2021\/10\/20 09:40:17| Processing: http_access allow localhost\n2021\/10\/20 09:40:17| Processing: http_access deny deniedsites\t# Deny access to facebook, youtube, netflix\n2021\/10\/20 09:40:17| Processing: http_access deny keyword-ban\t# Deny access based on keywords\n2021\/10\/20 09:40:17| Processing: http_access allow kifarunix-demo-net\t# Allow kifarunix-demo-net\n2021\/10\/20 09:40:17| Processing: http_access deny all\n2021\/10\/20 09:40:17| Processing: http_port 192.168.58.26:3128\n2021\/10\/20 09:40:17| Processing: coredump_dir \/var\/spool\/squid\n2021\/10\/20 09:40:17| Processing: refresh_pattern ^ftp:\t\t1440\t20%\t10080\n2021\/10\/20 09:40:17| Processing: refresh_pattern ^gopher:\t1440\t0%\t1440\n2021\/10\/20 09:40:17| Processing: refresh_pattern -i (\/cgi-bin\/|\\?) 0\t0%\t0\n2021\/10\/20 09:40:17| Processing: refresh_pattern .\t\t0\t20%\t4320\n2021\/10\/20 09:40:17| Processing: via off\n2021\/10\/20 09:40:17| Processing: forwarded_for off\n2021\/10\/20 09:40:17| Processing: request_header_access From deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Server deny all\n2021\/10\/20 09:40:17| Processing: request_header_access WWW-Authenticate deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Link deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Cache-Control deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Proxy-Connection deny all\n2021\/10\/20 09:40:17| Processing: request_header_access X-Cache deny all\n2021\/10\/20 09:40:17| Processing: request_header_access X-Cache-Lookup deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Via deny all\n2021\/10\/20 09:40:17| Processing: request_header_access X-Forwarded-For deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Pragma deny all\n2021\/10\/20 09:40:17| Processing: request_header_access Keep-Alive deny all\n2021\/10\/20 09:40:17| WARNING: HTTP requires the use of Via\n2021\/10\/20 09:40:17| Initializing https:\/\/ proxy context\n\n<\/code><\/pre>\n\n\n\nRestart Squid<\/h3>\n\n\n\n
Once you are done with the configuration, save the file and restart squid.<\/p>\n\n\n\n
You can reload Squid configuration without actually restarting it using the command;<\/p>\n\n\n\n
squid -k reconfigure<\/code><\/pre>\n\n\n\nIf you want to restart the service, then;<\/p>\n\n\n\n
systemctl restart squid<\/code><\/pre>\n\n\n\nCheck that Squid is listening on defined port. In this case, we didn\u2019t change the default.<\/p>\n\n\n\n
ss -altnp | grep 3128<\/code><\/pre>\n\n\n\nLISTEN 0 256 192.168.58.26:3128 0.0.0.0:* users:((\"squid\",pid=1948,fd=12))<\/code><\/pre>\n\n\n\nAllow Squid Port on Firewall<\/h3>\n\n\n\n
If UFW is running, allow open squid proxy port;<\/p>\n\n\n\n
ufw allow 3128\/tcp<\/code><\/pre>\n\n\n\nConfigure Clients to Connect Through Proxy server<\/h3>\n\n\n\n
To configure end points to connect to internet via Squid proxy server, you can either set system wide proxy configurations, configure client to use the Squid proxy as the gateway or set the proxy settings on the browser.<\/p>\n\n\n\n
System Wide proxy configuration on Debian 11\/Debian 10<\/a><\/h4>\n\n\n\nTo set system wide proxy configurations, create a configuration file under \/etc\/profile.d<\/code> with environment variables defining squid proxy server details as follows;<\/p>\n\n\n\nvim \/etc\/profile.d\/squid.sh<\/code><\/pre>\n\n\n\nReplace the IP address of the Squid server accordingly.<\/p>\n\n\n\n
\nPROXY_URL=\"192.168.58.26:3128\"\nHTTP_PROXY=$PROXY_URL\nHTTPS_PROXY=$PROXY_URL\nFTP_PROXY=$PROXY_URL\nhttp_proxy=$PROXY_URL\nhttps_proxy=$PROXY_URL\nftp_proxy=$PROXY_URL\nexport HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy\n<\/code><\/pre>\n\n\n\nAfter that, source the new configuration file.<\/p>\n\n\n\n
source \/etc\/profile.d\/squid.sh<\/code><\/pre>\n\n\n\nTo test this, try to download anything from the clients terminal while tailing access logs on squid proxy server.<\/p>\n\n\n\n
On the client\u2019s terminal, run;<\/p>\n\n\n\n
wget google.com<\/code><\/pre>\n\n\n\n\n--2021-10-20 02:46:02-- http:\/\/google.com\/\nConnecting to 192.168.58.26:3128... connected.\nProxy request sent, awaiting response... 301 Moved Permanently\nLocation: http:\/\/www.google.com\/ [following]\n--2021-10-20 02:46:02-- http:\/\/www.google.com\/\nReusing existing connection to 192.168.58.26:3128.\nProxy request sent, awaiting response... 200 OK\nLength: unspecified [text\/html]\nSaving to: \u2018index.html\u2019\n\nindex.html [ <=> ] 14.54K --.-KB\/s in 0s \n\n2021-10-20 02:46:03 (29.4 MB\/s) - \u2018index.html\u2019 saved [14894]\n<\/code><\/pre>\n\n\n\nOn the Squid proxy server;<\/p>\n\n\n\n
tail -f \/var\/log\/squid\/access.log<\/code><\/pre>\n\n\n\n1634712362.509 467 192.168.58.1 TCP_MISS\/301 656 GET http:\/\/google.com\/ - HIER_DIRECT\/216.58.223.110 text\/html\n1634712363.038 526 192.168.58.1 TCP_MISS\/200 15816 GET http:\/\/www.google.com\/ - HIER_DIRECT\/216.58.223.68 text\/html<\/code><\/pre>\n\n\n\nConfigure Proxy settings on Firefox browser.<\/h4>\n\n\n\n
On your Firefox, configure it to connect external network via your Squid server. Preferences<\/strong> > Genera<\/strong>l > Network Settings > Manual Proxy Configuration<\/strong>. Check Use this proxy server for all protocols.<\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/10\/proxy-firefox-settings.png\" "\\"\\"")
<\/figure>\n\n\n\n<\/a><\/p>\n\n\n\nTry to access blocked sites on your browser;<\/p>\n\n\n\n![\"\"](\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/10\/proxy-denied-sites.png\" "\\"\\"")
<\/figure>\n\n\n\nCheck the logs on the Squid server.<\/p>\n\n\n\n
tail -f \/var\/log\/squid\/access.log<\/code><\/pre>\n\n\n\n1634717782.953 0 192.168.58.12 TCP_DENIED\/403 4007 CONNECT youtube.com:443 - HIER_NONE\/- text\/html<\/code><\/pre>\n\n\n\nAnd that how to basically configure squid proxy to block or deny access to external resources.<\/p>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\nOther Tutorials<\/h3>\n\n\n\n
How to Set System Wide Proxy in Ubuntu 18.04<\/a><\/p>\n\n\n\nMonitor Squid logs with Grafana and Graylog<\/a><\/p>\n\n\n\nCreate Squid Logs Extractors on Graylog Server<\/a><\/p>\n\n\n\n