How to Create an HTTP Proxy Using Squid on Debian 10
Updated
Tuesday, December 1, 2020, by LinodeThis guide was written for Debian 10. Other distributions are available:Select distribution:Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en guide will show you how to create your own HTTP proxy using Squid, a highly customizable proxy/cache application, on Debian 10. An HTTP proxy acts as an intermediary between you and the internet. While connected to your Squid HTTP proxy, you will be able to:Anonymously access internet certain regional and local network teThe traffic passed from your client to your Squid HTTP proxy will not be encrypted and will still be visible on your local network. If you are looking for a solution that offers greater security, you may want to look at our guides on
Setting up an SSH Tunnel or
Deploy OpenVPN Access Server with Marketplace stall SquidSecure your Linode by completing the instructions in our guide on
Securing Your Server, including adding a limited user account and configuring a teThis guide is written for a limited, non-root user. Commands that require elevated privileges are prefixed with sudo. If you are not familiar with the sudo command, you can check our
Users and Groups that your system is up-to-date:sudo apt-get update && sudo apt-get upgrade
Install Squid using the apt software package manager:sudo apt-get install squid
Copy the original configuration file to keep as a backup:sudo cp /etc/squid/ /etc/squid/
NoteThe Squid configuration file includes comprehensive documentation in its commented lines, along with several uncommented rules that will remain active. These default rules should not be modified while you are following this guide. To gain a deeper understanding of Squid’s options and default settings, you can review the full configuration nfigure Client AccessNow that you have Squid installed on your Linode, you can configure ways for it to accept connections and serve as an HTTP proxy. The following sections provide different ways for your Squid HTTP proxy to authenticate client connections. You can configure Squid to use either or both authentication Address AuthenticationA simple way to use Squid as an HTTP proxy is to use a client’s IP address for the Squid configuration file and add the following lines at the beginning of the file:File: /etc/squid/nf1
2
acl client src 192. 0. 2. 0 # Home IP
_access allow clientReplace client with a name that identifies the client computer that will connect to your Squid HTTP proxy, then replace 192. 0 with the client computer’s IP address. You can also update the optional comment # Home IP to further describe the ternatively, you can configure multiple clients by adding new acl lines to /etc/squid/ and including them in the _access allow line as follows:File: /etc/squid/nf1
3
acl client1 src 192. 0 # Home IP
acl client2 src 192. 1 # Work IP
_access allow client1 client2Replace client1 and client2 with names that identify the client computers, then replace 192. 0 and 192. 1 with their corresponding IP addresses. Update the optional comments # Home IP and # Work IP with accurate descriptions to help keep track of multiple clients. Access to the proxy is granted by adding the names defined by each acl to the _access allow AuthenticationYou can also configure your Squid HTTP proxy to accept authentication with usernames and stall htpasswd by installing the Apache utility programs. If you have installed Apache on your Linode, you will already have it and can skip this apt-get install apache2-utils
Create a file to store Squid users and passwords:sudo touch /etc/squid/squid_passwd
Change ownership of the password file:sudo chown proxy /etc/squid/squid_passwd
Create a username password pair, replacing user1 with the name of the user you’d like to add:sudo htpasswd /etc/squid/squid_passwd user1
You will be prompted to create a password for this user:New password:
Re-type new password:
Adding password for user user1You can repeat this step at any time to create new the location of the nsca_auth file:sudo dpkg -L squid | grep ncsa_auth
Edit the Squid configuration file and add the following lines at the beginning of the file:NoteEnsure that you update /usr/lib/squid/basic_ncsa_auth below with the location of the nsca_auth file that you checked in the previous /etc/squid/nf1
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
_access allow ncsa_usersTo remove a user’s access to the proxy, you must delete the corresponding entry in the squid_passwd file. Each user is represented in the file on a single line in the format of user:passwordhash:File: /etc/squid/squid_passwd1
user1:\$p948w3nvq3489v6npq396g user2:\$q3cn478554387cq34n57vnIf you are using Nano, the command Control+k will remove the entire line where the cursor you’ve saved and exited the file, complete user removal by restarting Squid:sudo systemctl restart squid
Combined AuthenticationYou can combine authentication methods using the same acl definitions that you have added in the previous two sections by using a single _access any previous _access lines you have the Squid configuration file so that the lines you have added at the beginning of the file follow this form:File: /etc/squid/nf1
4
5
_access allow client1 client2 ncsa_usersNoteTake care to avoid using multiple _access rules when combining authentication methods, as Squid will follow the rules in the order that they appear. By using a single _access rule for your acl definitions, you will ensure that several authentication methods will apply to each client that attempts to connect to your Squid HTTP proxy. Anonymize TrafficHere, you will add rules to mask client IP addresses from the servers that receive traffic from you Squid HTTP proxy. Without these rules, the originating client IP addresses may be passed on through the X-Forwarded For HTTP the following lines at the beginning of the Squid configuration file:File: /etc/squid/ 1
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny allEnable ConnectionsNext, you will enable clients to connect to your Squid HTTP and exit the Squid configuration start Squid to enable the rules you have added:sudo systemctl restart squid
Implement firewall rules to enable port 3128, which is the default service port used by Squid:sudo ufw allow 3128/tcp
You can find more information on configuring firewall rules for Debian in our guide on
How to Configure a Firewall with nnect to your Squid HTTP ProxyYour Squid HTTP proxy is now ready to accept client connections and anonymously handle internet this point, you can configure your local browser or operating system’s network settings to use your Linode as an HTTP proxy. The settings to do this will vary depending on your OS and browser. Instructions for certain OS and browser settings are located in the
More Information section nerally, connecting to your Squid HTTP proxy requires the following information:The IP address or domain name associated with your port that is being used by Squid. The default port is 3128. A username and password if you have configured them for you have established your OS or browser settings, test the connection by pointing your browser at a website that tells you your IP address, such mGoogling “what is my ip”The result should display your Linode’s IP address instead of the IP address of your client InformationYou may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted Official SiteConfigure Proxy on WindowsProxy Server Settings on macOSConnection Settings in FirefoxThis page was originally published on
Tuesday, April 14, a Linode account
to try this guide with a $100 credit will be applied to any valid services used during your first 60 Feedback Is ImportantLet us know if this guide made it easy to get the answer you the other comments or post your own below. Comments must be respectful, constructive, and relevant to the topic of the guide. Do not post external links or advertisements. Before posting, consider if your comment would be better addressed by contacting our Support team or asking on our Community Site.
How to install and configure Squid Proxy on Debian 10
Introduction
Squid is a caching proxy that supports various network protocols such as HTTP, HTTPS and FTP.
This proxy can improve the performance and security of your web server by saving requests already made in a cache memory, filtering web traffic and restricting access based on geolocation.
In this tutorial you will see how to set up Squid Proxy on a Debian Buster server and how to configure some web browsers to be able to use this proxy.
Installing Squid on Debian
The Squid package is included in the standard Debian 10 repositories. Just run the standard commands to proceed with its installation:
$ sudo apt update
$ sudo apt install squid
Once the installation is completed, the proxy will start automatically. To verify its correct functioning, simply type:
$ sudo systemctl status squid
The resulting output should look like this:
rvice – LSB: Squid HTTP Proxy version 3. x
Loaded: loaded (/etc/init. d/squid; generated)
Active: active (running) since Wed 2020-05-26 18:48:47 PDT; 3s ago…
Configuring Squid Proxy
To configure Squid Proxy, edit the file in the Squid directory with a text editor.
$ sudo nano /etc/squid/
N. B. Before applying any changes, it is advisable to create a copy of the original configuration to have as a backup.
One of the first configurations that can be changed is the one concerning the port on which the proxy is listening, which by default is port 3128.
To apply this change, locate the following line in the text file:
# Squid normally listens to port 3128
_port IP_ADDR:PORT
By modifying the two highlighted elements the IP address of the interface and the port on which Squid is listening are changed, respectively.
A second configuration to interact with is the one concerning access control. In Squid, by default, access is only allowed to the localhost but a list of IP addresses to allow access to can also be specified.
To do so, simply create a file containing all the addresses and include it within the Squid configuration.
sudo nano /etc/squid/
With this command, a text file where to add the authorized IP addresses in your proxy for each line will have been created.
After doing so, open the configuration file and enter a new ACL called IPallowed and include the newly created text file.
To decide the access protocol to assign to these IP addresses, enter the _access entry followed by the name of the ACL defined above.
Normally, the strings should be similar to as follows:
#…
acl IPallowed src “/etc/squid/”
#_access allow localnet
_access allow localhost
_access allow IPallowed
# And finally deny all other access to this proxy
_access deny all
It is important that the deny all rule is always specified at the end of the other declarations. To deny all requests except those of the previously declared addresses. Squid, like firewalls, reads the rules from top to bottom.
Once the configuration file has been saved, the proxy will have to be restarted to apply the changes:
$ sudo systemctl restart squid
Configuring Firewall
In case of using UFW, port 3128 (or the port you have modified) can be opened by enabling the “Squid” profile:
$ sudo ufw allow ‘Squid’
In case of using nftables instead, use a slightly more complex command to open the ports:
$ sudo nft add rule inet filter input tcp dport 3128 ct state new, established counter accept
Configuring your browsers to use the proxy
In this section, you will learn more about how to allow your browsers to use the Squid proxy.
Firefox
These steps are valid for any operating system:
In Firefox, click on the ☰ icon at the top right
Select the Preferences option
Scroll in the section dedicated to the network settings and click on the item I ettings
In the new window that opens:
Click Manual Proxy Configuration
Enter the IP address of your squid Server in the HTTP Host field and enter the port 3128 in the Port field
Select the Use this proxy server for all protocols item
Confirm the new settings by clicking OK.
Now that your browser should be browsing the internet via the Squid proxy, verify this change by verifying that the IP you are recognized with on the network is the same as the Squid server.
N. To return to the default settings simply go back to that section of the Firefox network settings and select the item Use system proxy settings.
Google Chrome
In Chrome, the most direct way to launch the browser with Squid’s profile settings is to use the command line in the terminals.
The commands, of course, change from system to system.
Linux:
/usr/bin/google-chrome \
–user-data-dir=”$HOME/proxy-profile” \
–proxy-server=”SQUID_IP:3128″
MacOS:
“/Applications/Google Chrome” \
Windows:
“C:\Program Files (x86)\Google\Chrome\Application\” ^
