Setting up a SQUID Proxy in 21 steps (made easy with Webmin!)

With the aim of managing BitTorrent use on my network (i.e. preventing torrents), I opted to install a proxy server on an Ubuntu gateway server to control access to torrent sites for the clients on the network. This was a basic setup with a minimal Squid proxy server config in order to get up and running quickly, and ultimately to start preventing torrent usage. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
This post walks through setting up Squid using Webmin to configure it. The simple reason for using Webmin is that its GUI for Squid is pretty good and makes life a lot simpler. However, I won't discuss the installation of Webmin.


If you don't have Webmin already installed, you're best off installing Squid first so that Webmin automatically detects Squid. Otherwise, if you are in the same position as me, with Webmin already installed, you'll need to add the Squid module to Webmin manually from the Webmin admin area.


Install Squid
1. To install Squid using aptitude, type the following command, which will download and install the needed dependencies:
sudo aptitude install squid3


Configure Webmin
2. Log on to Webmin and refresh the modules to pick up the Squid server.
https://serveripaddress:10000/webmin/refresh_modules.cgi
3. Once you have logged in, click on "Servers" on the left-hand side to expand the servers list.
4. Click on “Squid Proxy Server.” Here you should be able to configure Squid through Webmin.
5. Click on “Ports and Networking” and note what the port is that Squid will be using (default: 3128). This is the port that you will need to enter on your browser in order to use Squid. 


Set up the Access Control Lists
This is where we will set up the access list for clients that will be allowed through the proxy server.
6. Then return to the Squid Module Index and click on the “Access Control” button.
7. At the bottom there is a button called “Create new ACL”. From the drop-down box next to the button, select "Client Address".


8. Click the "Create new ACL" button.
9. On the "Create ACL" page, fill in the following information:
  • ACL Name: internal_network (you can name this whatever you want. no spaces)
  • From IP: the first IP allowed to use Squid. For example, you can type in 192.168.1.0 and that will allow all IPs that start with 192.168.1.
  • To IP: Enter the last IP allowed, or you can again use 192.168.1.0
  • Netmask: Enter your subnet mask (255.255.255.0)
10. Click Save. The ACL has been created and you will be returned to the Access Control screen. 


Set up the Proxy Restrictions
This is where we will set up the rule to allow local traffic through the proxy server.
11. Click on “Proxy restrictions” tab from the top. 
12. Now click "Add proxy restriction". 
13. Click the allow button next to Action, and highlight “internal_network” or whatever you named your ACL at step 8.
14. Click Save. The proxy restriction is now created.


Prioritise the Proxy Restrictions
This is where the proxy restriction will be appropriately prioritised to make sure traffic is processed correctly.
15. The new proxy restriction will now be visible at the bottom of the proxy restriction list. This means it is the last 'rule' to be processed when traffic reaches the proxy server.
16. On the right-hand side, click the up arrow next to your new ACL to move it at least above the line where the action is “Deny” and the ACL is "all". (This should be one move.) I actually moved my ACL to the line above Deny !Safe_ports to get HTTPS / SSL fully working through the proxy.


17. At the very top of the screen click on “Apply Changes.” This makes sure your internal network passes through the proxy server before the Deny all restriction is applied. If your proxy isn't working, check here first!
18. Return to the main Squid Proxy Server Page. 
19. Click on Stop Squid, allow it to stop.
20. Click on Start Squid. If Squid fails to start check that the squid access log file is writeable by the user and group proxy:proxy.


You have now completed the setup for Squid on your server. 
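
The ordering check from steps 15 to 17 can also be run against the configuration file itself. The script below is an added example, not part of the original post: it assumes the ACL name internal_network from step 9, and the sample configuration is constructed. Squid evaluates http_access lines from top to bottom and the first match decides, so the result before-safe-ports marks the placement described in step 16, where the allow rule matches before the Safe_ports check is reached.

```shell
#!/bin/sh
# Added example: report where "http_access allow <acl>" sits in a squid.conf.
# Usage: check_http_access_order <squid.conf> <acl-name>
# Prints one of: missing | after-deny-all | before-safe-ports | ok
check_http_access_order() {
    awk -v acl="$2" '
        $1 != "http_access" { next }     # skips comments, acl lines, blanks
        { n++ }                          # position among the http_access rules
        $2 == "allow" && $3 == acl && !allow         { allow = n }
        $2 == "deny"  && $3 == "all" && !denyall     { denyall = n }
        $2 == "deny"  && $3 == "!Safe_ports" && !safe { safe = n }
        END {
            if (!allow)                          print "missing"
            else if (denyall && allow > denyall) print "after-deny-all"
            else if (safe && allow < safe)       print "before-safe-ports"
            else                                 print "ok"
        }' "$1"
}

# Constructed sample: the new rule as it first appears, last in the list (step 15).
sample=$(mktemp)
cat > "$sample" <<'EOF'
acl internal_network src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_access allow internal_network
EOF
check_http_access_order "$sample" internal_network   # after-deny-all
rm -f "$sample"
```
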


Configure the firewall for Squid
21. If you are using iptables, add the following line to your iptables rules to allow Squid through your firewall. As written, it accepts connections to port 3128 from any source address:
-A INPUT -p tcp --dport 3128 -j ACCEPT

Your proxy server should now be working with logging!

Monitor your proxy traffic
22. Back in Webmin, in the Squid module, click the "Logging" button.
23. Here "Access Log Files" should be enabled using the radio button next to the "File path".
24. The default file path for the access log should be /var/log/squid/access.log
25. To read the access log you can use the following command:
sudo cat /var/log/squid/access.log 
Alternatively you can view the log file through the Webmin System Log viewer:
26. Click System in the left-hand Webmin side menu.
27. Click System Logs.
28. Next to "View logs" at the bottom enter /var/log/squid/access.log and click "View".
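
Since the goal of this proxy is to manage torrent use, the access log can be summarised rather than read line by line. The script below is an added example, not part of the original post: it assumes Squid's native log format (client address in field 3, URL in field 7, content type in field 10), and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: count torrent-looking requests per client in a Squid
# native-format access.log. Prints "client count", sorted by client.
torrent_hits() {
    awk '
        {
            url = tolower($7); type = tolower($10); hit = 0
            if (url ~ /\.torrent$/ || url ~ /\.torrent\?/) hit = 1  # .torrent download
            if (url ~ /[?&]info_hash=/) hit = 1                     # HTTP tracker request
            if (type == "application/x-bittorrent") hit = 1         # torrent metainfo type
            if (hit) count[$3]++
        }
        END { for (c in count) print c, count[c] }' "$1" | sort
}

# Constructed sample log (addresses and host names are placeholders).
log=$(mktemp)
cat > "$log" <<'EOF'
1400000000.101    120 192.168.1.20 TCP_MISS/200 15321 GET http://files.example/ubuntu.torrent - DIRECT/203.0.113.10 application/x-bittorrent
1400000001.202     85 192.168.1.20 TCP_MISS/200 312 GET http://tracker.example/announce?info_hash=%12%34&port=6881 - DIRECT/203.0.113.11 text/plain
1400000002.303     40 192.168.1.31 TCP_MISS/200 9120 GET http://www.example/index.html - DIRECT/203.0.113.12 text/html
1400000003.404    300 192.168.1.31 TCP_MISS/200 4100 CONNECT secure.example:443 - DIRECT/203.0.113.13 -
EOF
torrent_hits "$log"   # 192.168.1.20 2
rm -f "$log"
```

On the server, run it as `torrent_hits /var/log/squid/access.log` with read access to the log. HTTPS requests are logged only as CONNECT host:port, so this sees plain-HTTP requests only.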


Configure your clients to use the Squid proxy


Firefox 
1. Open Preferences
2. Click on Advanced
3. Select the Network tab
4. Open Settings. Click the Manual proxy configuration button.
5. Under HTTP Proxy add the IP address of your Squid Proxy Server, and then add the correct Port number (default: 3128).
6. Click Use this proxy server for all protocols. 
7. In the No Proxy for box, type: localhost, 127.0.0.1


Internet Explorer 
1. Open up your Internet Preferences dialog
2. Select the Connections tab
3. Open LAN settings
4. Click the box next to Use a proxy server for your LAN
5. Enter the correct IP address and port. 
6. Click on Bypass proxy server for local addresses. 
7. Click Ok, and Ok.


Start Squid on start up {untested}

Option 1 - Add the service to the run time control

First ensure you have /etc/init.d/squid

Then run:

sudo update-rc.d squid defaults

Option 2 - Manually start squid through the rc.local by using the following command:
sudo gedit /etc/rc.local


Add the lines and save: 

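# Squid writes the log as proxy:proxy, so the file does not need to be world-writable
chown proxy:proxy /var/log/squid/access.log
chmod 640 /var/log/squid/access.log
squid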






To be completed... how to restrict torrenting...

6 comments:

  1. Hello.. I have a question for you.

    I have 1 computer with 2 network cards.
    I want to configure eth0 as the internet source and eth1 as a router with Squid proxy + DHCP enabled for client computers.
    Can you help me with how to do that?
    Thank you very much! :)

  2. Thank you so much for your nice tutorial.

    Recently I setup a Reverse Proxy Server with Squid (server accelerator) and wrote a full detailed tutorial that you can find in:

    http://cosmolinux.no-ip.org/raconetlinux/html/17-squid.html

    where I explain how to configure Squid (version 3.x) as a reverse Proxy Server (server accelerator), providing examples about how to do it using two
    computers (one as a Proxy server and another as a Web Server) or just by using one single computer.

    I also describe how to format the Squid's logs and how to send the logs to a remote computer.
    Also, you can find an explanation of how to deny access to certain files and how to get correct logs in Apache Web Server.

    I hope it is useful to someone.

  3. Fantastic sharing I will share these guides to all of my staff thanks.
    Fenopy UK proxy

  4. Great article! Only one problem, Free Blacklists Suck!


    We specialize in serving intelligent network administrators high quality blacklists for effective, targeted web filtering.
    There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.

    It would be our pleasure to serve you,

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

  5. I read an article under the same title some time ago, but this article's quality is much, much better. How do you do this.. Microleaves
