After combing through the docs and several how-tos on deploying the Squid proxy server – none of which really did everything I wanted, of course – I’ve finally gotten to the format below.
Installing Squid is easy-peasy – it’s in the standard package repos for the major platforms (CentOS/Fedora/RHEL, Ubuntu/Debian, etc) – so just run yum install squid or apt install squid on your platform of choice (my exact install command on Ubuntu 18.04 was apt -y install squid net-tools apache2-utils).
What I wanted was an “open” (password-protected) proxy server with disk-based caching enabled that would cover all of the ports I could reasonably expect to run into.
Why “open”? Because I want to be able to turn it on and off on various mobile devices which may (or may not) have stable-ish public IPs.
Here is the config as I have it deployed, minus sensitive/site-specific items (usernames, passwords, port, etc), of course:
A working /etc/squid/squid.conf
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/.htpasswd
auth_param basic children 15
# after "realm", put some descriptive, clever, or otherwise-identifying string that will appear when you login
auth_param basic realm Insert Incredibly Witty Title Here
auth_param basic credentialsttl 5 hours
acl password proxy_auth REQUIRED
http_access allow password
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
# commented-out to allow "open" use (ie password authenticated)
#http_access deny all
# Squid normally listens to port 3128
# change this line if you want it to listen on some other port
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# format is
cache_dir ufs /etc/squid/squid-cache 768 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
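Squid evaluates http_access lines top-down and the first matching line decides, so in the config above the http_access allow password line answers every authenticated request before the Safe_ports and CONNECT denies are reached; those two denies therefore only constrain clients that have not authenticated. The Python model below is an added example, not code from the original post, that walks the post's rule order and the stock-squid.conf order (denies first) over a constructed request; the Request type, the ACL lambdas and the rule tuples are this example's own simplification of Squid's ACL system.

```python
# Added example (not from the original post): a minimal model of how Squid
# evaluates http_access lines, used to check the ordering of the rules above.
# Squid walks the http_access lines top-down; the first line whose ACLs all
# match decides, and a request matching no line gets the opposite of the
# last line's action. Only the ACL types used in the post are modelled; the
# 407 challenge Squid sends when credentials are missing is not.
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    port: int
    authenticated: bool
    from_localhost: bool = False


# Port sets copied from the post's squid.conf acl lines.
SAFE_PORTS = {80, 21, 443, 280, 488, 777, 8080} | set(range(1025, 65536))
SSL_PORTS = {443, 8443}

ACLS = {
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "password": lambda r: r.authenticated,
    "localhost": lambda r: r.from_localhost,
    "manager": lambda r: False,  # cachemgr requests are not modelled here
}


def http_access(rules, req):
    """Return 'allow' or 'deny' for req under an ordered list of
    (action, [acl, ...]) rules; a leading '!' negates an ACL as in squid.conf."""
    for action, acls in rules:
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# The post's ordering: the password line comes before the port restrictions.
AS_POSTED = [
    ("allow", ["password"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localhost"]),
]

# Same lines with the denies first (the stock squid.conf order), so that the
# port and CONNECT restrictions also apply to authenticated users.
DENIES_FIRST = [AS_POSTED[1], AS_POSTED[2], AS_POSTED[0]] + AS_POSTED[3:]

if __name__ == "__main__":
    tunnel = Request("CONNECT", 25, authenticated=True)  # constructed request
    print(http_access(AS_POSTED, tunnel))     # allow: password matched first
    print(http_access(DENIES_FIRST, tunnel))  # deny: CONNECT !SSL_ports applies
```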
Finalize your Squid server system settings
Things you need to do once you do the above (prepend sudo to each command below if you’re not logged in as root):
- Enable Squid to start at boot:
systemctl enable squid
- Create the cache directories:
squid -z
- Create a DNS entry for your proxy host (if you want it usable outside your home network, and don’t want to reference it by IP address only)
- Create the authentication file (/etc/squid/.htpasswd in this example):
touch /etc/squid/.htpasswd
- Create a username and password (USERNAME is a placeholder for the account name you choose; -c creates the file, so omit it when adding further users or the existing entries are overwritten):
htpasswd -c /etc/squid/.htpasswd USERNAME
(don’t forget this username/password combination!)
- Start Squid:
systemctl start squid
Configure your browser to use your new proxy
Here’s where you need to go and what you need to change in Firefox:
- Navigate to about:preferences
- Click on Settings… under Network Proxy
- Enter your proxy host details:
To verify your proxy settings are correct, visit IPv4.cf with both the proxy off, and then again with it on.
If your reported IP address changes between visits (with the second check being your Squid server IP) – congratulations! You have successfully deployed a Squid proxy caching server.