How to install Squid Proxy Server on Ubuntu 20.04 LTS Linux


How do I install Squid Proxy Server on Ubuntu 20.04 LTS Linux server for web clients? How can I filter out internet traffic for LAN users such as blocking domains, unwanted URLs, office hours for Internet access, and more using Squid running on Ubuntu server?

Squid proxy server is a free and open-source, high-performance caching and forwarding HTTP web proxy. It is mostly used for speeding up a web server by caching repeated requests, and for caching DNS and web lookups for a shared network. It can also enforce a security policy that filters out unwanted traffic for web or office users. This page explains how to install, set up, and configure the Squid proxy server on Ubuntu 20.04 LTS Linux server.

Step 1 – Install Squid proxy server on Ubuntu

First, log in using the ssh command:
ssh user@server-ip-here
ssh vivek@server1.cyberciti.biz

Next, update your system using the apt command:
sudo apt update
sudo apt upgrade

We can look up the squid package as follows:
apt show squid
Outputs:

Package: squid
Version: 4.10-1ubuntu1
Priority: optional
Section: web
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Luigi Gangitano <luigi@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 8,792 kB
Provides: squid3
Pre-Depends: adduser
Depends: libc6 (>= 2.29), libcap2 (>= 1:2.10), libcom-err2 (>= 1.43.9), libdb5.3, libecap3 (>= 1.0.1), libexpat1 (>= 2.0.1), libgcc-s1 (>= 3.0), libgnutls30 (>= 3.6.6), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.10+dfsg~), libldap-2.4-2 (>= 2.4.7), libltdl7 (>= 2.4.6), libnetfilter-conntrack3 (>= 1.0.7), libnettle7, libpam0g (>= 0.99.7.1), libsasl2-2 (>= 2.1.27+dfsg), libstdc++6 (>= 9), libxml2 (>= 2.7.4), netbase, logrotate (>= 3.5.4-1), squid-common (>= 4.10-1ubuntu1), lsb-base, libdbi-perl, ssl-cert
Recommends: libcap2-bin, ca-certificates
Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
Homepage: http://www.squid-cache.org
Download-Size: 2,556 kB
APT-Sources: http://mirrors.linode.com/ubuntu focal/main amd64 Packages
Description: Full featured Web Proxy cache (HTTP proxy)
 Squid is a high-performance proxy caching server for web clients, supporting
 FTP, gopher, ICY and HTTP data objects.

Installing Squid 4

Now that the system software is up to date, it is time to install the Squid server. Enter:
sudo apt install squid

Step 2 – Configuring Squid server

Squid is configured in the /etc/squid/squid.conf file and in the /etc/squid/conf.d/ directory. Let us edit /etc/squid/squid.conf using a text editor. First, make a backup of the original file using the cp command so that we can go back if something goes wrong:
sudo cp -v /etc/squid/squid.conf{,.factory}
'/etc/squid/squid.conf' -> '/etc/squid/squid.conf.factory'

sudo nano /etc/squid/squid.conf
## OR ##
sudo vim /etc/squid/squid.conf

Change squid port and listening IP address

By default, squid listens on all IP addresses on all interfaces. The default port is TCP 3128. Find the line:
http_port 3128
Change it as follows, or as per your needs, so that squid listens only on the chosen address:
http_port 10.8.0.1:3128

Setting up ACL for ports

ACL stands for access control list, and we can use ACLs to deny or allow access as per our needs. For example, a time acl lets you set the time of day and the days of the week during which your users may browse. Don't like social media domains? We can block domains such as Facebook and others using the Squid proxy server. There are several different ACL types. Let us see some common examples.

Define SSL and safe ports that you would like to allow

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

Adapt to list your (internal) IP networks from where browsing should be allowed

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

Define your LAN acl as follows

acl mylan src 10.8.0.0/24

We can also define other domains that you wish to block
acl baddomain1 dstdomain www-bad-guys-domain-name-here

Allow or deny access

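Use the http_access directive to allow or deny HTTP clients, such as browsers, access to the HTTP port. It is the primary access control list. Squid checks the http_access rules from top to bottom, and the first rule that matches a request decides it: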

# Block access to all Unsafe ports i.e. only allow Safe_ports defined in acl above #
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block domains #
http_access deny baddomain1
# only allow cachemgr access from localhost #
http_access allow localhost manager
http_access deny manager
# Allow internet access to localhost and mylan sub/net #
http_access allow localhost
http_access allow mylan
# and finally deny all other access to this proxy server #
http_access deny all

Squid Proxy Server Change Outgoing IP Address

If your server has multiple IP addresses assigned, we can change the proxy server's outgoing IP address as follows:
tcp_outgoing_address 139.1.2.3

Set cache memory size as per your needs

cache_mem 256 MB

Force squid to hide client’s real IP address

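# Remove the X-Forwarded-For header instead of sending the client IP in it
forwarded_for delete
# Do not add a Via header to forwarded requests
via off
# Do not trust X-Forwarded-For headers sent by clients
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all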

Specify a list of DNS name servers to use

dns_nameservers 127.0.0.1 10.8.0.1

Squid has many more options. I covered only the basic ones here. See this page, where you will find all Squid configuration directives.

Verify that config options are valid

To parse and test the configuration file, enter:
sudo /usr/sbin/squid -k check
echo $?
sudo /usr/sbin/squid -k parse

See "21 Examples To Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors" for more info.

Step 3 - Start/stop/restart Squid

First, turn on the Squid service at boot time using the systemctl command:
sudo systemctl enable squid.service
The commands to control the service are as follows:

Start the Squid server

sudo systemctl start squid.service

Stop the Squid server

sudo systemctl stop squid.service
OR
sudo squid -k shutdown

Restart the Squid server

sudo systemctl restart squid.service

Find the Squid server status

sudo systemctl status squid.service

Reload the Squid after config changes gracefully

Whenever you make changes to the squid.conf, reload it as follows:
sudo squid -k reconfigure
OR
sudo systemctl reload squid.service

Step 4 - Block domains

Let us block twitter.com and facebook.com:

acl socialsite dstdomain .twitter.com
acl socialsite dstdomain .facebook.com
http_access deny socialsite

Step 5 - Block URLs using keywords

If a URL contains a keyword such as "foo" or "browse.php?u=", block it using the url_regex acl:

acl urlkeywordsblocks url_regex -i "/etc/squid/blocked-urls-keyword.conf"
http_access deny urlkeywordsblocks

Create a file named /etc/squid/blocked-urls-keyword.conf as follows:
sudo vim /etc/squid/blocked-urls-keyword.conf
Append the URLs/keywords. Each line is a regular expression, so escape characters such as . and ? when they must match literally:
foo
browse\.php\?u=

Step 6 - Block file extensions

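We can block unwanted file extensions using the squid proxy too:

acl blockedextensions urlpath_regex -i "/etc/squid/blocked-file-extensions.conf"
http_access deny blockedextensions

Append the following to /etc/squid/blocked-file-extensions.conf. Each line is a regular expression matched against the URL path, so escape the dot and anchor the extension to the end of the path:
\.exec$
\.mp4$
\.mp3$
\.zip$
\.pdf$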
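
Entries in the files used by url_regex and urlpath_regex are regular expressions, not literal strings. The following added example (not part of the original article) dry-runs such entries with grep -E -i as an approximation of Squid's case-insensitive extended regex matching, and shows how entries typed as plain text behave compared with escaped and anchored ones. The file names, sample URLs and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Dry-run Squid regex ACL entries with grep -E -i (POSIX extended regular
# expressions, case-insensitive) before putting them into an ACL file.

# would_block PATTERN_FILE TEXT -> prints "block" if any entry matches, else "pass"
would_block() {
    if printf '%s\n' "$2" | grep -E -i -q -f "$1"; then echo block; else echo pass; fi
}

# url_path URL -> the URL with scheme and host removed (what urlpath_regex tests)
url_path() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://[^/]*##'
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed pattern files: entries typed as plain text vs. written as regexes.
printf '%s\n' 'foo' 'browse.php?u='   > "$tmp/kw-plain"
printf '%s\n' 'foo' 'browse\.php\?u=' > "$tmp/kw-regex"
printf '%s\n' '.mp3' '.pdf'           > "$tmp/ext-plain"
printf '%s\n' '\.mp3$' '\.pdf$'       > "$tmp/ext-regex"

# Constructed sample URLs.
proxy_url='http://proxy.example/browse.php?u=http://blocked.example/'
manual_url='http://docs.example/xpdf-manual/index.html'
report_url='http://docs.example/files/report.PDF'

echo "kw-plain  vs proxy URL:   $(would_block "$tmp/kw-plain"  "$proxy_url")"
echo "kw-regex  vs proxy URL:   $(would_block "$tmp/kw-regex"  "$proxy_url")"
echo "ext-plain vs manual path: $(would_block "$tmp/ext-plain" "$(url_path "$manual_url")")"
echo "ext-regex vs manual path: $(would_block "$tmp/ext-regex" "$(url_path "$manual_url")")"
echo "ext-regex vs report path: $(would_block "$tmp/ext-regex" "$(url_path "$report_url")")"
```

The unescaped keyword entry misses the URL it was written for, and the unanchored .pdf entry blocks an HTML page whose path merely contains "xpdf".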

Step 7 - Allow internet access only between 9:00AM and 18:00 during weekdays

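Use this rule in place of the plain "http_access allow mylan" rule from Step 2:

acl official_hours time M T W H F 09:00-18:00
# Rules are checked top to bottom and the first match wins, so the allow
# rule must come before "deny all". mylan limits it to LAN clients.
http_access allow mylan official_hours
http_access deny all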
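
Squid evaluates http_access rules from top to bottom: the ACLs on one line are ANDed, and the first line that matches decides the request. The following added example (not part of the original article) is a small model of that evaluation, useful for checking rule order before reloading Squid; it shows why an allow rule placed after "http_access deny all" never takes effect. The decide function and the two rule sets are constructed for illustration and reuse the ACL names from this page.

```shell
#!/bin/sh
# Model of Squid http_access evaluation: the first rule whose ACLs all match decides.

# decide CONF "ACLS" -> prints "<action> <line number>" of the deciding rule.
# ACLS: space-separated names of the ACLs that are true for the request.
decide() {
    awk -v true_acls="$2" '
        BEGIN {
            n = split(true_acls, t, " ")
            for (i = 1; i <= n; i++) on[t[i]] = 1
            on["all"] = 1                    # built-in ACL, always matches
        }
        { sub(/#.*/, "") }                   # strip comments
        $1 != "http_access" { next }
        {
            last = $2; ok = 1
            for (i = 3; i <= NF; i++) {      # ACLs on one line are ANDed
                name = $i; want = 1
                if (substr(name, 1, 1) == "!") { name = substr(name, 2); want = 0 }
                if ((name in on) != want) { ok = 0; break }
            }
            if (ok) { print $2, NR; found = 1; exit }
        }
        END {                                # no rule matched: opposite of the last rule
            if (!found) { d = (last == "deny") ? "allow" : "deny"; print d, "default" }
        }
    ' "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed rule sets using the ACL names from this page.
cat > "$tmp/deny-first.conf" <<'EOF'
http_access deny !Safe_ports
http_access deny socialsite
http_access deny all
http_access allow mylan official_hours
EOF
cat > "$tmp/allow-first.conf" <<'EOF'
http_access deny !Safe_ports
http_access deny socialsite
http_access allow mylan official_hours
http_access deny all
EOF
in_hours="Safe_ports mylan official_hours"   # LAN client on a weekday at 10:00
echo "deny-first,  in hours:    $(decide "$tmp/deny-first.conf"  "$in_hours")"
echo "allow-first, in hours:    $(decide "$tmp/allow-first.conf" "$in_hours")"
echo "allow-first, after hours: $(decide "$tmp/allow-first.conf" "Safe_ports mylan")"
echo "allow-first, social site: $(decide "$tmp/allow-first.conf" "$in_hours socialsite")"
```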

Step 8 - Configure web browser

Connection settings to use a proxy can be set in Firefox Preferences as follows:

  • Click the menu button and select Preferences
  • In the General panel, scroll down to the Network Settings section.
  • Click Settings.... In the Connection Settings dialog that opens, set the proxy server address, such as 10.8.0.1, and port 3128.

Conclusion

That is all for now. You learned how to install, set up, and deploy Squid 4 server for internet access and filter unwanted traffic on Ubuntu Linux 20.04 LTS. See Squid server docs here for more info.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
