HNDIT2402-15 Proxy Server

Proxy Server (Squid)

A proxy service provides management and control over Internet access. A proxy server, which can be a computer or
dedicated hardware device running proxy service software, acts as an intermediary between a user on the internal
network and a service on the external network (normally the Internet). The proxy server takes requests from a user
and then performs those requests on behalf of the user. To the external system, the request looks as if it originated
from the proxy server, not from the user on the internal network.

Figure: A proxy server in a typical network configuration.

There are a couple of excellent reasons to implement a proxy server:

• To perform NAT functions. A proxy server can process and execute commands on behalf of clients that have
private IP addresses. This enables an organization with only one registered IP address to provide Internet
access to a large number of computers. This process is known as IP proxy.

• To allow Internet access to be controlled. Having a centralized point of access allows for a great deal of
control over the use of the Internet. By using the functionality of a proxy server application or by using an
add-on feature, proxy servers can filter requests made by clients and either allow or disallow them. You can,
for example, implement uniform resource locator (URL) filtering, which allows or denies users access to
certain sites. More sophisticated products can also perform tests on retrieved material to see if it fits
acceptable criteria. Such measures are intended to prevent users from accessing inappropriate Internet web
pages. As an "after the event" feature, proxy server applications also normally provide logging capabilities so
that Internet usage can be monitored.

Although the most common function of a proxy server is to provide access to the Web for internal clients, that is not
its only function. A proxy server, by definition, can be used as an intermediary for anything, not just HTTP requests.
Other services can be supported by a proxy server, depending on the proxy server application being used and its
configuration. For example, you might configure a proxy server to service HTTP requests (TCP port 80), Post Office
Protocol 3 (POP3) email retrieval (TCP port 110), Simple Mail Transfer Protocol (SMTP) mail sending (TCP port 25),
and HTTPS requests (TCP port 443). With an understanding of what a proxy server is designed to do, you can look at
one additional feature built into proxy server functionality: caching.

An additional feature offered by many proxy server applications is caching; such a server is known as a caching proxy
server. Caching enables the proxy server to store pages that it retrieves as files on disk. Consequently, if the same
pages are requested again, they can be provided more quickly from the cache than if the proxy server had to
continue going back to the Web server from which the pages were originally retrieved. This approach has two
benefits:

• Significantly improves performance: Performance is improved particularly in environments such as
universities, schools and companies, where there is a great likelihood that more than one user will
retrieve the same page.

• Reduces demands on Internet connections: Because there are fewer requests to the Internet when a
caching proxy server is in use, there is a reduced demand on the Internet connection. In some cases, this
results in a general speed improvement. In extreme cases, it might even be possible to adopt a less
expensive Internet connectivity method because of the lower level of demand.

As with any technology, with caching proxy servers, there are issues to be considered. Sometimes a sizable amount
of hard disk space is required to store the cached pages. With the significant decline in the cost of hard disk space
over recent years, this is not likely to be much of a problem, but it still needs to be considered.

Another factor is that it's possible for pages held in the cache to become stale. As a result, a user might retrieve a
page and believe that it is the latest version when, in fact, it has since changed, but the new page has not been
updated in the proxy server cache. To prevent this problem, caching proxy servers can implement measures such as
aging of cached information so that it is removed from the cache after a certain amount of time. Some proxy
applications can also make sure that the page stored in the cache is the same as the page currently available on the
Internet. If the page in the cache is the same as the one on the Internet, it is served to the client from the cache. If
the page is not the same, the newer page is retrieved, cached, and supplied to the client.

The /etc/squid/squid.conf File

The main Squid configuration file is squid.conf, and, like most Linux applications, Squid must be restarted for
changes to the configuration file to take effect.

The Visible Host Name

Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname
parameter. Here, the hostname is set to the real name of the server linuxbox.ati.lk.

visible_hostname linuxbox.ati.lk

Access Control Lists

You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular
type of activity, such as an access time or a source network. The ACLs are then linked to an http_access statement
that tells Squid whether to deny or allow traffic that matches the ACL.

Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a
match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny
statement in the list that blocks a similar allow statement below it. The final http_access statement denies
everything, so it is best to place new http_access statements above it.

Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your
specific permit statements above this line. In the chapter's examples, I've suggested that you place your statements
at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above
that last line.

Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best
to put new customized entries right after this list to make the file easier to read.

Restricting Web Access by Time

You can create access control lists with time parameters. For example, you can allow only business hour access from
the home network, while always restricting access to host 192.168.1.23.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:


#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings

Restricting Access to specific Web sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we
create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.
# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.wow.com
illegal.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This
can be illustrated by expanding our previous example slightly.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
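The top-to-bottom, first-match evaluation described in the Access Control Lists section is easy to get wrong, so here is an added example (not from the handout and not Squid's own code): a small Python simulator of http_access evaluation for the ACL types the handout uses (src, time, dstdomain), loaded with the combined example above. The contents of the two site-list files are constructed stand-ins, and the request dictionary format is an assumption of this example.

```python
import ipaddress
DAY_CODES = "MTWHFAS"   # Squid day letters indexed by Python weekday(): Mon..Sun
# Constructed stand-ins for the two site-list files the handout creates.
FILES = {"/usr/local/etc/allowed-sites.squid": "www.openfree.org\nlinuxhomenetworking.com",
         "/usr/local/etc/restricted-sites.squid": "www.wow.com\nillegal.com"}

CONFIG = """# The handout's combined example plus its RestrictedHost rule
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
http_access deny RestrictedHost
http_access deny BadSites
http_access allow home_network business_hours GoodSites
"""

def parse_config(text, files=FILES):
    acls, rules = {}, []   # name -> (type, values); http_access lines in file order
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "acl":
            kind, values = parts[2], parts[3:]
            if kind == "dstdomain" and values[0].startswith('"'):
                values = files[values[0].strip('"')].split()   # quoted path: read list from file
            acls.setdefault(parts[1], (kind, []))[1].extend(values)
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":   # a listed domain also covers its subdomains
        return any(req["host"] == d or req["host"].endswith("." + d) for d in values)
    if kind == "time":        # tokens without ':' are day letters, the rest are h1:m1-h2:m2
        days = "".join(v for v in values if ":" not in v)
        return (not days or DAY_CODES[req["weekday"]] in days) and all(
            a.zfill(5) <= req["time"].zfill(5) <= b.zfill(5)   # zero-pad so "9:00" sorts right
            for a, b in (v.split("-") for v in values if ":" in v))
    raise ValueError("unsupported acl type: " + kind)

def http_access(config, req):
    """First http_access line whose ACLs all match (AND) decides; nothing below it is read.
    req: client 'src' IP, destination 'host', 'weekday' (0 = Monday) and 'time' as H:MM."""
    acls, rules = parse_config(config)
    for action, names in rules:
        if all(acl_matches(*acls[n], req) for n in names):
            return action
    return "deny"   # ran off the end: in a real squid.conf the final deny-all line catches this
```

Swapping the first deny line for `http_access deny home_network` shows the ordering pitfall the handout warns about: the broad deny above shadows the allow below it and every request from the home network is refused.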
Restricting Web Access by IP Address

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL
that defines a home network of 192.168.1.0.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
You also have to add a corresponding http_access statement that allows traffic that matches the ACL:
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network

Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid comes with a program called
ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes
installed with Apache to create your passwords. Here is how it's done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to
make sure that it's universally readable.
[root@linuxbox tmp]# touch /etc/squid/squid_passwd
[root@linuxbox tmp]# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at any time without having to
restart Squid. In this case, you add a username called www:
[root@linuxbox tmp]# htpasswd /etc/squid/squid_passwd www
New password:
Re-type new password:
Adding password for user www
[root@linuxbox tmp]#

3) Find your ncsa_auth file using the locate command.


[root@linuxbox tmp]# locate ncsa_auth
/usr/lib/squid/ncsa_auth
[root@linuxbox tmp]#

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case
ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA
auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the
ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important:
#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This example requires password authentication and allows access only during business hours. Once again, the
order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

Remember to restart Squid for the changes to take effect.

Making Your Squid Server Transparent To Users

It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on
your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between
the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is
the Squid server's default TCP port.

Squid Transparent Proxy Configuration

Your first step will be to modify your squid.conf to create a transparent proxy. The procedure is different depending
on your version of Squid.

Prior to version 2.6: In older versions of Squid, transparent proxy was achieved through the use of the httpd_accel
options which were originally developed for http acceleration. In these cases, the configuration syntax would be as
follows:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Version 2.6 and Beyond: Newer versions of Squid simply require you to add the word "transparent" to the default
"http_port 3128" statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will
also do so in transparent mode.
http_port 3128 transparent

Manually Configuring Web Browsers to Use Your Squid Server

If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP
Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use
the Squid server.

Squid Disk Usage

Squid uses the /var/spool/squid directory to store its cache files. High-usage Squid servers need a large amount of
disk space in the /var partition to get optimum performance.

Every webpage and image accessed via the Squid server is logged in the /var/log/squid/access.log file. This can get
quite large on high usage servers. Fortunately, the logrotate program automatically purges this file.
