How to Install Squid Proxy on Ubuntu 22.04

Build your own caching solution for your local network with Squid and Ubuntu server. Implementing Squid as caching solutions will save your bandwidth and speed up client connections.

Squid proxy is feature-rich caching solution for HTTP, HTTPS, FTP, and transparent proxy. It also provides proxy authentication and ACLs (Access Control Lists).

In this guide. you’re going to learn how to install Squid proxy on the Ubuntu 22.04 server. You will set up HTTPS Squid proxy via ssl_bump and enable Squid authentication via the basic_ncsa_auth module.

Prerequisites

Ensure you’ve gathered the following for this guide:

• An Ubuntu 22.04 server.
  See more: 15 Steps to Install Ubuntu Server 22.04 LTS
• A non-root user with sudo or root privileges.
• A client machine – Windows/Linux/MacOS.

Installing Squid on Ubuntu

Squid is a web proxy cache for minimizing bandwidth speeding up your network speed. It is available for Unix and Linux operating systems, you can install Squid via package manager.

To install Squid on Ubuntu, carry out these steps:

1. To get started, run the apt command below to update the Ubuntu repository and get the latest package index.

sudo apt update

2. Install squid-openssl using the following command. Input Y to proceed with the installation. The squid-openssl package supports ssl-bump feature for creating HTTPS proxy.

sudo apt install squid-openssl squidclient

3. After you’ve installed squid, the squid service will start and be enabled automatically on your server.

Run the following command to check the squid service status.

sudo systemctl is-enabled squid
sudo systemctl status squid

When squid is running, you will see the output active (running). The output enabled confirms squid will start automatically on system boot.

4. Lastly, verify the details of Squid version using the command below.

squid -v

Ensure the build parameter --with-openssl and --enable-ssl-crtd is available. Those two parameters allows you create HTTPS Proxy with Squid.

Squid Configuration Files and Directory

Before configuring squid, familiarize yourself with the squid configuration files and directories below:

• squid.service: This service file for squid is located in the /usr/lib/systemd/system/ directory.
• /etc/squid: Configuration directory where squid.conf – main squid configuration is stored.
• /var/spool/squid: The default cache directory for squid.
• /var/log/squid: The log directory for squid. Check the access.log to debug squid and cache.log to get detailed squid cache information.

Generating Self-Signed SSL/TLS Certificates

In this section, you will generate new self-signed SSL/TLS certificates for creating a squid HTTPS proxy on your Ubuntu server.

Perform these actions to generate Self-Signed SSL/TLS certificates:

1. Execute the following command to create a new directory /etc/squid/cert/ and move into it.

mkdir -p /etc/squid/cert; cd /etc/squid/cert/

2. Generate Self-Signed TLS certificates using the openssl command below. You will generate two keys squid-ca.key and squid-ca.crt.

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca.key -out squid-ca.crt

3. Now, run the command below to convert the squid-ca.crt to .PEM format squid-ca.pem. The certificate file squid-ca.pem will be used by the client browser.

openssl x509 -in squid-ca.crt -outform PEM -out squid-ca.pem

4. Next, run the command below to generate the DHPARAM certificate squid-ca-dhparam.pem.

openssl dhparam -outform PEM -out squid-ca-dhparam.pem 2048

5. After that, change the ownership of the /etc/squid/cert directory to the user proxy.

sudo chown -R proxy /etc/squid/cert

6. Lastly, run the following command to initialize the certificate database for squid.

sudo -u proxy /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

Configuring Squid HTTPS Proxy on Ubuntu

Now that you’ve installed Squid and generated SSL/TLS certificates, you’re ready to create an HTTPS proxy server with Squid. The squid HTTPS proxy server will be able to cache both HTTP and HTTPS requests from the client.

To configure Squid as a HTTPS proxy, execute these steps:

1. First, backup the squid configuration to /etc/squid/squid.conf.orig and open the file /etc/squid/squid.conf using vim.

cp /etc/squid/squid.conf /etc/squid/squid.conf.orig
sudo vim /etc/squid/squid.conf

2. Find the http_port line, and input your internal IP address and the port for squid.

In this case, squid will be run at 192.168.5.30 with default port 3128 and enable the ssl_bump feature to set up HTTPS proxy.

# Squid normally listens to port 3128
http_port 192.168.5.30:3128 ssl-bump generate-host-certificates=on tls-cert=/etc/squid/cert/squid-ca.crt tls-key=/etc/squid/cert/squid-ca.key tls-dh=/etc/squid/cert/squid-ca-dhparam.pem

3. Insert the following configuration to enable bumping for intercepting HTTPS connections.

# New with peek and bump
# enable ssl_bump
acl step1 at_step SslBump1                       
ssl_bump peek step1                       
ssl_bump bump all

# setup sslcrtd_program
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5

ssl_bump server-first all
sslproxy_cert_error allow all

Alternative to that, you can use below configuration:

# setup sslcrtd_program
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5

# enable ssl_bump
ssl_bump server-first all
ssl_bump stare all

4. Next, uncomment the cache_dir option to enable squid cache via disk. Tune up the default configuration with the following:

cache_dir ufs /var/spool/squid 3000 16 256 max-size=200000000

Save the file and exit the editor when finished.

Below are the detailed options of squid cache_dir:

• ufs: This is the default storage format for squid.
• /var/spool/squid: Target directory where squid cache will be stored.
• 3000: Set up the total cache size max to 3000MB or 3GB.
• 16: The default first level of sub-directories for squid cache is 16.
• 256: The second level of sub-directories for squid cache will be 256.
• max-size: Set up the max cached file size will be 200000000 bytes or 20GB.

5. Next, run the vim command below to create a new ACL (Access Control Lists) configuration for your local network.

sudo vim /etc/squid/conf.d/acl.conf

Add the following configuration and be sure to change the details of the subnet with your local network subnet.

# Create ACL mynet with network 192.168.5.0/24
acl mynet src 192.168.5.0/24

# Create ACL kids_net with network 172.8.1.0/24
acl kids_net src 172.8.1.0/24

# Create ACL kids_hours type time
# Mondat-Saturday on clock 12:00-20:00
acl kids_hours time M T W T F A 12:00-20:00

# Allow mynet to access squid
http_access allow mynet

# Allow kids_net to access squid
# on kids_hours only
http_access allow kids_net kids_hours

When finished, save the file and exit the editor.

In this example, you will create three ACLs:

• mynet with default source network 192.168.5.0/24.
• kids_net with the source network 172.8.1.0/24.
• kids_hours is the ACL type time, which specifies days Monday-Saturday and hours 12:00-20:00.

Then, you will allow access to squid via the http_access allow parameter:

• Allow mynet to access the squid proxy.
• Allow kids_net to access squid proxy only within the kids_hours, which is Moday-Saturday on hours 12:00-20:00.

6. Now run the squid command below to verify squid configurations.

squid -k check && squid -k parse

Ensure you’ve no syntax error and the acl.conf file is loaded by squid.

7. Lastly, run the following systemctl command to restart squid and take the effects of your changes.

sudo systemctl restart squid

Adding Authentication to Squid

After configuring the squid HTTPS proxy, you will configure squid authentication via the squid basic_ncsa_auth module.

To set up squid authentication, complete these tasks:

1. First, generate the password file /etc/squid/htpasswd using the following command. Be sure to change the user geekandnix and the password secretpass.

printf "geekandnix:$(openssl passwd -apr1 secretpass)\n" | sudo tee -a /etc/squid/htpasswd

2. Open the custom ACL configuration /etc/squid/conf.d/acl.conf using vim.

sudo vim /etc/squid/conf.d/acl.conf

3. Put the following configuration in before the parameter http_access allow mynet.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Create ACL mynet with network 192.168.5.0/24
acl mynet src 192.168.5.0/24

...

http_access allow authenticated

# Allow mynet to access squid
http_access allow mynet

Save the file and exit the editor when you’re done.

4. Now, run the command below to verify the squid configuration. Ensure the new configuration is loaded.

squid -k check && squid -k parse

5. Lastly, restart the squid service using the following command to apply your changes.

sudo systemctl restart squid

Configuring UFW (Uncomplicated Firewall)

Now that you’ve configured the squid HTTPS proxy and enabled the authentication, you can proceed to configure UFW (Uncomplicated Firewall) and allow traffic to squid port 3128.

See more: Master the UFW Firewall on Ubuntu: 17 Practical Examples

1. Execute the ufw command below to open squid http port 3128. Change the following subnet with your local networks.

sudo ufw allow from 192.168.5.0/24 to any port 3128
sudo ufw allow from 172.8.1.0/16 to any port 3128

2. Then, verify UFW using the following command.

sudo ufw status

Connecting to Squid from Client Machine

At this point, you have completed the squid proxy installation, it’s time to verify squid from the client machine. In this example, we’ll be using a Windows client machine with the Mozilla Firefox browser.

Complete these actions to connect to the squid HTTPS proxy server:

1. First, you must copy the certificate file squid-ca.pem from the squid server to your client machine. use the following scp command to achieve that.

scp [email protected]:/etc/squid/cert/squid-ca.pem .

2. Open your web browser and import the squid-ca.pem certificate file. Below is an example for a Firefox user.

• Click Settings > Privacy & Security.
• On the Security > Certificates > View Certificates.
• Click Import, then check the option Trust this CA to identify websites and click OK to confirm.

3. Now, install FoxyProxy extension via https://addons.mozilla.org/. Then, create a new proxy with the configuration like this:

Be sure to change the Proxy Type as HTTP, then input the IP address and user password for the squid proxy server.

4. Once you’ve activated the proxy, visit any sites with HTTPS protocol, such as https://geekandnix.com/. Then, click on the lock HTTPS icon to get information about the current SSL certificates.

Click View Certificates.

5. If your installation is successful, you should get the certificate of squid proxy, instead of certificate for geekandnix.com.

Managing Squid Service

This section shows you how to manage the squid service via the systemd systemctl utility.

1. To start squid, run the following systemctl command.

sudo systemctl start squid

2. Now, if you want to stop squid, use the command below.

sudo systemctl stop squid

3. After making changes to squid, apply your changes by executing the following.

sudo systemctl restart squid

4. Next, verify the squid service status using the command below.

If squid is running, you will see an output active (running). Also, you will see the output enabled, which confirms that squid will start automatically at boot.

sudo systemctl status squid

5. Lastly, if the squid service is disabled, run the command below to enable it.

sudo systemctl enable squid

How do I Know if Squid Proxy is Working?

To verify if Squid is working, do these actions:

Simple Check via tail command

To check if the squid working or not, you must check the squid log file /var/log/squid/access.log using the tail command below.

sudo tail -f /var/log/squid/access.log

You will see the squid log files, below is an example:

The TCP_INM_HIT/304 means that squid caches the request with the status 304 modified.

Generating Squid Report via Calamaris

1. First, run the apt command below to install the calamaris package.

sudo apt install calamaris

2. Now run the command below to generate report from Squid access log /var/log/squid/access.log.

cat /var/log/squid/access.log | calamaris

Within the Cache statistics section, you can see how much HIT rate and Bandwidth savings by Squid.

Basic Debugging Squid Proxy

When an error occurs on squid, take these actions to debug your squid proxy installation:

1. First, ensure that the squid service is running by executing the command below.

sudo systemctl status squid

2. If squid is running and you still can’t access it, check squid port 3128 to ensure that port 3128 is not blocked by the firewall.

nc -zv 192.168.5.30 3128

3. Lastly, be sure to check the squid error log /var/log/squid/error.log using the tail command below.

sudo tail -f /var/log/squid/error.log

Uninstalling/Removing Squid

1. Before uninstalling squid, stop and disable the service using the following command.

sudo systemctl disable --now squid

2. Now, remove the squid package using the apt command below.

sudo apt purge squid

3. Lastly, remove squid configuration files and directory using the following command.

sudo rm -rf /var/spool/squid /etc/squid

Conclusion

Congratulations! You’ve installed Squid and configured HTTPS Proxy on the Ubuntu 22.04 server. You’ve also enabled Squid authentication and secured Squid with UFW (Uncomplicated Firewall).

Moreover, you’ve also learned how to connect to the Squid HTTPS proxy from the client machine using FoxyProxy browser add-ons.

At this stage, you may also configure Squid as Transparent Proxy or “forced proxy” for your clients.

Read Also:

How to Install OpenVPN Server on Ubuntu 22.04

ArvidL

How to Install and Use Samba on Ubuntu 22.04

ArvidL