Author: Hussam Al-Tayeb
The following tutorial illustrates how to install and run a Squid proxy server.
First, a little background on Squid: it is a fully-featured HTTP/1.0 proxy which is almost (work in progress) HTTP/1.1 compliant. Squid offers a rich access control, authorization and logging environment for developing web proxy and content serving applications.
You will need the following programs installed: 'openssl', 'pam', 'perl' and a 'cron' daemon (preferably dcron). A recent gcc version is also needed.
Installing Squid:
First you need to download the Squid source tarball, squid-2.6.STABLE14.tar.bz2.
Open a terminal window and cd to the folder where you downloaded the file, then run:
tar -jxvf squid-2.6.STABLE14.tar.bz2 && cd squid-2.6.STABLE14
The next step is to run the configure script.
./configure --prefix=/usr --datadir=/usr/share/squid \
--sysconfdir=/etc/squid --libexecdir=/usr/lib/squid \
--localstatedir=/var --enable-auth="basic,digest,ntlm" \
--enable-removal-policies="lru,heap" \
--enable-digest-auth-helpers="password" \
--enable-storeio="aufs,ufs,diskd,coss,null" \
--enable-basic-auth-helpers="getpwnam,YP,NCSA,SMB,MSNT,PAM,multi-domain-NTLM" \
--enable-external-acl-helpers="ip_user,unix_group,wbinfo_group" \
--enable-ntlm-auth-helpers="SMB,fakeauth,no_check" \
--enable-delay-pools --enable-arp-acl --enable-ssl \
--enable-linux-netfilter --enable-ident-lookups \
--enable-useragent-log --enable-cache-digests --enable-referer-log \
--enable-async-io --enable-truncate --enable-arp-acl \
--enable-htcp --enable-carp --enable-poll --with-maxfd=4096
Then run 'make' and hope for the best.
After it is done compiling, type 'su', enter your root password and run 'make install'.
Configuring Squid:
I have an incoming Internet connection through ppp0 and I am connected to the other computers on my network through the interface eth0. My IP on eth0 is 10.0.2.1 and the addresses of the clients range from 10.0.2.2 to 10.0.2.254.
Open a terminal and type su. Then type vi /etc/squid/squid.conf and add the following. Note that lines starting with # or ## are comments to help you understand the syntax of the file.
http_port 10.0.2.1:3128
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
## This is the maximum size of a single file that the cache can hold.
## You may change this
maximum_object_size 100096 KB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
## This is where squid's cache will be placed. You may change its location and size.
cache_dir ufs /var/cache/squid 1000 16 256
## location of log file.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
## my_network is the codename for my network, you may change this to anything you want
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl my_network src 10.0.2.0-10.0.2.254
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow my own network, then deny all other access to this proxy
http_access allow my_network
http_access deny all
http_reply_access allow all
#Allow ICP queries from everyone
icp_access allow all
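To see how Squid walks the http_access lines above (the first line whose ACLs all match decides, ACLs on one line are ANDed, a leading "!" negates, and a request matching no line gets the opposite of the last line's action), here is an added Python model of these ACLs. It is not Squid's own code; the names ACLS, RULES and http_access, and the request fields src/method/port/proto, are my own assumptions.

```python
import ipaddress

def _range(spec, parse):
    """'low-high' or a single value -> (low, high), converted by parse()."""
    lo, _, hi = spec.partition("-")
    return parse(lo), parse(hi or lo)

def _src_range(spec):
    """Squid src spec: 'addr/mask' or 'low-high' -> (low, high) as ints."""
    if "-" in spec:
        return _range(spec, lambda s: int(ipaddress.ip_address(s)))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

# The acl lines from the squid.conf above, modelled as (type, values).
ACLS = {
    "all":        ("src", [_src_range("0.0.0.0/0.0.0.0")]),
    "manager":    ("proto", ["cache_object"]),
    "localhost":  ("src", [_src_range("127.0.0.1/255.255.255.255")]),
    "SSL_ports":  ("port", [_range("443", int)]),
    "Safe_ports": ("port", [_range(p, int) for p in
                   "80 21 443 70 210 1025-65535 280 488 591 777".split()]),
    "CONNECT":    ("method", ["CONNECT"]),
    "my_network": ("src", [_src_range("10.0.2.0-10.0.2.254")]),
}
# The http_access lines in file order: (action, [acl terms, '!' negates]).
RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["my_network"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind in ("src", "port"):
        v = int(ipaddress.ip_address(req["src"])) if kind == "src" else req["port"]
        return any(lo <= v <= hi for lo, hi in values)
    return req[kind] in values          # 'method' and 'proto' are exact matches

def http_access(src, method="GET", port=80, proto="http"):
    """Walk the http_access lines in order; the first fully matching line decides."""
    req = {"src": src, "method": method, "port": port, "proto": proto}
    for action, terms in RULES:
        # A '!' term must NOT match, a plain term must match; terms are ANDed.
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # Squid's documented default when nothing matches: opposite of the last line.
    return "deny" if RULES[-1][0] == "allow" else "allow"
```

Note that 10.0.2.255 is denied because the my_network range stops at .254, while a CONNECT to port 8080 from an allowed client is rejected by the "deny CONNECT !SSL_ports" line before "allow my_network" is ever reached.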
Starting Squid:
As root, run:
/usr/sbin/squid -z
This will create the initial cache directory.
You can start the server by running
/usr/sbin/squid -D
Your clients can now connect to your proxy server if they are using IP addresses from 10.0.2.2 to 10.0.2.254. They should set 10.0.2.1 as proxy and 3128 as port in their Internet programs.
The final step is to secure your server with a firewall (adjust the rules below if you are running other services).
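Once clients are connecting, the access.log written in the native "squid" format configured above is where you verify that only the intended clients reach the proxy and see what the ACLs are rejecting. The following is an added Python example, not part of the original tutorial: the log lines are constructed, and MY_NETWORK, parse_line and review are my own names.

```python
import ipaddress
from collections import Counter

# Clients the squid.conf above intends to serve (the my_network acl).
MY_NETWORK = ipaddress.ip_network("10.0.2.0/24")

# Field order of Squid's native ("squid") access_log format.
FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "type")

def parse_line(line):
    """Split one native-format line into a dict; None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], _, rec["status"] = rec["result"].partition("/")
    return rec

def review(lines):
    """Summarise what to look for: denials, unexpected clients, odd CONNECTs."""
    denied = Counter()          # denied requests per client
    outside = set()             # clients outside my_network that reached Squid
    connect_non_ssl = []        # CONNECT to a port other than 443 (the acl blocks it)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["client"]) not in MY_NETWORK:
            outside.add(rec["client"])
        if rec["code"] == "TCP_DENIED":
            denied[rec["client"]] += 1
        if rec["method"] == "CONNECT" and not rec["url"].endswith(":443"):
            connect_non_ssl.append((rec["client"], rec["url"]))
    return {"denied": dict(denied), "outside": sorted(outside),
            "connect_non_ssl": connect_non_ssl}

# Constructed sample lines in the native format (not from a real server).
SAMPLE_LOG = """\
1189000001.123    210 10.0.2.5 TCP_MISS/200 4521 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1189000002.456      0 10.0.2.5 TCP_DENIED/403 1450 CONNECT mail.example.net:25 - NONE/- text/html
1189000003.789    130 10.0.2.7 TCP_MISS/200 812 CONNECT www.example.org:443 - DIRECT/192.0.2.20 -
1189000004.012      0 192.168.1.9 TCP_DENIED/403 1450 GET http://example.com/ - NONE/- text/html
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A client outside 10.0.2.0/24 appearing in the log at all means the firewall rules further down were not loaded or not matching, even though the Squid ACL still denied the request.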
Run vi /etc/iptables/iptables.rules and insert the following lines:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-N SCANDROP
-A SCANDROP -m limit --limit 4/minute -j LOG --log-prefix scan
-A SCANDROP -j DROP
-N LOGDROP
-A LOGDROP -m limit --limit 4/minute -j LOG
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -i eth0 -p tcp -s 10.0.2.0/24 -d 10.0.2.1 --destination-port 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -i ppp0 -s 127.0.0.1 -j LOGDROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j SCANDROP
-A INPUT -i ppp0 -p udp --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j LOGDROP
-A INPUT -j LOGDROP
COMMIT
Note that we are closing everything on eth0 except connections from 10.0.2.0/24 to port 3128. This means clients can't even ping the server. You may add other lines if your server offers other services.
To start your firewall, run the following as root:
/usr/sbin/iptables-restore /etc/iptables/iptables.rules
That's it. You should now have a running proxy server!