How to set up Squid proxy on Ubuntu 18.04 / Ubuntu 16.04 / CentOS 7

(July 4, 2018)

Squid is a full-featured open source web proxy cache server that can be used on networks from SME to large enterprise scale to cache and proxy FTP, HTTP, DNS lookups, and other protocols. Squid can also cache and proxy SSL requests. In this guide, we will cover how to install and configure a Squid proxy server on Ubuntu 18.04 / Ubuntu 16.04 and CentOS 7.

For the basics of how proxy servers work, check our guide on What are proxy servers and Types of Proxy Servers. In summary, Squid has extensive, granular access control mechanisms, and you can monitor critical parameters using Simple Network Management Protocol (SNMP).

Installing Squid proxy on Ubuntu 18.04 / CentOS 7

The Squid proxy package is available from the Ubuntu repositories. It can be installed by running the command:

$ sudo apt-get install squid

For CentOS 7, run:

$ sudo yum install squid

After the installation of the package, you’ll need to do a basic configuration before you can use Squid Proxy server.

Configuring Squid Proxy Server

The simplest configuration of Squid is as a forward proxy server. In this case, it will receive all requests from your servers and forward them accordingly. To configure Squid, edit the directives contained in the /etc/squid/squid.conf file.

$ sudo vim /etc/squid/squid.conf

Step 1: Define ACL for your internal trusted network:

Add the ACL after the line acl CONNECT

acl lan src

Then allow access based on the ACL defined above by adding the following line after http_access allow localhost manager:

http_access allow lan

Step 2: Configure client header requests to match

This should be put under the section TAG: request_header_access

request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Referer deny all
request_header_access Cache-Control deny all

These rules strip the listed headers from outgoing requests. The Via and X-Forwarded-For fields indicate that a request was forwarded by a proxy. They can expose your real IP and leak the information that you are using a proxy.

To remove more headers that can expose you, instead add:

via off
forwarded_for off

request_header_access From deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Cache-Control deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access WWW-Authenticate deny all
request_header_access Proxy-Connection deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
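
Before restarting, the edited file can be checked for the mistakes Steps 1 and 2 are prone to: an ACL left without a network, an allow rule placed where it never matches, and proxy headers that are still sent. The script below is an added example, not part of the original guide or of Squid; the function name audit_squid_conf, the sample configuration and the 192.0.2.0/24 network are assumptions.

```python
import ipaddress

# Constructed sample; 192.0.2.0/24 is an assumed LAN (the page gives none).
SAMPLE_CONF = """\
acl lan src 192.0.2.0/24
http_access allow localhost manager
http_access allow lan
http_access deny all
via off
forwarded_for off
"""
BUILTIN = {"all", "manager", "localhost", "to_localhost"}  # predefined by Squid 3.2+ (assumed)

def audit_squid_conf(text):
    """Return findings for the ACL and proxy-header settings in squid.conf text."""
    acls, opts, denied, findings, closed = {}, {}, set(), [], False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[0] == "http_access":
            names = [n.lstrip("!") for n in tok[2:]]
            if tok[1] == "allow" and closed:  # first matching rule wins
                findings.append(f"unreachable after 'deny all': {' '.join(tok)}")
            findings += [f"undefined ACL '{n}'" for n in names
                         if n not in acls and n not in BUILTIN]
            closed = closed or (tok[1] == "deny" and names == ["all"])
        elif tok[0] == "request_header_access" and tok[2:] == ["deny", "all"]:
            denied.add(tok[1].lower())
        elif tok[0] in ("via", "forwarded_for"):
            opts[tok[0]] = tok[1]
    for name, (kind, values) in acls.items():
        if kind == "src" and not values:
            findings.append(f"ACL '{name}' has no source network")
        for v in values if kind == "src" else []:
            try:
                if ipaddress.ip_network(v, strict=False).prefixlen == 0:
                    findings.append(f"ACL '{name}' matches every client: {v}")
            except ValueError:
                pass  # address ranges and file references are not evaluated
    if opts.get("via") != "off" and "via" not in denied:
        findings.append("Via header still announces the proxy")
    if opts.get("forwarded_for") not in ("off", "delete") and "x-forwarded-for" not in denied:
        findings.append("X-Forwarded-For still carries the client address")
    return findings
```

To check a live configuration, pass the contents of /etc/squid/squid.conf to audit_squid_conf and review the returned list; an empty list means none of these checks fired.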

Restart the Squid proxy service after making the change:

$ sudo systemctl restart squid

Also, make sure the service is enabled to start on boot.

$ sudo systemctl enable squid

The default service port used by Squid is 3128. If you would like to change it, modify the following line in the configuration file and restart Squid:

http_port 3128

Then confirm that Squid is listening on the port:

# ss -tunelp | grep 3128
tcp   LISTEN  0       128                          *:3128               *:*      users:(("squid",pid=14580,fd=11)) ino:41513 sk:9 v6only:0 <->                  

Step 3: Configure Firewall Service

If a firewall service is running on Ubuntu or CentOS, open the port on the firewall.

On CentOS (firewalld):

$ sudo firewall-cmd --add-service=squid --permanent
$ sudo firewall-cmd --reload

On Ubuntu (ufw):

$ sudo ufw allow 3128/tcp

Configure Squid Client

Now that you have a proxy server ready, configure client systems to connect.

Example 1: Configure Proxy for HTTP, HTTPS & FTP

$ sudo vim /etc/profile

# Placeholder: replace with your Squid server's address and port
PROXY_URL="http://<squid-server-ip>:3128"
export http_proxy="$PROXY_URL"
export https_proxy="$PROXY_URL"
export ftp_proxy="$PROXY_URL"

For a web browser:

Firefox: Navigate to Settings > Preferences > Network Proxy > Settings > Manual proxy configuration

Tick "Use this proxy server for all protocols".