Linux Proxy Server

Block, Modify Content, Anonymize and Authenticate Users Using Linux Proxy Server

A Linux proxy server, or a proxy server in general, is a server that caches content from the internet. Clients send their requests to the proxy; the proxy connects to the internet or to another caching server, returns the page, and keeps a copy of it so that later requests for the same page can be served from the cache instead of being fetched again.

A proxy server has several advantages. Returning cached data to clients speeds up web browsing and reduces external traffic, which means lower cost.

One study has shown that running a caching server can reduce external bandwidth requirements by up to 45%.

Another main advantage: since all web traffic passes through the proxy server, you can configure access control there, such as restrictions by user account, website URL, IP address or DNS name.

If you have ever surfed the web through an anonymous proxy, that was exactly this kind of proxy server: it connects to the website on your behalf.

There are a lot of Linux proxy server implementations available on the web like:

Squid, Polipo, Varnish, TinyProxy, Lusca, ExaProxy, Gate.js and Artica Proxy

In this post, we will discuss the most common Linux proxy server which is Squid.


Install squid

Installing the squid proxy server is very simple. If you are using a Red Hat based distro, you can install it like this:

$ dnf -y install squid

Or if you are using Debian based distro you can install it like this:

$ apt-get -y install squid

Now you can start the squid service and enable it at startup:

The main configuration file for the squid proxy server is /etc/squid/squid.conf.

Before we dig into the configuration, let’s test the proxy server.

Just change the proxy setting in your browser to the IP address of the proxy and port 3128, which is the squid default port. You can change the default port with the http_port option in the configuration file.

[Image: Linux proxy server, browser proxy settings on the client]

As shown in the image, I've pointed my browser to my Linux proxy server and I can browse the web without any problems.

If you are using the iptables firewall, don't forget to open the squid server port. I recommend that you review the Linux iptables firewall post.

Allow IP Address Range

If you open the configuration file /etc/squid/squid.conf you will see the rules that allow IP addresses to connect, like this:

acl localnet src 192.168.0.0/16

However, you can add a new ACL entry to allow another range of IP addresses to connect to your proxy server (the prefix length must match the network address; squid warns when host bits are set, so a /24 is used here for the 212.80.113.0 network):

acl localnet src 212.80.113.0/24

Then save the file and restart squid service:

$ systemctl restart squid

Very easy, right?

Likewise, if you remove an ACL from the file, the IP addresses in that range will no longer be able to connect to the proxy server.

Allow Specific Ports

You can find all the ports that are allowed in the configuration file, in rules like this:

acl Safe_ports port 80

Consider adding a Safe_ports ACL rule for any port your clients need.

You can add a port range instead of writing a rule for every port, like this:

acl Safe_ports port 6000-7000

Don’t forget to restart the squid proxy server after the modification:

$ systemctl restart squid

Authenticating Users

You can force your users to authenticate before they use your Linux proxy server, using basic authentication like the one you see when using a Linux web server.

I recommend that you review the web server post to learn how to install and configure the Apache web server.

First, we create a file that will store the users:

$ touch /etc/squid/passwd

Then change the ownership to the squid daemon user so it can access the file:

$ chown squid /etc/squid/passwd

Now we will create a new user using the htpasswd command:

$ htpasswd /etc/squid/passwd likegeeks

It will prompt you for the password twice.

If you open the file we’ve created, you will see the user and the hashed password.

Then we change the squid configuration to tell it which authentication method it should use.

Add the following lines after the port ACLs, and nowhere else, to enable authentication:

Then restart the squid service and try to open the browser again.

$ systemctl restart squid

[Image: Linux proxy server authentication prompt in the browser]

As you can see, if you try to connect to the Linux proxy server, it will prompt you for the username and the password.

Block Websites

You can block websites for the proxy users: create a separate file that holds the list of domains you want to block and point to that file from the squid configuration, like this:

$ touch /etc/squid/blocked

Then type all websites you want to block one per line in that file and save it.

Now change the squid configuration to block those websites, in the acl list and the http_access list.

Then restart squid service:

$ systemctl restart squid

There are many ready-to-use, categorized block lists on the web that you can use with squid, like the MESD blacklists and Shalla's Blacklists.
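The configuration lines that the authentication and block-list steps above refer to, as an added example that is not code from the original post. It assumes RHEL/Fedora paths and the squid daemon user "squid" (on Debian/Ubuntu the NCSA helper lives in /usr/lib/squid/ and the daemon user is "proxy"); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the squid.conf lines for
# basic authentication and for the block list, plus a safer way to create the
# password file. Assumption: RHEL/Fedora helper path and "squid" daemon user.
HELPER="${SQUID_NCSA_HELPER:-/usr/lib64/squid/basic_ncsa_auth}"

# The password file holds password hashes, so make it readable by the squid
# group only, instead of the world-readable file that a plain "touch" creates.
create_passwd_file() {   # usage: create_passwd_file /etc/squid/passwd
    touch "$1" && chown root:squid "$1" && chmod 640 "$1"
}

# Print the authentication block. Put it above "http_access deny all":
# Squid evaluates http_access rules in order and stops at the first match.
auth_config() {          # usage: auth_config /etc/squid/passwd
    cat <<EOF
auth_param basic program $HELPER $1
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
EOF
}

# Print the block-list rules. The deny must come before "http_access allow
# localnet", otherwise local clients are allowed first. In the list file,
# write ".example.com" (leading dot) to cover the domain and all subdomains.
blocklist_config() {     # usage: blocklist_config /etc/squid/blocked
    cat <<EOF
acl blocked_sites dstdomain "$1"
http_access deny blocked_sites
EOF
}

# Talk to the helper the way Squid does: it reads "user password" on stdin
# and answers OK or ERR. Handy when every request comes back as 407.
check_credentials() {    # usage: check_credentials /etc/squid/passwd user pass
    printf '%s %s\n' "$2" "$3" | "$HELPER" "$1" | grep -q '^OK'
}

# After adding the output of auth_config and blocklist_config to squid.conf:
#   squid -k parse && systemctl restart squid
```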

Modify Content

Since the Linux proxy server is between the browser and the internet, this is a very good position to alter the delivered content.

You can change images, ads or whatever you like. This can be done using the url_rewrite_program directive.

Actually, you can do more than that, but we don’t want to be evil.

In our example, we will flip the images and surf the flipped images instead of the original.

First, we need to install ImageMagick:

$ dnf -y install ImageMagick

Then we will write the script that does the magic. The script will be written in Perl.

This Perl script searches the delivered content for JPG, GIF and PNG images. When it finds one, it uses the mogrify utility that ships with ImageMagick to flip the image, stores the flipped image in /var/www/html/ (the document root of the Apache server, which must be running, of course), and then sends the flipped image as the response.

Just make sure squid has write access to that folder:

$ usermod -aG www-data squid

Finally, you have to tell squid about this script. Open the configuration file and type the following:

url_rewrite_program /home/likegeeks/flip.pl

Then restart your squid service:

$ systemctl restart squid

The web has a lot of Perl scripts that play with content; some of them are good, and others are evil.

Anonymous Browsing

By default, the squid proxy server forwards the client IP address to the requested site in the X-Forwarded-For header. If you want your users to surf anonymously, the proxy should present its own IP address instead of the clients' IPs.

To do that, set the forwarded_for option to off in /etc/squid/squid.conf:

forwarded_for off

And add the following options at the end of the configuration file:

Then restart the service:

$ systemctl restart squid

If you check your public IP address, you will notice that it is now the squid proxy server's IP.

Connecting Squid Servers

The cache_peer directive defines your neighbor caches and tells Squid how to communicate with them.

It is written like this:

cache_peer hostname type http-port icp-port [options]

The first argument is the other squid hostname or IP address.

The second argument specifies the type of the other squid cache: parent, sibling, or multicast.

The third argument is the other squid's HTTP port number. It should correspond to the http_port setting on that server.

The fourth argument specifies the ICP (Internet Cache Protocol) port. Squid uses ICP to query other caches. The default ICP port is 3130.

The cache_peer has some options you can use like:

proxy-only: This option tells Squid not to store any responses it receives from the other squid server.

no-delay: This option tells Squid to ignore any delay pools settings for requests to the other squid server.

login=credentials: This option instructs Squid to send HTTP authentication credentials to the other squid server. You write it in the form login=user:password.

connect-timeout: This option specifies how long Squid should wait when establishing a TCP connection to the other squid server.

Write your options, save the configuration file and restart the service.

Squid Log Files

Log files are your main source for diagnosing problems and for following the various squid operations.

The three primary files are cache.log, access.log, and store.log. You can find them in /var/log/squid directory.

The cache.log file contains informational messages about Squid’s operation.

The access.log file contains an entry for every HTTP request made by the clients.

The store.log file contains low-level information about objects that enter and leave the cache.

Each entry in those files is written with a timestamp of when the message was generated.

Major errors and abnormal conditions are likely to be reported in cache.log.
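Since access.log records the result code of every request, it is also where access-control problems show up. The following added example (not from the original post) summarises denied requests from access.log in Squid's native log format; the log lines are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: pull the access-control signal
# out of access.log in Squid's native format. Fields: timestamp, elapsed ms,
# client IP, result/status, bytes, method, URL, user (or "-"), hierarchy, type.
# The log lines below are constructed for the example, not a real capture.
SAMPLE_LOG=$(cat <<'EOF'
1700000000.101    312 192.168.1.20 TCP_MISS/200 5234 GET http://example.com/ likegeeks HIER_DIRECT/203.0.113.10 text/html
1700000000.205      2 192.168.1.20 TCP_DENIED/407 3500 GET http://example.org/ - HIER_NONE/- text/html
1700000000.310      1 192.168.1.35 TCP_DENIED/403 3600 GET http://ads.example.net/banner.gif bob HIER_NONE/- text/html
1700000000.420      1 192.168.1.35 TCP_DENIED/403 3600 GET http://ads.example.net/track.js bob HIER_NONE/- text/html
1700000000.530     90 192.168.1.35 TCP_HIT/200 812 GET http://example.com/logo.png bob NONE/- image/png
1700000001.640      1 10.0.0.7 TCP_DENIED/407 3500 CONNECT mail.example.com:443 - HIER_NONE/- -
EOF
)

# Denied requests per client: a client that keeps getting 407 has missing or
# wrong credentials; many 403s mean it keeps hitting the block list.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Split the denials by HTTP status (the part after the slash in field 4).
denied_by_status() {
    awk '$4 ~ /^TCP_DENIED/ { split($4, s, "/"); n[s[2]]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Destination hosts of denied requests. Field 7 is a URL for GET/POST but
# "host:port" for CONNECT, so strip the scheme, then everything from the
# first "/" or ":" onwards.
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED/ { h = $7; sub("^[a-z]+://", "", h); sub("[/:].*$", "", h); n[h]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Run on the constructed sample; for the real log use, for example:
#   denied_by_client < /var/log/squid/access.log
printf '%s\n' "$SAMPLE_LOG" | denied_by_client
```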

I hope you find that working with a Linux proxy server is easy.

Thank you.

  • Halim Ben

    Great job bro. I was looking to configure squid on my network and here I found all the necessary information. Thanks again.

    • Thank you very much. You are always welcome.
      Regards

  • This is really great post. Well documented. Thanks and keep posting.

    • Thank you very much. I'm doing my best to make posts like that: all my experience, and that of friends and others, collected and then presented as you see.
      Regards.

  • Eric Yeoh

    The dnf package manager is NOT in any Red Hat Enterprise Linux-based distros and there is no such things as “Red Hat based” distribution; Red Hat is a company NOT a distribution name. The dnf package manager ONLY exists in Fedora Linux or its derivatives like Korora Linux, both are community distributions. Also, I am quite sure that a normal system user CANNOT create/modify files outside his/her home directory – so WTF is “$ touch /etc/squid/passwd” or “$ usermod -aG www-data squid”. Check your facts and proof-read your stuff before you publish anything.

    • Since yum is obsoleted, dnf is used. dnf can be installed on Red Hat based.
      I'm not the only one saying that. Wikipedia also says it:
      https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux_derivatives
      Regarding editing the file (touch /etc/squid/passwd), I suppose that readers have a little knowledge and know that only root can do that, and if you review the other Linux posts you will have more understanding.
      The same goes for usermod and chmod.
      I think that I can publish what I want and you read what you want.

      • Eric Yeoh

        Yum is still supported in all currently supported RHEL-based distros. It will be supported until 2024 and thus people in Red Hat will still ensure yum's survival by contributing code, either by fixing it or backporting from libzypp or dnf – like they do for many of their core stuff – you are right that it is no longer actively used in Red Hat sponsored community distros and their derivatives – which was not what I used as reference. You can theoretically make apt-get work in RHEL if you put your mind to it, cue PCLinuxOS – the only apt-get on RPM distro still in active development. Yes, the future RHEL 8 and its clones will most probably have dnf by default – but until an official announcement is made it will be mere grapevine chatter – you would recall the numerous speculations over the default UI for RHEL 7. You also have a VERY LOW opinion of your readers by commenting, "readers have a little knowledge to know that root only can do that and if you review other Linux posts" – the fact is, I do a lot of reviews. I am effectively the go-to "Linux guy" where I work – and I also write tons of documentation and training and also do a lot of reviews of posts, articles and the printed media. You need to start respecting your audience. Saying that others make the same mistakes and dumb your readers will not know the differences is pure laziness, arrogance and incompetence.

  • Saaed

    Thank you for the great post. How can I make squid authenticate against Windows Active Directory?