I had a few use cases for setting up my own web proxy. One such use case is making API calls to a few web services to get the pricing. Whenever I make an API call, it returns the value in my local currency. So I had to set up my own proxy server in my desired country (on the cloud) and make those API calls through that proxy. This way I get the pricing response in the desired currency.
After some research, I have found the
Free Proxy Server With Squid Proxy
In this blog, I will explain the step-by-step process to set up a free proxy server using Squid Proxy on the latest Ubuntu server.
Note: I have used Digital Ocean Cloud to deploy my proxy server. You can choose from many regions for your proxy setup. Also, you can get $100 free Digital Ocean credits from here.
Follow the steps given below for a working proxy server.
Step 1: Log in to the server and update the package list.
sudo apt update -y
Step 2: Install the Squid Proxy server.
sudo apt -y install squid
Step 3: Start and enable squid service to start on system boot.
sudo systemctl start squid
sudo systemctl enable squid
Step 4: Verify the squid service status. You should be seeing the “active” status.
sudo systemctl status squid
Squid Proxy Port
By default, squid runs on port 3128.
You can check it using the following command.
netstat -tnlp
Now we have a working squid proxy server. The next important step is to configure the squid proxy based on your needs.
Squid proxy configuration
If you are setting up a squid proxy for your production environment, you have to make sure all the proxy configurations are set as per your needs.
The core settings of squid proxy are in /etc/squid/squid.conf
Squid proxy port
By default, squid proxy runs on port 3128. If you are on the cloud, make sure you allow 3128 in your firewall rules.
Also, you can change the default 3128 port to a custom port by editing the following configuration in the squid.conf file.
http_port 3128
Proxying Internet Connectivity
The primary use case for most of us is to connect to the internet through a proxy server.
If you want to connect to the internet through your proxy, you need to configure ACLs (Access Control List) in your squid configuration.
Enable Squid ACLs for Internet Connectivity
By default, all the incoming connections to the proxy server will be denied. We need to enable a few configurations for the squid server to accept connections from other hosts.
Open the /etc/squid/squid.conf file.
sudo vim /etc/squid/squid.conf
Search for the entry http_access allow localnet in the file. By default, it will be commented out. Uncomment it.
The next step is to add ACLs to the squid config /etc/squid/squid.conf.
acl localnet src [source-ip-range]
You can whitelist the source IP ranges in the following ways.
- Single IP [49.205.220.161]
- A range of IPs [0.0.0.1-0.255.255.255]
- CIDR range [10.0.0.0/28]
Based on your requirements you can add the localnet acl. For example, in my use case, I had to whitelist my home network. I found my home network public address using the Find My IP service and whitelisted that in the ACL as shown below.
acl localnet src 49.205.45.67
If you want to whitelist your private networks’ CIDR range, you can have the ACL like the following. Normally this kind of use case comes when you set up a virtual network for your organization.
acl localnet src 10.0.0.0/8
Note: You can add your ACL in the config file below the place where the default ACLs are defined. If you search for ACLs all, you will find the default ACL section. If you specify a private CIDR range, make sure the proxy is in the same private network.
Here is the ACL I added to my squid server.
#Default:
# ACLs all, manager, localhost, and to_localhost are predefined.
#
#
# Recommended minimum configuration:
#
acl localnet src 49.205.45.67
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
Test Proxy Connectivity
To test the proxy connectivity for the internet from your specified ACL source, you can use the following curl command syntax, which should return a 200 OK response code.
curl -x http://[YOUR-PROXY-IP]:3128 -I http://google.com
The output would look like the following.
➜ ~ curl -x http://134.209.77.172:3128 -I http://www.google.com
HTTP/1.1 200 OK
Date: Sun, 24 Mar 2019 07:21:26 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2019-03-24-07; expires=Tue, 23-Apr-2019 07:21:26 GMT; path=/; domain=.google.com
Set-Cookie: NID=164=QUlqgO1t2-LesVjVjqd0RqBXPUh3QMutuw31xovrIC4EXZOYF5KSpvmDuIORnkm2EvinnZRzqWwG6LbhWR-lb11HpiHQZczfWPN2HuT9FZjaLO_z0ku1qk0N-IWOv2W5l4XparkWr8kusyUPw3jBHGgtoB_gECW4VqUiPvK5H98; expires=Mon, 23-Sep-2019 07:21:26 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
X-Cache: MISS from crunch-proxy
X-Cache-Lookup: MISS from crunch-proxy:3128
Via: 1.1 crunch-proxy (squid/3.5.27)
Connection: keep-alive
Setup Squid Proxy Authentication
The previous method would allow anonymous proxy usage. To prevent this, you can set up proxy authentication using a username and password.
Step 1: Install Apache utils.
sudo apt install apache2-utils -y
Step 2: Create a password file and change the ownership to the proxy user.
sudo touch /etc/squid/passwd
sudo chown proxy /etc/squid/passwd
Step 3: Create a user named proxyuser using the following command. It will prompt for a password. Provide a secure password.
sudo htpasswd /etc/squid/passwd proxyuser
Step 4: Open the squid.conf file.
sudo vi /etc/squid/squid.conf
Step 5: Add the following content to the file.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
Step 6: Restart the Squid server for the changes to take effect.
sudo systemctl restart squid
Test squid proxy authentication
Test squid proxy authentication using curl. You can use the following syntax.
curl -x http://[squid-server-IP]:3128 --proxy-user proxyuser:[proxy-password] https://www.google.com
For example,
curl -x http://134.209.77.172:3128 --proxy-user proxyuser:pa33w0rd https://www.google.com
You will see the following error if authentication details are not passed properly.
Received HTTP code 407 from proxy after CONNECT
Blocking Websites Using Squid Proxy
Another key use case of a squid proxy is to block access to certain websites. In this section, we will look into the steps to configure a website block list.
Step 1: Create a block list file named proxy-block-list.acl
sudo vi /etc/squid/proxy-block-list.acl
Step 2: Add the websites that have to be blocked to the file as shown below.
.facebook.com
.instagram.com
.twitter.com
Note: Make sure you do not have any http_access allow all rules above the block list rule. It will take precedence and the block list will not work.
Step 3: Open the squid configuration file.
sudo vi /etc/squid/squid.conf
Step 4: Add the following lines above the ACLs we have added in the previous steps.
acl bad_urls dstdomain "/etc/squid/proxy-block-list.acl"
http_access deny bad_urls
Step 5: Restart the squid server.
sudo systemctl restart squid
Test Squid Proxy Blocked Websites
Now if you try to access the websites that are in the block list, you will get a 403 error.
➜ ~ curl -x http://134.209.77.172:3128 --proxy-user proxyuser:pa33w0rd https://instagram.com
curl: (56) Received HTTP code 403 from proxy after CONNECT
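The ordering notes in the authentication and block-list sections follow from how Squid evaluates http_access lines: top to bottom, and the first line whose ACLs all match decides the request. The following is an added example, not code from the original post: a simplified Python model of that evaluation covering only src, dstdomain and proxy_auth ACLs. The BAD rule set, the request dictionaries and the function names are constructed for illustration, and the block list is written inline instead of being read from /etc/squid/proxy-block-list.acl.

```python
import ipaddress
# Constructed sample: the rules this page adds, in the order it recommends.
GOOD = """
acl bad_urls dstdomain .facebook.com .instagram.com .twitter.com
http_access deny bad_urls
acl localnet src 49.205.45.67
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access deny all
"""
# Same ACLs, but the allow lines come first (the mistake the page warns about).
BAD = """
acl localnet src 49.205.45.67
acl auth_users proxy_auth REQUIRED
acl bad_urls dstdomain .facebook.com .instagram.com .twitter.com
http_access allow localnet
http_access allow auth_users
http_access deny bad_urls
http_access deny all
"""

def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0", "::/0"])}, []  # 'all' is predefined
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "src":  # single IPs and CIDR only; a-b ranges are not modelled
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # ".example.com" covers the domain and its subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    # proxy_auth REQUIRED: any valid login matches (Squid sends 407 when none is given)
    return kind == "proxy_auth" and req.get("user") is not None

def decide(conf, req):
    """First http_access line whose ACLs all match wins; if none match,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(*acls[n], req) for n in names):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With the BAD order, decide returns "allow" for an authenticated request to www.instagram.com and for an unauthenticated request from 49.205.45.67, because an earlier allow line matches before the deny or the authentication rule is reached. If authentication is meant to be mandatory for every client, keep the deny lines first and do not leave http_access allow localnet ahead of http_access allow auth_users.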
Using Squid Proxy
You can use squid proxy in the following ways.
For Web Browsing
You can use the squid proxy endpoint as your browser proxy. Each browser has its own proxy settings. You can add the proxy IP, port, and authentication details if enabled.
For Applications
If you have applications running on a private network and you want to connect to the internet for specific calls, you can use the proxy endpoint to route that outbound internet traffic.
Blocking Unwanted Website Access
Organizations use a proxy server to limit access to certain unwanted websites.
Conclusion
Squid proxy offers a variety of solutions as a forward proxy. It is the best free proxy server software. Its implementation depends on your architecture and design. And, if you want to learn and manage squid proxy by yourself then check out this hands-on course.
2 comments
Thanks for this – nice and easy.
It is nice