How to Setup Squid Proxy Cache Server in AWS (Ubuntu or CentOS)

To setup and install a Squid proxy server in AWS on a VM EC2 running on Linux Ubuntu or CentOS, the easiest and quickest way is to use our Squid proxy solution in the AWS marketplace. Launch the image direct from the marketplace, direct links below.

 

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

 

Squid has extensive access controls and makes a great server accelerator.

 

Squid can implement caching and proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and perform transparent caching. 

 

Squid also supports a wide variety of caching protocols, such as Internet Cache Protocol (ICP), the Hyper Text Caching Protocol (HTCP), the Cache Array Routing Protocol (CARP), and the Web Cache Coordination Protocol (WCCP).

Squid Proxy

Table of Contents

AWS Squid Proxy Video Tutorial

Getting Started with Squid Proxy AWS

This article looks at installing a Squid proxy server on Ubuntu or CentOS on AWS. Please read the steps below after deploying AWS Squid Proxy.

 

Once you’ve deployed the Squid Proxy to your AWS tenant, you’ll need to make the following configuration changes depending on what you want to use the proxy for.

 

The sections below highlight the different configurations that can be done depending on what you want to achieve with your new proxy:

Connecting to AWS Squid Proxy - SSH

Follow the AWS guidance on how to  connect to server instances of Squid Proxy on Linux  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

Squid Proxy Default configuration

The AWS Squid proxy comes configured with the following options (features), that can be easily changed:

 

  • Proxy Port is set to 3128.
  • Hostname is SquidProxy.
  • Access control list is set to block all networks by default. This needs to be changed to allow your networks, instructions below.
  • Optimization tweaks have been made to make the server perform faster.

 

Details on how to optimize Squid Proxy Server on AWS are explained below:

Squid Proxy Server Optimization

We’ve configured the AWS virtual machine Squid config file (squid.conf) and tuned it for high performance with the following tweaks, that can be changed.

 

  • hosts_file /etc/hosts
  • cache_replacement_policy heap LFUDA
  • cache_swap_low 90
  • cache_swap_high 95
  • maximum_object_size_in_memory 50 KB
  • cache_dir aufs /var/spool/squid 3000 16 256
  • cache_mem 100 MB
  • logfile_rotate 10
  • memory_pools off
  • maximum_object_size 50 MB
  • quick_abort_min 0 KB
  • quick_abort_max 0 KB
  • log_icp_queries off
  • client_db off
  • buffered_logs on
  • half_closed_clients off

 

We’ve also added the following feature: refresh_patterns to speed up browsing the  internet of common media file types that will be cached:

Squid Proxy AWS Setup

Proxy ACL – Access Control List 

To use the proxy, you’ll first need to define which networks are allowed access to use your Squid proxy. By default all networks are blocked for security. The first step is to define which of your networks are allowed to use this Squid proxy.

 

  1. First SSH into your Squid Proxy using the admin credentials you supplied during the provisioning of the VM.  You can download Putty, a free tool to SSH into your Ubuntu/CentOS Linux server.

2. Open up the Squid.conf file to edit the settings of your proxy. This is the main file to make any changes to your Proxy. Run the following commands to open the squid.conf vile

				
					cd /etc/squid
sudo nano squid.conf
				
			

You should now see the nano gui editor allowing you to make changes.  

 

Press Ctrl+W on your keyboard which opens up the search function.

 

Search for the following text: acl localnet src.

 

This will bring up the ACLs you can define which networks you want to give access. In my example i’ve enabled network: 10.0.0.0/8 by removing the #

 

Add the networks you want to enable access from your local networks.

 

For AWS networks, refer to AWS documentation on EC2 IP addressing:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html

To block access to an already enabled network simply put a # infront of the acl.

 

To define your own networks add a new line and type the following command:

				
					acl src
				
			

In our config we call our network (localnet), you can use any name to identify your networks.

 

Next step is to tell Squid.conf to allow access for http.

 

Press Ctrl+W and search for http_access allow localnet

 

Here we define which networks you defined earlier to allow access for http.

 

Type the following line

				
					http_access allow
				
			

In the screenshot we say allow the network called localnet. This will allow network 10.0.0.0/8 we defined in the previous step:

Add as many lines as needed depending on how many networks you’ve defined.

 

When complete, press Ctrl + O to save changes and then Ctrl + X to close the nano editor.

 

Restart squid with the following command 

				
					sudo service squid restart
				
			

Users can now connect to the proxy by updating their browser proxy config and putting in the IP address and port (3128) and start using the proxy to access the internet.

Change the Squid admin email address

This option sends an email to the administrator when Squid encounters a problem. Very useful to have to monitor the health of your server. 

 

Within the Squid.conf, using the nano editor search for the text cache_mgr.

 

Remove the the # and add the email address a shown in the screen shot:

 

cache_mgr admin@yourdomain.com

Change the listener port

If you want to change the default port of 3128 to another port, or add and extra ports simply open up the Squid.conf file via the nano editor, as  shown  in my previous step and search for – http_port 3128 and replace with your desired port.

 

If you would like to add more listerner ports, simply add another line to your config, as shown in the screenshot.

Change the proxy hostname

To change the hostname that users will see on the proxy error page, simply do a search for visible_hostname within the squid.conf file and replace with your desired host name. The default hostname is SquidProxy, simply replace that with your new name.

Squid Authentication with LDAP or Kerberos

If you want users to login and authenticate to use your Squid proxy you can integrate authentication with LDAP or Kerberos using Active Directory. Redhat have an excellent tutorial on this, check out this link.

Securing Squid with Password Based Authentication

Squid allows you to create username-password pairs using built-in Linux functionality, as an additional or an alternative step to restricting access to your proxy by IP address. To do that, you’ll create a file called /etc/squid/passwords and point Squid’s configuration to it.

Pre-installed with AWS Squid Proxy are apache2-utils. This package provides the htpasswd command, which you can use in order to generate a password for a new Squid user. Squid’s usernames won’t overlap with system usernames in any way, so you can use the same name you’ve logged in with if you want. You’ll be prompted to add a password as well:

				
					sudo htpasswd -c /etc/squid/passwords your_squid_username
				
			

This will store your username along with a hash of your new password in /etc/squid/passwords, which will be used as an authentication source by Squid. You can cat the file afterward to see what that looks like:

				
					sudo cat /etc/squid/passwords
				
			

Output
andrew:$apr1$Dgl.jInsd&dqLYjBGdtsNioaDjf83$.

After verifying your username and password have been stored, you can update Squid’s configuration to use your new /etc/squid/passwords file. Using your nano text editor, reopen the Squid configuration file and add the following highlighted lines:

				
					sudo nano /etc/squid/squid.conf
				
			
…
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
include /etc/squid/conf.d/*
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# Example rule allowing access from your local networks.
acl localnet src your_ip_address
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
…

These additional directives tell Squid to check in your new passwords file for password hashes that can be parsed using the basic_ncsa_auth mechanism, and to require authentication for access to your proxy. You can review Squid’s documentation for more information on this or other authentication methods. After that, you can finally restart Squid with your configuration changes. This might take a moment to complete.

				
					sudo service squid restart
				
			

Test Connecting to Proxy using new Password

From your local machine we can use the curl command. Enter the following on a local command line such as Windows command prompt to connect to the Squid Proxy, authenticate and access the internet:

				
					curl -v -x http://your_squid_username:your_squid_password@your_server_ip:3128 http://www.bbc.co.uk
				
			

And you should receive a similar output if the connection was succesful:

				
					C:\Users\andyf>curl -v -x http://root:parker@54.173.191.68:3128 http://www.bbc.co.uk
*   Trying 54.173.191.68:3128...
* Connected to 54.173.191.68 (54.173.191.68) port 3128 (#0)
* Proxy auth using Basic with user 'root'
> GET http://www.bbc.co.uk/ HTTP/1.1
> Host: www.bbc.co.uk
> Proxy-Authorization: Basic cm9vdDpwYXJrZXI=
> User-Agent: curl/7.83.1
> Accept: */*
> Proxy-Connection: Keep-Alive
				
			

Block access to certain websites

If you need to block access to certain websites for your users you can do this by defining them in your Squid.conf file as follows:

 

Using the nano editor do a search for the text TAG: http_access.

 

If,  for example, we want to block facebook.com and youtube.com. 

 

Add a new new line above the text TAG: http_access as below and add the following lines.

 

acl block_websites dstdomain .facebook.com .youtube.com

 

http_access deny block_websites

 

Save the config by pressing Ctrl + O and then Ctrl + X to close the config and restart the Squid service with the following command.

				
					sudo service squid restart
				
			

Users should now be blocked from accessing those websites and receive the Squid Proxy page:

Block access to ports

To block access to ports, its the same process as above to blocking websites, just add the following lines:

				
					acl blocked_port port 80
http_access deny blocked_port
				
			

Transparent or Intercepting Proxy

If you’re going to intercept users browser traffic by forcing http traffic to go via your proxy.

 

For example re-configuring your router or firewall so that all HTTP connection requests (port 80) are routed to the proxy server on the appropriate port (3128 by default, unless you changed it).

 

Open up Squid.conf using the nano editor and search for http_port 3128.

 

Simply add the word transparent after the port number. That’s it.

 

Save the config Ctrl+O and close the config Ctrl+X and then restart the Squid service

 

				
					sudo service squid restart
				
			

Anonymous Browsing

By default squid forwards the client IP to the respective website, but to set up an anonymous proxy we will disable it to hide client IP’s and send only IP’s which are configured on the squid server.

 

Search for the following line in the squid.conf using the nano editor:

 

forwarded_for on

 

Change it to:

 

forwarded_for off

And add at the bottom of the squid.conf file the following instructions:

 

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

 

All done, save the file (Ctrl+O) – Close (Ctrl+X) and restart squid. 

 

				
					sudo service squid restart
				
			

Squid Proxy Server Support / Further Documentation

Check out the following links for further documentation and support for Squid Proxy

 

 

If you experience any issues with the deployment of this Squid Proxy Server on AWS, please contact us directly for assistance

Avatar for Andrew Fitzgerald
Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.

2 1 vote
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x