How to Setup Squid Proxy Cache on Windows in Azure/AWS/GCP

To install Squid Proxy Cache on Windows Server on any of the cloud platforms, the recommended way is to use our publicly available images in the cloud marketplaces. They come preconfigured with Squid Proxy running on Windows and optimised for speed and performance. Check the links below for more details.

Squid Proxy Windows

Squid Proxy on Windows Server Features

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

 

Along with server caching, Squid offers a wide range of features such as distributing the load over intercommunicating hierarchies of proxy servers, defining strict access control lists for all clients accessing the proxy, allowing or denying access to specific websites with the help of other applications, and generating statistics about frequently visited web pages for the assessment of the users' surfing habits. Squid proxy is not just a generic proxy. It normally proxies only HTTP connections. It also supports the FTP, Gopher, SSL, and WAIS protocols.

 

  • Set ACL for which networks have access to internet
  • Block/Allow access to certain websites
  • Block/Allow Content Based on MIME Types (e.g image, text, mpeg)
  • Set the times of day during which users can access the internet
  • Cache frequently accessed websites, cache files/media
  • Hide users' internal IP addresses
  • Load balance with other Squid proxies
  • Clustering
  • Traffic Interception with WCCP
  • Require users to authenticate (LDAP, Active Directory, RADIUS, POP3, DB, etc)
  • Allow/Block IM (Instant Messaging)
  • Block coin-mining scripts from using CPU/memory in users' browsers. A new modern trend.
  • Adaptation protocol (C-ICAP / eCAP)
  • Caching Dynamic Content
  • Fully Transparent Interception with Squid-2, TPROXYv2 and WCCP
  • Configuring multiple interception ports using WCCPv2
  • WCCP2 and NAT on a private internal network
  • PHP Redirectors
  • SMP Carp Cluster
  • Torrent filtering
  • Webwasher integration – prevent downloading of virus-infected files or filter out adult content

Getting Started with Squid Proxy

RDP (Remote Desktop Protocol) into new server

Once you have deployed Squid Proxy on Windows Server, the first step is to RDP into the new instance once it has fully booted up. The following links explain how to connect to the VM once it has finished being deployed:

 

 

Once logged in, you’re now ready to start setting up your new server as per the following sections.

Setting up Squid Proxy

To start Squid, press the ‘Squid Server Tray‘ icon on the desktop and this will create a tray icon. To edit the Squid configuration, right click the tray icon and select ‘Open Squid Configuration‘ as per the following screenshot:

Squid Proxy ACL – Access Control List

To use the proxy, you’ll first need to define which networks are allowed to use your Squid proxy. By default several private networks are enabled for Azure and GCP proxies. For AWS Squid Proxy all networks have been disabled by default.

 

You can enable or disable any networks you require.

 

Within the Squid configuration file edit the following lines:

Define Allowed Networks

To define your own networks add a new line and type:

 

acl <name> src <IP address space>

 

For example, for a network called webservers of 10.0.0.0/8 you would write:

acl webservers src 10.0.0.0/8

 

Simply remove the networks you don’t need, or add a ‘#‘ to the start of the line to disable them. Add your own private networks you would like to enable. Here is an example of networks enabled called localnet:

In our config we call our network localnet; you can use any name to identify your networks.

 

The next step is to tell Squid.conf to allow access for HTTP. Scroll down to http_access allow localnet.

 

Here you specify which of the networks you defined earlier are allowed HTTP access. Type the following line:

http_access allow localnet

In the screenshot we allow the network called localnet. This will allow the networks created in the previous step:

Restart Squid Service

Once updated, save the file and then restart the Squid service. You can do this via the Squid Tray Icon (Stop Squid Service, then Start Squid Service).

Update Browser Proxy LAN settings and port

Users can now connect to the proxy by updating their browser proxy config with the proxy's IP address and port (3128), and then start using the proxy to access the internet.

If users can’t connect, make sure you have port 3128 open on any firewalls and any security groups.

Change the Squid listener port

If you want to change the default port of 3128 to another port, or add extra ports, simply open up the Squid.conf file, search for http_port 3128 and replace it with your desired port.

Then restart the Squid service.

Block access to certain websites

If you need to block access to certain websites for your users you can do this by defining them in your Squid.conf file as follows:

 

Within the Squid.conf file search for the text:

http_access deny all

Let's say, for example, we want to block facebook.com and youtube.com.

 

Add a new line above the text http_access deny all, as below, with the following lines:

acl block_websites dstdomain .facebook.com .youtube.com
http_access deny block_websites

Save the Squid.conf and restart the Squid Service.

 

You can do this via the Squid Tray Icon (Stop Squid Service, then Start Squid Service).

 

Users should now be blocked from accessing those websites and receive the Squid Proxy page:

Block access to ports

To block access to ports, follow the same process as for blocking websites above; just add the following lines:

acl blocked_port port 80
http_access deny blocked_port
				
			

Transparent or Intercepting Proxy

If you are going to intercept users' browser traffic by forcing HTTP traffic to go via your proxy, for example by reconfiguring your router or firewall so that all HTTP connection requests (port 80) are routed to the proxy server on the appropriate port (3128 by default, unless you changed it), configure Squid as follows.

 

Open up Squid.conf search for http_port 3128.

 

Simply add the word transparent after the port number. That is it. Save the config and then restart the Squid service.

Anonymous Browsing

By default Squid forwards the client IP to the respective website, but to set up an anonymous proxy we will disable this to hide client IPs and send only IPs which are configured on the Squid server.

 

Add the following line in the squid.conf file:

forwarded_for off

And add at the bottom of the squid.conf file the following instructions:

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Save the Squid.conf and restart the Squid Service.

Squid Firewall Ports

By default the following port has been enabled on the VM. This is the Squid listener port:

 

TCP 3128

 

If you are using any of the cloud security groups and need to change / add ports refer to the following guides:

 

To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

Squid Proxy Support / Further Documentation

Check out the following links for further documentation and support for Squid Proxy.

 

 

Disclaimer: Squid is licensed under the GNU GPL license. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
