How to Setup Squid Proxy Cache on Windows in Azure/AWS/GCP

To install Squid Proxy Cache on Windows Server on any of the cloud platforms, the recommended way is to use our publicly available images in the cloud marketplaces. They come preconfigured with Squid Proxy running on Windows and optimised for speed and performance. Check the links below for more details.

Getting Started

 

RDP into new server

 

Once you have deployed Squid Proxy on Windows Server, the first step is to RDP into the new instance once it has fully booted up. The following links explain how to connect to the VM once it has finished being deployed:

 

 

Once logged in, you’re now ready to start setting up your new server as per the following sections.

Setting up Squid Proxy

 

To start Squid, press the ‘Squid Server Tray‘ icon on the desktop; this creates a tray icon. To edit the Squid configuration, right-click the tray icon and select ‘Open Squid Configuration‘ as per the following screenshot:

[Screenshot: Squid on Windows]

 

ACL – Access Control List

 

To use the proxy, you’ll first need to define which networks are allowed to use your Squid proxy. By default, network 10.0.0.0/8 is enabled. You can disable it if you don’t want to allow this network, and add your own private networks instead.

 

Within the Squid configuration file edit the following lines:

[Screenshot: Squid access control list]

 

As you can see from above the following networks are enabled:

 

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • fc00::/7
  • fe80::/10

 

Simply remove the networks you don’t need, or add a ‘#‘ to the start of the line to disable it. Then add the private networks you would like to enable. Here is an example of the networks I’ve enabled:

[Screenshot: Squid networks allowed]

 

In our config we call our network localnet; you can use any name to identify your networks.

The next step is to tell Squid.conf to allow access for HTTP. Scroll down to http_access allow localnet.

Here we define which of the networks you defined earlier are allowed HTTP access. Type the following line:

http_access allow localnet

In the screenshot we allow the network called localnet. This will allow the networks I created in the previous step:

[Screenshot: Squid allow localnet]

 

Once updated, save the file and then restart the Squid service. You can do this via the Squid Tray Icon (Stop Squid Service, then Start Squid Service).

 

Users can now connect to the proxy by updating their browser proxy config with the server's IP address and port (3128), and start using the proxy to access the internet.

[Screenshot: Internet Explorer proxy settings]

 

If users can’t connect, make sure you have port 3128 open on any firewalls and any security groups.

 

Change the Squid listener port

 

If you want to change the default port of 3128 to another port, or add extra ports, simply open up the Squid.conf file, search for http_port 3128 and replace it with your desired port.

[Screenshot: Squid listener port]

Then restart the Squid service.

 

Block access to certain websites

 

If you need to block access to certain websites for your users you can do this by defining them in your Squid.conf file as follows:

 

Within the Squid.conf file search for the text http_access deny all

 

Let's say, for example, we want to block facebook.com and youtube.com.

Add a new line above the text http_access deny all as below and add the following lines.

 

acl block_websites dstdomain .facebook.com .youtube.com

 

http_access deny block_websites

[Screenshot: Squid block websites]

Save the Squid.conf and restart the Squid Service. You can do this via the Squid Tray Icon (Stop Squid Service, then Start Squid Service).

 

Users should now be blocked from accessing those websites and receive the Squid Proxy page:

 

Block access to ports

 

To block access to ports, it's the same process as above for blocking websites; just add the following lines:

acl blocked_port port 80
http_access deny blocked_port

Transparent or Intercepting Proxy

 

If you're going to intercept users' browser traffic by forcing HTTP traffic through your proxy, for example by reconfiguring your router or firewall so that all HTTP connection requests (port 80) are routed to the proxy server on the appropriate port (3128 by default, unless you changed it), configure the listener port as follows.

Open up Squid.conf and search for http_port 3128.

Simply add the word transparent after the port number. That's it. Save the config and then restart the Squid service. Squid 3.1 and later name this option intercept; transparent is the older name.

[Screenshot: http_port with the transparent option]

 

Anonymous Browsing

 

By default Squid forwards the client IP to the respective website. To set up an anonymous proxy we will disable this, hiding client IPs and sending only the IPs configured on the Squid server.

 

Add the following line in the squid.conf file (off makes Squid send unknown in place of the client address in the X-Forwarded-For header):

forwarded_for off

 

And add at the bottom of the squid.conf file the following instructions:

 

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

 

Save the Squid.conf and restart the Squid Service

Squid Firewall Ports

 

By default the following port has been enabled on the VM. This is the Squid listener port:

 

TCP 3128

 

If you are using any of the cloud security groups and need to change / add ports refer to the following guides:

 

To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

Support / Further Documentation

 

Check out the following links for further documentation and support for Squid Proxy

 

 

Disclaimer: Squid is licensed under the GNU GPL license. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud
