How to Setup Squid Proxy Server on Google Cloud GCP (Secure Cache)
To setup and install a Google Cloud GCP Proxy Server is to use a Squid Proxy. Simply deploy the Squid Proxy on Ubuntu or CentOS with Squid using the Google marketplace Squid proxy server
With a Squid Proxy you will be able to secure your users internet access, secure your network with the following Google proxy features:
Google Cloud GCP Squid Proxy Features
Internet Security
- Block/Allow access to certain websites
- Cache frequently accessed websites, cache files/media
- Hide users internal IP Addresses
- Traffic Interception with WCCP
- Set authentication to get users to Authenticate (LDAP, Active Directory,RADIUS, POP3, DB, etc)
- Adaptation protocol (C-ICAP / eCAP)
Caching
- Caching Dynamic Content
- Fully Transparent Interception with Squid-2, TPROXYv2 and WCCP
- Configuring multiple interception ports using WCCPv2
- WCCP2 and NAT on a private internal network
- Webwasher integration - prevent downloading of virus-infected files or to filter out adult content
- So much more you can do with this proxy
Install Google Cloud GCP Squid Proxy
Table of Contents
Google Cloud GCP Squid Proxy Video Tutorial
Connecting to GCP Squid Proxy Instance
Follow Google’s guide on connecting to Ubuntu Linux instances – https://cloud.google.com/compute/docs/instances/connecting-to-instance
Default configuration for Google Squid Proxy
The Google Squid proxy comes configured with the following options that can be easily changed:
- Proxy port is set to 3128.
- Hostname is SquidProxy.
- Access control list is set to allow 10.0.0.0/8. This can be changed to allow your networks, instructions below.
- Optimization tweaks have been made to make the server perform faster. Details below.
Squid Proxy Server Optimization
We’ve configured the GCP virtual machine Squid config file (squid.conf) and tuned it for high performance with the following tweaks that can be changed.
- hosts_file /etc/hosts
- cache_replacement_policy heap LFUDA
- cache_swap_low 90
- cache_swap_high 95
- maximum_object_size_in_memory 50 KB
- cache_dir aufs /var/spool/squid 3000 16 256
- cache_mem 100 MB
- logfile_rotate 10
- memory_pools off
- maximum_object_size 50 MB
- quick_abort_min 0 KB
- quick_abort_max 0 KB
- log_icp_queries off
- client_db off
- buffered_logs on
- half_closed_clients off.
We’ve also added the following refresh_patterns to speed up browsing the internet of common media file types that will be cached:
Getting Started with Google Cloud GCP Squid Proxy
Once you’ve deployed the Squid Proxy to your Google project, you’ll need to make the following configuration changes depending on what you want to use the proxy for.
The sections below highlight the different configurations that can be done depending on what you want to achieve with your new proxy:
Squid Proxy ACL – Access Control List
To use the proxy, you’ll first need to define which networks are allowed access to use your Squid proxy. By default network 10.0.0.0/8 is enabled. This can be disabled if you don’t want to allow this network.
- First SSH into your Squid Proxy using the admin credentials you supplied during the provisioning of the VM. You can download Putty, a free tool to SSH into your Linux server.
2. Open up the Squid.conf file to edit the settings of your proxy. This is the main file to make any changes to your Proxy.
Run the following commands to open the squid.conf vile
cd /etc/squid
sudo nano squid.conf
You should now see the nano gui editor allowing you to make changes.
Press Ctrl+W on your keyboard which opens up the search function.
Search for the following text: acl localnet src 10
This will bring up the ACLs you can define which networks you want to give access.
By default we’ve allowed 10.0.0.0/8. To block access to this network simply put a # infront of the acl.
To define your own networks add a new line and type the following command:
acl src
In our config we call our network (localnet), you can use any name to identify your networks.
Next step is to tell Squid.conf to allow access for http.
Press Ctrl+W and search for http_access allow localnet.
Here we define which networks you defined earlier to allow access for http. Type the following line:
http_access allow
In the screenshot we say allow the network called localnet. This will allow network 10.0.0.0/8 we defined in the previous step:
Add as many lines as needed depending on how many networks you’ve defined.
When complete, press Ctrl + O to save changes and then Ctrl + X to close the nano editor.
Restart squid with the following command:
service squid restart
Users can now connect to the proxy by updating their browser proxy config and putting in the IP address and port (3128) and start using the proxy to access the internet.
Change the Squid admin email address
This option sends an email to the administrator when Squid encounters a problem. Very useful to have to monitor the health of your server.
Within the Squid.conf, using the nano editor search for the text cache_mgr
Remove the the # and add the email address a shown in the screen shot:
cache_mgr admin@yourdomain.com
Change the proxy listener port
If you want to change the default port of 3128 to another port, or add and extra ports simply open up the Squid.conf file via the nano editor as shown in the previous step and search for – http_port 3128 and replace with your desired port.
If you would like to add more listener ports, simply add another line to your config as shown in the screenshot:
Change the proxy hostname
To change the hostname that users will see on the proxy error page, simply do a search for visible_hostname within the squid.conf file and replace with your desired host name.
The default hostname is SquidProxy, simply replace that with your new name.
Squid Proxy Authentication with LDAP or Kerberos
If you want users to login and authenticate to use your Squid proxy you can integrate authentication with LDAP or Kerberos using your Microsoft Active Directory (AD). Redhat have an excellent tutorial on this, check out this link
Block access to certain websites using Squid Proxy
If you need to block access to certain websites for your users you can do this by defining them in your Squid.conf file as follows:
Using the nano editor do a search for the text TAG: http_access.
Let’s say for example we want to block facebook.com and youtube.com.
Add a new new line above the text TAG: http_access as below and add the following lines.
acl block_websites dstdomain .facebook.com .youtube.com
http_access deny block_websites
Save the config by pressing Ctrl + O and then Ctrl + X to close the config and restart the Squid service with the following command
service squid restart
Users should now be blocked from accessing those websites and receive the Squid Proxy page:
Block access to ports
To block access to ports, its the same process as above to blocking websites, just add the following lines:
acl blocked_port port 80
http_access deny blocked_port
Transparent or Intercepting Proxy
If your going to intercept users browser traffic by forcing http traffic to go via your proxy.
For example reconfiguring your router or firewall so that all HTTP connection requests (port 80) are routed to the proxy server on the appropriate port (3128 by default, unless you changed it).
Open up Squid.conf using the nano editor and search for http_port 3128.
Simply add the word transparent after the port number. Thats its. Save the config Ctrl+O and close the config Ctrl+X and then restart the Squid service
service squid restart
Anonymous Browsing
By default squid forwards the client IP to the respective website, but to set up an anonymous proxy we will disable it to hide client IPs and send only IPs which are configured on the squid server.
Search for the following line in the squid.conf using the nano editor:
forwarded_for on
Change it to:
forwarded_for off
And add at the bottom of the squid.conf file the following instructions:
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
All done, save the file (Ctrl+O) – Close (Ctrl+X) and restart squid.
service squid restart
Google Squid Proxy Support / Further Documentation
Check out the following links for further documentation and support for Squid Proxy:
