Setup Squid Proxy with Webmin on Azure/AWS/GCP

Set up and install Squid proxy with Webmin on Ubuntu or Debian. Squid Proxy Server is a powerful, versatile proxy server designed to optimize network performance, enhance security, and control web access. Squid’s caching capabilities, access management, and secure handling of web traffic improve network efficiency and security. Deploy on Azure, AWS or Google GCP with our image using the links below:

Cloud Squid Proxy

Getting Started with Squid Proxy with Webmin

Once your Squid proxy server has been deployed, the following links explain how to connect to a Linux VM:

 

 

Once connected and logged in, the following section explains how to start using Squid proxy and the different use cases and configuration options.

Post-Deployment Tutorial: Using Squid Proxy with Webmin

Accessing Webmin

  • Open Webmin: In your browser, go to https://<your-server-IP>:10000.
  • Log in: Use the system credentials (usually the root username and password) to access the Webmin dashboard. Ignore any certificate warnings.

Initialize Cache

To activate the Squid proxy, you first need to initialize the cache. Click the Initialize Cache button at the top.

Navigating to the Squid Proxy Module

  1. From the Webmin Dashboard, find Servers in the left sidebar.
  2. Click on Squid Proxy Server to open the Squid module.
  3. You’ll see options to configure, monitor, and manage Squid directly from the Webmin interface.

The next sections explain the different functions and use cases for using Squid proxy.

Bandwidth Optimization with Caching

Configuring Caching in Squid

  1. Navigate to Caching and Network Options:
      • In the Squid Proxy Server module, select Cache Options.
  2. Set Maximum Object Size:
      • Here, you can specify the maximum object size to cache, allowing you to store larger or smaller files depending on your network’s bandwidth needs.
  3. Configure Cache Directories:
      • Go to Cache Directory under Cache Options. Here, you can set up different cache directories and allocate more storage for caching, which helps store frequently accessed files and reduce bandwidth.
  4. Save and Apply:
      • Once configured, click Save and Apply Changes for the settings to take effect.

Monitoring Cache Performance

  1. Access Cache Statistics:
      • In the Squid Proxy Server module, select Cache Statistics.
  2. View Cache Hit Rates:
      • Monitor your cache hit rates, which indicate how effectively Squid is caching and delivering frequently requested content.

Access Control and Content Filtering

Setting Up Access Control Lists (ACLs)

  1. Navigate to Access Control:
      • Under the Squid Proxy Server module, select Access Control.
  2. Create New ACLs:
      • Add a new ACL by selecting Create New ACL. You can set up ACLs based on IP addresses, time, and domain names.
      • For example, if you want to block access to social media websites during work hours, create an ACL for the IP range or specific users, and set the time range.
  3. Configure Block or Allow Rules:
      • Under Proxy Restrictions, you can define rules to allow or deny access based on these ACLs.
      • Use the Deny action to restrict access or Allow to permit certain domains or IP addresses.
  4. Save and Apply:
      • Save your settings and Apply Changes.

Blocking Specific Websites

  1. Create a New ACL for Blocked Websites:
      • Under Access Control, create a new Domain ACL specifying URLs to block (e.g., facebook.com).
  2. Deny Access in Proxy Restrictions:
      • Go to Proxy Restrictions and create a Deny rule that references the newly created domain ACL.
  3. Save and Apply:
      • Save and apply your changes. The selected websites are now blocked for specified users or groups.
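Squid evaluates the rules under Proxy Restrictions (the http_access lines in squid.conf) from top to bottom: the first rule whose ACLs all match decides the request, so a Deny rule placed below a broader Allow rule never takes effect. The following is an added example, not part of the original tutorial: a simplified Python model of that evaluation for the social-media/work-hours case, in which the ACL names, the 10.0.0.0/24 range, the domains and the 09:00-17:00 window are all assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed ACLs mirroring squid.conf "acl" lines (names and values are assumptions).
ACLS = {
    "all":       ("src", ipaddress.ip_network("0.0.0.0/0")),
    "office":    ("src", ipaddress.ip_network("10.0.0.0/24")),
    "social":    ("dstdomain", [".facebook.com", ".instagram.com"]),
    "workhours": ("time", ("MTWHF", time(9, 0), time(17, 0))),
}
DAY_CODES = "MTWHFAS"  # Squid day letters for Monday..Sunday

def acl_matches(name, client_ip, host, when):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in value
    if kind == "dstdomain":
        # ".example.com" matches the domain itself and every subdomain.
        host = host.lower().rstrip(".")
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in value)
    days, start, end = value  # kind == "time"
    return DAY_CODES[when.weekday()] in days and start <= when.time() <= end

def http_access(rules, client_ip, host, when):
    """Return the action of the first rule whose ACLs all match."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, host, when) for n in names):
            return action
    return "deny"  # not reached when the list ends with "deny all"

# Deny rule placed before the general allow: the block takes effect.
BLOCK_FIRST = [("deny", ["office", "social", "workhours"]),
               ("allow", ["office"]),
               ("deny", ["all"])]
# Same rules, wrong order: "allow office" matches first, the deny never fires.
ALLOW_FIRST = [("allow", ["office"]),
               ("deny", ["office", "social", "workhours"]),
               ("deny", ["all"])]

if __name__ == "__main__":
    tuesday_1030 = datetime(2024, 1, 9, 10, 30)
    for label, rules in (("block first", BLOCK_FIRST), ("allow first", ALLOW_FIRST)):
        print(label, http_access(rules, "10.0.0.5", "www.facebook.com", tuesday_1030))
```

After saving rules in Webmin, check their order in the Proxy Restrictions list the same way: the specific Deny must sit above any Allow that covers the same clients.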

Further documentation can be found on:

https://webmin.com/docs/modules/squid-proxy-server/

Enforcing SSL/TLS Decryption for Secure Web Traffic

Configuring HTTPS Decryption in Squid

  1. Generate a Certificate for SSL Decryption:
      • Open a terminal and create a self-signed certificate if Squid doesn’t have one already:

        sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/squid/squid.key -out /etc/squid/squid.crt

  2. Install the Certificate in Squid:
      • Copy squid.crt and squid.key to Squid’s configuration directory (e.g., /etc/squid/ssl_cert/) and set the appropriate permissions.
  3. Configure SSL Bump in Webmin:
      • In Webmin, go to Squid Proxy Server > Proxy Options.
      • Under SSL Bump Settings, configure the SSL bump to intercept and inspect HTTPS traffic.
      • Specify paths to the SSL certificate and key (/etc/squid/ssl_cert/squid.crt and /etc/squid/ssl_cert/squid.key).
  4. Apply and Test:
      • Save and apply your changes. Now, Squid will decrypt HTTPS traffic for inspection based on the configured SSL bump settings.

Enabling SSL Filtering

  1. Navigate to SSL Bump Rules:
      • In SSL Bump Options, create rules to control SSL traffic inspection. You can specify domains or IP ranges that require decryption for compliance purposes.
  2. Apply and Monitor:
      • Once SSL filtering is configured, apply your settings. Monitor filtered traffic under Cache Statistics to ensure it’s working as expected.

Further documentation can be found on:

https://webmin.com/docs/modules/squid-proxy-server/

Monitoring and Analyzing Traffic Logs

Accessing Squid Logs via Webmin

  1. View Access Logs:
      • In the Squid Proxy Server module, select View Logs.
      • Here, you can view access logs to see user activity, which URLs were visited, and when.
  2. Generate Usage Reports:
      • For detailed insights, Webmin allows you to configure and view daily or monthly usage reports to analyze web traffic, detect unusual patterns, and improve access control.

Using Squid as a Reverse Proxy

Configuring Squid as a Reverse Proxy

  1. Navigate to Reverse Proxy Settings:
      • In the Webmin Squid Proxy Server module, go to Proxy Options.
  2. Enable HTTP Accelerator (Reverse Proxy Mode):
      • Under HTTP Acceleration, set HTTP Accelerator Mode to Enabled. This tells Squid to operate as a reverse proxy for incoming requests.
  3. Set Up Cache Peers (Backend Servers):
      • Under Cache Options, locate Cache Peer Settings. Here, you can add backend servers (cache peers) that Squid will forward requests to.
      • Click Add a new cache peer and enter the following details:
          • Hostname/IP: The IP address or hostname of your backend server.
          • Type: Set this to originserver (indicating the backend is the original content server).
          • Proxy Port: Specify the port on which the backend server is listening (e.g., 80 for HTTP or 443 for HTTPS).
          • Options: You can set no-query if the backend does not support ICP queries, and proxy-only to ensure that Squid forwards all requests to the backend without caching them.
      • Repeat this step for each backend server you want to add.
  4. Set Cache Peer Selection Options:
      • Under Cache Peer Settings, configure options to control which backend server Squid selects. For example, you can set load balancing policies (detailed below) to control traffic distribution.
  5. Save and Apply:
      • After configuring the reverse proxy settings, click Save and Apply Changes to enable Squid in reverse proxy mode.

Using Squid as a Load Balancer

Configuring Squid as a Load Balancer

  1. Set Load Balancing Options:
      • In the Squid Proxy Server module, go to Cache Peer Selection options.
      • Choose a load balancing policy that suits your requirements:
          • Round-robin: This is the default method, where requests are distributed evenly among all backend servers.
          • Weighted Round-robin: Allows you to set weights for each backend to prioritize some servers over others.
          • Failover: Squid will direct traffic to a primary server, only switching to a secondary server if the primary is down.
  2. Configure Peer Weight (Optional):
      • If using a weighted round-robin approach, you can set a weight value for each backend in the Cache Peer Settings:
          • Higher weight values direct more traffic to a server, allowing you to prioritize specific backends.
      • Set weight in the Cache Peer Settings for each server (e.g., weight 10 for primary, 5 for secondary).
  3. Health Check and Failover Configuration:
      • Squid can be configured to check the health of backend servers periodically. For failover to function effectively, Squid should know if a server goes down.
      • Under Cache Options, configure the dead peer timeout to specify how long Squid waits before marking an unresponsive server as “dead.”
  4. Save and Apply Load Balancing Settings:
      • Once you have set up your desired load balancing settings, save and apply the changes.

Testing and Monitoring Reverse Proxy & Load Balancing

Test Reverse Proxy:

  • Visit your Squid server’s IP or domain in a browser. Squid will forward requests to the backend servers based on the load balancing configuration.
  • For example, if you visit http://<squid-server-ip>/, it should return content from one of the backend servers configured in the cache peer settings.

Verify Load Balancing:

  • Make multiple requests to your Squid server. If using a round-robin policy, each request should go to a different backend server.
  • For verification, check Access Logs in Webmin (Squid Proxy Server > View Logs). The logs should show alternating or weighted backend access according to your configuration.

Monitor Peer Health:

  • In Webmin, monitor Cache Statistics or Access Logs to ensure traffic is balanced correctly across the configured backend servers.
  • If a server goes down, Squid should automatically direct traffic to the available servers based on the failover policy.
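The load-balancing and peer-health checks above, together with the cache hit-rate and access-log review from the earlier monitoring sections, can be scripted against access.log instead of read by eye. The following is an added example, not part of the original tutorial: it assumes Squid's default native log format, and the sample lines, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's default native access.log format (not from the page).
SAMPLE_LOG = """\
1718000001.101     42 203.0.113.7 TCP_MISS/200 5120 GET http://app.example.test/ - ROUND_ROBIN_PARENT/10.0.1.11 text/html
1718000002.204     38 203.0.113.7 TCP_MISS/200 5120 GET http://app.example.test/a - ROUND_ROBIN_PARENT/10.0.1.12 text/html
1718000003.310      1 203.0.113.9 TCP_HIT/200 5120 GET http://app.example.test/ - HIER_NONE/- text/html
1718000004.412      0 198.51.100.4 TCP_DENIED/403 3900 GET http://blocked.example.test/ - HIER_NONE/- text/html
1718000005.500      0 198.51.100.4 TCP_DENIED/403 3900 GET http://blocked.example.test/x - HIER_NONE/- text/html
1718000006.610     40 203.0.113.9 TCP_MISS/200 5120 GET http://app.example.test/b - ROUND_ROBIN_PARENT/10.0.1.11 text/html
"""

def summarize(log_text):
    """Return cache hit ratio, denied requests per client, and requests per backend peer."""
    results, denied, peers = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # skip truncated lines or lines in another log format
        client, result = f[2], f[3].split("/")[0]
        hier, _, peer = f[8].partition("/")
        if result == "TCP_DENIED":
            denied[client] += 1
            continue  # denied requests never reach the cache or a peer
        # Simplification: any result code containing "HIT" counts as a cache hit.
        results["hit" if "HIT" in result else "miss"] += 1
        if hier.endswith("_PARENT"):
            peers[peer] += 1  # request was forwarded to this cache peer
    served = results["hit"] + results["miss"]
    return {"hit_ratio": results["hit"] / served if served else 0.0,
            "denied": dict(denied), "peers": dict(peers)}

def silent_peers(summary, configured):
    """Configured backends that received no traffic (possible dead peer or misrouting)."""
    return sorted(set(configured) - set(summary["peers"]))

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("no traffic:", silent_peers(s, ["10.0.1.11", "10.0.1.12", "10.0.1.13"]))
```

A client with a high TCP_DENIED count is repeatedly hitting a Deny rule, and a configured backend with no forwarded requests is worth checking before relying on failover.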

Squid Proxy Firewall Ports

By default the following ports have been enabled on the VM:

  • TCP 3128 – Squid listener
  • TCP 10000 – Webmin

 

If you are using cloud security groups and need to change or add ports, refer to the following guides:

To set up AWS firewall rules refer to – AWS Security Groups

To set up Azure firewall rules refer to – Azure Network Security Groups

To set up Google GCP firewall rules refer to – Creating GCP Firewalls

Squid Proxy Support / Further Documentation

Check out the following links for further documentation and support for Squid Proxy.

 

 

Disclaimer: Squid is licensed under the GNU GPL license. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
