A Squid proxy can help conserve bandwidth and control access on your network. In this video, explore the basics of setting up and configuring a Squid server.
- [Narrator] A Squid proxy lets you consolidate internet access through a single host and helps you conserve internet bandwidth by caching some files that were previously requested by clients using the proxy. This can be a useful set of features for an organization that wants to filter network traffic or just make sure it comes from one particular host for management purposes. Squid can block access to particular domains for the clients it provides access to, and it can be used as part of a solution to ensure that only authorized devices or users are allowed to access the internet.
It's also useful in a situation where internet bandwidth is limited or expensive. The modern web has a lot of repetitive, fairly large files: JavaScript libraries, web fonts, even image assets. For one person browsing, this doesn't represent a lot of traffic, but in an organization of hundreds, each person downloading their own copy of these things starts to add up to a lot of wasted bandwidth. And if your clients are downloading large files like updates from a repository, caching them locally after the first request can speed things up and keep bandwidth bills down.
Keep in mind though, Squid can keep a cache of files requested through HTTPS. A proxy acts differently than a router. Instead of routing packets from one network to another, it accepts requests from clients and makes requests externally on their behalf. Proxy servers will often send encrypted connections straight through, but even that's configurable. There are many privacy implications, design choices, and policy decisions you'll need to work through if you decide to set up a Squid proxy for your network.
And in this episode, I want to show you just the basics. Let's configure our host as a Squid proxy and then configure a client to use that proxy server for internet access. And in doing so, we'll see a little bit about how the proxy works. Here on the machine that I'll use as the proxy, I'll write apt install squid. And that'll install the software we need. The configuration file for the Squid server is /etc/squid/squid.conf.
And it has many, many options. Nearly all the content in this file is commented out, and there are a lot of directives you can use. And there are some helpful comments about what each option does. It can be intimidating to work with, so to start, let's take a look at what actually is defined in the file. I'll write an expression to delete lines starting with a hash or pound sign, and then send the output of that through awk to show only lines that have one or more fields. So I'll write sed -e, then a slash, a caret for the beginning of the line, a pound sign for a comment, another slash, and then d for delete.
And then I'll give the file name and pipe that through awk. We've got some ACLs defined, access control lists. In this case, one named SSL_ports, which is just port 443, and one called Safe_ports, which is the list of remote ports that Squid will allow access to. Then we're setting access parameters here. Denying access to anything that is not one of the safe ports. And denying CONNECT, which is how Squid sends connections straight through rather than proxying them, on anything that isn't an SSL port.
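The sed and awk pipeline just described, wrapped in a small shell function so it can be reused on any Squid configuration file. This is an added example, not code from the video; the squid.conf excerpt it operates on is constructed to resemble the default directives the narrator reads out, not the real default file.

```shell
#!/bin/sh
# Added example: show only the active (uncommented, non-blank) directives
# of a squid.conf, using the same sed | awk approach as the video.

squid_active_directives() {
    # $1: path to a squid.conf
    # sed deletes lines that begin with '#', awk keeps lines with at least one field
    sed -e '/^#/d' "$1" | awk 'NF > 0'
}

count_active_directives() {
    # $1: path to a squid.conf; prints how many active directives it contains
    squid_active_directives "$1" | awk 'END { print NR }'
}

# Constructed squid.conf excerpt for this example (not the shipped default file)
write_sample_conf() {
cat <<'EOF'
# Recommended minimum configuration (constructed sample)
acl SSL_ports port 443
acl Safe_ports port 80          # http

acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 3128
EOF
}

# Stand-alone demo: write the sample, list its active directives, clean up
CONF="$(mktemp)"
write_sample_conf > "$CONF"
squid_active_directives "$CONF"
echo "active directives: $(count_active_directives "$CONF")"
rm -f "$CONF"
```

Running it against the real file (`squid_active_directives /etc/squid/squid.conf`) gives the short effective configuration the narrator walks through; note that a trailing comment on an otherwise active line, like the `# http` above, is kept because only lines that start with `#` are removed.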
So the server's not interfering with SSL connections, it's sending them right on through, but it will proxy everything else. We're allowing localhost access to manage the service and the cache, and denying everyone else access to manage it. And then we allow localhost to use the proxy server and cache and deny it to everyone else. We'll need to change this to allow other clients to connect. Squid runs on port 3128 by default, but it can be moved to a different port as well.
And then we have settings for where information will go if Squid crashes, and the refresh patterns for certain kinds of content. I'm not going to get into that here; that's a more advanced thing to configure. What we will do, though, is set up access to the proxy from another system on the same network and block a few websites so you can see how that works. To do that, we need to make ACLs, or access control lists. I'll open up the configuration file.
And I'll scroll down to the section with ACLs. I'll create an ACL called localnet with a source address range of my 10.2.0.2 network. I'll also create an ACL to block a few sites. I'll call it badsites, and for this the rule type we'll use is destination domains, or dstdomain, with the values .example.com and .rouxacademy.com.
And then down here in the http_access section, I'll set two access rules. First, I'll write http_access deny badsites. And then I'll write http_access allow localnet. These rules are evaluated in sequence, so if I had switched the order of these, none of my blocked sites would actually be blocked. Alright, I'll save this.
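The two ACLs and two http_access rules from the steps above, as an added example that is not the video's own file. The fragment prints the configuration to append to /etc/squid/squid.conf, and the helper checks the ordering point the narrator makes: Squid stops at the first http_access line that matches, so the deny rule must come before the allow rule. The 10.0.2.0/24 range is an assumption chosen to cover the 10.0.2.x hosts shown later in the video; the blocked domains are the ones named in the video.

```shell
#!/bin/sh
# Added example: localnet / badsites ACLs for squid.conf plus an ordering check.

squid_acl_fragment() {
cat <<'EOF'
# Clients allowed to use the proxy (assumed /24 covering the 10.0.2.x hosts)
acl localnet src 10.0.2.0/24
# Destination domains to block; the leading dot also matches subdomains
acl badsites dstdomain .example.com .rouxacademy.com
# Order matters: the first matching http_access line decides the request
http_access deny badsites
http_access allow localnet
EOF
}

# Returns 0 when the first "http_access deny <deny-acl>" is listed before the
# first "http_access allow <allow-acl>", 1 otherwise (including when either
# rule is missing).  $1: config file, $2: deny ACL name, $3: allow ACL name
deny_precedes_allow() {
    awk -v deny="$2" -v allow="$3" '
        $1 == "http_access" && $2 == "deny"  && $3 == deny  && !d { d = NR }
        $1 == "http_access" && $2 == "allow" && $3 == allow && !a { a = NR }
        END { exit !(d && a && d < a) }
    ' "$1"
}

# Stand-alone demo: write the fragment to a temp file and verify the order
CONF="$(mktemp)"
squid_acl_fragment > "$CONF"
if deny_precedes_allow "$CONF" badsites localnet; then
    echo "deny badsites is evaluated before allow localnet: ok"
else
    echo "warning: allow localnet would match first, badsites is never blocked"
fi
rm -f "$CONF"
```

After appending the fragment to the real configuration, `squid -k parse` reports syntax errors before you restart the service, so a typo in an ACL line does not take the proxy down.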
And I'll exit. And then I'll restart the Squid service. It takes 30 seconds because it's waiting for active connections to finish. I'll also make sure that port 3128 is open on my server; otherwise my clients wouldn't be able to connect. And I'll check the IP address of the system so I know where to connect from my client.
This machine is 10.0.2.9. Okay, now I'll switch over to a client machine and open up a browser there. I'll go into Settings, choose Preferences, and search for proxy. Then I'll click the Settings button and I'll add my proxy server in here: 10.0.2.9, port 3128.
And I'll click OK. Then I'll open up a new tab and browse to a site. And then let's try to visit example.com, one of the sites that I blocked. And I can see I'm denied access. Back on the server, I can take a look at the Squid access log to see what kind of activity the proxy is seeing. Alright, cat /var/log/squid/access.log.
Here I can see a bunch of requests from the client 10.0.2.8. In this case, gstatic.com on port 443 was sent through with a CONNECT. That's an encrypted connection, so our proxy didn't do anything with it. Here I can see that I requested to GET example.com and that was denied. Instead, we served up an error page from the Squid proxy. Okay, let's take a quick look at some basic features of Squid, and as I mentioned before, there's a lot you can do with a Squid proxy if you take the time to configure it.
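Reading access.log by hand works for a handful of lines, but the three things the narrator picks out (CONNECT tunnels passed straight through, denied requests, and what the cache did) are easy to pull out with awk. This is an added example, not from the video; the log lines it parses are constructed in Squid's native access.log layout (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) to mirror what the narrator sees, with TEST-NET addresses standing in for the real upstream hosts.

```shell
#!/bin/sh
# Added example: summarise a Squid access.log in native format.

# Constructed sample log (not a real capture); fields are whitespace separated
sample_access_log() {
cat <<'EOF'
1700000000.101    231 10.0.2.8 TCP_TUNNEL/200 4523 CONNECT www.gstatic.com:443 - HIER_DIRECT/192.0.2.10 -
1700000001.204      0 10.0.2.8 TCP_DENIED/403 3897 GET http://example.com/ - HIER_NONE/- text/html
1700000002.330    118 10.0.2.8 TCP_MISS/200 1256 GET http://www.example.org/ - HIER_DIRECT/192.0.2.20 text/html
1700000003.412      2 10.0.2.8 TCP_MEM_HIT/200 1256 GET http://www.example.org/ - HIER_NONE/- text/html
EOF
}

# Field layout: $3 client, $4 result/status, $6 method, $7 URL

# Print "client method result url" for every request the ACLs denied
denied_requests() {
    awk '$4 ~ /^TCP_DENIED\// { print $3, $6, $4, $7 }' "$1"
}

# Count CONNECT tunnels, i.e. encrypted traffic Squid passed straight through
count_tunnels() {
    awk '$6 == "CONNECT" { n++ } END { print n + 0 }' "$1"
}

# Count responses served from the cache (any *_HIT result code)
count_cache_hits() {
    awk '$4 ~ /_HIT\// { n++ } END { print n + 0 }' "$1"
}

# Stand-alone demo on the constructed sample
LOG="$(mktemp)"
sample_access_log > "$LOG"
echo "tunnels:    $(count_tunnels "$LOG")"
echo "cache hits: $(count_cache_hits "$LOG")"
echo "denied:"
denied_requests "$LOG"
rm -f "$LOG"
```

Point the functions at /var/log/squid/access.log on the proxy to get the same summary for real traffic; the denied list is the quickest way to confirm a badsites rule is matching, and the tunnel count shows how much traffic the proxy never inspects or caches.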
Normally, for example, Squid keeps its cache in memory, but you can also configure it to write to disk. Using an in-memory cache is faster, but if the Squid service restarts, all that information goes away. Using a disk cache lets you persist the data, even if it is a little bit slower to access. You can also tune how much information Squid keeps and how long it will consider content fresh before expiring it and removing it from the cache. You can add per-user authentication, you can block or enable access to certain ports and protocols, and more.
Be sure to check out the comments in the squid.conf file for a lot more information, and to read the Squid documentation online at squid-cache.org. Overall, you can control access pretty well by forcing your users to use a proxy server, as long as you also deny them access to the internet without using the proxy. That's a topic for another episode though.
Note: Because this is an ongoing series, viewers will not receive a certificate of completion.