How to Install and Configure Squid Proxy Server

How to Configure Squid Proxy Server with Authentication on a Custom Port Allowing All Ports

Table of Contents

  1. Introduction
  2. Prerequisites
  3. Step 1: Install Squid
  4. Step 2: Change the Default Listening Port
  5. Step 3: Enable Username and Password Authentication
  6. Step 4: Allow Access to All Ports
  7. Step 5: Finalize the Squid Configuration
  8. Step 6: Adjust Firewall Settings
  9. Step 7: Restart and Enable Squid Service
  10. Step 8: Test the Proxy Server
  11. Conclusion
  12. Additional Tips

Introduction

Squid is a high-performance proxy caching server for web clients, supporting HTTP, HTTPS, FTP, and more. This guide will walk you through configuring Squid to:

  • Allow access to all ports
  • Provide HTTP and HTTPS access
  • Require username and password authentication
  • Listen on a custom port instead of the default 3128

By following these steps, you’ll restrict proxy use to authenticated users while keeping port access flexible.


Prerequisites

  • A server running a Linux distribution (Ubuntu, Debian, CentOS, etc.)
  • Root or sudo user access
  • Basic knowledge of command-line operations

Step 1: Install Squid

First, install Squid on your server.

For Debian/Ubuntu Systems:

sudo apt-get update
sudo apt-get install squid

For CentOS/RHEL Systems:

sudo yum install squid

For Fedora Systems:

sudo dnf install squid

Step 2: Change the Default Listening Port

By default, Squid listens on port 3128. You can change this to a port of your choice (e.g., 8080).

  1. Open the Squid Configuration File:
   sudo nano /etc/squid/squid.conf
  2. Modify the http_port Directive: Find the line containing http_port and change it:
   http_port 8080
  • Replace 8080 with your desired port number.
  3. Save and Close the File: Press Ctrl + X, then Y, and Enter to save changes.

Step 3: Enable Username and Password Authentication

To restrict access, you can enable Basic HTTP Authentication using the htpasswd utility.

Install the htpasswd Utility

The htpasswd command is part of the Apache utilities.

For Debian/Ubuntu Systems:

sudo apt-get install apache2-utils

For CentOS/RHEL Systems:

sudo yum install httpd-tools

Create the Password File

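  1. Create a Directory for the Password File (if it does not already exist):
   sudo mkdir -p /etc/squid
  2. Create the Password File and Add a User:
   sudo htpasswd -c /etc/squid/passwd your_username
  • Replace your_username with your desired username.
  • You’ll be prompted to enter and confirm a password.
  • Note: Use the -c flag only when creating the file for the first time; it overwrites an existing file and removes the users already in it.
  3. Set Appropriate Permissions:
   sudo chown proxy:proxy /etc/squid/passwd
   sudo chmod 640 /etc/squid/passwd
  • Note: proxy is the Squid service account on Debian/Ubuntu. On CentOS/RHEL and Fedora the packaged service runs as the squid user, so assign the file to that account there.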

Configure Squid to Use Authentication

  1. Open the Squid Configuration File:
   sudo nano /etc/squid/squid.conf
  2. Add the Following Lines to Enable Authentication:
   # Enable Basic Authentication
   auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
   auth_param basic realm "Proxy Authentication Required"
   auth_param basic credentialsttl 2 hours
   auth_param basic casesensitive on

   # Define ACL for authenticated users
   acl authenticated_users proxy_auth REQUIRED

   # Allow authenticated users
   http_access allow authenticated_users
  • Note: The path /usr/lib/squid/basic_ncsa_auth may vary. Use the find command to locate it: sudo find / -name basic_ncsa_auth
  3. Comment Out or Remove Other http_access Rules that May Allow Unauthenticated Access. Squid evaluates http_access lines from top to bottom and applies the first one that matches, so any allow rule left above these lines lets matching clients through without a login.

Step 4: Allow Access to All Ports

To permit access to all ports, you need to define an ACL and adjust the http_access rules.

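  1. Open the Squid Configuration File:
   sudo nano /etc/squid/squid.conf
  2. Add the Following ACL:
   acl all_ports port 1-65535
  3. Modify the http_access Rule (this replaces the http_access allow authenticated_users line added in Step 3):
   http_access allow authenticated_users all_ports
  • Note: Because Squid stops at the first matching http_access line, this rule only governs requests that an earlier line has not already allowed or denied.
  4. Ensure the Deny Rule is at the End of the http_access Rules:
   http_access deny all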

Step 5: Finalize the Squid Configuration

Your updated /etc/squid/squid.conf should include:

# Squid Configuration File

# Change default listening port
http_port 8080

# Enable Basic Authentication
auth_param basic program /path/to/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm "Proxy Authentication Required"
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

# Define ACLs
acl authenticated_users proxy_auth REQUIRED
acl all_ports port 1-65535

# Allow authenticated users to access all ports
http_access allow authenticated_users all_ports

# Deny all other access
http_access deny all

# Recommended settings
forwarded_for off
via off

# Logging (optional)
access_log /var/log/squid/access.log squid

Note: Replace /path/to/basic_ncsa_auth with the actual path found using the find command.
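
The rule ordering that Steps 3 to 5 depend on can be checked mechanically. The script below is an added example, not part of the original guide: it reports allow rules that lack a proxy_auth ACL, deny rules evaluated before the authenticated allow, and rules placed after deny all. The function name and both sample configurations are constructed for illustration.

```bash
# Added example, not part of the original guide: lint http_access ordering.
# Squid checks http_access lines top to bottom and stops at the first match.
lint_http_access() {   # reads squid.conf from file $1 or stdin; one finding per line
  awk '
    { sub(/#.*/, "") }                                   # strip comments
    $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }   # ACLs that force a login
    $1 != "http_access" { next }
    closed { print "line " NR ": unreachable, placed after deny all"; next }
    $2 == "deny" && $3 == "all" && NF == 3 { closed = 1; next }
    $2 == "deny" && !authed { print "line " NR ": deny precedes the authenticated allow: " $0; next }
    $2 == "allow" {
      ok = 0
      for (i = 3; i <= NF; i++) if ($i in auth) ok = 1
      if (ok) authed = 1
      else print "line " NR ": allow without a proxy_auth ACL: " $0
    }
    END { if (!closed) print "no terminating http_access deny all" }
  ' "${1:--}"
}

sample_drifted() {   # constructed: stock-style rules left in place around the guide's lines
  cat <<'EOF'
acl Safe_ports port 80 443
acl SSL_ports port 443
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
acl authenticated_users proxy_auth REQUIRED
acl all_ports port 1-65535
http_access allow authenticated_users all_ports
http_access deny all
http_access allow localhost
EOF
}

sample_guide() {     # constructed: the access rules from the Step 5 configuration
  cat <<'EOF'
http_port 8080
acl authenticated_users proxy_auth REQUIRED
acl all_ports port 1-65535
http_access allow authenticated_users all_ports
http_access deny all
EOF
}

sample_drifted | lint_http_access   # four findings
sample_guide | lint_http_access     # no output: ordering matches the guide
```

To check a live configuration, run lint_http_access /etc/squid/squid.conf; a deny finding is a prompt to review that rule, since it decides the request before the authenticated allow is reached.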


Step 6: Adjust Firewall Settings

Ensure your firewall allows incoming connections on the new port.

For UFW (Ubuntu):

sudo ufw allow 8080/tcp

For Firewalld (CentOS/RHEL):

sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload

For iptables:

sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
  • Note: To make iptables rules persistent, you may need to install additional packages like iptables-persistent.

Step 7: Restart and Enable Squid Service

Restart Squid to Apply Changes:

sudo systemctl restart squid

Enable Squid to Start on Boot:

sudo systemctl enable squid

Check Squid Status:

sudo systemctl status squid
  • Ensure the service is active and running without errors.

Step 8: Test the Proxy Server

Configure a Client to Use the Proxy

  1. Set Proxy Settings in Your Browser or System:
  • Proxy IP: Your server’s IP address.
  • Port: The port you configured (e.g., 8080).
  2. When Prompted, Enter Your Username and Password.

Verify Access

  • Open a web browser and navigate to a website.
  • Authentication should be required, and access should be granted upon providing valid credentials.

Troubleshooting

  • Check Squid Logs for Errors:
  sudo tail -f /var/log/squid/access.log
  • Ensure the Password File Has Correct Permissions.
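
With authentication enabled, access.log also shows who is failing to log in. A single TCP_DENIED/407 entry is the normal challenge sent before a client supplies credentials, so the added example below (not part of the original guide) lists only clients that collect repeated 407 responses and never complete an authenticated request. The function name, default threshold and sample log lines are constructed; the field positions assume the native squid log format selected in Step 5.

```bash
# Added example, not part of the original guide: summarise proxy-auth failures.
# Native squid log fields used: $1 time, $3 client IP, $4 result/status, $8 user.
flag_auth_failures() {   # $1 = minimum number of 407s (default 5); access.log on stdin
  awk -v min="${1:-5}" '
    $4 == "TCP_DENIED/407" {
      if (!($3 in denied)) first[$3] = $1 ""   # timestamp of the first 407
      denied[$3]++
      last[$3] = $1 ""                         # timestamp of the latest 407
      next
    }
    NF >= 8 && $8 != "-" { authed[$3] = 1 }    # request logged with a user name
    END {
      for (ip in denied)
        if (denied[ip] >= min && !(ip in authed))
          print ip, denied[ip], first[ip], last[ip]
    }
  ' | sort
}

sample_log() {   # constructed lines in the native access.log format
  cat <<'EOF'
1700000000.101      3 198.51.100.23 TCP_DENIED/407 4121 CONNECT example.com:443 - HIER_NONE/- text/html
1700000000.450    210 198.51.100.23 TCP_TUNNEL/200 5320 CONNECT example.com:443 alice HIER_DIRECT/192.0.2.80 -
1700000010.002      1 203.0.113.9 TCP_DENIED/407 4121 GET http://example.org/ - HIER_NONE/- text/html
1700000011.340      1 203.0.113.9 TCP_DENIED/407 4121 GET http://example.org/ - HIER_NONE/- text/html
1700000012.118      1 203.0.113.9 TCP_DENIED/407 4121 GET http://example.org/ - HIER_NONE/- text/html
1700000013.907      1 203.0.113.9 TCP_DENIED/407 4121 GET http://example.org/ - HIER_NONE/- text/html
1700000014.555      1 203.0.113.9 TCP_DENIED/407 4121 GET http://example.org/ - HIER_NONE/- text/html
EOF
}

# Columns printed: client IP, number of 407s, first and last timestamp.
sample_log | flag_auth_failures 5
```

Against the live log, run sudo cat /var/log/squid/access.log | flag_auth_failures 20 and tune the threshold to your normal client behaviour.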

Conclusion

You’ve successfully configured Squid to:

  • Listen on a custom port
  • Require username and password authentication
  • Allow access to all ports for authenticated users

This setup enhances security by restricting proxy usage to authorized users while providing flexibility in port access.


Additional Tips

  • Security Considerations:
  • Basic Authentication transmits credentials in Base64 encoding, which is not encrypted.
  • For enhanced security, consider setting up SSL/TLS encryption.
  • Adding More Users:
  • To add additional users, run: sudo htpasswd /etc/squid/passwd new_username
  • Monitor Squid Performance:
  • Regularly check logs and monitor performance to ensure optimal operation.
  • Regular Updates:
  • Keep your system and Squid package updated to benefit from security patches and improvements.

Need Further Assistance?

If you have questions or need help troubleshooting, feel free to reach out to the community or consult the Squid documentation.