How To Install and Configure Squid as Transparent Proxy Server under Linux and FreeBSD
Squid is a proxy server and web cache daemon. It has a wide variety of uses: caching web content, filtering traffic, and caching DNS and other network lookups for a group of people sharing network resources.
Squid is primarily designed to run on Unix-like systems, but it also runs on Windows. In this tutorial I'll show you how to install and configure Squid as a transparent proxy server under Linux and FreeBSD.
Proxy server software works over TCP/IP: it listens on a dedicated port such as 3128 or 8080. A computer that runs proxy server software is called a proxy server. For another computer to reach the Internet through the proxy, it normally has to know the proxy server's IP address and port; a transparent proxy removes that requirement, because the firewall redirects the traffic to the proxy without the client being configured for it.
1. Squid Installation
Squid source code is available from squid-cache.org. Installation instructions are in the README file inside the source tarball. There are also binary packages for CentOS, Fedora, Red Hat Enterprise Linux, Ubuntu, Debian, FreeBSD and NetBSD.
To install Squid under CentOS/Fedora/RHEL, enter:
yum install squid
To install Squid under Debian/Ubuntu, enter:
sudo apt-get install squid
To install Squid under FreeBSD, enter (make sure the SQUID_PF and SQUID_AUFS options are checked):
cd /usr/ports/www/squid
make install clean
Now, create the cache and log directories and set the proper permissions:
mkdir /squid
mkdir /var/log/squid
chown -R squid:squid /squid
chown -R squid:squid /var/log/squid
2. Squid configuration
The configuration file is usually located in /etc/squid/squid.conf (Linux) and /usr/local/etc/squid/squid.conf (FreeBSD).
Modify or add the following Squid directives in squid.conf:
# Set the port you want to act as a proxy
http_port 192.168.0.1:3128 transparent

# Squid hostname
visible_hostname squidproxy.example.com

# Admin e-mail
cache_mgr sysadmin@example.com

# DNS Servers (not required)
# Use this if you want to specify a list of DNS name servers to use instead of those
# given in your /etc/resolv.conf file.
#dns_nameservers 127.0.0.1 192.168.0.1

# Squid logs
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

# Defines an access log format.
logformat custom %{%Y-%m-%d %H:%M:%S}tl %03tu %>a %tr %ul %ui %Hs %mt %rm %ru %rv %st %Sh %Ss

# The cache can emulate the log file format which many 'httpd' programs use.
# To disable/enable this emulation, set emulate_httpd_log to 'off' or 'on'.
# The default is to use the native log format since it includes useful information Squid-specific log analyzers use.
#emulate_httpd_log off

# Rotate log files
# logfile_rotate specifies the number of logfile rotations to make when you type 'squid -k rotate'.
# The default is 10, which will rotate with extensions 0 through 9.
# Setting logfile_rotate to 0 will disable the file name rotation.
#logfile_rotate 10

# PID filename (not required)
#pid_filename /var/run/squid.pid
#pid_filename /var/squid/logs/squid.pid

# User and group for Squid
cache_effective_user squid
cache_effective_group squid

# Cache directory
# You can specify multiple cache_dir lines to spread the cache among different disk partitions.
# 20000 MB, 64 directories, 128 sub-directories for each directory
cache_dir aufs /squid 20000 64 128

# The ideal amount of memory to be used for In-Transit objects, Hot Objects and Negative-Cached objects
cache_mem 96 MB

# Objects greater than this size will not be kept in the memory cache.
# This should be set high enough to keep frequently accessed objects in memory to improve performance
maximum_object_size_in_memory 32 KB

# Objects larger than this size will NOT be saved on disk.
# The value is specified in kilobytes.
maximum_object_size 32768 KB

# The size, low-, and high-water marks for the IP cache.
ipcache_size 4096

# Maximum number of FQDN cache entries.
fqdncache_size 4096

# Do not log ICP queries to access.log.
# You may wish to disable this if your ICP load is VERY high to speed things up or to simplify log analysis.
log_icp_queries off

# Enable persistent connection support for clients and servers.
# By default, Squid uses persistent connections (when allowed) with its clients and servers.
server_persistent_connections on
client_persistent_connections on

# Set timeouts
# dead_peer_timeout controls how long Squid waits to declare a peer cache as "dead."
dead_peer_timeout 30 seconds
# peer_connect_timeout specifies how long to wait for a pending TCP connection to a peer cache.
peer_connect_timeout 30 seconds
# Normally Squid will automatically determine an optimal ICP query timeout value based on the
# round-trip-time of recent ICP queries. If you want to override the value determined by Squid,
# set 'icp_query_timeout' to a non-zero value (milliseconds).
#icp_query_timeout 5000

# The port number where Squid sends and receives ICP queries to and from neighbor caches.
# zero to disable
icp_port 0

# Do not cache dynamic files and dstdomains
hierarchy_stoplist cgi-bin php asp conf ?
acl QUERY urlpath_regex cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ \.conf$
acl nocache-domain dstdomain .mail.yahoo.com .login.yahoo.com .gmail.com
no_cache deny QUERY
no_cache deny nocache-domain
acl myself dst 127.0.0.1 192.168.0.1
always_direct allow myself
always_direct allow nocache-domain
always_direct allow QUERY

# other settings
# Only if you want your Squid box to cache aggressively, not recommended
#refresh_pattern -i kh.google 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
#refresh_pattern -i keyhole.com 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i \.gif$ 10080 100% 43200
#refresh_pattern -i \.jpg$ 10080 100% 43200
#refresh_pattern -i \.jpeg$ 10080 100% 43200
#refresh_pattern -i \.png$ 10080 100% 43200
#refresh_pattern -i \.bmp$ 10080 100% 43200
#refresh_pattern -i \.mid$ 10080 100% 43200
#refresh_pattern -i \.wav$ 10080 100% 43200
#refresh_pattern -i \.ico$ 10080 100% 43200
#refresh_pattern -i \.yim$ 10080 100% 43200
#refresh_pattern -i \.jar$ 10080 100% 43200
#refresh_pattern -i \.ldict$ 10080 100% 43200
#refresh_pattern -i \.swf$ 10080 100% 43200
#refresh_pattern -i \.class$ 10080 100% 43200
#refresh_pattern -i \.cab$ 10080 100% 43200
#refresh_pattern . 0 20% 4320
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
connect_timeout 60 seconds
request_timeout 3 minutes
persistent_request_timeout 1 minute
read_timeout 15 minutes
client_lifetime 1 day
half_closed_clients off
pconn_timeout 2 minutes
shutdown_lifetime 1 seconds

# Configure downloading even after aborted requests.
quick_abort_min 0 KB
quick_abort_max 0 KB

# Access control list
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl LAN src 192.168.0.0/255.255.255.0
acl VPN src 192.168.2.0/255.255.255.0
acl user src 192.168.1.1 192.168.2.1
acl SSL_ports port 443 563 5190 5050
acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777
acl purge method PURGE
acl CONNECT method CONNECT
acl spammers dstdomain .example1.com .example2.com
acl urls url_regex http://www.example3.?
#acl fileext url_regex -i .xyz .zyx
deny_info TCP_RESET spammers
deny_info TCP_RESET urls
http_access deny spammers
http_access deny urls
#http_access deny fileext
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow LAN
http_access allow VPN
http_access allow user
http_access deny all
#http_reply_access allow user
#http_reply_access deny all
#icp_access allow user
#icp_access deny all
#miss_access allow user
#miss_access deny all
In this example Squid listens on IP address 192.168.0.1, port 3128. The transparent option tells Squid to treat connections arriving on this address and port as intercepted (transparent proxy) traffic. This completes the Squid side of the transparent proxy setup; review the ACL rules and the generic settings and change them to suit your network. Keep in mind that http_access rules are evaluated top to bottom and the first match wins, which is why the deny rules for unsafe ports come before the allow rules and the list ends with deny all. The directive names used here are those of Squid 2.x; newer releases rename some of them (intercept replaces transparent, for example), and squid -k parse reports any directive your installed version does not accept.
After making changes to the configuration file, you must make Squid reread it using
squid -k reconfigure
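Because Squid stops at the first matching http_access line, a rule placed in the wrong order silently widens what the proxy lets through. The script below is an added example, not part of the tutorial or of Squid itself: it writes a constructed, cut-down squid.conf (the sample path and its contents are assumptions for the example) and statically checks the ordering properties the tutorial's ACL block relies on: the port-based denies precede any allow, and the list ends with deny all. Point check_http_access at a real squid.conf to check it; this complements, but does not replace, squid -k parse.

```sh
#!/bin/sh
# Added example (not the tutorial's or Squid's own code): static check of the
# http_access ordering in a squid.conf. Squid evaluates http_access lines top
# to bottom and stops at the first match, so the port-based denies must come
# before any allow and the last line must be "deny all".

# Writes a constructed, cut-down squid.conf to the given path (assumed
# default: /tmp/squid-sample.conf) and prints that path.
make_sample_conf() {
    f="${1:-/tmp/squid-sample.conf}"
    cat > "$f" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl LAN src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow LAN
http_access deny all
EOF
    printf '%s\n' "$f"
}

# check_http_access FILE: prints "ok" when the ordering is safe, otherwise one
# problem per line; the exit status is 1 when any problem was found.
check_http_access() {
    awk '
    function problem(msg) { bad = 1; print msg }
    $1 == "http_access" {
        n++
        last = $2 " " $3
        if ($2 == "allow") seen_allow = 1
        if ($2 == "deny" && $3 == "!Safe_ports") {
            have_safe = 1
            if (seen_allow) problem("deny !Safe_ports comes after an allow")
        }
        if ($2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports") {
            have_ssl = 1
            if (seen_allow) problem("deny CONNECT !SSL_ports comes after an allow")
        }
    }
    END {
        if (n == 0) problem("no http_access rules found")
        else if (last != "deny all") problem("last http_access line is not \"deny all\"")
        if (!have_safe) problem("missing: http_access deny !Safe_ports")
        if (!have_ssl) problem("missing: http_access deny CONNECT !SSL_ports")
        if (!bad) print "ok"
        exit bad + 0
    }' "$1"
}

# Usage: check the constructed sample, or a squid.conf given as first argument.
conf=$(make_sample_conf /tmp/squid-sample.conf)
check_http_access "${1:-$conf}"
```

The check is deliberately narrow: it only reasons about the three properties above and knows nothing about ACL definitions, so a typo in an acl name still needs squid -k parse to catch it.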
3. Firewall Configuration for Transparent Proxy
Linux and iptables
Next, add the following rule to redirect all HTTP requests (TCP destination port 80) arriving on the LAN interface eth1 to the Squid server on port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
FreeBSD and PF
Add the following line to /etc/pf.conf :
rdr on rl0 inet proto tcp from 192.168.1.0/24 to any port www -> 192.168.0.1 port 3128
NOTE: You may need to change the network interfaces (eth0, eth1, xl0), IP addresses and ports according to your system configuration. Apply the redirect only on the interface facing your clients, so that traffic from other networks is not pulled into the proxy.
4. Finishing settings and testing the proxy
Enable squid to start on boot by typing:
CentOS/Fedora/RHEL:
chkconfig squid on
Debian/Ubuntu:
sudo update-rc.d squid enable
FreeBSD:
echo "squid_enable=YES" >> /etc/rc.conf
Before the first start, run Squid with the -z option to create the cache swap directories:
squid -z
If everything is OK, start the Squid service by typing:
CentOS/Fedora/RHEL and Debian/Ubuntu:
service squid start
FreeBSD:
/usr/local/etc/rc.d/squid start
Now you can test whether the proxy works by accessing http://checker.samair.ru from a client on the LAN; the page reports whether the request arrived through a proxy.
Always check cache.log for any error.
NOTE: For debugging, run squid -NDCd1 (no daemon mode, skip the startup DNS test, do not catch fatal signals, and write debug output at level 1 to stderr).
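Checking cache.log by hand is fine once; for day-to-day operation you want a repeatable look at what the proxy refused and what it complained about. The script below is an added example, not the tutorial's or Squid's own code. It writes constructed sample files (the directory, the log lines and the timestamps are all assumptions made up for this example) in the native access.log layout the tutorial's cache_access_log directive produces (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type) and in cache.log's timestamped free-text layout, then counts denied requests per client, denied CONNECT attempts (the deny CONNECT !SSL_ports rule firing), and cache.log lines tagged WARNING, ERROR or FATAL. Point the functions at /var/log/squid/access.log and cache.log to run them on a live box.

```sh
#!/bin/sh
# Added example (not the tutorial's or Squid's own code): quick checks over
# the access.log and cache.log that the tutorial's configuration produces.

# Writes constructed sample logs under the given directory (assumed default:
# /tmp/squid-log-sample) and prints that directory. Every line below is made
# up for this example; TCP_DENIED is the result code Squid records when an
# http_access rule rejects a request.
make_sample_logs() {
    d="${1:-/tmp/squid-log-sample}"
    mkdir -p "$d"
    cat > "$d/access.log" <<'EOF'
1260000000.123     45 192.168.0.25 TCP_MISS/200 2345 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1260000001.456      0 192.168.0.25 TCP_DENIED/403 1493 CONNECT mail.example.net:25 - NONE/- text/html
1260000002.789      0 10.0.0.7 TCP_DENIED/403 1493 GET http://www.example.com/ - NONE/- text/html
1260000003.000     12 192.168.0.40 TCP_HIT/200 4096 GET http://www.example.com/logo.png - NONE/- image/png
1260000004.000      0 10.0.0.7 TCP_DENIED/403 1493 GET http://www.example.com/admin - NONE/- text/html
EOF
    cat > "$d/cache.log" <<'EOF'
2009/12/05 10:00:00| Starting Squid Cache version X.Y (placeholder) ...
2009/12/05 10:00:00| Accepting transparently proxied HTTP connections at 192.168.0.1, port 3128, FD 12.
2009/12/05 10:00:01| WARNING: example warning line constructed for this sample
2009/12/05 10:00:02| Ready to serve requests.
EOF
    printf '%s\n' "$d"
}

# denied_by_client ACCESS_LOG: denied requests per client IP, busiest first.
# Field 3 is the client address and field 4 the Squid result code/status.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# denied_connects ACCESS_LOG: how many CONNECT requests were refused, which
# with the tutorial's ACLs means tunnels to ports outside SSL_ports.
denied_connects() {
    awk '$4 ~ /^TCP_DENIED\// && $6 == "CONNECT" { n++ } END { print n + 0 }' "$1"
}

# cache_log_problems CACHE_LOG: lines Squid tagged WARNING, ERROR or FATAL.
cache_log_problems() {
    grep -E '\| (WARNING|ERROR|FATAL)' "$1"
}

# Usage: run the checks over the constructed sample.
d=$(make_sample_logs /tmp/squid-log-sample)
echo "Denied requests per client:"
denied_by_client "$d/access.log"
echo "Denied CONNECT attempts: $(denied_connects "$d/access.log")"
echo "cache.log entries to review:"
cache_log_problems "$d/cache.log" || echo "(none)"
```

A client that keeps showing up in denied_by_client is either misconfigured or probing the proxy, and repeated denied CONNECT attempts to ports such as 25 are worth a closer look; both are visible only because the deny rules sit before the allows and Squid logs the refusal.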
If you are looking for a high-anonymity proxy or VPN provider to allow you to surf in private and protect your online identity, then you might want to take a look at SSLPrivateProxy.com. I've been using a few private proxies from them for the last month and they've been working perfectly.
Use these coupons to get a 10% discount:
SPP10FREE - for proxy services
SPP10VPN - for VPN services