Squid 2.6.x proxy configuration

From LinuxReviews

Squid is a heavyweight proxy that can be used both as a local (forward) proxy and as a reverse proxy. Lightweight proxies such as Polipo may be preferable for single users, especially on low-resource systems. Here is a sample configuration for using Squid as a proxy chained to an upstream proxy such as Privoxy:

File: /etc/squid/squid.conf
# Access control directives. These have no effect on their
# own - they are later used by the access rules.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT

acl purge method PURGE
acl CONNECT method CONNECT

# Allow localhost to manage the cache
http_access allow manager localhost
http_access deny manager

# Allow localhost to purge the cache
http_access allow purge localhost
http_access deny purge

# Deny all ports except those mentioned as safe-ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow access to use Squid from localhost
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all

coredump_dir /var/cache/squid

never_direct allow Safe_ports

# Listening port
http_port 3128

# Parent proxy
cache_peer      localhost       parent  8118    7       no-query default

# Important: do not reveal the client or this proxy chain to the
# upstream proxy and origin servers. The two header_access lines strip
# the Via and From headers (header_access is the 2.6 directive name;
# 3.x renamed it request_header_access). Note that forwarded_for off
# does not remove X-Forwarded-For; Squid sends "X-Forwarded-For: unknown"
# instead of the client address.
header_access via deny all
header_access from deny all
forwarded_for off
visible_hostname 127.0.0.1

access_log /var/log/squid/access_log_v3
cache_access_log /var/log/squid/cache_access_log_v3

# Memory control
cache_mem 64 MB
cache_dir ufs /var/cache/squid 256 16 128

This configuration assumes there is an upstream proxy listening on port 8118 on localhost (Privoxy's default). If you are not using an upstream proxy, remove this line:

File: /etc/squid/squid.conf
# Parent proxy
cache_peer      localhost       parent  8118    7       no-query default

...and also remove the "never_direct allow Safe_ports" line. never_direct forces Squid to send every matching request through a parent; with no cache_peer left, Squid cannot forward anything and fails requests instead of fetching them directly.

Transparent squid proxy (using iptables)

Using iptables (the interface names are examples; adjust them to your setup). Note that the squid.conf above only allows requests from localhost, so intercepted clients on the internal network would be denied: add an acl for the internal network and a matching "http_access allow" line before "http_access deny all", and change the listening port to "http_port 3128 transparent" so that Squid 2.6 accepts intercepted connections. The REDIRECT rule only catches TCP port 80 arriving from hosts behind this machine; HTTPS and other ports are not proxied by it.

File: iptables config script
IPTABLES=/sbin/iptables
INTIF=eth1 # internal network interface
EXTIF=eth0 # external default route / public interface
# Let packets belonging to already established flows pass from the internal side out
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Send TCP port 80 traffic arriving on the internal interface to Squid on port 3128
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to 3128
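The http_access lines in the squid.conf above are evaluated first match wins, with all terms on one line ANDed and "!" negating a term, and this ordering is what decides whether a redirected client gets through. The following added Python example (not code from the page or from Squid) transcribes those ACLs and access lines and applies the same rule, so you can check a request before touching the live proxy. It also shows what a "lan" ACL for the internal network changes: that ACL, the 192.168.0.0/16 range, the sample destination address and the request tuples are constructed assumptions, not part of the page's configuration.

```python
"""Simulate Squid's http_access evaluation for the rules in the squid.conf
above: the first http_access line whose every term matches decides; if no
line matches, the opposite of the last line's action applies."""
import ipaddress

# ACL name -> (type, values), transcribed from the configuration above.
# Netmask notation is converted to prefix length (127.0.0.1/255.255.255.255 -> /32).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "manager": ("proto", ["cache_object"]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                            (210, 210), (1025, 65535), (280, 280), (488, 488),
                            (591, 591), (777, 777), (901, 901)]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
    # Assumed, not in the page's config: an ACL for the internal network.
    "lan": ("src", ["192.168.0.0/16"]),
}

# http_access lines in file order: (action, terms); a leading '!' negates a term.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny",  ["purge"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

# The same rules with "http_access allow lan" inserted before the final deny,
# which is what intercepted clients on the internal network need.
HTTP_ACCESS_WITH_LAN = HTTP_ACCESS[:-1] + [("allow", ["lan"])] + HTTP_ACCESS[-1:]


def request(src, method, port, dst="203.0.113.10", proto="http"):
    """A simplified request: client address, method, destination port,
    destination address and URL scheme (cache_object for the manager)."""
    return {"src": src, "method": method, "port": port, "dst": dst, "proto": proto}


def acl_matches(name, req):
    """True if the named ACL matches the request."""
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("unsupported acl type %s" % kind)


def http_access(req, rules=HTTP_ACCESS):
    """Return 'allow' or 'deny' for req under rules, Squid-style."""
    for action, terms in rules:
        # Every term on the line must hold; '!' inverts a single term.
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    cases = [
        ("localhost GET :80", request("127.0.0.1", "GET", 80)),
        ("localhost CONNECT :443", request("127.0.0.1", "CONNECT", 443)),
        ("localhost CONNECT :8080", request("127.0.0.1", "CONNECT", 8080)),
        ("localhost GET :22", request("127.0.0.1", "GET", 22)),
        ("LAN client GET :80", request("192.168.1.10", "GET", 80)),
        ("LAN client cache manager", request("192.168.1.10", "GET", 3128, proto="cache_object")),
    ]
    for label, req in cases:
        print("%-26s page rules: %-5s with lan acl: %s"
              % (label, http_access(req), http_access(req, HTTP_ACCESS_WITH_LAN)))
```

Run as a script it prints the decision for each constructed request under both rule sets. Two things worth noticing: the page's rules deny a 192.168.1.10 client outright, which is why a transparent setup needs the extra ACL, and because "deny CONNECT !SSL_ports" and "deny manager" come earlier in the list, the added "allow lan" still does not let LAN clients tunnel to arbitrary ports or reach the cache manager.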

Only TCP port 80 is redirected, so this configuration may leak DNS requests: the clients still resolve names themselves and their queries leave through the normal route, revealing the hostnames being visited even though the HTTP traffic goes through the proxy chain. If you want to forward DNS with iptables as well, you need something on this machine that answers the redirected queries, such as dns-proxy-tor. It can be done using this line:

File: iptables config script
$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to 65533

...where 65533 is the port dns-proxy-tor is listening on. This rule only covers UDP; DNS queries sent over TCP port 53 are not redirected by it.