Squid 2.6.x proxy configuration
From LinuxReviews
Squid is a heavyweight proxy which can be used both as a local proxy and as a reverse proxy. Lightweight proxies such as Polipo may be preferred for single users (especially on low-resource systems). Here is a sample configuration for using Squid as a proxy with an upstream proxy such as Privoxy:
File: /etc/squid/squid.conf
# Access control directives. These have no effect on their
# own - they are later used by the access rules.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# Allow localhost to manage the cache
http_access allow manager localhost
http_access deny manager

# Allow localhost to purge the cache
http_access allow purge localhost
http_access deny purge

# Deny all ports except those mentioned as safe-ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow access to use Squid from localhost
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all

coredump_dir /var/cache/squid
never_direct allow Safe_ports

# Listening port
http_port 3128

# Parent proxy
cache_peer localhost parent 8118 7 no-query default

# Important:
header_access via deny all
header_access from deny all
forwarded_for off
visible_hostname 127.0.0.1

access_log /var/log/squid/access_log_v3
cache_access_log /var/log/squid/cache_acces_log_v3

# Memory control
cache_mem 64 MB
cache_dir ufs /var/cache/squid 256 16 128
This configuration assumes there is an upstream proxy listening on port 8118. Remove these lines:
File: /etc/squid/squid.conf
# Parent proxy
cache_peer localhost parent 8118 7 no-query default
...if you are not using an upstream proxy.
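Squid evaluates the http_access lines above top to bottom, and the first line whose ACL terms all match decides the request (a term prefixed with ! is negated), which is why the order of the allow/deny lines matters. The following checker is an added example, not code from the LinuxReviews page or from the Squid project: it parses the acl and http_access lines of a squid.conf text and reports the things worth checking before exposing a proxy, namely ACLs that are referenced but never defined, allow lines whose every term matches any client (an open proxy for every request that reaches them), and a rule list that does not end with an explicit deny all. The set of "matches every address" spellings in ANY_SRC and the two sample configurations are constructed for the example; the first sample is the access part of the configuration shown above, the second is a common mistake.

```python
"""First-match checker for Squid 2.x http_access rules (added example,
not from the LinuxReviews page or the Squid project)."""

# Source values that match every client address (constructed list of
# the Squid 2.x spellings; extend it if your config uses others).
ANY_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0", "all"}


def parse_squid_conf(text):
    """Return (acls, rules): acls maps name -> (type, [values]);
    rules is the ordered list of (action, [terms]) from http_access."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            # repeated `acl NAME type ...` lines extend the same ACL
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def undefined_acls(acls, rules):
    """Names used in http_access lines that no acl line defines."""
    used = {term.lstrip("!") for _, terms in rules for term in terms}
    return sorted(used - set(acls))


def matches_any_client(acls, term):
    """True if `term` is a non-negated src ACL covering every address."""
    if term.startswith("!"):
        return False
    acl_type, values = acls.get(term, (None, []))
    return acl_type == "src" and any(v in ANY_SRC for v in values)


def unrestricted_allow_rules(acls, rules):
    """1-based positions of allow lines whose terms all match any client.
    Only the lines above such a line limit who gets through it."""
    return [i for i, (action, terms) in enumerate(rules, 1)
            if action == "allow" and terms
            and all(matches_any_client(acls, t) for t in terms)]


def ends_with_deny_all(acls, rules):
    """True if the last http_access line is an explicit deny of everyone.
    Squid's fallback is the opposite of the last line's action, so an
    implicit default works, but it is easy to break when editing."""
    if not rules:
        return False
    action, terms = rules[-1]
    return action == "deny" and all(matches_any_client(acls, t) for t in terms)


def lint(text):
    acls, rules = parse_squid_conf(text)
    return {
        "undefined_acls": undefined_acls(acls, rules),
        "unrestricted_allow": unrestricted_allow_rules(acls, rules),
        "ends_with_deny_all": ends_with_deny_all(acls, rules),
    }


# Constructed sample: the access part of the page's configuration.
PAGE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 443 563     # https, snews
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Constructed sample of a common mistake: an `allow all` inserted "to make
# it work" (line 1 of the rules) plus a typo in an ACL name.
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow all
http_access allow localhots
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("open config", OPEN_CONF)):
        print(label, lint(conf))
```

Run against the page's configuration the checker reports nothing; against the second sample it flags rule 1 as an unrestricted allow and localhots as undefined. The deny all at the end does not rescue the second sample, because the allow all above it matches first.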
Transparent Squid proxy (using iptables)
Using iptables:
IPTABLES=/sbin/iptables   # path to the iptables binary (assumed; the script below uses $IPTABLES without defining it)
INTIF=eth1                # internal network interface
EXTIF=eth0                # external default route / public interface
File: iptables config script
# Let reply traffic for established connections flow from the internal to the external interface
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Redirect HTTP arriving on the internal interface into Squid (--to-ports is the documented form of --to)
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 3128
This configuration may leak DNS requests: only TCP port 80 is redirected, so the clients' own DNS lookups still leave the network directly. You need dns-proxy-tor if you are going to use iptables to redirect DNS requests as well. It can be done using this line:
File: iptables config script
# Redirect DNS arriving on the internal interface to dns-proxy-tor
$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to-ports 65533
...where 65533 is the port dns-proxy-tor is listening on.
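The two iptables steps above assembled into one script, as an added example (not the page's own script): it generates the FORWARD rule, the HTTP redirect and the DNS redirect, checks that both redirects carry a target port, and only applies them when explicitly asked to as root, printing them otherwise. It assumes iptables at /sbin/iptables, Squid on 3128 and dns-proxy-tor on 65533 as in the text, and that squid.conf carries `http_port 3128 transparent`, which Squid 2.6 needs in order to accept intercepted requests; the variable names, the APPLY switch and the rules_ok check are this example's own. set -u is there so that a misspelled variable name fails loudly instead of expanding to an empty string inside an iptables command.

```shell
#!/bin/sh
# Added example (not the LinuxReviews page's own script): transparent
# Squid proxy plus DNS redirect as one dry-run-by-default script.
# Assumes: iptables at /sbin/iptables, Squid on 3128 with
# `http_port 3128 transparent` in squid.conf (required by Squid 2.6 for
# intercepted requests), dns-proxy-tor on 65533.
set -eu   # -u: an unset/misspelled variable is an error, not an empty string

IPTABLES=${IPTABLES:-/sbin/iptables}
INTIF=${INTIF:-eth1}          # internal network interface
EXTIF=${EXTIF:-eth0}          # external default route / public interface
SQUID_PORT=${SQUID_PORT:-3128}
DNS_PORT=${DNS_PORT:-65533}   # where dns-proxy-tor listens

# Print one iptables command per line.  All rules match only on $INTIF,
# so the proxy host's own outbound traffic is never redirected into Squid.
transparent_rules() {
    printf '%s\n' \
        "$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT" \
        "$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
}

# Check the generated set before applying: both redirects must be present
# and each must name its target port (guards later edits to the list).
rules_ok() {
    transparent_rules | grep -q -- "--dport 80 .*--to-ports $SQUID_PORT" || return 1
    transparent_rules | grep -q -- "--dport 53 .*--to-ports $DNS_PORT" || return 1
    return 0
}

# Apply only with APPLY=1 and as root; otherwise show what would run.
main() {
    rules_ok || { echo "rule set incomplete" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        transparent_rules | sh -e
    else
        echo "# dry run; set APPLY=1 and run as root to apply"
        transparent_rules
    fi
}

main
```

Running the script without APPLY=1 prints the three commands so they can be reviewed; after applying, `iptables -t nat -L PREROUTING -n` shows the two REDIRECT rules.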