This article looks at installing a Squid proxy server on Ubuntu 18.04. First let’s look at what a proxy is.
What is a Proxy
A proxy is an intermediary between two systems. This can be a proxy server caching images onto a network so each subsequent visitor gets a better, faster experience or a proxy can be an Apple Software Update Server running on macOS server that is specifically tuned to cache slices of apps so large networks don’t get crushed when downloading software. These are known as forward proxies.
There are also reverse proxies, which live on the side of a web server and proxy incoming requests. Tomcat, Apache (e.g. mod_proxy) and many a web services provide the ability to proxy a connection in order to shape traffic and/or filter and protect the service.
Proxies and Privacy
Proxies do come with some privacy challenges. For one, it’s really simple for a DHCP server to trick a device into routing web traffic through a proxy. This is because DHCP has a Web Proxy Autodiscovery options where we create a PAC file, put it on a web server and then configure the DHCP server to have devices blindly use that PAC:
option auto-proxy-config code 252 = ” https://krypted.com/proxy.pac”;The great thing about using DHCP to automatically configure devices to use proxies is that we can mass deploy a proxy to 10s of thousands of devices. The danger here is that some devices would then be susceptible to us enabling the DHCP server on our MacBook, sharing our internet connection at the old airport wifi, and proxying (thus caching to our local hard disk) the internet traffic of any devices picking that DHCP server because it’s closer on the network.
While most airports don’t use rogue access or DHCP server protection on their network – this kind of thing is pretty limited given the amount of traffic running over https, set not to cache, and the fact that honestly people’s stuff is pretty boring – and it takes a lot of disk space so it’s not worth caching the data long. Well, until it’s not. If we think of the places during our sessions on the Internet (which let’s face it are now just one long session) where our privacy is at risk, one is networks that use a proxy to improve our experience by serving us faster information that’s cached locally rather than retrieved from a provider.
Install Squid
Now that we’ve looked at the privacy concerns, let’s look at a few use cases for a proxy. We’ll use Squid as it’s one of the oldest and most flexible proxies out there, with a ton of options and add-ons. First let’s install it.
The default port for squid is 3128. We’ll use that through this article; however it takes about 30 seconds to change it in the squid.conf file once installed. Simply find the http_port setting in the config file and change the numbers. We will want to open that port (or the one used if it’s been changed) for ingress traffic in our Ubuntu instance when we launch that on AWS though. So step one, create an instance and log in through ssh using your .pem and step two open that port.
Next, we’ll be using the apt package manager to install. So let’s just update our local files on that before we start (it’s always a good idea to update the package manager before potentially installing stale packages using older recipes):
sudo apt update
The squid installation itself is then pretty simple using apt:
sudo apt install squid
Before we go mucking with the config, let’s just make a backup in case we mess something up (and this is a good idea each time it’s being edited later):
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
By default access to the proxy is limited. Because the host in this example is protected on a network, let’s open it up to everyone that can see the iP. To do this we’ll look in /etc/squid and find the squid.conf file. Let’s just open that in a text editor:
sudo pico /etc/squid/squid.conf
And then lets find http_access allow and set that to all:
http_access allow all
And let’s find the deny all for the rule and just comment that out:
#http_access deny all
Once done, we’ll just want to restart the service, in this case just using the service command:
sudo service squid restart
Test and Use The Proxy
We can then set the proxy using our network settings. On a Mac this is in System Preferences -> Network -> the name of our adapter (in this case Wi-Fi) and then the proxies tab, per service.
Or we can just do Chrome for testing by launching Chrome with a –proxy-server flag:
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --user-data-dir="$HOME/proxy-profile" --proxy-server="http://SQUID_IP:3128"
ACLs and Traffic Shaping
Now that we have a squid instance running, there’s lots we can do. We can define access controls (ACLs) or shape traffic. This is where working with squid can get fun. A common thing people do is to use squid to block certain sites. This is usually a list that grows so let’s create a text file called blocksitelist.txt. That file would then just be a running list where each domain or site we want to block lives on a new line. To create the ACL we’ll then add the following block (e.g. to the end of the squid.conf file).
acl blocksitelist dstdomain "/etc/squid/blocksitelist.txt"
http_access deny blocksitelist
Once done, restart the service and any domain listed in the file will start to load but eventually time out on the client machine. Services like YoYo, URLHaus, and KADhosts then provide lists of urls for types of sites we might want to block. And we can echo text into the end of the file whenever we want to add a new site, for example:
echo "kryptedwuzhere.com" >> /etc/squid/blocksitelist.txt
Squid also supports regular expressions so we can also block specific words. We’ll do the same thing, making a list of words to block (each on a new line) and then create an acl to use the file, as follows:
acl blockkeywordlist url_regex "/etc/squid/blockkeywordlist.txt"
http_access deny blockkeywordlist
Here we have to be careful. For example, at first it may seem as though a word like sex might seem like something we want to block, but then our biology teachers might get frustrated, as would anyone trying to do research on, let’s say, Middlesex College or the county in England. Let’s say we want to add a new patter, like kryptedwuzhere in, we can do that by echoing it into that txt file:
echo "kryptedwuzhere" >> /etc/squid/blockkeywordlist.txt
Proxy Authentication
Many squid deployments are meant for only a limited set of users. Let’s say we want to protect our proxy with a username and password. More advanced implementations of squid can be installed to use an IdP but squid has a basic encrypted password mechanism as well. For this, we’ll create an htpasswd file in the squid directory:
touch /etc/squid/htpasswd
Then we can use openssl to create a password for a user:
printf "krypted:$(openssl passwd -crypt PASSWORD)\n" | sudo tee -a /etc/squid/htpasswd
We’d then add the following authentication parameter into the squid.conf file:
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
And down in the http_access, we’d uncomment the deny all statement, set the allow to localhost and then do an allow for authenticated, so the block would look as follows:
http_access allow localhost
http_access allow authenticated
http_access deny all
And each time that config file is changed, don’t forget to restart the service:
sudo systemctl restart squid
There are alternatives to squid. According to the need Nginx makes a great web server that can act as a proxy and also be extended to support load balancing (most squid instances sit behind rudimentary VPCs using round robin, etc). And as mentioned, when proxying for a web app it’s usually better to use a tool that comes with the web app, like an apache mod. And in fact, those can often do exactly what we just configured squid to do, albeit with sometimes more complicated configs.
One other aspect is to install a proxy app on the edge to federate incoming traffic (the not-a-vpn) as defined at https://help.okta.com/en/prod/Content/Topics/Access-Gateway/add-sample-proxy-app-okta.htm. But at this point, we see how to do some rudimentary steps with squid to enable and protect a proxy.