How to install Squid as a forward proxy on Ubuntu 18.04 – Siaka Baro

Last updated on March 11, 2022

Squid is an HTTP proxy that offers a rich set of traffic optimization features to cache frequently accessed content and save bandwidth. This open source software is widely used by businesses and is even built into some firewall devices. If you are not familiar with the concept of proxy servers, I recommend you check out my previous article on HTTP proxies.

In this article, I will show you how to install and configure Squid as a forward proxy on an Ubuntu 18.04 server, and then configure your client machine to use the proxy server.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/Http-Proxies-Hands-on-1024×350.png" alt="Squid configured as forward proxy" />
Squid configured as forward proxy

Prerequisites

For this demo session, we will install Squid on an Ubuntu server. You will need the following materials for this hands-on lab:

  • A server machine running the Ubuntu operating system (ideally, Ubuntu 18.04 or later).
  • A client computer running Windows 10. You can use Windows Server 2016 or later if you don’t have a Windows 10 machine. In addition, you can install Wireshark on the client machine to analyze network traffic.

For the sake of this tutorial, I’m using 2 virtual machines in the cloud (i.e. I’m using Microsoft Azure, but you can use any other cloud provider). If you also want to use Microsoft Azure, you can create your Azure free account here: Microsoft typically offers 12 months of free services for new accounts.

Install and Configure Squid on Ubuntu 18.04

Here are the steps for this hands-on session.

Step 1 – Open an SSH session with your Ubuntu server

You need to open a command line session with your Ubuntu server. To do this, you can use PuTTY to open an SSH session with the server. I strongly recommend using public key authentication. If you create an Ubuntu virtual machine in the cloud, you should be able to create a user with “sudo” privileges, then generate and download a private key for that user. After downloading the PEM file, here are the steps to follow to open an SSH session with your server:

  1. First, convert the PEM file to a PPK file. To do this, load the PEM file into PuTTYgen and then save the private key as a PPK file.

Open the PEM file with PuTTY Key Generator

PuTTYgen - Press the Save Private Key button to export the PEM file in PPK format

  2. Open PuTTY and update the settings to use the PPK file. Then enter the server information and click the “Open” button to start a new SSH session.

PuTTY - Set PPK file for SSH authentication

PuTTY - Enter the hostname and open the SSH connection

Step 2 – Update the list of available packages

Make sure you have the latest packages by running the following command:

sudo apt-get update

Download latest packages with apt-get update

Step 3 – Install Squid

Install Squid by running the following command:

sudo apt-get install squid

Install Squid

Step 4 – Back up the Squid configuration file before editing it

In the next step, you will change some settings in the Squid configuration file, so make sure you have a backup of this file in case you want to go back to the original version.

Run the following command to create a copy of the configuration file:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.initial

Then update the permissions on the backup to make it read-only:

sudo chmod 444 /etc/squid/squid.conf.initial

This ensures that no one can accidentally modify the backup file.

Step 5 – Configure the proxy server port and ACL

To configure the server, you must open the configuration file with a file editor. In this example, we are using the well-known text editor, nano.

sudo nano /etc/squid/squid.conf

Open Squid configuration file with Nano

Here are the changes we will make to this file:

  1. We will change the HTTP port (the http_port directive) to 8080. You can actually use any port you want; the default port for Squid is 3128.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/set_port1-1024×603.png" alt="Configure Squid port" />
Configure Squid port

  2. Make sure that the server accepts TCP connections on the selected port. If you are using Microsoft Azure, you can configure inbound ports on the network page of the virtual machine.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/ProxyServer_InboundRule-1024×233.png" alt="Proxy VM Inbound Rules" />
Proxy VM Inbound Rules

  3. We will create an access control list (ACL) with the IP address of the client machine that will connect to this HTTP proxy. Because it is not recommended to let everyone use your server, register the IP addresses or subnet of the client machines that you want to allow:

# In squid.conf
acl proxyclient src 20.49.57.241 # test client

Here 20.49.57.241 is the public IP address of the test VM that will connect to this proxy.

  4. We will enforce proxy authentication, that is, users trying to use the server must authenticate:

# In squid.conf
acl authenticated proxy_auth REQUIRED
http_access allow authenticated proxyclient

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/config_acl4_good_one-1024×589.png" alt="Squid ACL Settings – Defining Our Custom ACL" />
Squid ACL Settings – Defining Our Custom ACL

Squid ACL Settings – Allow Predefined ACLs
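Two things about these lines are easy to get wrong: both ACL names on the http_access line must match (they are ANDed, so a request is allowed only when it is authenticated AND comes from the registered client address), and the allow line must sit above the http_access deny all line that the stock squid.conf ends with, because http_access lines are evaluated in order and the first match wins. The following added example is not Squid's code: it is a hypothetical mini-evaluator that understands only the two ACL types used here (src and proxy_auth REQUIRED) and replays the article's lines against a few constructed requests, including a deliberately misordered configuration.

```python
"""Mini evaluator for squid.conf 'acl' / 'http_access' lines (added example, not Squid's code).
Understands only the ACL types used in the article, 'src' and 'proxy_auth REQUIRED', and the
first-match evaluation order of http_access, so the effect of the two custom lines can be
checked without a running proxy."""
import ipaddress

# Constructed configuration: the article's custom lines placed before the
# 'http_access deny all' line that the stock squid.conf ends with.
CONFIG = """
acl proxyclient src 20.49.57.241 #test client
acl authenticated proxy_auth REQUIRED
http_access allow authenticated proxyclient
http_access deny all
"""

# Same lines with the allow rule after 'deny all': it is never reached.
MISORDERED = """
acl proxyclient src 20.49.57.241
acl authenticated proxy_auth REQUIRED
http_access deny all
http_access allow authenticated proxyclient
"""


def parse(text):
    """Return ({acl name: (type, [args])}, [(action, [acl names])]) from config text."""
    acls = {"all": ("src", ["all"])}            # Squid predefines 'all'
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if not fields:
            continue
        if fields[0] == "acl":
            name, kind, *args = fields[1:]
            acls.setdefault(name, (kind, []))[1].extend(args)  # repeated acl lines accumulate
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, user):
    """Does one ACL match a request from client_ip by user (None = no credentials sent)?"""
    kind, args = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(client_ip)
        return any(a == "all" or addr in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "proxy_auth":
        return user is not None   # REQUIRED: any successfully authenticated user matches
    raise ValueError(f"ACL type {kind!r} is not supported by this toy evaluator")


def http_access(text, client_ip, user=None):
    """Return 'allow' or 'deny'. ACLs on one line are ANDed, '!' negates, the first
    matching line wins, and with no match Squid applies the opposite of the last line.
    (When a request lacks credentials, real Squid answers the deny with a 407 challenge.)"""
    acls, rules = parse(text)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), client_ip, user) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for ip, user in [("20.49.57.241", "proxyuser"), ("20.49.57.241", None), ("203.0.113.9", "proxyuser")]:
        print(f"{ip} user={user}: {http_access(CONFIG, ip, user)}")
    print("misordered config:", http_access(MISORDERED, "20.49.57.241", "proxyuser"))
```

Running it shows the registered client is allowed only when authenticated, an authenticated user from another address is still denied, and the misordered configuration denies everyone, which is the symptom you see when the custom allow line is appended at the bottom of the file instead of above deny all.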

Step 6 – Configure the proxy authentication module

In the previous step, we added an access rule that only allows authenticated users connecting from a specific IP address. However, Squid supports different types of authentication, such as Basic, Digest, and OAuth 2.0. Each type of authentication is handled by a dedicated module that must be installed on top of the proxy software.

Simply put, Squid forwards the authentication request to the configured module. For this demo, we will use Basic authentication with a password file created by htpasswd, which is part of the apache2-utils package in the Ubuntu repositories.

Therefore, run the following command to install the Apache2 utilities:

sudo apt-get install apache2-utils

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/install_apache_utils-1024×460.png" alt="Install Apache utilities" />
Install Apache utilities

Then create a new user with htpasswd. You will be prompted for a password for that user. The -c option is required to create the /etc/squid/passwd file if it does not exist. In this example, we are creating a user named “proxyuser”.

sudo htpasswd -c /etc/squid/passwd proxyuser

Create a proxy user

After this step, edit the squid.conf file to add the following settings:

# In squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy server
auth_param basic credentialsttl 2 hours

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/auth_param-1024×586.png" alt="Configure Squid authentication type" />
Configure Squid authentication type

This tells Squid that the module in charge of Basic authentication is located at /usr/lib/squid/basic_ncsa_auth and that the list of proxy users is in /etc/squid/passwd. The second line sets the maximum number of authentication helper processes to spawn (5 in this case). Finally, once a user authenticates, the result is cached for a 2-hour TTL.

Step 7 – Restart Squid

For this configuration to take effect, you must restart Squid by running this command:

sudo systemctl restart squid

You can then run the following commands to check the status of the process and make sure it is listening on the specified port (8080):

sudo systemctl status squid
sudo netstat -lnp | grep 8080

Configure the client computer to use the Squid proxy server

On the client computer, you must configure system-wide proxy settings in Windows. This way, all HTTP or HTTPS requests on that machine will go through the proxy server. Here is an example:

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/manual_proxy_config-1024×796.png" alt="Manually configure proxy settings on client computer" />
Manually configure proxy settings on client computer

Analyze HTTP requests through the proxy server

To analyze the traffic between the client machine and the proxy server, you must install Wireshark on the client machine.

HTTP 407 – Proxy authentication required

Now, let’s run Wireshark on the client machine to capture all HTTP requests on both port 80 and port 8080, which is our proxy server port. Once Wireshark is set up, you can open a browser and try navigating to an HTTP website, such as http://www.httpvshttps.com/.

You should see outgoing requests in Wireshark:

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_http_test1-1024×586.png" alt="Network traces when navigating to an HTTP website on the client computer" />
Network traces when navigating to an HTTP website on the client computer

Proxy server returns HTTP 407 response (proxy authentication required)

We can see from these traces that the browser sends an HTTP GET request to the proxy server for the website http://www.httpvshttps.com/. The proxy server then responds with a 407 HTTP response code (proxy authentication required). This is because we enabled proxy authentication on the Squid server: when this option is enabled, all clients must authenticate to the proxy server before they can access the Internet. After receiving the HTTP response code 407, the browser displays a pop-up window to request proxy credentials.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/Proxy_authentication1-1024×257.png" alt="Authentication window displayed by browser" />
Proxy authentication window displayed by browser

Proxy authorization header

After providing the credentials, the proxy obtains the web page on behalf of the client and then returns the response to the browser. Here are the Wireshark traces once we provide the username/password for proxy authentication.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_http_test3-1024×586.png" alt="The browser forwards the HTTP request with a proxy authorization header" />
The browser forwards the HTTP request with a proxy authorization header

The browser sends an HTTP GET request that contains the proxy credentials in the proxy authorization header. As shown in the screenshot, the proxy credentials are in the Base64 format right after the Basic authentication scheme. And as expected, the proxy server validates the credentials and then returns an HTTP 200 response with the requested website content.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_http_test4-1024×585.png" alt="The proxy server returns the HTTP response" />
The proxy server returns the requested page

NB: Because the proxy server uses Basic authentication over HTTP, authentication requests to the proxy server are sent in clear text. Therefore, in this example, authentication data is not sent over an encrypted channel. If you are using Basic authentication, it is best to configure Squid with HTTPS and install the proxy certificate in the client certificate store.

Analyze HTTPS requests through the proxy server

Well, let’s say we keep the proxy settings as they are, on port 8080 and the client decides to navigate to an HTTPS website. Basically, the goal of using HTTPS is to make sure that clients are contacting a legitimate server and that communication is encrypted with TLS. Therefore, when the client navigates to an HTTPS website, we need to make sure that the HTTP proxy does not compromise or weaken the TLS connection. For this reason, HTTP proxies use a mechanism called HTTP tunneling to transport HTTPS traffic transparently.

Simply put, the client contacts the HTTP proxy to open a communication tunnel to the HTTPS server it wants to contact. Once the tunnel is opened, all communication between the two parties is simply forwarded by the proxy without any modification. In addition, the proxy does not see the content of the data exchange due to the encryption layer provided by TLS.

HTTP tunnel with CONNECT method

Now, let’s navigate to the https://www.httpvshttps.com website. Here are the Wireshark traces captured on the client machine.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_https_test1-1024×585.png" alt="Network traces when navigating to an HTTPS website on the client computer" />
Network traces when navigating to an HTTPS website on the client computer

This trace shows that the browser is sending a CONNECT message to the proxy server with the destination server name and port. When the proxy receives this request, it will simply send a DNS query to find the IP address of the www.httpvshttps.com server and then open a TCP connection to port 443 of the machine that owns the IP address returned by the DNS. The proxy then sends an HTTP 200 message to the browser saying that the connection is established.

<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_https_test2-1024×585.png" alt="The proxy server returns HTTP 200 to indicate that the tunnel is open" />
The proxy server returns HTTP 200 to indicate that the tunnel is open

Next, the client sends a Client Hello message to initiate the TLS handshake. When the proxy server receives this message, it simply forwards it over the TCP connection previously opened for this hostname/port combination. The server then responds with a Server Hello message, which is forwarded to the client in turn. This is how the TLS connection is established transparently through the proxy server: in the end, communication between the client machine and the web server takes place over an encrypted channel.
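To make both exchanges concrete, here is an added example that is not Squid's code and not the article's: a hypothetical toy forward proxy and client on loopback. The proxy answers an unauthenticated GET with 407 and a Proxy-Authenticate challenge, accepts the retry carrying a Proxy-Authorization: Basic header, and for CONNECT opens a blind tunnel to the requested host:port and relays bytes without parsing them. The user proxyuser with password s3cret, the echo "origin" standing in for the HTTPS server, the relay of a single round trip, and all function names are constructed for the example; decode_basic also shows that the Base64 token in the header is trivially reversible, which is why the NB above recommends an encrypted channel for Basic authentication.

```python
"""Toy forward proxy and client for the two exchanges traced above (added example,
not Squid's code): Basic proxy authentication with the 407 challenge for plain
GET requests, and a blind CONNECT tunnel that relays bytes unmodified."""
import base64
import socket
import threading

USERS = {"proxyuser": "s3cret"}   # constructed: the article's user with a made-up password
REALM = "Squid proxy server"

def read_head(sock):
    """Read an HTTP head up to the blank line; return (head text, bytes received after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest

def decode_basic(value):
    """(user, password) from a 'Basic <token>' header value, None for other schemes.
    Base64 is an encoding, not encryption: anyone who sees the header can do this."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def authenticated_user(head):
    """Username if the request carries valid Proxy-Authorization credentials, else None."""
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            creds = decode_basic(value)
            if creds and USERS.get(creds[0]) == creds[1]:
                return creds[0]
    return None

def serve_one(client):
    """Proxy side: CONNECT opens a tunnel; any other method must authenticate first."""
    head, rest = read_head(client)
    method, target = head.split("\r\n")[0].split(" ")[:2]
    user = authenticated_user(head)
    if method == "CONNECT":
        host, port = target.rsplit(":", 1)
        with socket.create_connection((host, int(port))) as upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            # Blind relay of one round trip (a real proxy pumps both ways until a side
            # closes); the proxy never parses what passes through, e.g. the TLS handshake.
            upstream.sendall(rest or client.recv(4096))
            client.sendall(upstream.recv(4096))
    elif user is None:
        client.sendall(("HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: "
                        f'Basic realm="{REALM}"\r\nContent-Length: 0\r\n\r\n').encode())
    else:
        body = f"fetched on behalf of {user}".encode()
        client.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
    client.close()

def echo_origin(conn):
    """Stand-in for the HTTPS server: echoes what it got, so the relay can be verified."""
    conn.sendall(conn.recv(4096))
    conn.close()

def start_server(handler):
    """Listen on a random loopback port, handing each connection to handler; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def proxied_get(proxy_port, url, user=None, password=None):
    """Browser-style proxied GET (absolute URL in the request line); return (status, body)."""
    auth = ""
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        auth = f"Proxy-Authorization: Basic {token}\r\n"
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(f"GET {url} HTTP/1.1\r\nHost: www.httpvshttps.com\r\n{auth}\r\n".encode())
        head, body = read_head(s)
        while True:                   # the toy proxy closes the connection after one response
            chunk = s.recv(4096)
            if not chunk:
                return int(head.split(" ")[1]), body
            body += chunk

def tunnel_exchange(proxy_port, origin_port, payload):
    """CONNECT through the proxy, then push payload down the tunnel; return (status, reply)."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(f"CONNECT 127.0.0.1:{origin_port} HTTP/1.1\r\n\r\n".encode())
        head, _ = read_head(s)
        s.sendall(payload)            # in real life: the TLS ClientHello
        return int(head.split(" ")[1]), s.recv(4096)

if __name__ == "__main__":
    proxy, origin = start_server(serve_one), start_server(echo_origin)
    print(proxied_get(proxy, "http://www.httpvshttps.com/"))                         # 407, no body
    print(proxied_get(proxy, "http://www.httpvshttps.com/", "proxyuser", "s3cret"))  # 200
    print(tunnel_exchange(proxy, origin, b"\x16\x03\x01 fake ClientHello"))
```

The first proxied_get reproduces the 407 seen in the HTTP trace, the second the 200 after credentials are supplied, and tunnel_exchange reproduces the CONNECT / "200 Connection established" exchange followed by bytes that come back from the origin untouched. Note that the toy proxy validates the password itself; Squid instead hands the decoded pair to the basic_ncsa_auth helper configured in step 6.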

TLS interception with Squid

Note that it is also possible to configure Squid for TLS interception. In such a case, Squid will act as a man in the middle of a secure connection and see the contents of the TLS connection. Basically, a first TLS connection is established between the client and the proxy server, and a second TLS connection is created between the proxy server and the web server hosting the website requested by the client.

Many organizations leverage TLS interception to inspect the content of TLS communication, primarily to detect malware or to take advantage of some of the benefits of HTTP proxies (e.g. caching, content filtering). One of the prerequisites for TLS interception is to install the root CA certificate of the proxy software on client machines. This certificate is used by the proxy server to generate server certificates on the fly for the websites visited. Therefore, it is not a simple interception mechanism.

For more information on the TLS interception procedure, you can read this documentation on the squid website.

That concludes the lab!

By following the steps outlined in this article, you have successfully installed and configured Squid as a forward proxy on Ubuntu 18.04.

After this hands-on session, if you’re looking for a forward proxy to install on your network or in your lab environment for testing purposes, it will only take you 30 minutes to deploy and configure Squid on a virtual machine. In addition, you can also explore other open source proxies, such as Apache Traffic Server and Apache http mod_proxy.