Last updated on March 11, 2022
Squid is an HTTP proxy that offers a rich set of traffic optimization features to cache frequently accessed content and save bandwidth. This open source software is widely used by businesses and is even built into some firewall devices. If you are not familiar with the concept of proxy servers, I recommend you check out my previous article on HTTP proxies.
In this article, I will show you how to install and configure Squid as a forward proxy on an Ubuntu 18.04 server, and then configure your client machine to use the proxy server.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/Http-Proxies-Hands-on-1024×350.png" alt="Squid configured as forward proxy" />
Prerequisites
For this demo session, we will install Squid on an Ubuntu server. You will need the following materials for this hands-on lab:
- A server machine running the Ubuntu operating system (ideally, Ubuntu 18.04 or later).
- A client computer running Windows 10. You can use Windows Server 2016 or later if you don’t have a Windows 10 machine. In addition, you can install Wireshark on the client machine to analyze network traffic.
For the sake of this tutorial, I’m using 2 virtual machines in the cloud (I’m using Microsoft Azure, but you can use any other cloud provider). If you also want to use Microsoft Azure, you can create your Azure free account here: Microsoft typically offers 12 months of free services for new accounts.
Install and Configure Squid on Ubuntu 18.04
Here are the steps for this hands-on session.
Step 1 – Open an SSH session with your Ubuntu server
You need to open a command line session with your Ubuntu server. To do this, you can use PuTTY to open an SSH session with the server. I strongly recommend using public key authentication. If you create an Ubuntu virtual machine in the cloud, you should be able to create a user with “sudo” privileges and generate and download a private key for that user. After downloading the PEM file, here are the steps to follow to open an SSH session with your server:
1. First, convert the PEM file to a PPK file. To achieve this, load the PEM file into PuTTYgen and then save the private key as a PPK file.
2. Open PuTTY and update the settings to use the PPK file. Then enter the server information and click the “Open” button to start a new SSH session.
Step 2 – Update the list of available packages
Make sure you have the latest packages by running the following command:
sudo apt-get update
Step 3 – Install Squid
Install Squid by running the following command:
sudo apt-get install squid
Step 4 – Back up the Squid configuration file before editing it
In the next step, you will change some settings in the Squid configuration file, so make sure you have a backup of this file in case you want to go back to the original version.
Run the following command to create a copy of the configuration file:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.initial
Then update the permissions on the backup to make it read-only:
sudo chmod 444 /etc/squid/squid.conf.initial
This helps ensure that the backup file is not modified by accident (note that root can still overwrite it).
Step 5 – Configure the proxy server port and ACL
To configure the server, you must open the configuration file with a file editor. In this example, we are using the well-known text editor, nano.
sudo nano /etc/squid/squid.conf
Here are the changes we will make to this file:
1. We will change the HTTP port to 8080. You can actually set it to any port you want; the default port for Squid is 3128.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/set_port1-1024×603.png" alt="Configure the HTTP port" />
2. Make sure that the server accepts TCP connections on the selected port. If you are using Microsoft Azure, you can configure inbound ports on the network page of the virtual machine.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/ProxyServer_InboundRule-1024×233.png" alt="Proxy VM Inbound Rules" />
3. We will create an access control list (ACL) with the IP address of the client machine that will connect to this HTTP proxy. Because it is not recommended to let everyone use your server, register only the IP addresses or subnets of the client machines that you want to allow:
# In squid.conf
acl proxyclient src 20.49.57.241   # test client
Here 20.49.57.241 is the public IP address of the test VM that will connect to this proxy.
4. We will require proxy authentication. Basically, users trying to use the server must authenticate:
# In squid.conf
acl authenticated proxy_auth REQUIRED
http_access allow authenticated proxyclient
Place this allow rule before the http_access deny all line that closes Squid’s default rule list: Squid evaluates http_access rules in order and stops at the first match, so an allow rule placed after deny all is never reached.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/config_acl4_good_one-1024×589.png" alt="Squid ACL Settings – Defining Our Custom ACL" />
Step 6 – Configure the proxy authentication module
In the previous step, we added an access rule that only allows authenticated users connecting from a specific IP address. However, Squid supports different types of authentication, such as Basic, Digest, and OAuth 2.0. Each type of authentication is handled by a dedicated helper module that must be installed alongside the proxy software.
Simply put, Squid forwards the authentication request to the configured module. For this demo, we will use Basic authentication with an htpasswd password file, created with the htpasswd tool from the Apache utilities package in the Ubuntu repositories.
Therefore, run the following command to install the Apache2 utilities:
sudo apt-get install apache2-utils
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/install_apache_utils-1024×460.png" alt="Install the Apache2 utilities" />
Then create a new user with htpasswd. You will be prompted to choose a password for that user. The -c option creates the /etc/squid/passwd file if it does not exist; it also truncates the file if it already exists, so omit -c when adding further users. In this example, we are creating a user named “proxyuser”.
sudo htpasswd -c /etc/squid/passwd proxyuser
After this step, edit the squid.conf file to add the following settings:
# In squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy server
auth_param basic credentialsttl 2 hours
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/auth_param-1024×586.png" alt="Configure Squid authentication type" />
This tells Squid that the helper in charge of Basic authentication is /usr/lib/squid/basic_ncsa_auth and that the list of proxy users is in /etc/squid/passwd. The second line sets the maximum number of helper processes Squid may spawn (5 in this case), how many to start at launch, and how many idle helpers to keep. The third line sets the realm shown in the browser’s credential prompt. Finally, once a user authenticates, the result is cached for a 2-hour TTL, so the helper is not consulted on every request.
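As an added example (not from the article or the Squid project), here is a small Python check over the squid.conf directives from Steps 5 and 6. It parses acl and http_access lines from a constructed excerpt and flags the mistakes that silently break this setup: an allow rule placed after the stock http_access deny all, an ACL referenced but never defined, and a proxy_auth ACL with no auth_param helper program.

```python
# Constructed squid.conf excerpt with the settings from Steps 5 and 6, followed
# by the "http_access deny all" line that ends Squid's stock rule list.
SAMPLE_CONF = """\
http_port 8080
acl proxyclient src 20.49.57.241   # test client
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy server
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated proxyclient
http_access deny all
"""

def parse_conf(text: str) -> tuple[dict[str, str], list[tuple[str, list[str]]], bool]:
    """Collect acl name -> type, the ordered http_access rules, and whether
    an auth_param helper program is configured."""
    acls: dict[str, str] = {}
    rules: list[tuple[str, list[str]]] = []
    has_helper = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = parts[2]
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
        elif parts[0] == "auth_param" and "program" in parts:
            has_helper = True
    return acls, rules, has_helper

def lint(text: str) -> list[str]:
    """Report mistakes that silently break the access control set up above."""
    acls, rules, has_helper = parse_conf(text)
    problems: list[str] = []
    seen_deny_all = False
    for action, names in rules:
        if action == "deny" and names == ["all"]:   # Squid predefines 'all'
            seen_deny_all = True
            continue
        if action == "allow" and seen_deny_all:
            problems.append(f"'allow {' '.join(names)}' comes after 'deny all' and is unreachable")
        for name in names:
            if name != "all" and name not in acls:
                problems.append(f"acl '{name}' is used in http_access but never defined")
            elif acls.get(name) == "proxy_auth" and not has_helper:
                problems.append(f"acl '{name}' needs an 'auth_param ... program' helper line")
    return problems
```

Run lint() on the contents of your own /etc/squid/squid.conf before restarting Squid; an empty list means the three checks passed.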
Step 7 – Restart Squid
For this configuration to take effect, you must restart Squid by running this command:
sudo systemctl restart squid
You can then run the following commands to check the status of the process and make sure it is listening on the specified port (8080); sudo is needed for netstat to show the owning process:
sudo systemctl status squid
sudo netstat -lnp | grep 8080
Configure the client computer to use the Squid proxy server
On the client computer, you must configure system-wide proxy settings in Windows. This way, all HTTP or HTTPS requests on that machine will go through the proxy server. Here is an example:
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/manual_proxy_config-1024×796.png" alt="Manually configure proxy settings on the client computer" />
Scan HTTP requests through the proxy server
To capture traffic between the client machine and the proxy server, you must install Wireshark on the client machine.
HTTP 407 – Proxy authentication required
Now, let’s run Wireshark on the client machine to capture all HTTP requests on both port 80 and port 8080, which is our proxy server port. Once Wireshark is set up, you can open a browser and try navigating to an HTTP website, such as http://www.httpvshttps.com/.
You should see outgoing requests in Wireshark:
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_http_test1-1024×586.png" alt="Network traces when navigating to an HTTP website on the client computer" />
We can see from these traces that the browser sends an HTTP GET request to the proxy server for the website http://www.httpvshttps.com/. The proxy server then responds with a 407 HTTP response code (Proxy Authentication Required). This is because we enabled proxy authentication on the Squid server: when this option is enabled, all clients must authenticate to the proxy server before they can access the Internet. After receiving the HTTP response code 407, the browser displays a pop-up window to request proxy credentials.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/Proxy_authentication1-1024×257.png" alt="Authentication window displayed by browser" />
After providing the credentials, the proxy fetches the web page on behalf of the client and then returns the response to the browser. Here are the Wireshark traces once we provide the username/password for proxy authentication.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_http_test3-1024×586.png" alt="The browser forwards the HTTP request with a proxy authorization header" />
The browser resends the HTTP GET request with the proxy credentials in the Proxy-Authorization header. As shown in the screenshot, the credentials are Base64-encoded and follow the Basic scheme keyword; Base64 is an encoding, not encryption, so anyone who captures the request can decode them. As expected, the proxy server validates the credentials and then returns an HTTP 200 response with the requested website content.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_http_test4-1024×585.png" alt="The proxy server returns the HTTP 200 response" />
NB: Because the proxy server uses Basic authentication over plain HTTP, proxy credentials are sent in clear text; in this example, authentication data does not travel over an encrypted channel. If you use Basic authentication, it is best to configure Squid to accept client connections over HTTPS (an https_port) and install the proxy certificate in the client certificate store.
Scan HTTPS requests through the proxy server
Well, let’s say we keep the proxy settings as they are (port 8080) and the client decides to navigate to an HTTPS website. Basically, the goal of using HTTPS is to make sure that clients are contacting a legitimate server and that communication is encrypted with TLS. Therefore, when the client navigates to an HTTPS website, we need to make sure that the HTTP proxy does not compromise or weaken the TLS connection. For this reason, HTTP proxies use a mechanism called HTTP tunneling to transport HTTPS traffic transparently.
Simply put, the client contacts the HTTP proxy to open a communication tunnel to the HTTPS server it wants to contact. Once the tunnel is opened, all communication between the two parties is simply forwarded by the proxy without any modification. In addition, the proxy does not see the content of the data exchange due to the encryption layer provided by TLS.
HTTP tunnel with CONNECT method
Now, let’s navigate to the https://www.httpvshttps.com website. Here are the traces of Wireshark that we captured on the client machine.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_https_test1-1024×585.png" alt="Network traces when navigating to an HTTPS website on the client computer" />
This trace shows that the browser sends a CONNECT message to the proxy server with the destination server name and port. When the proxy receives this request, it sends a DNS query to find the IP address of the www.httpvshttps.com server and then opens a TCP connection to port 443 of the host that owns the IP address returned by DNS. The proxy then sends an HTTP 200 message to the browser saying that the connection is established.
<img src="https://www.siakabaro.com/wp-content/uploads/2021/04/proxy_https_test2-1024×585.png" alt="The proxy server returns HTTP 200 to indicate that the tunnel is open" />
Next, the client sends a Client Hello message to the proxy to initiate the TLS handshake. When the proxy server receives this message, it simply forwards it over the previously opened TCP connection for this hostname/port combination. After this step, the server responds with the Server Hello message of the TLS handshake, which in turn is forwarded to the client. This is how the TLS connection is established transparently through the proxy server. In the end, communication between the client machine and the web server occurs over the encrypted channel; the proxy only learns the destination host and port from the CONNECT line.
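To make the two exchanges above concrete, here is an added Python example (not from the article): it parses a constructed capture of the HTTP dialogue with the proxy, the GET that draws a 407, the retry carrying Proxy-Authorization, and the CONNECT tunnel, and reports what a passive observer on the client network can read from each message. The credential proxyuser:s3cr3t and the capture bytes are constructed for the example.

```python
import base64

# Constructed capture of the exchange above (client -> Squid on port 8080): GET,
# 407 challenge, GET with credentials, 200, then a CONNECT tunnel. The credential
# "proxyuser:s3cr3t" is made up, encoded exactly as Wireshark shows it.
CAPTURE = [
    b"GET http://www.httpvshttps.com/ HTTP/1.1\r\nHost: www.httpvshttps.com\r\n\r\n",
    b'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="Squid proxy server"\r\n\r\n',
    b"GET http://www.httpvshttps.com/ HTTP/1.1\r\nHost: www.httpvshttps.com\r\n"
    b"Proxy-Authorization: Basic cHJveHl1c2VyOnMzY3IzdA==\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    b"CONNECT www.httpvshttps.com:443 HTTP/1.1\r\nHost: www.httpvshttps.com:443\r\n"
    b"Proxy-Authorization: Basic cHJveHl1c2VyOnMzY3IzdA==\r\n\r\n",
    b"HTTP/1.1 200 Connection established\r\n\r\n",
]

def parse_message(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP message into its start line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start, *lines = head.split("\r\n")
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return start, {k.strip().lower(): v.strip() for k, v in pairs}

def decode_basic(value: str) -> tuple[str, str]:
    """Recover user and password from a 'Basic <base64>' credential value."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme}")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def audit(capture: list[bytes]) -> list[str]:
    """Describe each message as a passive observer on the client's network sees it."""
    findings: list[str] = []
    for raw in capture:
        start, headers = parse_message(raw)
        if start.startswith("HTTP/"):          # a response from the proxy
            code = start.split()[1]
            realm = headers.get("proxy-authenticate", "")
            findings.append(f"407 challenge, {realm}" if code == "407" else f"response {code}")
            continue
        method, target = start.split()[:2]    # a request from the browser
        if method == "CONNECT":
            findings.append(f"CONNECT tunnel to {target}: TLS payload opaque to the proxy")
        else:
            findings.append(f"{method} {target}: visible to the proxy in clear")
        if "proxy-authorization" in headers:
            user, password = decode_basic(headers["proxy-authorization"])
            findings.append(f"cleartext Basic credentials for {user!r} ({len(password)}-char password)")
    return findings
```

Note that the CONNECT request still carries the Proxy-Authorization header in clear, so the NB above applies to HTTPS browsing too, even though the tunnelled payload itself is protected by TLS.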
TLS interception with Squid
Note that it is also possible to configure Squid for TLS interception. In such a case, Squid will act as a man in the middle of a secure connection and see the contents of the TLS connection. Basically, a first TLS connection is established between the client and the proxy server, and a second TLS connection is created between the proxy server and the web server hosting the website requested by the client.
Many organizations leverage TLS interception to inspect the content of TLS communication, primarily to detect malware or to take advantage of some of the benefits of HTTP proxies (caching, content filtering). In addition, one of the prerequisites for TLS interception is to install the root CA certificate of the proxy software on client machines. This certificate is used by the proxy server to generate server certificates on the fly for visited websites. Therefore, it is not a simple interception mechanism to deploy.
For more information on the TLS interception procedure, you can read this documentation on the squid website.
That concludes the lab!
By following the steps outlined in this article, you have successfully installed and configured Squid as a forward proxy in Ubuntu 18.04.
After this hands-on session, if you’re looking for a forward proxy to install on your network or in your lab environment for testing purposes, it will only take you 30 minutes to deploy and configure Squid on a virtual machine. In addition, you can also explore other open source proxies, such as Apache Traffic Server and Apache httpd mod_proxy.