Monday, April 05, 2010

Installing Squid proxy on Ubuntu 9.10 server

Recently at work we have been battling over the issue of controlling Internet access for our users. The Internet is basically open to everything, and of course in a business environment there's some abuse of that access. Taking a snapshot of the usage with Wireshark on a port-mirrored link from the core switch, we found that Youtube.com accounted for the majority of Internet traffic. We also found that less than 4% of network traffic was internally routed; this could mean that many users were accessing the other offices, or simply far too much Internet browsing.

Since Youtube was our biggest website and it was not business related, we got the OK to block this site, but we ran into our first problem. If you check the domain name Youtube with any nslookup utility you will find that it resolves to multiple IP addresses, and some of them overlap with Google.com and Gmail.com. We did get Youtube blocked, but it was somewhat awkward, and since it was done on the firewall it is not the recommended method.

So, looking around the open-source world, there might be another solution.

Squid is a well-known proxy for Linux that is easy to configure but appears a bit difficult at first. I was really overwhelmed looking at the config file, but here I'll show you how easy it is to get running with very little work.

First, I'm going to give the step by step using Ubuntu Server 9.10, which I think is pretty easy to get running. We'll install from packages, which saves time and pulls in any other requirements at the same time.

The first part is having an Ubuntu server running; this is the easy part, it just takes some time. Remember to have OpenSSH running so we can remote console into the server. Also, since this is a server, we will configure it with a static IP address.

1) First, make sure your server is updated.

Run the following:

sudo apt-get update (this is fast)

sudo apt-get upgrade (takes about 5 minutes depending on your Internet connection)

2) Then we will set up the IP address with a static entry. First, let's find out which network we need to configure.

Run ifconfig and take note of the network card that reports an IP address; usually it's "eth0".

Edit the following file.

/etc/network/interfaces

Then add the following information using an editor like vi (replacing any existing dhcp entry for eth0) and then save your work. Remember to save!

iface eth0 inet static
address 10.10.10.10 (enter your IP address here)
netmask 255.255.255.0 (enter your subnet mask here)
gateway 10.10.10.1 (enter your gateway here)


3) Now install Squid from the package, note this will install the requirements needed for Squid as well.

sudo apt-get install squid (takes about 5 minutes)

4) Now that Squid is installed, we'll go over the important files of Squid.

/etc/squid/squid.conf

This file holds all of the important details of Squid; it's very long, but we'll only need to edit a few parts.

First, from within /etc/squid, make a backup of the file:

cp squid.conf squid.conf_backup

Then edit the file:

vi squid.conf

5) We're looking for a few areas in the squid.conf file, so we'll use the search function of vi.

Open the file in vi:

vi squid.conf

Then search for the first item, "TAG: http_port":

/TAG: http_port (then press Enter)

For me it's at line 1022. This value sets the port that the proxy settings in the browser point to. Browsers are normally set to port 8080 for a proxy, so we will change Squid's port to match. Enter the following after the "TAG: http_port" block:

http_port 8080

6) Now search for "visible_hostname":

/visible_hostname

This value just sets the name the proxy reports for itself; I kept it simple and used "proxy". For me the line was 3399.

7) Allowing access; this is the tricky part.

OK, now we need to know the subnet you're allowing to use the proxy. For this example, we'll use 192.168.1.0/24 (basically addresses from 1 to 255).

Search the squid.conf file for "TAG: acl"; it's at about line 425. Go a few pages down until you see some uncommented entries (lines without a # sign) and enter your details there.

For this example we'll enter the following:

acl allowhome src 192.168.1.0/24

This defines a new ACL called "allowhome" that matches clients whose source address is in "192.168.1.0/24". On its own it allows nothing yet.

Remember the name "allowhome"; we'll need it later.

We also need to define the access for "allowhome".

Search for "http_access", and once you scroll down you should see a few "allow" and "deny" entries. Enter the following at the top of that section. Squid evaluates these rules in order and stops at the first match, so your allow line must sit above the "http_access deny all" line or it will never be reached:

http_access allow allowhome

Now save your file and exit.

Just to be sure it took effect, restart Squid:

sudo /etc/init.d/squid restart

Now, from your home computer on that subnet, set the browser's proxy to your server's IP address and port 8080. You should be able to browse as before.
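As an added example (not part of the original post), here is a small shell script that applies steps 4 to 7 to a copy of squid.conf in one go, keeping the backup, and checks that the allow rule really lands above "http_access deny all". The function names and the sample file in the comments are my own constructions; it assumes the stock Ubuntu squid.conf layout with an uncommented "http_port" line and a trailing "http_access deny all".

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's four settings
# (http_port, visible_hostname, acl, http_access) to a copy of squid.conf and
# places the allow rule ABOVE "http_access deny all" so it takes effect.
set -eu

# squid_apply CONF PORT HOSTNAME ACLNAME SUBNET
#   Writes CONF.new and keeps CONF_backup (same name the post uses).
#   Assumes CONF is a stock-style squid.conf (hypothetical helper name).
squid_apply() {
    conf=$1 port=$2 host=$3 acl=$4 net=$5
    cp "$conf" "${conf}_backup"
    awk -v port="$port" -v host="$host" -v acl="$acl" -v net="$net" '
        # replace the first live http_port / visible_hostname lines
        /^http_port[ \t]/ && !p        { print "http_port " port; p = 1; next }
        /^visible_hostname[ \t]/ && !h { print "visible_hostname " host; h = 1; next }
        # insert acl + allow just before the first "deny all" (first match wins)
        /^http_access[ \t]+deny[ \t]+all/ && !a {
            print "acl " acl " src " net
            print "http_access allow " acl
            a = 1
        }
        { print }
        END {
            # settings that were not present anywhere get appended
            if (!p) print "http_port " port
            if (!h) print "visible_hostname " host
            if (!a) { print "acl " acl " src " net; print "http_access allow " acl }
        }
    ' "$conf" > "$conf.new"
}

# squid_check CONF ACLNAME
#   Exit 0 only if "http_access allow ACLNAME" precedes "http_access deny all".
squid_check() {
    awk -v acl="$2" '
        /^http_access[ \t]+allow[ \t]+/ && $3 == acl { seen = 1 }
        /^http_access[ \t]+deny[ \t]+all/ { exit (seen ? 0 : 1) }
        END { exit (seen ? 0 : 1) }
    ' "$1"
}
```

Review the generated squid.conf.new, then run "squid -k parse" against it before copying it into place and restarting.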

Pretty simple!

Next time I'll post about working with blacklists, blocking certain ports or websites, and Webmin as a GUI tool for administration.

Rob
