################################ Proxy using SQUID ###################################
~ Squid is an HTTP, HTTPS and FTP proxy for Linux.

##### basic SQUID configuration:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# in this configuration example, the proxy server will be one of the devices connected
# to an internal network in which we want to restrict the access to some websites/domains.
# the proxy server will have one network card with this configuration:
# IPv4: 10.1.0.4/24
# gateway: 10.1.0.3      # potentially the firewall too
# DNS: 8.8.8.8

#### install squid:
apt install squid

## go to the squid configuration directory:
cd /etc/squid

## make a copy of squid.conf to keep an intact version of that template:
cp squid.conf squid.conf.orig

# (optional) confirm the service is running (it should be listening on the default port 3128):
apt install net-tools    # in case you need it
netstat -ltunap
# (ss -ltunp shows the same without net-tools)

#### edit the configuration file /etc/squid/squid.conf:
## by default, squid denies all client traffic (http, https and ftp) that is not explicitly allowed
### to allow the traffic originated from your network, locate this comment
### in the configuration file:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
## then, add these lines below it:
# Allow Network 10.1.0.0/24 via ACL (Access Control List)
acl mynet src 10.1.0.0/24
## after that, below 'http_access allow localhost', add these lines:
# Allow mynet ACL
http_access allow mynet
### adding those 2 specific lines will enable the traffic coming from your internal network!
### (an acl must be defined before the http_access line that uses it, and every
### http_access line must come before the final 'http_access deny all')
### to block specific sites, add the next lines (with the proper changes you choose), right
### after this line 'acl mynet src 10.1.0.0/24':
# Block websites via ACL - see the dstdomain parameter
# .site.com also blocks all of the subdomains of site.com
acl blocked_websites dstdomain .facebook.com .twitter.com .reddit.com   # example blocking
## and add this line ABOVE 'http_access allow mynet': squid uses the first http_access
## line that matches a request, so if the allow for mynet comes first the deny is never reached
# Block access to sites within those 3 domains
http_access deny blocked_websites
## this also covers HTTPS: the browser sends the proxy a 'CONNECT host:443' request, and
## dstdomain is matched against that hostname, so squid does not need to decrypt anything

#### check the configuration for errors, then restart the service:
squid -k parse
systemctl restart squid
#########################################################################################
##### CONFIGURING the proxy CLIENT and TESTING the proxy SERVER:~~~~~~~~~~~~~~~~~~~~~~~~~
## on a desktop client machine in the same internal network, enable the use of the proxy:
Settings / Network / Network Proxy / Manual
HTTP Proxy: 10.1.0.4    Port: 3128
(use the same proxy and port for HTTPS)
## on the proxy server, to monitor the proxy logs:
tail -f /var/log/squid/access.log
## again on the desktop client machine: try to access the blocked and not blocked
## sites/domains using the browser and see what happens!!!
## requests refused by http_access show up in access.log as TCP_DENIED/403
#########################################################################################
##### FORCING the CLIENT to USE the PROXY through firewall rules configuration:~~~~~~~~~
### assuming you have a firewall configured through scripts in this internal network
### (check the firewall guide on this site to see how to do it)
## to force the clients to use the proxy (it won't matter if they turn off the proxy
## configuration on the client):
# edit the filter.sh script on the firewall machine:
nano /etc/firewall/filter.sh
# on the FORWARD filter rules, limit the TCP to allow ONLY the proxy's IP (switch the IPs
# on those lines to the proxy's specific IP):
$ADD -p tcp --dport 80 -s 10.1.0.4 -j ACCEPT
$ADD -p tcp --dport 443 -s 10.1.0.4 -j ACCEPT
## this only forces anything if the FORWARD chain's default policy is DROP (or it ends
## with a DROP rule); otherwise a client that disables the proxy still goes out directly.
## note that a client can still reach the internet on ports other than 80/443 unless the
## rest of the FORWARD rules block them as well.
## now, the clients on this internal network can only browse through the proxy!!!
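When you are watching access.log as described above, the useful questions are "which clients keep hitting blocked sites?" and "is anyone outside 10.1.0.0/24 talking to the proxy at all?". The following is an added example, not code from the original guide: a small parser for Squid's default access.log format that answers both. The log lines are constructed for this example (the proxy names and addresses are made up), and the internal subnet passed to `foreign_clients` is an assumption taken from the guide's network.

```python
"""Added example: summarize Squid's access.log (default 'squid' log format).

Field order of the default format, one request per line:
  timestamp elapsed client result/status bytes method url user hierarchy/peer type
The sample lines below are constructed for this example; they are not real logs.
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# constructed sample: denied requests look like TCP_DENIED/403, served ones like TCP_MISS/200
SAMPLE_LOG = """\
1700000001.101    0 10.1.0.20 TCP_DENIED/403 3987 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1700000002.215  143 10.1.0.20 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000003.330    0 10.1.0.21 TCP_DENIED/403 3987 CONNECT old.reddit.com:443 - HIER_NONE/- text/html
1700000004.442    0 10.1.0.20 TCP_DENIED/403 3987 GET http://twitter.com/home - HIER_NONE/- text/html
1700000005.557   87 10.1.0.21 TCP_TUNNEL/200 12345 CONNECT example.org:443 - HIER_DIRECT/203.0.113.11 -
1700000006.660    0 10.1.0.5 TCP_DENIED/403 3987 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1700000007.770    0 172.16.9.9 TCP_DENIED/403 3987 CONNECT example.org:443 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one access.log line into a dict; return None for lines that do not fit the format."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {
        "ts": float(f[0]),
        "client": f[2],
        "result": result,          # e.g. TCP_DENIED, TCP_MISS, TCP_TUNNEL
        "status": int(status),     # HTTP status squid returned to the client
        "method": f[5],
        "url": f[6],
    }


def host_of(method, url):
    """Destination hostname: for CONNECT the 'url' field is just host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def denied_summary(log_text):
    """Return two Counters: denied requests per client IP and per destination host."""
    per_client, per_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            per_client[rec["client"]] += 1
            per_host[host_of(rec["method"], rec["url"])] += 1
    return per_client, per_host


def foreign_clients(log_text, internal_network):
    """Client IPs that reached the proxy from outside the internal subnet.

    With the guide's rules these are all denied, but any hit at all means the proxy
    port is reachable from where it should not be (check the firewall / http_port binding).
    """
    net = ipaddress.ip_network(internal_network)
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ipaddress.ip_address(rec["client"]) not in net:
            seen.add(rec["client"])
    return seen


if __name__ == "__main__":
    clients, hosts = denied_summary(SAMPLE_LOG)
    print("denied per client:", clients.most_common())
    print("denied per host:  ", hosts.most_common())
    print("clients outside 10.1.0.0/24:", foreign_clients(SAMPLE_LOG, "10.1.0.0/24"))
```

On a real proxy, replace `SAMPLE_LOG` with the contents of /var/log/squid/access.log (or pipe `tail -n 1000` into the script); if you changed the `access_log` format in squid.conf the field positions in `parse_line` must change with it.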
#########################################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EXTRAS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##### SQUID.CONF configuration EXAMPLE:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## this example brings some other configuration options than what was presented in the
## basic configuration:
# proxy's access port (service):
http_port 3128
# access log (squid 2 called this directive cache_access_log; squid 3 and later use access_log):
access_log /var/log/squid/access.log
#******************************************** performance
# max size of objects kept in RAM:
maximum_object_size_in_memory 128 KB
# max size of objects kept on disk:
maximum_object_size 15 MB
# low watermark of the disk cache (% of cache_dir size): below it nothing is evicted
cache_swap_low 90
# high watermark of the disk cache (%): the closer usage gets to it, the more aggressive eviction is
cache_swap_high 95
# directory to store objects (cache): storage type, path, size in MB, L1 and L2 subdirectories:
cache_dir ufs /var/spool/squid 1024 16 256
#******************************************** filtering
# ACL matching all IPs (squid 3.2 and later already predefine 'all', so leave this line
# out on those versions):
acl all src 0.0.0.0/0.0.0.0
# ACL with IPs from the internal network:
acl internal_network src 10.1.0.0/24
# ACL with file containing sites to block (one regular expression per line, case-insensitive):
acl sites_blocked url_regex -i "/etc/squid/blocked.txt"
# note: for HTTPS the URL squid sees is only 'host:port' from the CONNECT request, so
# a regex on a path (e.g. /videos/) never matches HTTPS traffic; match on the hostname instead
# the http_access rules are evaluated top to bottom and the first match wins:
# rule 1: blocks the "sites_blocked":
http_access deny sites_blocked
# rule 2: allow access from the internal network:
http_access allow internal_network
# rule 3: blocks everything else!:
http_access deny all
#########################################################################################
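Both the basic configuration (deny blocked_websites, allow mynet) and the example above (rules 1 to 3) depend on Squid's first-match evaluation of http_access lines. The following is an added example, not code from the original guide or from the Squid project: a minimal model of that evaluation for the two ACL types the guide uses, `src` and `dstdomain`, run over two constructed squid.conf fragments that differ only in the position of the deny line. The fragments, client addresses and hostnames are made up for the example; Squid's real parser handles many more ACL types and directives.

```python
"""Added example: model Squid's first-match http_access evaluation.

Modelled from the Squid documentation:
  - http_access lines are checked top to bottom; the first line whose ACLs all
    match decides the request ('allow' or 'deny');
  - if no line matches, the opposite of the LAST line's action applies;
  - 'src' matches the client IP against a subnet;
  - 'dstdomain' matches the destination host; a leading dot also matches subdomains;
  - for a CONNECT request (HTTPS through an explicit proxy) the URL is just host:port;
  - 'all' is predefined (squid 3.2+).
Only these pieces are implemented; anything else raises so it cannot silently pass.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_config(text):
    """Collect 'acl' definitions and 'http_access' rules from a squid.conf fragment."""
    acls = {"all": [("src", "0.0.0.0/0")]}      # predefined in squid 3.2+
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).extend((acl_type, v) for v in values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))   # ('allow' | 'deny', [acl names])
    return acls, rules


def request_host(method, url):
    """Hostname squid compares dstdomain against."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def acl_matches(acl_values, client_ip, host):
    """True if any value of the ACL matches this request (values within one ACL are OR-ed)."""
    for acl_type, value in acl_values:
        if acl_type == "src":
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(value, strict=False):
                return True
        elif acl_type == "dstdomain":
            value = value.lower()
            if value.startswith("."):             # '.site.com' = site.com and all subdomains
                if host == value[1:] or host.endswith(value):
                    return True
            elif host == value:                   # 'site.com' = exact host only
                return True
        else:
            raise ValueError(f"ACL type {acl_type!r} is not modelled in this example")
    return False


def http_access(config, client_ip, method, url):
    """Return 'allow' or 'deny' for one request under the given config fragment."""
    acls, rules = parse_config(config)
    host = request_host(method, url)
    for action, names in rules:
        # all ACLs on one http_access line must match ('!' negates a single ACL)
        if all(acl_matches(acls[n.lstrip("!")], client_ip, host) ^ n.startswith("!")
               for n in names):
            return action
    # nothing matched: squid applies the opposite of the last line's action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


# constructed fragment with the deny placed AFTER the allow for the internal network
WRONG_ORDER = """
acl localhost src 127.0.0.1/32
acl mynet src 10.1.0.0/24
acl blocked_websites dstdomain .facebook.com .twitter.com .reddit.com
http_access allow localhost
http_access allow mynet
http_access deny blocked_websites
http_access deny all
"""

# the same fragment with the deny placed BEFORE the allows, as the guide intends
RIGHT_ORDER = """
acl localhost src 127.0.0.1/32
acl mynet src 10.1.0.0/24
acl blocked_websites dstdomain .facebook.com .twitter.com .reddit.com
http_access deny blocked_websites
http_access allow localhost
http_access allow mynet
http_access deny all
"""

if __name__ == "__main__":
    req = ("10.1.0.20", "CONNECT", "www.facebook.com:443")
    print("wrong order:", http_access(WRONG_ORDER, *req))   # the block never fires
    print("right order:", http_access(RIGHT_ORDER, *req))
```

The model only tells you what a given ordering does; on the real server, `squid -k parse` checks the syntax and the TCP_DENIED entries in access.log confirm the deny is actually reached.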
ATTENTION: Always read a script before you run it!!!
To run a basic Squid Proxy configuration script, download it, read it, and only then run it from your server's terminal:
wget -nc https://www.maycke.com.br/guides/raw/proxy_squid.sh
less proxy_squid.sh    # read it first
chmod 700 proxy_squid.sh && sudo ./proxy_squid.sh && sudo rm proxy_squid.sh
#########################################################################################