{"id":993,"date":"2013-05-17T19:49:08","date_gmt":"2013-05-17T23:49:08","guid":{"rendered":"https:\/\/infotechguy.net\/?p=993"},"modified":"2025-02-22T11:08:13","modified_gmt":"2025-02-22T16:08:13","slug":"squid-3-1-caching-proxy-with-ssl","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=993","title":{"rendered":"Squid Proxy — Caching Proxy with SSL with Squid3.1"},"content":{"rendered":"

Hello, hello! Recently I posted a two part article on creating a Guest wireless network using OpenWRT<\/a>, VLANs, and Firewall rules. Now we left things kinda open from a security standpoint. WE gave our Guest users full Internet access with no restrictions on sites, bandwidth usage, or ports!! Yikes! For this article I am going to walk you through the steps to close those gaps. We are going to first configure a Web Proxy server that will proxy outbound Internet connections. This allows us to check where and what are Guests are trying to get their hands on. Good and bad. We will also force Guests to connect to this Web Proxy server transparently. What I mean by that is the Guests will not be required to do anything on their side to connect, our firewall will take care of that. And lastly, I want only allow limited bandwidth of HTTP traffic. You will see later on how we can accomplish this. I’ve expanded upon this article<\/a> of mine that uses squid proxy to filter Ads.
\n
\nPhew, let’s get started.<\/p>\n

Installing Squid Proxy<\/h3>\n
    \n
  1. \n

    Install dependencies<\/h4>\n

    The easiest way to install dependencies on Ubuntu or another Debian based Linux server is to use the apt-get build-dep<\/strong> and apt-get source<\/strong> commands. We are installing Squid from source, because the default Squid package in the Ubuntu repositories doesn’t have configuration items we need to make our project work.<\/p>\n

    apt-get install build-essential fakeroot devscripts gawk gcc-multilib dpatch \napt-get build-dep squid3 \napt-get build-dep openssl \napt-get source squid3<\/pre>\n
    NOTICE:<\/strong> We just installed the essential build tools, along with any Squid dependencies, and the source files.<\/em><\/p>\n
    You should now have a squid3-3.1.19 folder<\/strong>.<\/li>\n
  2. \n
    Modify the build script<\/h4>\n
    We need to modify the build script. This will make it so when we go to configure the source files it will include SSL support.<\/p>\n
    vi squid3-3.1.19\/debian\/rules<\/pre>\n
    Add –enable-ssl<\/strong> under the DEB_CONFIGURE_EXTRA_FLAGS<\/strong> section.<\/p>\n
    ...\nDEB_CONFIGURE_EXTRA_FLAGS := --datadir=\/usr\/share\/squid3 \n                --sysconfdir=\/etc\/squid3 \n                --mandir=\/usr\/share\/man \n                --with-cppunit-basedir=\/usr \n                --enable-inline \n                --enable-ssl \n...\n<\/pre>\n
    Don’t forget to save!
    \n<\/em><\/li>\n
  3. \n
    Configure, Make, Make Install<\/h4>\n
    cd squid3-3.1.19\/ \ndebuild -us -uc -b<\/pre>\n
     <\/p>\n
    NOTICE:<\/strong> Here we use debuild that will automatically Configure, Make, and create an installable DEB package.<\/em><\/p>\n
    After this has been completed a DEB package will appear in the parent directory. Mine was called squid3_3.1.19-1ubuntu3.12.04.2_amd64.deb<\/strong>, squid3-common_3.1.19-1ubuntu3.12.04.2_all.deb<\/strong>
    \nand squid3-dbg_3.1.19-1ubuntu3.12.04.2_amd64.deb<\/strong><\/p>\n
    Install them:<\/p>\n
    dpkg -i squid3_3.1.19-1ubuntu3.12.04.2_amd64.deb squid3-common_3.1.19-1ubuntu3.12.04.2_all.deb squid3-dbg_3.1.19-1ubuntu3.12.04.2_amd64.deb<\/pre>\n<\/li>\n
  4. \n
    Verify Squid Installation<\/h4>\n
    For this step we just need to make sure that Squid properly installed itself and has SSL support.<\/p>\n
    squid3 -v<\/pre>\n
    Look for the version number 3.1.19<\/strong><\/p>\n
    squid3 -v |grep ssl<\/pre>\n
    Look for the –enable-ssl<\/strong> item.<\/li>\n<\/ol>\n
    Configuring Squid Proxy<\/h3>\n
      \n
    1. \n
      Copy the Squid3.conf file<\/h4>\n
      cp \/etc\/squid3\/squid3.conf \/etc\/squid3\/squid3.conf.bak<\/pre>\n<\/li>\n
    2. \n
      Preparing Squid<\/h4>\n
      We need to prepare the cache directory for Squid.<\/p>\n
      \/home\/usermkdir squidcache\nchown proxy. squidcache<\/pre>\n
      This will make a new directory in our home folder called squidcache with the user proxy ownership.<\/li>\n
    3. \n
      Initializing Squid Cache<\/h4>\n
      Ensure squid is not running first!<\/p>\n
      service squid3 stop<\/pre>\n
      Initialize cache…<\/p>\n
      quid3 -z<\/pre>\n<\/li>\n
    4. \n
      Edit the squid3.conf file<\/h4>\n
      NOTICE: <\/strong>I highly recommend taking a look at Squid3 Documentation, here<\/a>.<\/p>\n
      vi \/etc\/squid3\/squid3.conf\n#.................................\n#Access Lists\nacl manager proto cache_object\nacl localhost src 127.0.0.1\/32 ::1\nacl home_network src 192.168.0.0\/24\nacl guest_network src 192.168.1.0\/24\n\n#Ports allowed through Squid\nacl Safe_ports port 80 #http\nacl Safe_ports port 443 #https\nacl SSL_ports port 443\nacl SSL method CONNECT\nacl CONNECT method CONNECT\n\n#allow\/deny\nhttp_access allow localhost\nhttp_access allow home_network\nhttp_access allow guest_network\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access deny all\n\n#proxy ports\nhttp_port {proxy_server_IP}:3128\nhttp_port {proxy_server_IP}:8080 intercept\n\n#caching directory\ncache_dir ufs \/home\/user\/squidcache\/ 2048 16 128\ncache_mem 1024 MB\n\n#refresh patterns for caching static files\nrefresh_pattern ^ftp: 1440 20% 10080\nrefresh_pattern ^gopher: 1440 0% 1440\nrefresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private\nrefresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private\nrefresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private\nrefresh_pattern -i .index.(html|htm)$ 0 40% 10080\nrefresh_pattern -i .(html|htm|css|js)$ 1440 40% 40320\nrefresh_pattern . 0 40% 40320\n\n#nameservers\ndns_nameservers {your DNS server IP}\n<\/pre>\n
      Let’s step through this:<\/p>\n