It’s been a while since I’ve set up any (non-)caching proxy servers. I’ve mostly dealt with reverse proxies, Apache2 in 90% of cases, nginx in a few. Below are a few copy&paste configs.
apt-get install squid3
Content of /etc/squid3/squid.conf, basic config (http_access lines are evaluated top to bottom and the first match wins, so the order of the allow/deny lines is what actually decides who gets through):
#no_cache deny STOPLISTA
cache_mem 4 MB
# 4 MB on-disk cache; note that maximum_object_size below is larger than the whole cache_dir
cache_dir ufs /var/spool/squid3/ 4 16 256
redirect_rewrites_host_header off
cache_replacement_policy lru
acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8
acl localnet src 127.0.0.1
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
# dstdomain matches the requested host name (the leading dot includes subdomains);
# "dst" takes IP addresses, so "dst gmail.com" would only match whatever the name resolved to at startup
acl gmail dstdomain .gmail.com
# authentication
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/auth
acl passauth proxy_auth REQUIRED
acl ncsa_users proxy_auth REQUIRED
# first match wins: with "allow localnet" first, the proxy_auth ACLs above are never
# referenced by any http_access line (no authentication happens), and Safe_ports/CONNECT
# are defined but not enforced either
http_access allow localnet
#http_access deny gmail
#http_access allow localnet
http_access deny all
maximum_object_size 150000 KB
store_avg_object_size 50 KB
cache_effective_user proxy
cache_effective_group proxy
log_icp_queries off
buffered_logs off
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
store_dir_select_algorithm least-load
# on: squid adds the client's address in an X-Forwarded-For header to every upstream request
forwarded_for on
# what not to cache (no_cache is the pre-3.x spelling; squid3 still accepts it, the directive is now "cache")
acl QUERY urlpath_regex cgi-bin \?
acl url_htm url_regex \.htm$
acl url_html url_regex \.html$
acl url_pdf url_regex \.pdf$
acl url_xls url_regex \.xls$
acl SSL_ports port 443 563
no_cache deny QUERY
no_cache deny url_xls
no_cache deny url_pdf
no_cache deny url_html
no_cache deny url_htm
no_cache deny SSL_ports
http_port 3128
To run a transparent (intercepting) proxy on your router, change:
http_port 3128
into
http_port 3128 transparent
(squid 3.1 and later spell this `intercept`; `transparent` is still accepted) and redirect all outgoing HTTP traffic to the proxy. This catches only port 80, so HTTPS on 443 is not intercepted and bypasses the proxy entirely; add `-i <lan interface>` to the rule so that only the clients' traffic is redirected:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
To introduce proxy authentication, remove the `transparent` keyword again (an intercepted client does not know there is a proxy in the path and never answers squid's 407 challenge, so interception and authentication cannot be combined) and add the following at the top of the ACL section, before `http_access allow localnet`; if the allow stays first it matches first and the authentication rules are never reached:
# authentication
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/auth
acl passauth proxy_auth REQUIRED
# ncsa_users duplicates passauth and is not referenced below; one proxy_auth ACL is enough
acl ncsa_users proxy_auth REQUIRED
# allows any client with valid credentials from any address; "allow localnet passauth" would also restrict the source
http_access allow passauth
http_access deny all
You will need to create the password file with logins and hashes using Apache2's htpasswd (squid reads it as the `proxy` user it runs as, so keep the file unreadable to everyone else):
htpasswd -c /etc/squid3/auth username0   # -c creates the file and overwrites an existing one, so use it only for the first user
htpasswd /etc/squid3/auth username1
If you want to block access to some domain, use `dstdomain` (it matches the requested host name; `dst` expects IP addresses) and put the deny before `http_access allow localnet`, otherwise the allow matches first and the deny is never reached:
acl gmail dstdomain .gmail.com
http_access deny gmail
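Because every pitfall above (the allow that shadows the deny, auth ACLs that are defined but never referenced, proxy_auth on an intercept port) comes down to squid's first-match evaluation of http_access, it is worth being able to dry-run a config before reloading squid. The script below is an added example, not code from the original post or from the squid project: it re-implements squid's http_access evaluation for the ACL types used on this page (src, dstdomain, port, method, proxy_auth) and runs it against two constructed configs, one mirroring the basic config above and one hardened variant. The sample client addresses, host names and both config strings are assumptions made for the example.

```python
# Added example (not the post's code): re-implements squid's http_access
# evaluation (first matching line wins, every term on the line must match,
# "!" negates, no match at all yields the opposite of the last line's action)
# for the ACL types the post uses: src, dstdomain, port, method, proxy_auth.
import ipaddress

# Constructed to mirror the post's basic config (with dstdomain instead of dst).
BASIC_CONF = """
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl gmail dstdomain .gmail.com
acl passauth proxy_auth REQUIRED
http_access allow localnet
http_access deny gmail
http_access deny all
"""

# Same ACLs with the port/CONNECT checks enforced, the domain block placed
# before the allow, and credentials required from LAN clients.
HARDENED_CONF = """
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl gmail dstdomain .gmail.com
acl passauth proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny gmail
http_access allow localnet passauth
http_access deny all
"""

def parse(conf):
    """-> acls {name: (type, values)}, ordered http_access [(action, terms)], other directives."""
    acls, rules, directives = {}, [], []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)   # same name on several lines = one ACL
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
        else:
            directives.append(words)
    return acls, rules, directives

def acl_matches(acls, name, req):
    # req: dict with src, host, port, method, authenticated
    if name == "all" and name not in acls:        # "all" is built in on squid 3
        return True
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":                       # ".gmail.com" also covers subdomains
        h = req["host"].lower()
        return any(h == v.lstrip(".") or (v.startswith(".") and h.endswith(v)) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"].upper() in [v.upper() for v in values]
    if kind == "proxy_auth":                      # real squid sends a 407 challenge here instead
        return bool(req["authenticated"])
    raise NotImplementedError(f"acl type {kind} not modelled")

def decide(acls, rules, req):
    """Return (action, index of the deciding http_access line, or None)."""
    for idx, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, idx
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None

def unused_acls(acls, rules):
    """ACLs no http_access line references: defined, but enforcing nothing."""
    used = {t.lstrip("!") for _, terms in rules for t in terms}
    return sorted(set(acls) - used)

def auth_enforced(acls, rules, req):
    """True only if the request is denied anonymously and allowed once authenticated."""
    anon, auth = dict(req, authenticated=False), dict(req, authenticated=True)
    return decide(acls, rules, anon)[0] == "deny" and decide(acls, rules, auth)[0] == "allow"

def intercept_with_auth(acls, directives):
    """Intercepted clients never see a 407, so proxy_auth on an intercept port is dead."""
    intercept = any(d[0] == "http_port" and {"transparent", "intercept"} & set(d[1:]) for d in directives)
    return intercept and any(kind == "proxy_auth" for kind, _ in acls.values())

if __name__ == "__main__":
    lan = {"src": "192.168.1.5", "host": "www.gmail.com", "port": 80, "method": "GET", "authenticated": False}
    for label, conf in (("basic", BASIC_CONF), ("hardened", HARDENED_CONF)):
        acls, rules, _ = parse(conf)
        print(label, "unused:", unused_acls(acls, rules), "| LAN->gmail, no creds:", decide(acls, rules, lan),
              "| auth enforced:", auth_enforced(acls, rules, dict(lan, host="example.com")))
```

With the basic config a LAN client is allowed by line 0 before the gmail deny is ever looked at and `Safe_ports`, `CONNECT` and `passauth` show up as unused; with the hardened config the same client is denied on the gmail line, is denied on `deny all` until it presents credentials, and a CONNECT to a port outside `Safe_ports` is stopped by the first line. `intercept_with_auth` flags the combination the post warns against, an `http_port ... transparent` together with a `proxy_auth` ACL.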