Would you like to learn how to install a Squid transparent proxy on Ubuntu Linux? In this tutorial, we are going to show you how to install and configure a Transparent Proxy server using the Squid software on Ubuntu Linux version 17.

Tutorial – Squid on Ubuntu Linux

On the Linux console, use the following command to set the correct timezone.

# dpkg-reconfigure tzdata

Install the Ntpdate package and set the correct date and time immediately.

# apt-get install ntpdate
# ntpdate pool.ntp.br

In our example, the Ntpdate command was used to set the correct date and time using the Brazilian server pool.ntp.br.

Let’s install the NTP service.

# apt-get install ntp

NTP is the service that will keep our server's date and time updated.

Use the command date to check the date and time configured on your Ubuntu Linux.

# date

If the system shows the correct date and time, this means that you followed all the steps correctly.

Use the following commands to install the required packages.

# apt-get update
# apt-get install build-essential openssl libssl-dev

Download, compile and install the Squid package.

# mkdir /downloads
# cd /downloads
# wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.27.tar.gz
# tar -zxvf squid-3.5.27.tar.gz
# cd squid-3.5.27
# ./configure --with-default-user=proxy
# make
# make install

Here is the original squid configuration file installed by the Squid Package.

# vi /usr/local/squid/etc/squid.conf

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128

coredump_dir /usr/local/squid/var/cache/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Here is the new file with our configuration.

The changed directives are the ones marked with a comment.

# vi /usr/local/squid/etc/squid.conf

acl localnet src 192.168.0.0/24  # My internal Network

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128 intercept   # TRANSPARENT PROXY

coredump_dir /usr/local/squid/var/cache/squid
cache_dir ufs /usr/local/squid/var/cache/squid 1000 16 256  # 1GB as Cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

My configuration is just basic.

It is highly recommended that you study this configuration file to improve your configuration.

Use the following commands to create the necessary cache folders.

# chown -R proxy:proxy /usr/local/squid
# /usr/local/squid/sbin/squid -z

Use the following command to start the Squid service.

# /usr/local/squid/sbin/squid -d 10

If everything worked correctly, you should see the following messages on the screen:

Starting Squid Cache version 3.5.27 for x86_64-pc-linux-gnu...
Service Name: squid
Process ID 19569
Process Roles: worker
With 1024 file descriptors available
Initializing IP Cache...
DNS Socket created at [::], FD 6
DNS Socket created at 0.0.0.0, FD 8
Adding nameserver 172.31.0.2 from /etc/resolv.conf
Adding domain us-west-2.compute.internal from /etc/resolv.conf
Logfile: opening log daemon:/usr/local/squid/var/logs/access.log
Logfile Daemon: opening log /usr/local/squid/var/logs/access.log
Unlinkd pipe opened on FD 14
Store logging disabled
Swap maxSize 1024000 + 262144 KB, estimated 98934 objects
Target number of buckets: 4946
Using 8192 Store buckets
Max Mem size: 262144 KB
Max Swap size: 1024000 KB
Rebuilding storage in /usr/local/squid/var/cache/squid (no log)
Using Least Load store dir selection
Set Current Directory to /usr/local/squid/var/cache/squid
Finished loading MIME types and icons.
HTCP Disabled.
Squid plugin modules loaded: 0
Adaptation support is off.
Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 16 flags=9
Done scanning /usr/local/squid/var/cache/squid dir (0 entries)
Finished rebuilding storage from disk.
0 Entries scanned
0 Invalid entries.
0 With invalid flags.
0 Objects loaded.
0 Objects expired.
0 Objects cancelled.
0 Duplicate URLs purged.
0 Swapfile clashes avoided.
Took 0.04 seconds ( 0.00 objects/sec).
Beginning Validation Procedure
Completed Validation Procedure
Validated 0 Entries
store_swap_size = 0.00 KB
storeLateRelease: released 0 objects

Your transparent proxy solution is installed.

Now, you need to redirect every connection from the internal network trying to reach an HTTP website to force the utilization of your proxy server.

Use the following command to redirect every packet from the internal network trying to reach an HTTP website to the TCP port 3128 of your Squid proxy.

# iptables -t nat -I PREROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

To test the installation, go to a computer located on your internal network and open its browser and try to access an HTTP website.
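
As an added check (not part of the original tutorial), the script below confirms that the port targeted by the iptables REDIRECT rule is one that squid.conf opens with the intercept flag. The function names and the sample inputs are constructed for this example; on a live system, pass the contents of /usr/local/squid/etc/squid.conf and the output of iptables -t nat -S PREROUTING instead.

```shell
#!/bin/sh
# Added example: cross-check squid.conf against the NAT PREROUTING rules.
# Function names and sample data are constructed for illustration.

# Print the port of every http_port line that carries the intercept flag.
squid_intercept_ports() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        $1 == "http_port" {
            for (i = 3; i <= NF; i++) if ($i == "intercept") {
                n = split($2, a, ":"); print a[n]; break
            }
        }'
}

# Print the --to-ports value of every REDIRECT rule that matches TCP port 80.
nat_redirect_ports() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ && /--dport 80( |$)/ {
            for (i = 1; i < NF; i++) if ($i == "--to-ports") print $(i + 1)
        }'
}

# Succeed only if port 80 is redirected and every target is an intercept port.
check_intercept() {
    squid_ports=$(squid_intercept_ports "$1")
    nat_ports=$(nat_redirect_ports "$2")
    [ -n "$nat_ports" ] || { echo "FAIL: no REDIRECT rule for port 80"; return 1; }
    for p in $nat_ports; do
        printf '%s\n' "$squid_ports" | grep -qx "$p" ||
            { echo "FAIL: port $p is redirected but is not an intercept port"; return 1; }
    done
    echo "OK: redirect targets match Squid intercept ports"
}

# Constructed sample input mirroring this tutorial's configuration.
SAMPLE_CONF='acl localnet src 192.168.0.0/24  # My internal Network
http_port 3128 intercept   # TRANSPARENT PROXY'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

check_intercept "$SAMPLE_CONF" "$SAMPLE_NAT"
```

A non-zero exit status means either that no rule redirects port 80, or that the redirect points at a port Squid is not listening on in intercept mode.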