Creating an HTTP Proxy Using Squid on CentOS 8
- Ubuntu 18.04
- Debian 10
- Deprecated guides:
- Ubuntu 12.04
- CentOS 6
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
This guide will show you how to create your own HTTP proxy using Squid, a highly customizable proxy/cache application, on CentOS 8. An HTTP proxy acts as an intermediary between you and the internet. While connected to your Squid HTTP proxy, you will be able to:
- Anonymously access internet services.
- Bypass certain regional and local network restrictions.
Install Squid
Secure your Linode by completing the instructions in our guide on Securing Your Server, including adding a limited user account and configuring a firewall.
Note This guide is written for a limited, non-root user. Commands that require elevated privileges are prefixed withsudo
. If you are not familiar with thesudo
command, you can check our Users and Groups guide.Ensure that your system is up-to-date:
sudo yum update && sudo yum upgrade
Install Squid using the
yum
software package manager:sudo yum install squid
Copy the original configuration file to keep as a backup:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.default
Note The Squid configuration file includes comprehensive documentation in its commented lines, along with several uncommented rules that will remain active. These default rules should not be modified while you are following this guide. To gain a deeper understanding of Squid’s options and default settings, you can review the full configuration file.
Configure Client Access
Now that you have Squid installed on your Linode, you can configure ways for it to accept connections and serve as an HTTP proxy. The following sections provide different ways for your Squid HTTP proxy to authenticate client connections. You can configure Squid to use either or both authentication methods.
IP Address Authentication
A simple way to use Squid as an HTTP proxy is to use a client’s IP address for authentication.
Edit the Squid configuration file and add the following lines at the beginning of the file:
- File: /etc/squid/squid.conf
1 2
acl client src 192.0.2.0 # Home IP http_access allow client
Replace
client
with a name that identifies the client computer that will connect to your Squid HTTP proxy, then replace192.0.2.0
with the client computer’s IP address. You can also update the optional comment# Home IP
to further describe the client.Alternatively, you can configure multiple clients by adding new
acl
lines to/etc/squid/squid.conf
and including them in thehttp_access allow
line as follows:- File: /etc/squid/squid.conf
1 2 3
acl client1 src 192.0.2.0 # Home IP acl client2 src 192.0.2.1 # Work IP http_access allow client1 client2
Replace
client1
andclient2
with names that identify the client computers, then replace192.0.2.0
and192.0.2.1
with their corresponding IP addresses. Update the optional comments# Home IP
and# Work IP
with accurate descriptions to help keep track of multiple clients. Access to the proxy is granted by adding the names defined by eachacl
to thehttp_access allow
line.
User/Password Authentication
You can also configure your Squid HTTP proxy to accept authentication with usernames and passwords.
Install
htpasswd
by installing the Apache utility programs. If you have installed Apache on your Linode, you will already have it and can skip this step.sudo yum install httpd-tools
Create a file to store Squid users and passwords:
sudo touch /etc/squid/squid_passwd
Change ownership of the password file:
sudo chown squid /etc/squid/squid_passwd
Create a username password pair, replacing
user1
with the name of the user you’d like to add:sudo htpasswd /etc/squid/squid_passwd user1
You will be prompted to create a password for this user:
New password: Re-type new password: Adding password for user user1
You can repeat this step at any time to create new users.
Check the location of the
nsca_auth
file:sudo rpm -ql squid | grep ncsa_auth
Edit the Squid configuration file and add the following lines at the beginning of the file:
Note Ensure that you update/usr/lib64/squid/basic_ncsa_auth
below with the location of thensca_auth
file that you checked in the previous step.- File: /etc/squid/squid.conf
1 2 3
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd acl ncsa_users proxy_auth REQUIRED http_access allow ncsa_users
To remove a user’s access to the proxy, you must delete the corresponding entry in the
squid_passwd
file. Each user is represented in the file on a single line in the format ofuser:passwordhash
:- File: /etc/squid/squid_passwd
1
user1:\$p948w3nvq3489v6npq396g user2:\$q3cn478554387cq34n57vn
If you are using Nano, the command
Control+k
will remove the entire line where the cursor rests.Once you’ve saved and exited the file, complete user removal by restarting Squid:
sudo systemctl restart squid
Combined Authentication
You can combine authentication methods using the same acl
definitions that you have added in the previous two sections by using a single http_access
rule.
Remove any previous
http_access
lines you have added.Edit the Squid configuration file so that the lines you have added at the beginning of the file follow this form:
- File: /etc/squid/squid.conf
1 2 3 4 5
acl client1 src 192.0.2.0 # Home IP acl client2 src 192.0.2.1 # Work IP auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd acl ncsa_users proxy_auth REQUIRED http_access allow client1 client2 ncsa_users
Note Take care to avoid using multiplehttp_access
rules when combining authentication methods, as Squid will follow the rules in the order that they appear. By using a singlehttp_access
rule for youracl
definitions, you will ensure that several authentication methods will apply to each client that attempts to connect to your Squid HTTP proxy.
Anonymize Traffic
Here, you will add rules to mask client IP addresses from the servers that receive traffic from you Squid HTTP proxy. Without these rules, the originating client IP addresses may be passed on through the X-Forwarded For
HTTP header.
Add the following lines at the beginning of the Squid configuration file:
- File: /etc/squid/squid.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
forwarded_for off request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access User-Agent allow all request_header_access Cookie allow all request_header_access All deny all
Enable Connections
Next, you will enable clients to connect to your Squid HTTP proxy.
Save and exit the Squid configuration file.
Restart Squid to enable the rules you have added:
sudo systemctl restart squid
Implement firewall rules to enable port
3128
, which is the default service port used by Squid:sudo firewall-cmd --add-port=3128/tcp --permanent sudo firewall-cmd --reload
You can find more information on configuring firewall rules for CentOS in our guide on Introduction to FirewallD on CentOS.
Connect to your Squid HTTP Proxy
Your Squid HTTP proxy is now ready to accept client connections and anonymously handle internet traffic.
At this point, you can configure your local browser or operating system’s network settings to use your Linode as an HTTP proxy. The settings to do this will vary depending on your OS and browser. Instructions for certain OS and browser settings are located in the More Information section below.
Generally, connecting to your Squid HTTP proxy requires the following information:
- The IP address or domain name associated with your Linode.
- The port that is being used by Squid. The default port is
3128
. - A username and password if you have configured them for authentication.
Once you have established your OS or browser settings, test the connection by pointing your browser at a website that tells you your IP address, such as:
The result should display your Linode’s IP address instead of the IP address of your client computer.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on