Sep 16 2012
A basic SQUID configuration providing Internet access through a specific network (Using VPN)
Hey,
Setup my first proxy server today on a linux box using squid 2.7 for the specific purpose of re-routing my traffic through a Thessaloniki company network which has a static ip.
This was for the purpose to access specific services; services that are only accessible with that IP and which I needed.
I wanted to avoid the cycle of uploading code, executing and debugging only to upload again…
Diagram:
My Laptop -> VPN Connection Through Internet -> Server Behind Router running Squid -> Internet
This was a very frustrating process as the access denied message kept on rearing its’ uglyhead despite http_access allow commands
/var/logs/squid/access.log was littered with entries such as:
1347741694.553 0 10.9.8.90 TCP_DENIED/403 1539 GET
http:/www.google.com – NONE/ text/html
As it took some troubleshooting I’m writing my 2 cents below which helped me personally as well as including my squid.conf:
1) Simplify your conf file. I cannot stress enough that this is what helped me.
The default is very large and has too many options and settings. My proxy was denying all access to the internet until I removed everything I did not need and was able to set it up to my specs.
(Everyone add your own 2 cents if you have them =) ).
2) Have a look at the log files within /var/log/squid . They can glint some light.
3) If squid does not start normally with sudo service squid start , it may be your config has an error someplace. If your connections in the browser are being refused it is a good indication.
You can check if squid is running through various methods (though a is optimal):
a) ps -ef | grep ‘squid’
b) top command
Finally, below my config stripped down to the bare necessities.
—————————————————————————————————————
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#which specific IPs do you want to allow to connect and use the proxy? Labeled them as clients here.
#could have entered 10.9.8.0 to specificy all computers between 10.9.8.1 to 10.9.8.255 or added a subnet mask.
acl clients src 10.9.8.90
#specify from which network the clients are from (localnet)
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#on which ports do we allow connections using the proxy
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost clients
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent web applications running on the proxy server who think the only one who can access services on “localhost” is a local user
http_access deny to_localhost
http_access allow localnet
http_access allow localhost clients
# And deny all other access to this proxy
http_access deny all
#allow HTTP connections from clients group of IP addresses
http_access allow clients
http_reply_access allow clients localnet
# Squid normally listens to port 3128
http_port 8080
Tchuk Rolley
Jan 16, 2014 @ 23:16:19
From your laptop, you need to setup the proxy settings in your web browser?
Menelaos
Jun 02, 2014 @ 23:22:52
Yes, you would need the proxy settings to be added to the browser.