I am trying to set up squid3 as an HTTPS proxy using the tutorial given here. I have properly set up the proxy settings in my browser, and when I try to hit HTTP web sites I am able to connect successfully. However, I keep getting a "Connection timed out" error whenever I hit an HTTPS web site, and the following error in my /var/log/squid3/cache.log:

Here is my /etc/squid3/squid.conf file (commented lines removed for brevity):

Here is the output of squid3 -v:

I have spent a lot of time googling this error but could not arrive at a solution which would configure squid as an HTTP proxy. How do I get this working?
jobin
2 Answers
Maybe you need to consider using the http_port directive with ssl-bump and not https_port, since you have your browsers configured with a proxy (CONNECT method).

Intercept mode is appropriate for a transparent proxy (no browser settings needed), when packets are automatically forwarded to the proxy using iptables. The https_port directive is used to intercept and handle such traffic arriving at the proxy.

ssl-bump: http://www.squid-cache.org/Doc/config/ssl_bump/

> This option is consulted when a CONNECT request is received on an http_port (or a new connection is intercepted at an https_port), provided that port was configured with an ssl-bump flag. The subsequent data on the connection is either treated as HTTPS and decrypted OR tunneled at TCP level without decryption, depending on the first matching bumping 'action'.

For an ssl-bump example: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Diamant
The error 'NF getsockopt(SO_ORIGINAL_DST)' is a NAT error. It has nothing to do with the encryption.

Since you have configured your browser to use the proxy explicitly:

So what you need to do is simply to move the ssl-bump settings to your existing http_port line. It should become like this:

Another thing you should do to correctly set up SSL-Bump is remove the following lines:

They do more harm than good and are not even useful for debugging.

Also, upgrade your proxy to the latest upstream release. TLS and SSL-Bump are involved in a fast-changing arms race to do better security, and to decrypt that better security. Using older versions than the latest is guaranteed to hit problems one way or another. Squid-3.3 specifically has issues with Elliptic Curve and other recent ciphers, breaks when TLS session resume is used, cannot bypass cert pinning using SNI, generates SHA-1 certificates, etc.
Amos Jeffries
In Part 1 of this series, we showed how to install squid, a proxy caching server for web clients. Please refer to that post (link given below) before proceeding if you haven’t installed squid on your system yet.
In this article, we will show you how to configure the Squid proxy server in order to grant or restrict Internet access, and how to configure an http client, or web browser, to use that proxy server.
My Testing Environment Setup

- Squid Server
- Client Machine 1
- Client Machine 2
Let us remember that, in simple terms, a web proxy server is an intermediary between one (or more) client computers and a certain network resource, the most common being access to the Internet. In other words, the proxy server is connected on one side directly to the Internet (or to a router that is connected to the Internet) and on the other side to a network of client computers that will access the World Wide Web through it.
You may be wondering, why would I want to add yet another piece of software to my network infrastructure?
Here are the top 3 reasons:
1. Squid stores files from previous requests to speed up future transfers. For example, suppose client1 downloads CentOS-7.0-1406-x86_64-DVD.iso from the Internet. When client2 requests access to the same file, squid can transfer the file from its cache instead of downloading it again from the Internet. As you can guess, you can use this feature to speed up data transfers in a network of computers that require frequent updates of some kind.
2. ACLs (Access Control Lists) allow us to restrict the access to websites, and / or monitor the access on a per user basis. You can restrict access based on day of week or time of day, or domain, for example.
3. Bypassing web filters is made possible through the use of a web proxy to which requests are made and which returns requested content to a client, instead of having the client request it directly to the Internet.
For example, suppose you are logged on in client1 and want to access www.facebook.com through your company’s router. Since the site may be blocked by your company’s policies, you can instead connect to a web proxy server and have it request access to www.facebook.com. Remote content is then returned to you through the web proxy server again, bypassing your company’s router’s blocking policies.
Configuring Squid – The Basics
The access control scheme of the Squid web proxy server consists of two different components:
Squid’s main configuration file is /etc/squid/squid.conf, which is ~5000 lines long since it includes both configuration directives and documentation. For that reason, we will create a new squid.conf file with only the lines that include configuration directives for our convenience, leaving out empty or commented lines. To do so, we will use the following commands.
And then,
Backup Squid Configuration File
Now, open the newly created squid.conf file, and look for (or add) the following ACL elements and access lists.
The two lines above represent a basic example of the usage of ACL elements.
The two lines below are access list rules and represent an explicit implementation of the ACL directives mentioned earlier. In a few words, they indicate that http access should be granted if the request comes from the local network (localnet) or from localhost. Which addresses count as the local network or local host? Those specified in the localhost and localnet ACL definitions.
At this point you can restart Squid in order to apply any pending changes.
and then configure a client browser in the local network (192.168.0.104 in our case) to access the Internet through your proxy as follows.
In Firefox
1. Go to the Edit menu and choose the Preferences option.
2. Click on Advanced, then on the Network tab, and finally on Settings…
3. Check Manual proxy configuration and enter the IP address of the proxy server and the port where it is listening for connections.
Configure Proxy in Firefox
Note that by default Squid listens on port 3128, but you can override this behaviour by editing the configuration line that begins with http_port (by default it reads http_port 3128).
4. Click OK to apply the changes and you’re good to go.
Verifying that a Client is Accessing the Internet
You can now verify that your local network client is accessing the Internet through your proxy as follows.
1. In your client, open up a terminal and type,
That command will display the current IP address of your client (192.168.0.104 in the following image).
2. In your client, use a web browser to open any given web site (www.tecmint.com in this case).
3. In the server, run.
and you’ll get a live view of requests being served through Squid.
Restricting Access By Client
Now suppose you want to explicitly deny access to that particular client IP address, while yet maintaining access for the rest of the local network.
1. Define a new ACL directive as follows (I’ve named it ubuntuOS but you can name it whatever you want).
2. Add the ACL directive to the localnet access list that is already in place, but prefacing it with an exclamation sign. This means, “Allow Internet access to clients matching the localnet ACL directive except to the one that matches the ubuntuOS directive”.
3. Now we need to restart Squid in order to apply changes. Then if we try to browse to any site we will find that access is denied now.
Block Internet Access
Configuring Squid – Fine Tuning

Restricting access by domain and / or by time of day / day of week

To restrict access to Squid by domain we will use the dstdomain keyword in an ACL directive, as follows.
Where forbidden_domains is a plain text file that contains the domains that we desire to deny access to.
Finally, we must grant access to Squid for requests not matching the directive above.
Or maybe we will only want to allow access to those sites during a certain time of the day (10:00 until 11:00 am) only on Monday (M), Wednesday (W), and Friday (F).
Otherwise, access to those domains will be blocked.
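The client, domain and time restrictions above all come down to how Squid walks its http_access lines. The following model of that evaluation is an added example, not Squid's own code: the ACL names localnet, localhost, ubuntuOS and forbidden_domains come from this article, while the domain list, the time ACL name mwf_window and the sample requests are constructed.

```python
"""Added example (not Squid's code): a small model of how Squid evaluates
http_access lines against the ACLs built up in this article. A line matches
only if every ACL on it matches ('!' negates one ACL), the first matching line
decides, and when nothing matches Squid applies the opposite of the last
line's action. The domain list and the ACL name 'mwf_window' are constructed."""
import ipaddress
from datetime import datetime

# acl <name> <type> <value>, as they would appear in squid.conf
ACLS = {
    "localhost": ("src", "127.0.0.1/32"),
    "localnet": ("src", "192.168.0.0/16"),
    "ubuntuOS": ("src", "192.168.0.104"),
    # in squid.conf this list would come from the forbidden_domains file
    "forbidden_domains": ("dstdomain", [".facebook.com", "example.net"]),
    "mwf_window": ("time", ("MWF", "10:00", "11:00")),
}

# http_access <action> <acl> [<acl> ...], in file order (the order is what matters)
HTTP_ACCESS = [
    ("allow", ["localhost"]),
    ("allow", ["forbidden_domains", "mwf_window"]),  # only Mon/Wed/Fri 10-11
    ("deny",  ["forbidden_domains"]),                # otherwise blocked
    ("allow", ["localnet", "!ubuntuOS"]),            # the LAN minus one client
]

DAY_CODES = "MTWHFAS"  # Squid's day letters indexed by weekday(): H=Thu, A=Sat, S=Sun

def acl_matches(name, src, host, when):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(src) in ipaddress.ip_network(value, strict=False)
    if kind == "dstdomain":
        # ".foo.com" matches foo.com and every subdomain; a bare name matches only itself
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in value)
    if kind == "time":
        days, start, end = value  # boundary-minute handling is simplified here
        return DAY_CODES[when.weekday()] in days and start <= when.strftime("%H:%M") < end
    raise ValueError("unsupported acl type " + kind)

def decide(src, host, when_iso):
    """Return 'allow' or 'deny' for a client IP, destination host and ISO timestamp."""
    when = datetime.fromisoformat(when_iso)
    host = host.lower()
    for action, tokens in HTTP_ACCESS:
        if all(acl_matches(t.lstrip("!"), src, host, when) != t.startswith("!")
               for t in tokens):
            return action
    last_action = HTTP_ACCESS[-1][0]  # nothing matched: opposite of the last line
    return "deny" if last_action == "allow" else "allow"

if __name__ == "__main__":
    for req in [("192.168.0.17", "www.tecmint.com", "2024-05-14T09:00"),
                ("192.168.0.104", "www.tecmint.com", "2024-05-14T09:00"),
                ("192.168.0.17", "www.facebook.com", "2024-05-15T10:30"),
                ("192.168.0.17", "www.facebook.com", "2024-05-14T10:30")]:
        print(req, "->", decide(*req))
```

Note the last case: a request from 192.168.0.104 matches no line at all, so it is denied only because the final line is an allow; appending a further allow rule would silently reopen access for that client.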
Restricting access by user authentication
Squid supports several authentication mechanisms (Basic, NTLM, Digest, SPNEGO, and OAuth) and helpers (SQL database, LDAP, NIS, NCSA, to name a few). In this tutorial we will use Basic authentication with NCSA.
Add the following lines to your /etc/squid/squid.conf file.
Note: In CentOS 7, the NCSA plugin for squid can be found in /usr/lib64/squid/basic_ncsa_auth, so change the path in the line above accordingly.
Enable NCSA Authentication
A few clarifications:
Run the following command to create the file and to add credentials for user gacanepa (omit the -c flag if the file already exists).
Open a web browser in the client machine and try to browse to any given site.
Enable Squid Authentication
If authentication succeeds, access is granted to the requested resource. Otherwise, access will be denied.
Using Cache to Speed Up Data Transfer
One of Squid’s distinguishing features is the possibility of caching resources requested from the web to disk in order to speed up future requests of those objects either by the same client or others.
Add the following directives in your squid.conf file.
A few clarifications of the above directives.
The first and second 2880 are the lower and upper limits (in minutes), respectively, on how long objects without an explicit expiry time will be considered fresh and thus served from the cache, whereas 0% is the percentage of an object's age (time since last modification) for which an object without an explicit expiry time is considered fresh.
Case study: downloading a .mp4 file from 2 different clients and testing the cache
First client (IP 192.168.0.104) downloads a 71 MB .mp4 file in 2 minutes and 52 seconds.
Second client (IP 192.168.0.17) downloads the same file in 1.4 seconds!
Verify Squid Caching
That is because the file was served from the Squid cache (indicated by TCP_HIT/200) in the second case, as opposed to the first instance, when it was downloaded directly from the Internet (represented by TCP_MISS/200).

The HIT and MISS keywords, along with the 200 HTTP response code, indicate that the file was served successfully both times, but that the cache was hit and missed respectively. When a request cannot be served from the cache for some reason, Squid attempts to serve it from the Internet.
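The same access.log that shows the TCP_HIT/TCP_MISS pair above also records every denied request and CONNECT tunnel, which is what you would watch when checking that the ACLs from this article behave as intended. The summariser below is an added example, not code from the article; the log lines are constructed samples in Squid's native access.log format.

```python
"""Added example (not from the article): summarise a Squid access.log in its
native format, per client: cache hits and misses, bytes served from cache,
denied requests (TCP_DENIED/403, e.g. a client blocked by an ACL) and CONNECT
tunnels. The lines in SAMPLE_LOG are constructed, not real traffic."""
from collections import defaultdict

SAMPLE_LOG = """\
1431543267.401 172023 192.168.0.104 TCP_MISS/200 74448896 GET http://example.com/video.mp4 - HIER_DIRECT/203.0.113.10 video/mp4
1431543300.120   1400 192.168.0.17 TCP_HIT/200 74448896 GET http://example.com/video.mp4 - HIER_NONE/- video/mp4
1431543310.500     12 192.168.0.104 TCP_DENIED/403 3914 GET http://www.tecmint.com/ - HIER_NONE/- text/html
1431543320.000     95 192.168.0.17 TCP_MISS/200 5123 GET http://www.tecmint.com/ - HIER_DIRECT/203.0.113.20 text/html
1431543330.000   2100 192.168.0.17 TCP_TUNNEL/200 48210 CONNECT example.net:443 gacanepa HIER_DIRECT/203.0.113.30 -
"""

def parse_line(line):
    # native format: time elapsed client status/code bytes method url user hierarchy/peer type
    f = line.split()
    status, code = f[3].split("/", 1)
    return {"ts": float(f[0]), "ms": int(f[1]), "client": f[2], "status": status,
            "code": int(code), "bytes": int(f[4]), "method": f[5], "url": f[6],
            "user": f[7]}

def summarise(text):
    """Return {client_ip: {hits, misses, denied, tunnels, bytes_from_cache}}."""
    stats = defaultdict(lambda: {"hits": 0, "misses": 0, "denied": 0,
                                 "tunnels": 0, "bytes_from_cache": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        s = stats[e["client"]]
        if e["status"] == "TCP_DENIED":
            s["denied"] += 1
        elif e["status"] == "TCP_TUNNEL":          # CONNECT: opaque to the cache
            s["tunnels"] += 1
        elif "HIT" in e["status"]:                   # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT...
            s["hits"] += 1
            s["bytes_from_cache"] += e["bytes"]
        elif "MISS" in e["status"]:                  # TCP_MISS, TCP_REFRESH_MISS...
            s["misses"] += 1
    return dict(stats)

def denied_clients(text):
    """Clients that hit a deny rule at least once, sorted by number of denials."""
    stats = summarise(text)
    return sorted((ip for ip, s in stats.items() if s["denied"]),
                  key=lambda ip: -stats[ip]["denied"])

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s)
    print("denied:", denied_clients(SAMPLE_LOG))
```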
Conclusion
In this article we have discussed how to set up a Squid web caching proxy. You can use the proxy server to filter contents using a chosen criteria, and also to reduce latency (since identical incoming requests are served from the cache, which is closer to the client than the web server that is actually serving the content, resulting in faster data transfers) and network traffic as well (reducing the amount of used bandwidth, which saves you money if you’re paying for traffic).
You may want to refer to the Squid web site for further documentation (make sure to also check the wiki), but do not hesitate to contact us if you have any questions or comments. We will be more than glad to hear from you!
A proxy server is a computer that acts as an intermediary between a desktop computer and the internet and allows a client machine to make an indirect connection to network servers and services. There are many reasons why you might want to include a proxy server on your network:
Clearly some of the above reasons are perfectly fitting for a business and some, well, may not fall in line with your best practices. Regardless, knowing how to install and configure a proxy server is a must-have skill for a network administrator. So, let's take care of that. I will demonstrate installing the Squid proxy server on Ubuntu 16.04 server.
Installation
This installation and configuration will be handled completely from the command line, so open up a terminal window and prepare to type.
The first thing we want to do (as with software installation on Ubuntu) is to update apt. From your terminal window, issue the command sudo apt-get update. Once that completes, you could also run an upgrade with the command sudo apt-get upgrade. Of course, should this upgrade the kernel, you'll want to do a reboot, so schedule this accordingly.
Once the update/upgrade is complete, install Squid with the command:
The installation will pick up the necessary dependencies (libecap3, libltdl7, squid-purge, and squid-langpack) and complete without issue.
That is all there is to the installation. Now we move on to the configuration of a basic proxy server.
Configuration
The configuration of the Squid Proxy Server is handled in the file /etc/squid/squid.conf. I will show you how to configure a very basic proxy server. The first thing we need to do is uncomment the line (by removing the # character):
To find that line, issue the command:
As you can see (Figure A), the configuration option is found on line 1186 (of my installation). Open up the squid.conf file for editing, with the command sudo nano /etc/squid/squid.conf, and scroll down to that line and remove the # character.
Figure A
Next you want to look for the line:
There will be a number of them (for different network IP schemes). You will want to uncomment the one that matches your network (say 192.168.0.0/16) and alter it to your needs. Say you run your internal network on the 192.168.1.0/255.255.255.0 network. Your localnet configuration option would look like:
Restart squid with the command:
That's it. You now have a basic proxy server up and running on port 3128 and the IP address of the system you just installed Squid on. So you would then go to your client machines and configure them (either on a per-application or OS basis) to use that newly configured proxy via IP and port.
Make it work for you
Of course, Squid can do quite a bit more than serve as a basic proxy server. If you need to get deep into the various configuration options for Squid, make sure to take a look at the official documentation, where you can find out how to configure options for third-party applications, configure options for the neighbour selection algorithm, configure various network parameters, and much more. In the meantime, you can always take a look at the /var/log/squid/access.log and /var/log/squid/cache.log to see what Squid is doing on your network.