Setup a proxy server using squid
I have written a few articles about how you can set up a reverse proxy in front of a backend web server to reduce the impact of attacks and improve security. This time I want to show how to install a plain forward proxy server and secure it with squid configuration rules and iptables. It's not hard, but you need to be sure it is locked down, because an unrestricted proxy is quickly found and abused for all kinds of malicious things.
Why use a proxy server?
There are a number of reasons why you might need a proxy server. One case where I was glad to have this one was when a friend of mine had trouble connecting to part of a network and was forced to use a proxy or something similar to get by. Since it was needed for work, we needed privacy and security there, so I asked him to use the proxy server I had installed and that was lying around doing nothing (even now).
Using this proxy server my friend was able to do his work properly; even though it was a bit slower, it worked and he could do his job. This type of setup is called a transparent proxy configuration.
Installing squid proxy server
Installing squid is really simple; almost every distribution has it in its repositories, so you just use the package manager to install it:

```sh
# CentOS / Fedora / Red Hat
yum install squid

# Debian / Ubuntu
apt-get install squid
```
After this the proxy server is installed and ready to work. The settings you need to be careful about are listed below:

```
# Change the default listening port (3128) to 4500 or another port
http_port 4500

# Allow access only from specific client IPs.
# Squid evaluates http_access lines top to bottom, first match wins, so this
# allow line must come before the final "http_access deny all" in squid.conf.
acl local_ips src 25.25.36.25 25.25.35.26
http_access allow local_ips
```
With the above settings the proxy listens on a non-default port and accepts requests only from these IPs:
25.25.36.25
25.25.35.26
Next, explicitly allow the destination ports that clients may reach through the proxy:

```
# Destination ports the proxy may connect to on behalf of clients
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports (remove this line if you
                                # really only want the named ports above)
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# The ACL only restricts anything through this rule (the stock squid.conf
# already contains it); keep it above the http_access allow lines
http_access deny !Safe_ports
```

This is the important part: access through the proxy is restricted to the listed ports only, e.g. allowing access through the proxy only to port 80.
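To make the ordering rule concrete, here is a small Python model of how squid walks its `http_access` lines (first line whose terms all match decides, `!` negates a term, and with no match the opposite of the last line applies). It is an added example, not squid's own code or configuration parser; the config text is constructed from the article's ACLs plus the two deny lines that the stock squid.conf ships with.

```python
import ipaddress
from typing import NamedTuple

# Constructed squid.conf fragment for this example: the article's ACLs plus the
# deny lines that the stock squid.conf already carries (deny !Safe_ports, deny all).
SQUID_CONF = """
acl local_ips src 25.25.36.25 25.25.35.26
acl Safe_ports port 80 21 443          # http ftp https
acl Safe_ports port 1025-65535         # unregistered ports
http_access deny !Safe_ports
http_access allow local_ips
http_access deny all
"""

class Request(NamedTuple):
    src: str    # client IP as the proxy sees it
    port: int   # destination port requested through the proxy

def parse_conf(text):
    """Collect 'acl' definitions (name -> [(type, values)]) and ordered http_access rules."""
    acls = {"all": [("src", ["0.0.0.0/0"])]}   # squid predefines 'all' (IPv4 only here)
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # strip trailing comments, tokenize
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, req):
    """An ACL matches when any value on any of its lines matches the request."""
    for kind, values in acl:
        if kind == "src":
            if any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v, strict=False)
                   for v in values):
                return True
        elif kind == "port":
            for v in values:
                lo, _, hi = v.partition("-")   # single port or "lo-hi" range
                if int(lo) <= req.port <= int(hi or lo):
                    return True
    return False

def http_access(text, req):
    """First http_access line whose every term matches decides ('!' negates a term).
    If no line matches, squid applies the opposite of the last line's action."""
    acls, rules = parse_conf(text)
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Swapping the `deny !Safe_ports` line below `allow local_ips` lets a listed client reach any port, which is why the order matters.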
Next, restart squid so the new settings take effect:

```sh
/etc/init.d/squid restart
```
Iptables firewall settings for squid proxy
If you want to secure access to your proxy further, you can do it with a firewall as well: only your own IP addresses should be able to reach the proxy, so the iptables rules below restrict access to port 4500 to specific IPs:

```sh
# Accept proxy connections on port 4500 only from the two allowed clients
iptables -A INPUT ! -i lo -p tcp --dport 4500 -s 25.25.36.25 -j ACCEPT
iptables -A INPUT ! -i lo -p tcp --dport 4500 -s 25.25.35.26 -j ACCEPT
# Accept replies to connections the proxy itself opened (without this the
# upstream web servers' responses are dropped)
iptables -A INPUT ! -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop all other inbound traffic; add your own management access (SSH etc.) above this line
iptables -A INPUT ! -i lo -j DROP
```
Of course, don't forget that you also need to permit outbound access to the ports the proxy is allowed to connect to, for instance:

```sh
# Let the proxy open new connections to port 80 (one line per allowed Safe_port)
iptables -A OUTPUT ! -o lo -p tcp -m state --state NEW --dport 80 -j ACCEPT
# squid needs DNS to resolve hostnames
iptables -A OUTPUT ! -o lo -p udp --dport 53 -j ACCEPT
# Keep established sessions flowing (replies to clients, rest of each port-80 connection)
iptables -A OUTPUT ! -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop everything else outbound (OUTPUT takes -o, not -i, as the original rule had)
iptables -A OUTPUT ! -o lo -j DROP
```

This allows outbound connections to port 80; do the same for your other allowed ports.
That is all I can think of right now. Basically you restrict access twice, with iptables rules and with squid configuration rules, so you are still protected if, say, the iptables rules fail to load.
See you again in our next articles, cheers!