Squid 3 proxy server


Squid 3 proxy server with SSL interception running on a Raspberry Pi.

By Kostas Koutsogiannopoulos

We present here a proxy server for your home (at least) with SSL interception, which makes ad blocking and other custom domain blocking easy for all your devices (PCs, tablets, smartphones).
Blocking ads for applications running on your smartphone, and effective control of web access (for kids etc.), is practically impossible without a proxy sitting between you and the web; because this proxy also decrypts HTTPS, the same domain rules apply to encrypted traffic.
In addition to blocking, the central cache noticeably speeds up browsing for content that is fetched repeatedly.
Last but not least, the proxy's access logs provide useful information and statistics about web access for later analysis.

In this installation the server runs on a Raspberry Pi 2 (Raspbian), consuming almost no power in 24/7 use.

Please note that the stock Debian/Raspbian squid3 package is built without OpenSSL support, so in order to use the SSL interception functionality you need to rebuild the squid package with the following configure options:

--enable-ssl --enable-ssl-crtd --disable-arch-native

Build configuration for SSL interception

Confirm that your build has the required options by running:

~# squid3 -v
Squid Cache: Version 3.4.8
Debian linux
configure options:  {...} '--enable-ssl' '--enable-ssl-crtd' '--disable-arch-native' {...}

You can generate the CA key and certificate with the following commands:

openssl genrsa -out squid.key 2048
openssl req -new -key squid.key -out squid.csr
# -extensions v3_ca (section from Debian's openssl.cnf) sets basicConstraints CA:TRUE;
# some browsers refuse to import a certificate as an authority without it
openssl x509 -req -sha256 -days 3650 -in squid.csr -signkey squid.key -extfile /etc/ssl/openssl.cnf -extensions v3_ca -out squid.crt
cat squid.key squid.crt > /etc/squid3/ssl_cert/myCA.pem
chmod 600 /etc/squid3/ssl_cert/myCA.pem   # this key lets its holder impersonate every HTTPS site to your devices
openssl x509 -in squid.crt -outform DER -out myCA.der   # certificate only, for importing into devices

Of course, since this is a self-signed CA, you have to add its certificate to the trusted CAs of every browser and device that will use the proxy; check Android's, iOS's etc. documentation on how to do that. Hand out only the certificate (squid.crt), never myCA.pem: that file also contains the private key, and whoever holds it can impersonate any HTTPS site to every device that trusts your CA. Keep it readable only by the user squid runs as (proxy on Debian).

Ad blocking

You can build the ad-domain list with a script like the following (run it from crontab):

#!/bin/bash
# fetch the ad server list in Squid dstdom_regex format; the URL must be quoted,
# otherwise the shell treats the ';' in the query string as a command separator
wget -q -O /tmp/temp_ad_file 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex;showintro=0' || exit 1
# keep only the pattern lines, which all start with "(^|"
grep -F '(^|' /tmp/temp_ad_file > /etc/squid3/ad_sites.txt
rm -f /tmp/temp_ad_file
service squid3 reload
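As an added example (not part of the original article or its script), here is a hardened version of the update job. It validates the download before replacing the list, so a failed fetch or an HTML error page never empties the block list and stops ad blocking silently, and it includes a small matcher that tests a hostname against the list the way Squid's dstdom_regex ACL does. The URL and file paths are the ones used above; the function names and the validation rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script. Safer ad-list update for Squid:
# fetch -> validate -> replace -> reload. Paths and URL are from the article;
# the validation rule and the matcher are assumptions of this example.

AD_URL='http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex;showintro=0'
AD_LIST=/etc/squid3/ad_sites.txt

# validate_ad_list FILE -> 0 if FILE looks like a yoyo.org squid-dstdom-regex list.
# Every non-empty, non-comment line must have the form (^|\.)some\.domain$ ;
# an HTML error page or an empty download fails, so a broken fetch can never
# replace a working list with something Squid would reject or match wrongly.
validate_ad_list() {
    f=$1
    [ -s "$f" ] || return 1
    if grep -Ev '^$|^#|^\(\^\|\\\.\)[-A-Za-z0-9._\\]+\$$' "$f" | grep -q .; then
        return 1
    fi
    return 0
}

# host_is_blocked HOST FILE -> 0 if HOST matches any pattern in FILE, evaluated
# the way Squid's dstdom_regex ACL evaluates it: each line is an extended regex
# applied to the request's destination host, first match wins.
host_is_blocked() {
    host=$1
    f=$2
    while IFS= read -r pat; do
        case $pat in ''|'#'*) continue ;; esac
        if printf '%s\n' "$host" | grep -Eq -- "$pat"; then
            return 0
        fi
    done < "$f"
    return 1
}

# update_ad_list: download to a temp file and install it only if it validates.
update_ad_list() {
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$AD_URL" && validate_ad_list "$tmp"; then
        cp "$tmp" "$AD_LIST" && service squid3 reload
        rc=$?
    else
        echo "ad list download failed or did not look like a dstdom_regex list; keeping $AD_LIST" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# run the update only when invoked with "update", e.g. from crontab:
#   0 4 * * * /usr/local/sbin/update_ad_list.sh update
if [ "${1:-}" = update ]; then
    update_ad_list
fi
```

The matcher is useful for dry runs: `host_is_blocked ads.doubleclick.net /etc/squid3/ad_sites.txt` tells you whether a host would be denied before you reload the proxy. Note that `(^|\.)doubleclick\.net$` matches `doubleclick.net` and every subdomain, but not `notdoubleclick.net`, which is exactly why the list uses that anchored form instead of a bare substring.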

Squid configuration example (squid.conf)

acl localnet src 192.168.16.0/24        # Internal Network 1
acl localnet src 192.168.25.0/24        # Internal Network 2
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080        # cloudstack management
acl skatosites dstdom_regex "/etc/squid3/banned_sites.txt"
acl ad_sites dstdom_regex "/etc/squid3/ad_sites.txt"
# domains you want to exclude from interception; dstdomain takes a bare domain name,
# not host:port (a CONNECT to a port other than 443 also needs that port in SSL_ports)
acl bypass-domains dstdomain images.linuxcontainers.org

acl CONNECT method CONNECT
always_direct allow bypass-domains
http_access deny skatosites !localhost
http_access deny ad_sites !localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

http_access deny all

# do not bump connections from the proxy host itself, nor the bypass domains
# (always_direct only controls peer routing, it does not skip interception)
ssl_bump none localhost
ssl_bump none bypass-domains
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
# the certificate database must be created once before the first start and be owned by the proxy user:
#   /usr/lib/squid3/ssl_crtd -c -s /var/spool/squid3_ssldb && chown -R proxy:proxy /var/spool/squid3_ssldb
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 5
# trust store used to verify the origin servers' certificates
sslproxy_capath /usr/lib/ssl/certs
always_direct allow all
ssl_bump server-first all

# the following option is unsafe: it makes squid accept any certificate from the origin
# server (expired, forged, wrong name) and re-sign it with your trusted CA, so clients
# lose every TLS guarantee. Leave it commented out.
#sslproxy_flags DONT_VERIFY_PEER

forward_max_tries 25
cache_mem 192 MB
maximum_object_size_in_memory 8192 KB
maximum_object_size 128000 KB
logformat squid %tl %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
logformat common %>a %>A [%tl] "%rm %ru HTTP/%rv" %>Hs %<st HTTP/%mt %Ss
access_log daemon:/var/log/squid3/access.log common
coredump_dir /var/spool/squid3

cache_dir aufs /mnt/a300/squid3cache 12000 14 256
cache_mgr thundercost@benini.com
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_swap_low 95
cache_swap_high 99
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB

# refresh_pattern lines are tried in order and the first match wins, so the specific
# patterns must come before the single catch-all "." line at the end
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880

# refresh patterns for caching static files; override-expire/ignore-* keep these objects
# even when the origin says not to cache them, so limit them to content that is the same
# for every user (ignore-private on a shared proxy can otherwise leak one user's content)
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i /index\.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320

shutdown_lifetime 5
dns_v4_first on
error_default_language el # I am using Greek for my error pages

# anonymize squid: hide the proxy from origin servers
via off
visible_hostname example.com
# "off" still sends "X-Forwarded-For: unknown"; "delete" removes the header entirely
forwarded_for delete
# logs full request/response headers into access.log. With SSL interception that includes
# cookies and Authorization headers of decrypted sessions, so restrict access to the log
# file or turn this off when you do not need it
log_mime_hdrs on
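As an added example (not from the article), here are a few static checks you can run against squid.conf before reloading. They encode three things a practitioner would look for in a configuration like the one above: refresh_pattern lines that can never match because a catch-all `refresh_pattern .` comes before them (Squid uses the first refresh_pattern that matches), an active `sslproxy_flags DONT_VERIFY_PEER`, and `log_mime_hdrs on`, which with interception writes decrypted request headers to the access log. The function names and messages are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article: static checks for a squid.conf.
# Function names and messages are this example's own; the directive semantics
# (first matching refresh_pattern wins, meaning of DONT_VERIFY_PEER and
# log_mime_hdrs) are Squid's.

# shadowed_refresh_patterns FILE
# Squid tries refresh_pattern lines in file order and uses the first match, so
# every refresh_pattern after a bare "." catch-all is dead. Prints those lines.
shadowed_refresh_patterns() {
    awk '
        /^[ \t]*refresh_pattern[ \t]/ {
            if (seen_catchall) print NR ": " $0
            pat = ($2 == "-i") ? $3 : $2
            if (pat == ".") seen_catchall = 1
        }' "$1"
}

# count_shadowed FILE -> number of dead refresh_pattern lines
count_shadowed() {
    shadowed_refresh_patterns "$1" | wc -l | tr -d ' '
}

# peer_verification_disabled FILE -> 0 if sslproxy_flags DONT_VERIFY_PEER is
# active (not commented out). With it, squid accepts any origin certificate and
# re-signs it with the trusted CA, so clients cannot detect an upstream MITM.
peer_verification_disabled() {
    grep -Eq '^[[:space:]]*sslproxy_flags[[:space:]].*DONT_VERIFY_PEER' "$1"
}

# mime_headers_logged FILE -> 0 if "log_mime_hdrs on" is active. With ssl-bump
# the decrypted request headers (Cookie, Authorization) land in access.log.
mime_headers_logged() {
    grep -Eq '^[[:space:]]*log_mime_hdrs[[:space:]]+on([[:space:]]|$)' "$1"
}

# check_squid_conf FILE: run all checks, print findings, return 1 if any fired
check_squid_conf() {
    rc=0
    n=$(count_shadowed "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n refresh_pattern line(s) can never match (they follow 'refresh_pattern .'):"
        shadowed_refresh_patterns "$1" | sed 's/^/    /'
        rc=1
    fi
    if peer_verification_disabled "$1"; then
        echo "sslproxy_flags DONT_VERIFY_PEER is active: origin certificates are not verified"
        rc=1
    fi
    if mime_headers_logged "$1"; then
        echo "log_mime_hdrs on: decrypted request headers will be written to access.log"
        rc=1
    fi
    return $rc
}

# usage: sh check_squid_conf.sh /etc/squid3/squid.conf
if [ $# -gt 0 ]; then
    check_squid_conf "$1"
fi
```

Run it after every edit and before `squid3 -k parse`: the parser only tells you whether the file is syntactically valid, not whether a rule is unreachable or a debugging switch was left on.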
