Best Squid Proxy Server Setup on Debian 12 Bookworm

In this guide, you will learn how to set up a Squid proxy server on Debian 12 Bookworm. Squid is a caching proxy server for Linux-based distributions. Let's first see how it works, and then start the setup.

What can Squid Proxy be used for?

Common uses of Squid Proxy include caching, load balancing, filtering traffic from websites, and security purposes. The Squid Proxy must be installed on a separate server rather than the web server.

Squid improves web server speed by storing requested internet objects on a machine that is closer to the requesting workstation than the server.

It can be used for HTTP and FTP, and also for other protocols including HTTPS, SSL, and Gopher.

Now that you understand the main concept of Squid proxy, you can proceed to the following steps to start your Squid proxy server setup on Debian 12 Bookworm.

Before you start, you must have access to your server as a non-root user with sudo privileges and have a basic firewall set up. For this purpose, you can follow the Initial Server Setup with Debian 12 Bookworm guide.

Step 1 – Install Squid Proxy Caching Server on Debian 12

Squid packages are available in the default repositories of most Linux-based distributions. First, update the package index with the command below:

sudo apt update

Then, run the following command to install the Squid proxy server:

sudo apt install squid -y

Step 2 – Check Squid Service Status

When the installation is completed, the Squid service should start automatically on Debian 12. To verify this, run the command below:

sudo systemctl status squid.service

In your output you should see:

**Output**
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-08-31 06:06:50 EDT; 1min 23s ago
       Docs: man:squid(8)
    Process: 141356 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
   Main PID: 141384 (squid)
      Tasks: 4 (limit: 4653)
     Memory: 16.1M
        CPU: 334ms
     CGroup: /system.slice/squid.service
...

If the service is not active on your server, you can run the command below:

sudo systemctl restart squid.service

Step 3 – Allow User Clients To Connect To the Squid Proxy Server

If you plan to allow clients to connect to the Squid server from outside this server, follow the steps below.

You need to edit your Squid configuration file for this purpose. Open the Squid config file with your preferred text editor, such as vi:

sudo vi /etc/squid/squid.conf

In the file, search for the following lines:

include /etc/squid/conf.d/*.conf
...
http_access allow localhost
...
http_access deny all
...

If you want to allow everyone to use your Squid server, you would change deny all to allow all. This is not recommended for security reasons, because it turns the server into an open proxy.

Instead, add the lines below, which define your IP address in an ACL and allow that ACL to connect to the Squid proxy.

include /etc/squid/conf.d/*.conf
...
acl localnet src your_ip_address
# Without this rule the ACL above is defined but never applied
http_access allow localnet
http_access allow localhost
...
http_access deny all
...

Note: You can find your IP address with a What’s My IP? service.

When you are done, save and close the file.

Step 4 – Squid Password Pairs Setup on Debian 12

Squid allows you to create username-password pairs using built-in Linux functionality. It helps you to increase the access security of your Squid server. To do this, follow the remaining steps of this guide.

First, install Apache Utils, which helps you generate username-password pairs for Squid:

sudo apt install apache2-utils -y

Then, run the following command to create a new username-password pair for the Squid Proxy server:

sudo htpasswd -c /etc/squid/passwords your_squid_username

Enter the desired password when prompted:

New password:
Re-type new password:
Adding password for user orca

This command will store your username along with a hash of your new password in /etc/squid/passwords, which will be used as an authentication source by Squid.

You can use the following command to see what that looks like:

sudo cat /etc/squid/passwords

**Output**
orca:$apr1$ON6ugl2y$/f0ksV70.s9lDnlOLWngI/
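
Added example (not part of the original guide): a Python check for a password file like /etc/squid/passwords that reports permissive file modes and entries that are malformed or use an unsalted or prefix-less scheme. The sample file and its hash values are constructed, and the scheme names are labels chosen for this example.

```python
import os
import stat
import tempfile

# Prefixes htpasswd writes; $apr1$ is the salted MD5 form shown in the output above.
SCHEMES = [("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1-unsalted"),
           ("$5$", "sha256-crypt"), ("$6$", "sha512-crypt")]
WEAK = {"sha1-unsalted", "legacy-crypt-or-plaintext"}

def hash_scheme(field):
    """Name the scheme of an htpasswd hash field from its prefix."""
    for prefix, name in SCHEMES:
        if field.startswith(prefix):
            return name
    return "legacy-crypt-or-plaintext"   # htpasswd -d / -p output has no prefix

def audit_passwords(path):
    """Return findings about file permissions and each user:hash entry."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"mode {mode:04o}: hashes readable by every local user")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:04o}: writable beyond the owner")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            user, sep, field = line.partition(":")
            if not (sep and user and field):
                findings.append(f"line {lineno}: not a user:hash entry")
            elif hash_scheme(field) in WEAK:
                findings.append(f"line {lineno}: user {user} uses {hash_scheme(field)}")
    return findings

def demo():
    """Audit a constructed file at mode 0644, then again at 0640."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwords")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("alice:$apr1$abcdefgh$0123456789abcdefghijkl\n"   # made-up hash
                     "bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"          # made-up hash
                     "broken-line\n")
        os.chmod(path, 0o644)
        loose = audit_passwords(path)
        os.chmod(path, 0o640)
        return loose, audit_passwords(path)
```

Run audit_passwords("/etc/squid/passwords") with sudo on the server; the file only needs to be readable by root and the account the Squid authentication helper runs as.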

Step 4 – Squid Proxy Server Configuration on Debian 12

At this point, once you have generated the username-password pairs for Squid, you must make some configuration changes to your Squid config file. Open the Squid config file again with your preferred text editor:

sudo vi /etc/squid/squid.conf

Then, add the new lines (the auth_param, acl, and http_access allow authenticated lines) to your file as shown below:

...
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
include /etc/squid/conf.d/*.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
acl localnet src your_ip_address
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
...

When you are done, save and close the file.

To apply the changes, restart your Squid service on Debian 12 Bookworm:

sudo systemctl restart squid.service
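
Added example (not part of the original guide): a small Python model of how Squid evaluates the http_access lines in this step's listing, so you can see which clients the rules admit and which ACLs are never used. The address 203.0.113.10 stands in for your_ip_address, the ACL name trusted_client is hypothetical, and only the src and proxy_auth ACL types are modelled.

```python
import ipaddress

# Constructed sample: the access lines from this step's listing, with 203.0.113.10
# (documentation range) standing in for your_ip_address.
PAGE_RULES = """\
acl authenticated proxy_auth REQUIRED
acl localnet src 203.0.113.10
http_access allow localhost
http_access allow authenticated
http_access deny all
"""
# Variant requiring BOTH the source address and a login on one line.
# "trusted_client" is a hypothetical ACL name chosen for this example.
STRICT_RULES = PAGE_RULES.replace("acl localnet", "acl trusted_client").replace(
    "allow authenticated", "allow trusted_client authenticated")

BUILTIN = {"all": ("src", ["0.0.0.0/0", "::/0"]), "localhost": ("src", ["127.0.0.0/8", "::1"])}

def parse(conf):
    """Collect acl definitions and http_access rules, skipping comments."""
    acls = {name: (kind, list(vals)) for name, (kind, vals) in BUILTIN.items()}
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])  # same name: values OR'ed
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, src_ip, user):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proxy_auth":
        # Simplification: no login counts as "no match"; real Squid answers 407.
        return user is not None
    raise ValueError(f"ACL type {kind!r} is not modelled here")

def decide(conf, src_ip, user=None):
    """Squid semantics: ACLs on a line are ANDed; the first matching line wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], src_ip, user) != n.startswith("!") for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule (deny if none).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def unused_acls(conf):
    """ACLs that are defined but never referenced by any http_access line."""
    acls, rules = parse(conf)
    used = {n.lstrip("!") for _, names in rules for n in names}
    return sorted(set(acls) - used - set(BUILTIN))
```

With the listing's rules, localnet is never referenced, so any client with a valid login is allowed regardless of its source address; putting the address ACL and authenticated on the same http_access line requires both.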

Step 5 – Configure UFW Firewall Rules for Squid Server

In this step, we assume that you have UFW enabled as your firewall.

Now you need to open port 3128 through the firewall with the following command:

sudo ufw allow 3128

Reload the firewall to apply the new rules:

sudo ufw reload

Step 6 – Test Squid Proxy Server Connection

To test your Squid server over an HTTP connection, you can use the curl command. To do this, run the following command:

curl -v -x http://your_squid_username:your_squid_password@your_server_ip:3128 http://www.google.com/

In your output you will see:

**Output**
*   Trying ...
* Connected to ... (...) port 3128 (#0)
* Proxy auth using Basic with user 'orca'
> GET http://www.google.com/ HTTP/1.1
> Host: www.google.com
> Proxy-Authorization: Basic b3JjYTpvcmNhMTIz
> User-Agent: curl/7.88.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Thu, 31 Aug 2023 10:40:13 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
...

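You can also access HTTPS sites through your Squid proxy without any configuration changes. In this case curl asks the proxy for a CONNECT tunnel; the Proxy-Authorization header is still sent to the proxy over the unencrypted connection on port 3128: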

curl -v -x http://your_squid_username:your_squid_password@your_server_ip:3128 https://www.google.com/

In your output you will see:

**Output**
*   Trying ...
* Connected to ... (...) port 3128 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Basic with user 'orca'
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> Proxy-Authorization: Basic b3JjYTpvcmNhMTIz
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
..

That’s it, you are done with the Squid proxy server setup on Debian 12 Bookworm.

Conclusion

At this point, you have learned how to set up a Squid proxy server on Debian 12 Bookworm. The Squid packages can be easily installed from the APT repository. Then, you have to restrict client access to the Squid server by defining the IP address in the config file and generating the username-password pairs for Squid. Finally, you can test your Squid server connection through HTTP and HTTPS requests to see if it works correctly or not.

Alternative Solutions for Proxying on Debian 12

While Squid is a robust and widely used proxy server, other solutions offer different advantages and trade-offs. Here are two alternative ways to achieve proxy functionality on Debian 12.

1. Tinyproxy: A Lightweight HTTP/HTTPS Proxy

Tinyproxy is a lightweight HTTP/HTTPS proxy server designed for simplicity and speed. It’s significantly smaller and easier to configure than Squid, making it a good choice for resource-constrained environments or when you only need basic proxy functionality. It lacks some of Squid’s advanced features like caching and complex access control lists (ACLs).

Installation and Configuration:

  1. Installation:

    sudo apt update
    sudo apt install tinyproxy -y
  2. Configuration: Edit the /etc/tinyproxy.conf file. The key settings are:

    • Port: Specifies the port Tinyproxy listens on (default is 8888).
    • Listen: Specifies the IP address to listen on (defaults to all interfaces). For security, you should bind it to a specific internal IP address.
    • Allow: Specifies IP addresses or networks that are allowed to use the proxy. This is crucial for security.

    Example configuration (allowing only connections from the 192.168.1.0/24 network):

    Port 8888
    # Example internal IP of the proxy server
    Listen 192.168.1.10
    Allow 192.168.1.0/24
  3. Restart Tinyproxy:

    sudo systemctl restart tinyproxy
  4. Firewall: Open port 8888 in your firewall:

    sudo ufw allow 8888
    sudo ufw reload

Advantages:

  • Lightweight: Uses fewer resources than Squid.
  • Simple Configuration: Easier to set up and manage.
  • Good for Basic Proxying: Suitable for simple web browsing and accessing websites.

Disadvantages:

  • Limited Features: Lacks caching, advanced ACLs, and other features of Squid.
  • Less Scalable: Not suitable for high-traffic environments.
  • No Authentication: By default, Tinyproxy does not support user authentication, making it less secure for public access. You can implement some level of authentication with external tools or scripts, but it’s not built-in.

When to Use:

  • Small networks with limited resources.
  • Simple proxying needs (e.g., basic web browsing).
  • When ease of setup is a priority.

2. Nginx as a Reverse Proxy

While typically used as a web server, Nginx can also be configured as a reverse proxy. A reverse proxy sits in front of one or more web servers and forwards client requests to those servers. This is different from a forward proxy (like Squid or Tinyproxy), where the client explicitly configures the proxy in their browser. However, Nginx as a reverse proxy can act as a forward proxy by routing all traffic through it. This method offers caching and security features, and allows for more control over traffic.

Installation and Configuration:

  1. Installation:

    sudo apt update
    sudo apt install nginx -y
  2. Configuration: Create a new configuration file (e.g., /etc/nginx/conf.d/proxy.conf):

    server {
        listen 3128; # Proxy port
        resolver 8.8.8.8; # DNS resolver for upstream servers
    
        # Basic Authentication (Optional, but recommended)
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
    
        location / {
            proxy_pass $scheme://$http_host$request_uri;
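            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Do not forward the auth_basic credentials to the destination server
            proxy_set_header Authorization "";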
    
            # Enable caching (Optional)
            proxy_cache_bypass $http_upgrade;
            proxy_cache_valid  200 302  60m;
            proxy_cache_valid  404      1m;
            proxy_cache        nginx_cache;
            proxy_cache_key    $scheme$proxy_host$request_uri;
            add_header X-Cache-Status $upstream_cache_status;
    
            proxy_connect_timeout       60s;
            proxy_send_timeout          60s;
            proxy_read_timeout          60s;
            send_timeout                60s;
        }
    }
    
    # Define the cache (Optional)
    proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=nginx_cache:10m max_size=10g inactive=60m use_temp_path=off;

    Explanation:

    • listen 3128;: Specifies the port Nginx will listen on for proxy requests.
    • resolver 8.8.8.8;: Specifies Google’s public DNS resolver. Important for Nginx to resolve domain names.
    • auth_basic and auth_basic_user_file: Enable HTTP basic authentication. See step 3 for setting this up.
    • proxy_pass: The core directive. It tells Nginx to forward the request to the original destination. $scheme will be either http or https, $http_host contains the target host, and $request_uri is the rest of the URI.
    • proxy_set_header: Passes the client’s original headers to the upstream server. Important for correct website behavior.
    • proxy_cache_*: Enables caching. This is optional but improves performance. You’ll need to create the /tmp/nginx_cache directory: sudo mkdir /tmp/nginx_cache; sudo chown www-data:www-data /tmp/nginx_cache.
  3. Create Authentication (Optional): If you enabled auth_basic, create a password file:

    sudo apt install apache2-utils -y
    sudo htpasswd -c /etc/nginx/.htpasswd your_username
    sudo chown www-data:www-data /etc/nginx/.htpasswd
  4. Remove Default Configuration:

    sudo rm /etc/nginx/sites-enabled/default
  5. Restart Nginx:

    sudo nginx -t # Test configuration
    sudo systemctl restart nginx
  6. Firewall: Open port 3128 in UFW.

Advantages:

  • Versatile: Can be used for various purposes, including web serving, load balancing, and reverse proxying.
  • Caching: Supports caching to improve performance.
  • Authentication: Supports authentication to control access.
  • Configuration: Highly configurable.

Disadvantages:

  • Complex Configuration: More complex to configure than Tinyproxy.
  • Higher Resource Usage: Uses more resources than Tinyproxy, though less than Squid in many configurations.

When to Use:

  • When you need a versatile proxy server that can also handle other tasks.
  • When you need caching and authentication features.
  • When you are already familiar with Nginx.

In conclusion, while the initial article provided a detailed guide to Squid, Tinyproxy and Nginx offer valid alternatives for proxying on Debian 12. The best choice depends on your specific needs and the complexity you are willing to manage.
