Skip to content

Instantly share code, notes, and snippets.

@e7d

e7d/README.md

Last active October 22, 2025 12:09
Show Gist options
  • Save e7d/1f784339df82c57a43bf to your computer and use it in GitHub Desktop.
Save e7d/1f784339df82c57a43bf to your computer and use it in GitHub Desktop.
Download ZIP
[Debian] Build a Squid anonymous proxy from source code
Raw
README.md

Build a Squid anonymous proxy from source code

Please note that this whole manual refers to the version 3.5.23 of Squid. You probably would have to adapt some commands to the version you will actually download.

Table of contents

Automated install

Disclaimer

Read the install script before using it.
You may want to understand what the script is doing before executing it.
I will not be responsible for any damage caused to your server.

Squid installation script

wget -qO- https://gist.github.com/e7d/1f784339df82c57a43bf/raw/squid-install.sh | sh

Manual install

Resolve compilation dependencies

Edit your /etc/apt/sources.list file, and check that you have deb-src entries like the following sample.

deb http://httpredir.debian.org/debian stable main
deb-src http://httpredir.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
deb-src http://security.debian.org/ stable/updates main

Build Squid 3 dependencies

apt-get update
apt-get install build-essential libssl-dev apache2-utils
apt-get build-dep squid3

Grab a copy of the source code

cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.23.tar.gz
tar zxvf squid-3.5.23.tar.gz
cd squid-3.5.23

Compile your Squid 3

./configure --prefix=/usr \
  --localstatedir=/var/squid \
  --libexecdir=${prefix}/lib/squid \
  --srcdir=. \
  --datadir=${prefix}/share/squid \
  --sysconfdir=/etc/squid \
  --with-default-user=proxy \
  --with-logdir=/var/log/squid \
  --with-pidfile=/var/run/squid.pid
make -j$(nproc)
make install

Resolve library dependencies

Extract the content of squid-lib-3.4.8.tar.gz to /usr/lib

cd /usr/lib
wget -O /usr/lib/squid-lib.tar.gz http://e7d.github.io/resources/squid-lib-3.4.8.tar.gz
tar zxvf squid-lib.tar.gz
rm squid-lib.tar.gz

Build configuration file

Copy squid.conf contents to /etc/squid/squid.conf.

rm -rf /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.github.com/e7d/1f784339df82c57a43bf/raw/squid.conf

With this sample configuration file, you can use a Htpasswd file at /etc/squid/users.pwd to manage a basic authentication.

rm -rf /etc/squid/users.pwd
wget --no-check-certificate -O /etc/squid/users.pwd https://gist.github.com/e7d/1f784339df82c57a43bf/raw/users.pwd

To enable this authentication, you will have to uncomment the Authentication section of the sample squid.conf configuration file. See Enable authentication.
You can create your users entries using the htpasswd tool from Apache. i.e. htpasswd -db /etc/squid/users.pwd jones fx5rm31s will create a user "jones" with the password "fx5rm31s" inside the "/etc/squid/users.pwd" file. See Manage user accounts.
You can directly use the users.pwd sample, providing you a basic user named proxy, using also proxy as password.

Build service runtime

Copy squid.sh contents to /etc/init/squid and make it executable.

wget --no-check-certificate -O /etc/init.d/squid https://gist.github.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid

Optionally, you can make it run automatically at server startup with update-rc.d squid defaults.

Prepare execution folders

mkdir /var/log/squid
mkdir /var/cache/squid
mkdir /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid

squid -z

Start!

Try to start your brand new Squid with service squid start

Going further

Customize configuration

Squid offers some interesting customisation options you should have a look at. Every of this suggestions implies a modification of the file located at /etc/squid/squid.conf.

Listening ports

With the provided configuration, your proxy will be listening on HTTP port 3128, which is the squid default. You can change it to any available port that suits you with:

http_port 3128

Enable authentication

Your proxy will respond to any request. If you want to limit its accessibility to a set of users, you may want to enable authentication, by uncommenting the following section:

#acl Users proxy_auth REQUIRED
#http_access allow Users

This authentication relies on a password file you will find at /etc/squid/users.pwd. A sample user is included, defined with the following identification:

  • username : proxy
  • password : proxy

This user file may be modified following the next section instructions.

Manage user accounts

Using the command htpasswd, you will be able to manage the IDs of the users able to use the proxy.

To add or update a user: htpasswd -bd /etc/squid/users.pwd johndoe mypw

To remove a user: htpasswd -D /etc/squid/users.pwd johndoe

NOTE: Provided authentication relies on CRYPT algorithm. Information defined in users.pwd must respect that, meaning that passwords can only be up to 8 characters.

Raw
squid-install.sh
#!/bin/sh
SQUID_VERSION=3.5.23
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
echo "Add repositories to Aptitude"
echo "deb http://httpredir.debian.org/debian stable main" > /etc/apt/sources.list.d/squid.list
echo "deb-src http://httpredir.debian.org/debian stable main" >> /etc/apt/sources.list.d/squid.list
echo "deb http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
echo "deb-src http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
echo "Update packages list"
apt-get update
echo "Build dependencies"
apt-get -y install build-essential libssl-dev apache2-utils
apt-get -y build-dep squid3
echo "Download source code"
cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-${SQUID_VERSION}.tar.gz
tar zxvf squid-${SQUID_VERSION}.tar.gz
cd squid-${SQUID_VERSION}
echo "Build binaries"
./configure --prefix=/usr \
--localstatedir=/var/squid \
--libexecdir=${prefix}/lib/squid \
--srcdir=. \
--datadir=${prefix}/share/squid \
--sysconfdir=/etc/squid \
--with-default-user=proxy \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid
make -j$(nproc)
echo "Stop running service"
service squid stop
echo "Install binaries"
make install
echo "Download libraries"
cd /usr/lib
wget -O /usr/lib/squid-lib.tar.gz http://e7d.github.io/resources/squid-lib-3.4.8.tar.gz
echo "Install libraries"
tar zxvf squid-lib.tar.gz
echo "Create configuration file"
rm -rf /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.github.com/e7d/1f784339df82c57a43bf/raw/squid.conf
echo "Create users database sample"
rm -rf /etc/squid/users.pwd
htpasswd -cbd /etc/squid/users.pwd proxy proxy
echo "Create service executable file"
wget --no-check-certificate -O /etc/init.d/squid https://gist.github.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid
echo "Register service to startup entries"
update-rc.d squid defaults
echo "Prepare environment for first start"
mkdir /var/log/squid
mkdir /var/cache/squid
mkdir /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid
squid -z
echo "Start service"
service squid start
echo "Cleanup temporary files"
rm -rf /etc/apt/sources.list.d/squid.list
rm -rf /usr/src/squid-${SQUID_VERSION}.tar.gz
rm -rf /usr/src/squid-${SQUID_VERSION}
rm -rf /usr/lib/squid-lib.tar.gz
exit 0
Raw
squid.conf
# General
http_port 3128
visible_hostname Proxy
forwarded_for delete
via off
# Log
logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid
# Cache
cache_dir aufs /var/cache/squid 1024 16 256
coredump_dir /var/spool/squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Network ACL
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Port ACL
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
# Authentication
# Uncomment the following lines to enable file based authentication BUT:
# The following section requires to have squid libs installed, especially `nsca_auth`, to be working.
# This sections uses a Htpasswd file named `users.pwd` file to store eligible accounts.
# You can generate yours using the htpasswd command from "apache2-utils" aptitude package, using "-d" flag to use system CRYPT.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users.pwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
#acl Users proxy_auth REQUIRED
#http_access allow Users
# Access Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
htcp_access deny all
icp_access allow all
always_direct allow all
# Request Headers Forcing
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
# Response Headers Spoofing
reply_header_access Via deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
Raw
squid.sh
#! /bin/sh
#
# squid3 Startup script for the SQUID HTTP proxy-cache.
#
# Version: @(#)squid3.rc 1.0 07-Jul-2006 [email protected]
#
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: $named
# Should-Stop: $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Squid HTTP Proxy version 3.x
### END INIT INFO
NAME=squid
DESC="Squid HTTP Proxy 3.x"
DAEMON=/usr/sbin/squid
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
[ ! -f /etc/default/squid ] || . /etc/default/squid
. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin
[ -x $DAEMON ] || exit 0
ulimit -n 65535
find_cache_dir () {
w=" " # space tab
res=`sed -ne '
s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
t end;
d;
:end q' < $CONFIG`
[ -n "$res" ] || res=$2
echo "$res"
}
find_cache_type () {
w=" " # space tab
res=`sed -ne '
s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
t end;
d;
:end q' < $CONFIG`
[ -n "$res" ] || res=$2
echo "$res"
}
start () {
cache_dir=`find_cache_dir cache_dir`
cache_type=`find_cache_type cache_dir`
#
# Create spool dirs if they don't exist.
#
if [ "$cache_type" = "coss" -a -d "$cache_dir" -a ! -f "$cache_dir/stripe" ] || [ "$cache_type" != "coss" -a -d "$cache_dir" -a ! -d "$cache_dir/00" ]
then
log_warning_msg "Creating $DESC cache structure"
$DAEMON -z -f $CONFIG
fi
umask 027
ulimit -n 65535
cd $cache_dir
start-stop-daemon --quiet --start \
--pidfile $PIDFILE \
--exec $DAEMON -- $SQUID_ARGS < /dev/null
return $?
}
stop () {
PID=`cat $PIDFILE 2>/dev/null`
start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
#
# Now we have to wait until squid has _really_ stopped.
#
sleep 2
if test -n "$PID" && kill -0 $PID 2>/dev/null
then
log_action_begin_msg " Waiting"
cnt=0
while kill -0 $PID 2>/dev/null
do
cnt=`expr $cnt + 1`
if [ $cnt -gt 24 ]
then
log_action_end_msg 1
return 1
fi
sleep 5
log_action_cont_msg ""
done
log_action_end_msg 0
return 0
else
return 0
fi
}
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
if start ; then
log_end_msg $?
else
log_end_msg $?
fi
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
if stop ; then
log_end_msg $?
else
log_end_msg $?
fi
;;
reload|force-reload)
log_action_msg "Reloading $DESC configuration files"
start-stop-daemon --stop --signal 1 \
--pidfile $PIDFILE --quiet --exec $DAEMON
log_action_end_msg 0
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
stop
if start ; then
log_end_msg $?
else
log_end_msg $?
fi
;;
status)
status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
exit 3
;;
esac
exit 0
Raw
users.pwd
proxy:V3SumwH0Poabk
@kedenya
Copy link

kedenya commented Apr 29, 2015

authentication not working
it work for transparent proxy?
many time try.. still get error request pass
thank you

@suardika
Copy link

suardika commented May 9, 2015

how can see the log ?

@suardika
Copy link

finally I can see the access.log.. thank you so much!

@e7d
Copy link
Author

e7d commented May 29, 2015
edited
Loading

I just updated the gist to fix this.

The authentication file was not valid anymore since the crypted hash generated by http://www.htaccesstools.com/htpasswd-generator/ is not reliable on all environment. Consider using "htpasswd" from "apache-utils" package, as does now the installation script.

For example, using
htpasswd -cbd /etc/squid/users.pwd proxy proxy
you would create a /etc/squid/users.pwd password file with a user "proxy" and the pasword "proxy" encrypted using system supported libraries.

@onekuyak
Copy link

how to setup this proxy full transparent without setting anything at client browser using 1 NIC in proxy machine?

@lawrencep1989
Copy link

Hi,

Is this still working? I tried running this as a startup script on vultr and didnt have any luck..

Willing to pay for help if needed..

@e7d
Copy link
Author

e7d commented Jan 4, 2017

Yes it is, made some improvements. I also updated references to the latest version of Squid sources.

@pratikbin
Copy link

Hey @e7d where can I get these https://gist.github.com/e7d/1f784339df82c57a43bf#file-squid-install-sh-L49

@ydsilvag
Copy link

Hola, me funcionó perfecto, ahora como hago para autenticar los usuarios a un ldap externo? Gracias!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment