SQUID PROXY SETUP FOR REMOTE COMPUTERS TO ACCESS
##################################################

If you have read my article/notes on proxies (HERE), realize that we are setting up a forward proxy here. Reverse proxies sit in front of servers (not clients); more info on the Squid reverse proxy here: http://wiki.squid-cache.org/SquidFaq/ReverseProxy

NOTE ON SSH PROXIES: You can also proxy with an SSH SOCKS proxy, but that's another article; just google "How to SSH Socks Proxy". You will need an SSH server (that will be the proxy server; all communication will go through it) and Putty (or an SSH client like "ssh").

HTTP SQUID PROXY: Squid is considered an HTTP proxy, although it can proxy more than just HTTP.

FIRST STEP, NETWORKING AT THE FIREWALL:
You will need to port forward a port number of your choosing (higher than 1024 and lower than the maximum, 65535), like 54321, to port 3128 on your home server/proxy server. Or you can just port forward 3128 to 3128 with a typical simple port forward. With my method of 54321, computers from the outside reach the proxy server by using my home network's public IP and port number 54321 (that gets port forwarded to the proxy server's port 3128, which is what squid listens on by default). So basically the address "my public IP on port 54321" is a direct socket to squid. Whatever external port you pick, the internal port of the forward has to be the one squid listens on: that is the http_port setting in squid.conf, 3128 by default, and the config below changes it to 54321, so the forward becomes 54321 to 54321.

By the way, all ports talked about above are TCP.
NOTE: for this config I will assume you port forwarded 54321 to your Linux server (I'm using Debian).

# apt-get update
# apt-get install squid

 

NOTE: I know there is squid3, but I used just squid, and I'm sure this config will work on both (not tested on squid3).

Read these links as bonus great info:
http://www.squid-cache.org/Doc/config/acl/
http://www.linuxsecurity.com/resource_files/server_security/squid/FAQ/FAQ-10.html
http://www.packtpub.com/article/how-configure-squid-proxy-server
http://www.squid-cache.org/Doc/config/forwarded_for/

PREPARE CONFIG FILES
######################

First get into the directory:

cd /etc/squid/

And look at the giant file (try not to get intimidated):

cat squid.conf

Look at the roughly 5000 line config, but don't look too hard: we only need the uncommented lines (the comments take up about 4980 of them).

Let's just back that file up:

cp /etc/squid/squid.conf /etc/squid.conf.bak

And make a comment-less squid.conf (grep keeps only the lines that don't start with #, which also drops blank lines; the pattern is quoted so the shell can't expand the brackets as a glob):

grep -E '^[^#]' /etc/squid/squid.conf > /etc/squid.conf.new

Now make the comment-less one the main one (note the source is the file we just wrote, /etc/squid.conf.new, which sits outside the squid directory):

cp /etc/squid.conf.new /etc/squid/squid.conf

 

EXAMPLE
#########

Example:
Let's say my proxy server/home server (listening on port 54321) is behind public IP 1.1.1.1, and I'm sitting at a friend's PC (3.3.3.3 or friends.com) or at Starbucks behind (2.2.2.2 or starbucks.com) trying to access www.yahoo.com (or any site). Let's pretend Starbucks and your friend's house don't allow you to go to facebook.com, but you can go to facebook from your home. By setting up squid on your home server you can access the web from your friend's or from Starbucks while proxying: you're sitting at Starbucks and telling your proxy server in your home network to do the actual talking with facebook, and it just relays messages back and forth between you and facebook, acting as a middleman for you. With this you can access websites that are blocked by your friend's network or the Starbucks network but are allowed in your network. (Hopefully they allow access to your home network, which they probably don't have blocked because they didn't know its IP or name beforehand. They will also need to allow outbound access on port 54321; most firewalls allow all outbound communication, but strict networks might not, though they will allow some of the common ports like 80, 443 or 8080.)

/etc/squid/mynetworks.conf: make this file; in it go the networks or IP addresses from which you will access this proxy.
/etc/squid/squid.conf: we will edit some settings here to let squid know about mynetworks.conf and the domain names that will be accessing it (friends.com and starbucks.com).

MYNETWORKS.CONF
###################

Make sure the file looks like this (here is a cat, a read of it). Of course you can change the numbers, and note that you can have comments inline or on their own lines with the hash # mark:

# cat /etc/squid/mynetworks.conf
2.2.2.2 # starbucks
3.3.3.3 # friends

 

MY CONF
#########

Make sure the file looks like this (here is a cat, a read of it). Of course you can change the config to match your needs, and note that you can have comments inline or on their own lines with the hash # mark:

# cat /etc/squid/squid.conf
# ADDED BY KOSSBOSS: THESE ACL ENTRIES LOOK LIKE THIS:
# acl NAME_OF_YOUR_CHOICE TYPE_HAS_TO_BE_A_CORRECT_TYPE_LOOK_AT_LINKS IP-OR-PORT-OR-FILE-OR-ETC
# ACLS SET UP OUR "SELECTION ALGORITHM" BUT BY THEMSELVES THEY DON'T DO MUCH; WE NEED ACTION LINES (http_access, icp_access) TO DO STUFF WITH THEM, AND THOSE ARE BELOW THE "ACL" ENTRIES

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

# BELOW 2 LINES ADDED BY KOSSBOSS TO ADD REMOTE COMPUTERS

acl myips src "/etc/squid/mynetworks.conf"

# KOSSBOSS ADDED THE ABOVE LINE TO INCLUDE THOSE IPS IN THE SELECTION PROCESS. NOTE WE POINT TO A FILE; INSTEAD WE COULD HAVE JUST DONE THIS:
# acl myips src 2.2.2.2 3.3.3.3

acl mydomain srcdomain starbucks.com friends.com

# KOSSBOSS ADDED THE ABOVE LINE TO INCLUDE THE DOMAIN NAMES THAT WILL ACCESS THIS (starbucks.com OR friends.com). YOU CAN HAVE MULTIPLE DOMAINS ON A LINE, JUST USE A SPACE TO SEPARATE THEM (THIS APPLIES TO IP ADDRESSES TOO IF WE DECIDE NOT TO POINT THE IPS TO A FILE)
# THIS WILL WORK AS WELL: "acl mydomain srcdomain starbucks.com", SINGLE ENTRIES WORK TOO. NOTE YOU CAN USE A FILE LIKE WITH "src" ABOVE, I JUST WANTED TO SHOW THAT YOU DON'T NEED ONE
# NOTE HOW srcdomain WORKS: SQUID DOES A REVERSE DNS LOOKUP OF THE CLIENT'S IP AND COMPARES THAT NAME, SO IT ONLY HELPS IF THE REMOTE IP ACTUALLY REVERSE-RESOLVES TO THE NAME YOU LIST (MANY PUBLIC IPS DON'T)
# FINALLY IT'S NOT BAD TO HAVE REDUNDANCY WITH BOTH IPS AND SRCDOMAINS, BECAUSE SOMETIMES IPS CHANGE BUT SRCDOMAINS DON'T (HOSTNAMES STAY THE SAME BUT THE IP CHANGES, OR VICE VERSA), SO IT'S GOOD TO HAVE BOTH IN MY OPINION
# NOTE WE WILL THEN USE THE "myips" AND "mydomain" ENTRIES WE JUST MADE IN SQUID'S ACCESS RULES "http_access" AND CACHE-PEER (ICP) RULES "icp_access"

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# ACL ENTRIES ARE USELESS WITHOUT http_access (FOR ACCESS) OR icp_access (FOR ICP CACHE-PEER QUERIES) ENTRIES. THE ENTRIES BELOW PUT THE ACL ENTRIES TO USE. THINK OF THE "ACL" ENTRIES ABOVE AS SIMPLE "SELECTION ALGORITHMS" AND THE ENTRIES BELOW AS "WHAT YOU WILL DO WITH WHAT THE SELECTION ALGORITHM SELECTED". SQUID CHECKS THE http_access LINES TOP TO BOTTOM AND THE FIRST LINE WHOSE ACLS ALL MATCH DECIDES, SO ORDER MATTERS AND "deny all" GOES LAST

http_access allow manager localhost
http_access allow manager myips # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
http_access allow manager mydomain # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
http_access deny manager
http_access allow purge localhost
http_access allow purge myips # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
http_access allow purge mydomain # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow myips # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
http_access allow mydomain # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
http_access deny all

icp_access allow localnet
icp_access allow myips # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
icp_access allow mydomain # ADDED BY KOSSBOSS SO THAT MYIPS & DOMAINS ARE ADDED
icp_access deny all

# ADDED BY KOSSBOSS. WELL, BELOW IT USUALLY HAS ANOTHER PORT NUMBER (3128 BY DEFAULT) BUT AS WE PICKED OUR PORT NUMBER TO BE 54321 WE HAVE TO USE 54321 HERE
http_port 54321

hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

# ADDED BELOW LINE BY KOSSBOSS
# BY DEFAULT IT'S ON AND LOOKS LIKE THIS "forwarded_for on" (IF YOU DON'T SEE "forwarded_for" THEN BY DEFAULT IT'S "on")
# WITH THE DEFAULT "on" SETTING: THE REMOTE PC'S PUBLIC IP IS SENT IN THE X-Forwarded-For HEADER TO WHATEVER WEBSITE YOU'RE ACCESSING, SO WWW.YAHOO.COM WILL KNOW 2.2.2.2 OR 3.3.3.3 WAS ACCESSING IT
# WITH "off": WWW.YAHOO.COM DOESN'T KNOW ABOUT 2.2.2.2 OR 3.3.3.3, IT ONLY SEES 1.1.1.1 (THE PROXY SERVER). NOTE "off" STILL SENDS "X-Forwarded-For: unknown"; "forwarded_for delete" REMOVES THE HEADER ENTIRELY
# FOR MORE INFO ON HOW IT DOES IT: http://www.squid-cache.org/Doc/config/forwarded_for/
forwarded_for off
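To see how the acl and http_access lines above combine into an allow/deny decision, here is an added example (my code, not squid's and not the author's): a small Python model of squid's first-match evaluation, run over a constructed copy of the access rules above and of mynetworks.conf. Everything except the rule text is an assumption of the model: the request fields (src, port, method, proto, rdns) are made up, srcdomain matching is simplified to "the client's reverse-DNS name equals the listed name, or sits under it when the listed name has a leading dot", and only the ACL types the page uses are handled.

```python
import ipaddress

# Constructed copy of the access-control lines from the squid.conf above (only the
# lines that affect http_access decisions; comments and caching settings left out).
SQUID_CONF = """
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl myips src "/etc/squid/mynetworks.conf"
acl mydomain srcdomain starbucks.com friends.com
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager myips
http_access allow manager mydomain
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow myips
http_access allow mydomain
http_access deny all
"""

# Constructed stand-in for the file the "myips" acl reads (inline # comments allowed).
FILES = {"/etc/squid/mynetworks.conf": "2.2.2.2 # starbucks\n3.3.3.3 # friends\n"}


def strip_comment(line):
    """Drop a trailing '# ...' comment, as squid does for conf and acl files."""
    return line.split("#", 1)[0].strip()


def parse_config(text, files=FILES):
    """Return (acls, rules): acls maps name -> (type, values), with "quoted file"
    arguments expanded to one value per non-comment line; rules is the ordered
    list of (action, [terms]) taken from the http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = strip_comment(raw).split()
        if not words:
            continue
        if words[0] == "acl":
            name, typ, values = words[1], words[2], []
            for v in words[3:]:
                if v.startswith('"') and v.endswith('"'):
                    values += [x for x in map(strip_comment, files[v[1:-1]].splitlines()) if x]
                else:
                    values.append(v)
            typ_seen, old = acls.get(name, (typ, []))
            acls[name] = (typ_seen, old + values)   # repeated acl lines accumulate
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl, req):
    """Does one acl select this request? Simplified model of squid's matching."""
    typ, values = acl
    if typ == "src":
        ip = ipaddress.ip_address(req["src"])
        return "all" in values or any(
            ip in ipaddress.ip_network(v, strict=False) for v in values if v != "all")
    if typ == "srcdomain":
        # squid reverse-resolves the client IP and compares that name (assumption:
        # a leading dot also matches subdomains, a bare name matches exactly)
        name = req.get("rdns") or ""
        return any(name == v.lstrip(".") or (v.startswith(".") and name.endswith(v))
                   for v in values)
    if typ == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if typ == "method":
        return req["method"] in values
    if typ == "proto":
        return req["proto"] in values
    raise ValueError("acl type not modelled: " + typ)


def http_access(req, acls, rules):
    """First http_access line whose terms all match wins. If no line matches, squid
    applies the opposite of the last line's action (hence always end with 'deny all')."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


ACLS, RULES = parse_config(SQUID_CONF)


def decide(src, port=80, method="GET", proto="http", rdns=None):
    """Decision for a client at src (with reverse name rdns) asking for proto://...:port."""
    req = {"src": src, "port": port, "method": method, "proto": proto, "rdns": rdns}
    return http_access(req, ACLS, RULES)


if __name__ == "__main__":
    for args in [("2.2.2.2",), ("4.4.4.4",), ("4.4.4.4", 80, "GET", "http", "friends.com"),
                 ("2.2.2.2", 8080, "CONNECT"), ("2.2.2.2", 443, "CONNECT"), ("2.2.2.2", 25)]:
        print(args, "->", decide(*args))
```

Running it shows why the order of the lines matters: a CONNECT from a listed IP to port 8080 is refused by "deny CONNECT !SSL_ports" before "allow myips" is ever reached, while the same client's CONNECT to 443 and plain GET to port 80 are allowed, and an unlisted IP only gets through when its reverse-DNS name is one of the srcdomain entries.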

 

RESTART THE SQUID
##################

If you're not using systemd but sysvinit:

/etc/init.d/squid stop
/etc/init.d/squid start

or:

service squid stop
service squid start

To restart:

/etc/init.d/squid restart
or:
service squid restart

If you are using systemd:

systemctl stop squid.service
systemctl start squid.service

To restart:

systemctl restart squid.service

And to check that it actually came back up:

systemctl status squid.service

 

ON REMOTE PC (FROM EXAMPLE: AT FRIENDS HOUSE OR AT STARBUCKS)
##############################################################

Open up Internet Explorer (IE for short) and change the internet settings or properties; however you get there, get into the famous proxy settings:
IE->Internet Options->Connections Tab->LAN Settings

Automatic Configuration (leave as default: only the top check mark "Automatically detect settings" is ON, and "Use automatic configuration script" is OFF)

Proxy Server: check the check box "Use a proxy server..." to ON, then go to Advanced (click the button); at least I use the advanced options, but you can also configure it right there without Advanced. Also check "Bypass proxy server for local addresses" (highly recommended for remote proxies) if you don't want to proxy out to local addresses, which makes sense when your proxy server is remote like in this example, so check it to ON (by default it's OFF). You want it ON because your proxy doesn't know about these local addresses and has no special way to get there without network magic, which is definitely not covered in this article.

Advanced Proxy Server Settings:
HTTP: this is where you put 1.1.1.1 and 54321
Secure: leave this blank (note that with this blank, https:// sites go direct and not through the proxy; the squid config above does allow CONNECT to port 443 if you decide to put the same host and port here)
FTP: leave this blank
Socks: this is for a SOCKS proxy (like the SSH SOCKS proxy mentioned at the top), leave it blank

Exceptions: you can put whatever addresses here; you don't need to put local addresses, as there is the local bypass option on the previous window that I just talked about.

Then just OK out of everything and test the proxy like this:

TEST
#####

On the remote PC (friend's or Starbucks)
go to

www.icanhazip.com

instead of seeing 2.2.2.2 or 3.3.3.3 you should see 1.1.1.1

Note: on Google, searching "what is my ip address" for some reason showed 2.2.2.2 or 3.3.3.3 (the real public IP); it could have been cached on the local box for me. Anyhow, just know that if icanhazip.com is showing your proxy's IP then it's correct. (If at least one site is showing it for you, it's working.)
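A scripted version of this check, added here as an example (not part of the original post): it sends a forward-proxy request for icanhazip.com to the squid box the way a browser with the proxy settings above would, and compares the answer with the proxy's public IP. The 1.1.1.1 / 54321 values are the page's example numbers, the FakeSquid class is a constructed stand-in so the check can be tried without a real proxy, and treating a non-200 answer or a refused connection as "not working" is my choice.

```python
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# The page's example values: the home network's public IP and the forwarded port.
PROXY_HOST, PROXY_PORT = "1.1.1.1", 54321
CHECK_URL = "http://icanhazip.com/"


def ip_seen_via_proxy(proxy_host, proxy_port, url=CHECK_URL, timeout=10):
    """Send a forward-proxy request for url to the proxy and return the body.
    A proxy request carries the absolute URL in the request line
    ("GET http://icanhazip.com/ HTTP/1.1"), which is what squid's http_port
    expects; the Host header must name the origin, otherwise http.client would
    fill it in with the proxy's own address."""
    origin = urllib.parse.urlsplit(url).netloc
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    try:
        conn.request("GET", url, headers={"Host": origin})
        resp = conn.getresponse()
        if resp.status != 200:   # e.g. squid's 403 for a client not in mynetworks.conf
            raise OSError("proxy answered HTTP %d" % resp.status)
        return resp.read().decode().strip()
    finally:
        conn.close()


def proxy_works(proxy_host, proxy_port, expected_ip, url=CHECK_URL, timeout=10):
    """True when the origin reports expected_ip (the proxy's public address).
    Refused connection or timeout (nothing listening, wrong port forward) -> False."""
    try:
        return ip_seen_via_proxy(proxy_host, proxy_port, url, timeout) == expected_ip
    except (OSError, http.client.HTTPException):
        return False


class FakeSquid(BaseHTTPRequestHandler):
    """Constructed stand-in for squid so the check can be exercised offline: it
    records the request line it was given and answers like icanhazip.com would."""
    seen = []
    answer = "1.1.1.1"

    def do_GET(self):
        FakeSquid.seen.append(self.path)        # "http://icanhazip.com/" for a proxy request
        body = (FakeSquid.answer + "\n").encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):               # keep the fake server quiet
        pass


def start_fake_squid():
    """Start FakeSquid on an ephemeral localhost port; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSquid)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


if __name__ == "__main__":
    print("proxy", PROXY_HOST, PROXY_PORT, "works:",
          proxy_works(PROXY_HOST, PROXY_PORT, "1.1.1.1"))
```

Run it from the remote network (the friend's PC or Starbucks in the example) with the real host and port; from inside the home network the answer is the same 1.1.1.1 either way, so that does not prove anything.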

TEST2
######

Another test, on the squid server (so from 1.1.1.1)

Make sure squid is listening on your port (on TCP):

netstat -ntlp
netstat -ntlp | grep squid

You should see squid listening on your port (54321 in the example)

Check for fun what it's doing with UDP:

netstat -nulp | grep squid

Don't ask me what it's doing, google it (it is squid's ICP cache-peer port, 3130 by default, plus its DNS client socket)

watch -n0.1 "netstat -an | grep tcp"

If it's listening and your proxy is not working, try clearing the cache of the browser you're on (the remote browser), and make sure your networking (port forwarding at the router) is set up correctly so that port 54321 is forwarded to port 54321 on the squid server.

 

One thought on "SQUID Config, if you need a proxy to access from far away"

  1. Hello, I am Alvin from PH. I finished configuring squid on my server running Windows,

    but my client computer can't find the proxy. Why? I followed all the settings.