Setting up Squid Proxy on Ubuntu

Squid is a caching proxy for HTTP and other protocols. This article covers installing it on Ubuntu and configuring it as a transparent proxy, including Web Proxy Auto-Discovery (WPAD) via DHCP and DNS.

I run a heterogeneous configuration. This provided a number of challenges as various implementations of WPAD were encountered. Each seems to require something different. The final configuration works for Ubuntu, Windows XP, and Windows Vista. Both Internet Explorer and Firefox configured correctly.

Installation and Setup

Squid is a proxy server that can be run transparently. It is already packaged for Ubuntu and can be installed with any package manager; sudo aptitude install squid will install Squid and its dependencies. The supplied default squid.conf file has a lot of comments. If you want to work with a configuration file without these comments, run these commands as root after installation.

cd /etc/squid
cp squid.conf squid.conf.orig                 # keep the commented original for reference
grep -v '^#' squid.conf.orig > squid.conf     # drop the comment lines
echo USER=proxy >> /etc/default/squid         # run the daemon as the proxy user
chmod 640 /etc/squid/squid.conf               # readable only by root and the proxy group
chgrp proxy /etc/squid/squid.conf

The default configuration file limits proxy access to localhost and does not configure a cache. It does define a localnet source acl that covers the private (RFC 1918) address ranges, which simplifies configuration. To enable access from the local network, add the line http_access allow localnet just after the line http_access allow localhost.

Enabling disk caching requires a cache directory. Edit the following section for your site and add it to the end of squid.conf. It configures Squid to use a 100 MB cache under the /var/cache hierarchy (the trailing 16 and 256 are the number of first- and second-level subdirectories in the cache).

# Cache configuration
cache_dir ufs /var/cache/squid 100 16 256
cache_mgr you@example.com
cache_effective_user proxy
visible_hostname yourhost.example.com

Create the cache and start Squid using the following commands.

sudo mkdir /var/cache/squid
sudo chown proxy /var/cache/squid
sudo -u proxy squid -z
sudo start squid

Configuring firewalls for Squid

The following section outlines rules for Shorewall, which is my firewall of choice. It should be fairly easy to translate the rules to another firewall. These rules assume the Squid proxy is in the DMZ and that the client proxy configuration does not use Squid for connections on the LAN (loc). Reload the firewall after its configuration is changed.

Configure the Squid server's firewall to accept proxy requests and to let Squid reach the desired Internet ports. I limit it to Web and FTP services. WebX is a macro that allows extra Web ports and streaming media; you may want to enable those explicitly in your configuration or create your own macro.

REJECT:info     net     $FW     tcp     3128
ACCEPT          all     $FW     tcp     3128
Web/ACCEPT      $FW     net
WebX/ACCEPT     $FW     net
FTP/ACCEPT      $FW     net

Configure internal servers to allow access to the Squid server. The parameter $SQUID contains the address of the Squid server. Consider dropping existing rules that permit direct access to services which now go through Squid. It may be best to prepare the changes but defer them until Squid is fully implemented.

ACCEPT          $FW             dmz:$SQUID      tcp     3128    # squid

Configure the firewall to permit access to the Squid proxy, and allow it to access the desired Internet services. Any services permitted on the Squid server's firewall should be repeated here with the source address adjusted accordingly: replace the $FW parameter with the definition for the Squid proxy (dmz:$SQUID). These rules include an explicit block for the Internet (net), and allow access from a separate WiFi (wifi) zone.

DROP:info       net             dmz:$SQUID      tcp     3128
ACCEPT          loc             dmz:$SQUID      tcp     3128
ACCEPT          wifi            dmz:$SQUID      tcp     3128
Web/ACCEPT      dmz:$SQUID      net
WebX/ACCEPT     dmz:$SQUID      net
FTP/ACCEPT      dmz:$SQUID      net

Web Proxy Auto-Discovery

Most modern browsers will configure their proxies on startup from a PAC (Proxy Auto-Config) file. Some browsers can get this information from DHCP. However, using WPAD (Web Proxy Auto-Discovery) via DNS entries works with more browsers. This uses a file called wpad.dat served from a wpad host somewhere up the DNS hierarchy.

For this documentation I am using example values. The Squid server's address is 192.0.2.10 and the file wpad.dat is served for example.com; the same host also runs the Apache server that serves the file. If you copy these examples, adjust them for your network.

Creating a wpad.dat file

The PAC file wpad.dat is a simple JavaScript file supplying the function FindProxyForURL(url, host). It returns a string: either DIRECT or a semicolon-separated list of proxies to try in order. This sample script uses direct access for sites on the private address ranges and the Squid proxy at 192.0.2.10 for other sites. HTTPS requests are not proxied, but other protocols are. FindProxyForURL.com has additional information and examples.

// proxy configuration script for wpad
function FindProxyForURL(url, host) {
    // Bypass the proxy for https: (checked first, so no DNS lookup is needed for it)
    if (shExpMatch(url, "https://*"))
        return "DIRECT";

    // If the hostname resolves to a private (RFC 1918) or loopback address, go direct.
    // If the name does not resolve, none of the isInNet() checks match and the
    // request falls through to the proxy.
    var resolved_ip = dnsResolve(host);
    if (isInNet(resolved_ip, "10.0.0.0",    "255.0.0.0")   ||
        isInNet(resolved_ip, "172.16.0.0",  "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0",   "255.0.0.0"))    // loopback is a /8, not a /24
        return "DIRECT";

    // Default: use the proxy.
    return "PROXY 192.0.2.10:3128";
}
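To check the PAC logic before deploying it, here is an added example (not from the original post) that runs the same policy offline. Browsers supply isInNet(), dnsResolve(), shExpMatch() and isPlainHostName(); the versions below are minimal stand-ins, the DNS table is constructed sample data, and the only change from the wpad.dat above is that the https: and plain-hostname checks run before any DNS lookup.

```javascript
// Added example (not from the original post): an offline harness that runs the
// wpad.dat policy with stand-in PAC helpers. Browsers provide isInNet(),
// dnsResolve(), shExpMatch() and isPlainHostName(); the versions here are
// minimal re-implementations, and the DNS table is constructed sample data.

const FAKE_DNS = {                      // constructed: name -> address
  "intranet.example.com": "10.1.2.3",
  "www.example.org":      "203.0.113.7",
};

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Stand-in for the browser's dnsResolve(): literal IPs pass through, unknown
// names return null, which is also what browsers return on lookup failure.
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

function isInNet(ip, net, mask) {
  if (!ip) return false;                // unresolved name: never "in" a network
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

function shExpMatch(str, pattern) {     // shell glob: * and ? only
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Same policy as the wpad.dat above, with two refinements: the https: and
// plain-hostname checks come first so they never trigger a DNS lookup.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "https://*")) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0",    "255.0.0.0")   ||
      isInNet(ip, "172.16.0.0",  "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "127.0.0.0",   "255.0.0.0")) return "DIRECT";
  return "PROXY 192.0.2.10:3128";
}
```

Run it with node and call FindProxyForURL() with the URL and host a browser would pass; names missing from the table behave like DNS failures and go to the proxy.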

Configuring Apache

Place the wpad.dat file in the root of the host or virtual host that will serve it. Ensure the file is served when requested as wpad, wpad.example.com, and 192.0.2.10. It should have a MIME type of application/x-ns-proxy-autoconfig. For Apache, place the following line in your configuration. I placed the MIME type definition in the directory specification for the virtual host's root directory; however, you may want to place it with the rest of the MIME type definitions.

    AddType application/x-ns-proxy-autoconfig .dat

If you are redirecting all traffic to the canonical host, you may want to exempt wpad.dat from this rewrite; otherwise all auto-configuration requests will be redirected. This is done by adding the following RewriteCond line just before your RewriteRule. In virtual host context %{REQUEST_FILENAME} is still the URL path; inside a Directory or .htaccess context it has already been mapped to a filesystem path, so match on %{REQUEST_URI} there instead.

    RewriteCond %{REQUEST_FILENAME} !^/wpad.dat$

Configuring DNS

Browsers using WPAD to locate their proxy search up the domain hierarchy. As a result, host frodo.gandalf.middle.earth.example.com should try wpad.gandalf.middle.earth.example.com, wpad.middle.earth.example.com, wpad.earth.example.com, and wpad.example.com looking for a wpad.dat file, and use the first one it finds. Unfortunately, if frodo does not know its domain, it won't find its configuration. Some clients don't walk the domain hierarchy and will require an entry for their own domain. If you only have one Squid cache, you likely want to serve the file as wpad.example.com. If you are using DNSMasq, add the following line to your hosts file.

192.0.2.10    wpad.example.com

The equivalent entry for bind is:

wpad    IN      A       192.0.2.10

After making the change, reload the configuration. DNSMasq rereads /etc/hosts after being sent a HUP signal; the rndc command can be used to make bind reload its configuration.

Configuring DHCP

DHCP option 252 is used to send the URL of the proxy configuration file. This is most useful for Microsoft tools on Microsoft platforms. It only works for hosts that receive their IP address via DHCP; fortunately, DNS discovery also works for Microsoft. Although DHCP allows you to use any server and file name you choose, it is best to use the same URL that DNS discovery uses. If you are using DNSMasq to provide DHCP, add the following to your dnsmasq.conf file.

dhcp-option=252,http://wpad.example.com/wpad.dat

Configuring Clients

Most clients should work out of the box. The default configurations usually specify proxy auto-discovery. These clients will start to use the proxy after their next reboot or restart.

Clients that have auto-discovery turned off will need to have their configuration adjusted. The preferred option is to turn on auto-discovery. Some tools will offer two options: Auto-detect proxy settings for this network; and Use system proxy settings. If one does not work you may have to try the other.

Using a system proxy setting may give more consistent results between tools. As long as your DHCP and DNS configurations point to the same configuration there should be no difference which you choose. However, if the system does not do proxy auto-discovery, you will not get any access to the proxy.

Manual configuration is usually possible. This can be either direct specification of the proxy, or specification of the URL for the PAC file (wpad.dat). This should be a last resort, as it may break if you change your setup, or the computer is mobile.

Problems Encountered

During my setup I encountered the following problems.

  • My default Apache virtual domain is not the one I originally used for WPAD. As a result each wpad hostname needed to be added as a ServerAlias. I moved wpad.dat to the default virtual host, and added a Files section to restrict access to the local network.
  • Firefox on Ubuntu does not walk the domain tree, so I needed to specify a wpad hostname in DNS for each sub-domain.
  • Firefox on Windows XP specified the hostname as wpad in the HTTP request. This required the virtual host to have a ServerAlias for wpad.
  • Ubuntu does not appear to do auto-discovery for the system proxy settings. It appears the URL needs to be specified manually. However, Firefox will auto-discover using WPAD on all of the domains that the host belongs to.
  • Firefox on Vista appears not to get the system proxy configurations. It does auto-detect settings correctly.
  • Vista continues to look for wpad.dat from the old URL long after it has moved.
  • Redirecting hostnames to the canonical name caused redirects on all wpad.dat accesses. The workaround has been documented.
