By Alex Garnett
Senior DevOps Technical Writer
Proxy servers are a useful way of caching or obfuscating web traffic. This means that web requests can be served from different inbound or outbound addresses than they appear to be, by offloading the connection to intermediaries. For regular end users, this usually means allowing you to make web requests from a different IP address than your own. This can serve many purposes, such as researching how the web is served differently from one jurisdiction to the next, or avoiding some methods of surveillance or web traffic throttling.
There are many third-party proxy service providers, but they can be unreliable – especially if your primary goal in using a proxy is to route traffic away from your internet service provider, there may be cases when a commercial proxy provider is actually less secure or less legally bound in practice.
Squid is a stable, popular, open-source HTTP proxy. In this tutorial, you will be installing and configuring Squid to provide an HTTP proxy on a Rocky Linux 9.
To complete this guide, you will need:
You will use the domain name your_domain in this tutorial, but you should substitute this with your own domain name, or IP address.
Squid has many use cases beyond routing an individual user’s outbound traffic. In the context of large-scale server deployments, it can be used as a distributed caching mechanism, a load balancer, or another component of a routing stack. However, some methods of horizontally scaling server traffic that would typically have involved a proxy server have been surpassed in popularity by containerization frameworks such as Kubernetes, which distribute more components of an application. At the same time, using proxy servers to redirect web requests as an individual user has become increasingly popular for protecting your privacy. This is helpful to keep in mind when working with open-source proxy servers which may appear to have many dozens of features in a lower-priority maintenance mode. The use cases for a proxy have changed over time, but the fundamental technology has not.
squid package is not available in Rocky Linux’s default package sources. Instead, you can install Squid through the EPEL repository. EPEL is the most popular additional package repository on RHEL-based distributions like Rocky Linux, and contains a number of trusted, third party packages that are not provided by official sources.
To add the Rocky Linux EPEL repository, use the
dnf package manager to run
dnf install epel-release
- sudo dnf install epel-release
Next, you can proceed to install Squid using
- sudo dnf install squid
On Rocky Linux, Squid will not start automatically after being installed. You can check that a service was created, but is inactive, using
- systemctl status squid.service
Output● squid.service - Squid caching proxy Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disa> Active: inactive (dead) Docs: man:squid(8)
Before enabling Squid, you’ll need to make some changes to its configuration file, which is stored in
/etc/squid/squid.conf. The default text editor that comes with Rocky Linux 9 is
vi is an extremely powerful text editor, but it can be somewhat obtuse for users who lack experience with it. You might want to install a more user-friendly editor such as
nano to facilitate editing configuration files on your Rocky Linux 9 server:
- sudo dnf install nano
Open the Squid configuration file in
nano or your favorite text editor:
- sudo nano /etc/squid/squid.conf
Begin by navigating to the line containing the phrase
http_access deny all. You should see a block of text explaining Squid’s default access rules:
. . . # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all . . .
From this, you can see the current behavior –
localhost is allowed; other connections are not. Note that these rules are parsed sequentially, so it’s a good idea to keep the
deny all rule at the bottom of this configuration block. You could change that rule to
allow all, enabling anyone to connect to your proxy server, but you probably don’t want to do that. Instead, you can add a line above
http_access allow localhost that includes your own IP address, like so:
# # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # include /etc/squid/conf.d/* # Example rule allowing access from your local networks. acl localnet src your_ip_address # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed #http_access allow localnet http_access allow localhost
If you don’t know your local IP address, it’s quickest to go to a site like What’s my IP which can tell you where you accessed it from. After making that change, save and close the file. If you are using
Ctrl+X, and then when prompted,
Y and then
At this point, you could restart Squid and connect to it, but there’s more you can do in order to secure it first.
Most proxies, and most client-side apps that connect to proxies (e.g., web browsers) support multiple methods of authentication. These can include shared keys, or separate authentication servers, but most commonly entail regular username-password pairs. Squid allows you to create username-password pairs using built-in Linux functionality, as an additional or an alternative step to restricting access to your proxy by IP address. To do that, you’ll create a file called
/etc/squid/passwords and point Squid’s configuration to it.
First, you’ll need to install some utilities from the Apache project in order to have access to a password generator that Squid likes.
- sudo dnf install httpd-tools
This package provides the
htpasswd command, which you can use in order to generate a password for a new Squid user. Squid’s usernames won’t overlap with system usernames in any way, so you can use the same name you’ve logged in with if you want. You’ll be prompted to add a password as well:
- sudo htpasswd -c /etc/squid/passwords your_squid_username
This will store your username along with a hash of your new password in
/etc/squid/passwords, which will be used as an authentication source by Squid. You can
cat the file afterward to see what that looks like:
- sudo cat /etc/squid/passwords
After verifying that your username and password have been stored, you can update Squid’s configuration to use your new
/etc/squid/passwords file. Using
nano or your favorite text editor, reopen the Squid configuration file and add the following highlighted lines:
- sudo nano /etc/squid/squid.conf
… # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # include /etc/squid/conf.d/* auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords auth_param basic realm proxy acl authenticated proxy_auth REQUIRED # Example rule allowing access from your local networks. acl localnet src your_ip_address # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed #http_access allow localnet http_access allow localhost http_access allow authenticated # And finally deny all other access to this proxy http_access deny all …
These additional directives tell Squid to check in your new
passwords file for password hashes that can be parsed using the
basic_ncsa_auth mechanism, and to require authentication for access to your proxy. You can review Squid’s documentation for more information on this or other authentication methods. After that, you can finally start Squid with your configuration changes. This might take a moment to complete.
- sudo systemctl start squid.service
You can use
systemctl status again to verify that it started properly:
- sudo systemctl status squid.service
Output● squid.service - Squid caching proxy Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disa> Active: active (running) since Fri 2022-10-28 19:17:04 UTC; 21s ago Docs: man:squid(8) Process: 263480 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/> Main PID: 263485 (squid) Tasks: 3 (limit: 11152) Memory: 15.7M CGroup: /system.slice/squid.service ├─263485 /usr/sbin/squid --foreground -f /etc/squid/squid.conf ├─263489 (squid-1) --kid squid-1 --foreground -f /etc/squid/squid.conf └─263490 (logfile-daemon) /var/log/squid/access.log Oct 28 19:17:03 rocky systemd: Starting Squid caching proxy... Oct 28 19:17:04 rocky squid: Squid Parent: will start 1 kids Oct 28 19:17:04 rocky squid: Squid Parent: (squid-1) process 263489 star> Oct 28 19:17:04 rocky systemd: Started Squid caching proxy.
And don’t forget to allow Squid through your firewall if you’re using
firewalld by adding a rule for port 3128:
- sudo firewall-cmd --permanent --add-port=3128/tcp
- firewall-cmd --reload
In the next step, you’ll connect to your proxy at last.
In order to demonstrate your Squid server, you’ll use a command line program called
curl, which is popular for making different types of web requests. In general, if you want to verify whether a given connection should be working in a browser under ideal circumstances, you should always test first with
curl. You’ll be using curl on your local machine in order to do this – it’s installed by default on all modern Windows, Mac, and Linux environments, so you can open any local shell to run this command:
- curl -v -x http://your_squid_username:your_squid_password@your_server_ip:3128 http://www.google.com/
-x argument passes a proxy server to curl, and in this case you’re using the
http:// protocol this time, specifying your username and password to this server, and then connecting to a known-working website like
google.com. If the command was successful, you should see the following output:
Output* Trying 22.214.171.124:3128... * Connected to 126.96.36.199 (188.8.131.52) port 3128 (#0) * Proxy auth using Basic with user 'squid' > GET http://www.google.com/ HTTP/1.1
It is also possible to access
https:// websites with your Squid proxy without making any further configuration changes. These make use of a separate proxy directive called
CONNECT in order to preserve SSL between the client and the server:
- curl -v -x http://your_squid_username:your_squid_password@your_server_ip:3128 https://www.google.com/
Output* Trying 184.108.40.206:3128... * Connected to 220.127.116.11 (18.104.22.168) port 3128 (#0) * allocate connect buffer * Establish HTTP proxy tunnel to www.google.com:443 * Proxy auth using Basic with user 'squid' > CONNECT www.google.com:443 HTTP/1.1 > Host: www.google.com:443 > Proxy-Authorization: Basic c3F1aWQ6c3F1aWQ= > User-Agent: curl/7.83.1 > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 Connection established < * Proxy replied 200 to CONNECT request * CONNECT phase completed
The credentials that you used for
curl should now work anywhere else you might want to use your new proxy server.
In this tutorial, you learned to deploy a popular, open-source API endpoint for proxying traffic with little to no overhead. Many applications have built-in proxy support (often at the OS level) going back decades, making this proxy stack highly reusable.
Because one of the most common use cases for proxy servers is proxying traffic to and from different global regions, you may want to review how to use Ansible to automate server deployments next, in case you find yourself wanting to duplicate this configuration in other data centers.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Click below to sign up and get $200 of credit to try our products over 60 days!