From Manjaro Linux
Jump to: navigation, search
Warning: This page is out of date and needs updating

What is this Squid?

From the Squid site: [1]

Squid: Optimising Web Delivery

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

Read the rest here: [2]

Installation & Configuration

Enter the following in the Terminal:

$ sudo pacman -S squid lsof
$ sudo systemctl enable squid
$ sudo squid -z
$ sudo systemctl start squid

This installs the Squid daemon & gets it up & running. Now we want it to only make the headers we authorize available. Headers give away an enormous amount of identifying information, ranging from your name to MAC to OS & more. It is also really cool to surf around disguised as a Googlebot. When admins check their server logs & see a Googlebot they move right along...


We need to make some changes to /etc/squid/squid.conf . The easiest way for most users would be to replace yours with a copy of mine, which follows:

# Recommended minimum configuration:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed:
#acl localnet src	# RFC1918 possible internal network
#acl localnet src	# RFC1918 possible internal network
acl localnet src	# RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

# Recommended minimum Access Permission configuration:
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all


# Check user agent at http://proxydetect.com/
		request_header_access Allow deny all
		request_header_replace User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
		request_header_access User-Agent deny all
		request_header_access Authorization allow all
		request_header_access WWW-Authenticate allow all
		request_header_access Proxy-Authorization allow all
		request_header_access Proxy-Authenticate allow all
		request_header_access Cache-Control allow all
		request_header_access Content-Encoding allow all
		request_header_access Content-Length allow all
		request_header_access Content-Type allow all
		request_header_access Transfer-Encoding allow all
		request_header_access Set-Cookie allow all
		request_header_access Cookie allow all
		request_header_access Proxy-Connection allow all
		request_header_access User-Agent allow all
		request_header_replace X-Forwarded-For
#		request_header_access X-Forwarded-For deny all
		request_header_access Via deny all
		request_header_access Server deny all

		request_header_access Date allow all
		request_header_access Expires allow all
		request_header_access Host allow all
		request_header_access If-Modified-Since allow all
		request_header_access Last-Modified allow all
		request_header_access Pragma allow all
		request_header_access Accept allow all
		request_header_access Accept-Charset allow all
		request_header_access Accept-Encoding allow all
		request_header_access Accept-Language allow all
		request_header_access Content-Language allow all
		request_header_access Mime-Version allow all
		request_header_access Retry-After allow all
		request_header_access Title allow all
		request_header_access Connection allow all
		request_header_access All deny all

# Disable cache on any page that uses cgi scripts or has a query parameter or
# is a css file. Furthermore, we can add domains to
# /etc/squid/list/not-to-cache.conf – one domain per line – which will not be
# cached by Squid afterwards.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? \.css
no_cache deny QUERY
#acl NOT_TO_CACHE dstdomain "/etc/squid/list/not-to-cache.conf"
#no_cache deny NOT_TO_CACHE

#	although many of those are HTTP reply headers, and so should be
#	controlled with the reply_header_access directive.
#	By default, all headers are allowed (no anonymizing is
#	performed).
# none

#  TAG: reply_header_access
#	Usage: reply_header_access header_name allow|deny [!]aclname ...
#	WARNING: Doing this VIOLATES the HTTP standard.  Enabling
#	this feature could make you liable for problems which it
#	causes.
#	This option only applies to reply headers, i.e., from the
#	server to the client.
#	This is the same as request_header_access, but in the other
#	direction. Please see request_header_access for detailed
#	documentation.
#	For example, to achieve the same behavior as the old
#	'http_anonymizer standard' option, you should use:
#		reply_header_access From deny all
#		reply_header_access Referer deny all
#		reply_header_access Server deny all
#		reply_header_access User-Agent deny all
#		reply_header_access WWW-Authenticate deny all
#		reply_header_access Link deny all
#	Or, to reproduce the old 'http_anonymizer paranoid' feature
#	you should use:
		reply_header_access Allow allow all
		reply_header_access Authorization allow all
		reply_header_access WWW-Authenticate allow all
		reply_header_access Proxy-Authorization allow all
		reply_header_access Proxy-Authenticate allow all
		reply_header_access Cache-Control allow all
		reply_header_access Content-Encoding allow all
		reply_header_access Content-Length allow all
		reply_header_access Content-Type allow all

		reply_header_access Transfer-Encoding allow all
		reply_header_access Set-Cookie allow all
		reply_header_access Cookie allow all
		reply_header_access Proxy-Connection allow all
		reply_header_access User-Agent allow all
		reply_header_access X-Forwarded-For deny all
		reply_header_access Via deny all
		reply_header_access Server deny all

		reply_header_access Date allow all
		reply_header_access Expires allow all
		reply_header_access Host allow all
		reply_header_access If-Modified-Since allow all
		reply_header_access Last-Modified allow all
		reply_header_access Location allow all
		reply_header_access Pragma allow all
		reply_header_access Accept allow all
		reply_header_access Accept-Charset allow all
		reply_header_access Accept-Encoding allow all
		reply_header_access Accept-Language allow all
		reply_header_access Content-Language allow all
		reply_header_access Mime-Version allow all
		reply_header_access Retry-After allow all
		reply_header_access Title allow all
		reply_header_access Connection allow all
		reply_header_access All deny all


# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

Note: Be sure to change acl localnet src found
in the first section of the squid.conf file, to 
match your LAN's class C: [3] IP address range(s).

In the above squid.conf, Header denial starts by denying all, & then selectively allowing.

Save any changes that you have made to the squid.conf file.

Restart & Test Squid

Enter the following two commands in the Terminal:

$ sudo systemctl restart squid
$ sudo lsof -i -n -P |grep 3128
squid       4236 proxy    4u  IPv4  49302      0t0  TCP (LISTEN)

If you see a similar output as line three above, then Squid is running. (If not, check /var/log/squid3/cache.log)

Testing your Squid

Start your browser & go to the following link: [4] where you will find that from reading your headers, the site knows who you are & what you are running...

Set Squid as your proxy

In Firefox do the following: Edit > Preferences > Advanced > Network > Settings then highlight Manual Proxy Configuration & enter the following;-

HTTP Proxy: Port: 3128
Check - Use this proxy server for all protocols
Hit <OK> 
Now reload the website & test your work: [5]

The results should be dramatically different now. Not only does it think you're a Google.bot spidering the web, it can't see many more headers that are being withheld in an effort to prevent information about you leaking to just about every server your machine hits on the internet.

Using Squid day to day, will improve your page load times as the cache optimizes itself.

We have the need to turn Squid ON/OFF

Note: It is highly recommended that you find a
      browser add-on that allows you to turn 
      Squid ON/OFF with the click of a mouse
      Some web sites will deny you access when
      Squid is running, due to the limited
      amount of data that they are given about 

If there is no add-on option for your browser, you could use two aliases in your ~/.bashrc that turn Squid on & off by entering a couple of letters (the alias) at the terminal prompt. These aliases (or the commands themselves) could also be added to the menu of your WM/DE, & or be made to work with a key combination on your keyboard. I'll create a couple of aliases later & add them to this page.

Easily Turn Squid ON/OFF in Firefox

Installing the Swap Proxy Firefox add-on: [6] Allows you to easily set Swap Proxy to swap between it & no proxy via the simple GUI.

To setup Squid after you have installed Swap Proxy:

Right click on the Swap Proxy icon which defaults to the bottom right corner on the add-on bar of the browser. This will bring up the preferences box, in which you:

Check - Manual Proxy Configuration
Manual Proxy:  Port: 3128
Check - Use this proxy server for all protocols 
Check - Automatically Switch ON Proxy (or your alternate choice)
Hit <OK> & you are done.


In the Terminal, if you check:

$ sudo systemctl status squid 

... and part of it is:

Jul 17 12:52:21 jarmano squid[4061]: Starting Squid Cache version 3.3.8 for x86_64-unknown-l...u...
Jul 17 12:52:21 jarmano squid[4061]: chdir: /var/spool/squid: (2) No such file or directory
Jul 17 12:52:21 jarmano systemd[1]: squid.service: Supervising process 4061 which is not our...its.

Your caching directory has not been created.

So enter the following in the Terminal:

$ sudo squid -z
$ sudo chown -R proxy:proxy /var/spool/squid
$ sudo systemctl restart squid
$ sudo systemctl -l status squid

& see how that looks.


Following is a link to this page's forum counterpart where you can post any related feedback: [7]