Squid caching proxy server: purpose, functions, capabilities
It is the norm in most corporate networks for a large number of users to reach the Internet from a variety of personal devices, and one of the important tasks is to give each of those devices the required level of security. This is not as simple as it may seem at first glance: it is very hard to force every user to comply with regulated corporate standards during their work, in particular restrictions on network use, meaning a ban on access to certain sites or addresses.
One of the simplest and at the same time effective ways to restrict Internet access is to allow only certain protocols (for example, HTTP and FTP) and to define the access rights of subscribers on a dedicated server, to which their clients connect using the proxy protocol supported by all modern browsers. Once the server has determined a client's access rights, it proxies every HTTP request that reaches it and forwards it to the destination. This brings us to the main topic of this review, the Squid caching proxy server. Let us look in more detail at what it is and what it can do.
What is Squid?
Squid is a full-featured caching proxy server that provides proxy services and data caching for HTTP, FTP and other popular network protocols. It handles HTTPS requests (by tunnelling the CONNECT method, or by inspecting them when SSL Bump is configured), caches DNS lookup results, and performs both normal and transparent proxying and caching. It also supports a large set of inter-cache protocols: ICP (Internet Cache Protocol), WCCP (Web Cache Communication Protocol), CARP (Cache Array Routing Protocol) and HTCP (Hypertext Caching Protocol).
With your own Squid proxy server you get a universal solution that scales from a regional office to an entire corporation. It offers a single, extensible access-control mechanism and exposes its key operating parameters for monitoring, including over SNMP. When sizing the machine that will run Squid as a cache or proxy, it is important to provide enough RAM: Squid keeps the hottest objects and the index of everything stored on disk in memory, which is what makes it fast, and the index alone costs on the order of 10 MB of RAM per gigabyte of disk cache.
Organizing access with Squid
Using this application, you can organize several options for accessing the network:
- normal (explicit) proxy access;
- anonymizing proxy access;
- transparent proxy access;
- reverse proxying.
Let's look at these options in more detail.
Normal network access via Squid
Once Squid is installed it already works as a proxy server, but by default it accepts connections only from the computer it runs on. In a corporate network, where other computers need to use it, you must adjust the ACLs (Access Control Lists), that is, the access-control tables. They are stored in the configuration file (squid.conf) together with the other settings, and understanding them is not difficult: every settings block carries comments and examples, including a description of all default values. To make Squid accept connections from all computers on the local network, enter the real address range of your network in the corresponding acl src line (the sample configuration calls it localnet) and allow that ACL in http_access.
Please note that the order of the http_access lines matters. When processing an access request, Squid goes through these lines sequentially from top to bottom and stops at the first one that matches; that line's allow or deny decides the request. If no line matches, the opposite of the last line applies, which is why a configuration should always end with an explicit http_access deny all.
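The ruleset below is an added example written for this article, not Squid's shipped configuration; the LAN range 192.168.10.0/24 and the listening port are assumed. It shows the address range entered into the localnet ACL, the top-down evaluation order, and (commented out at the end) the mistake the ordering rule warns against:

```conf
# /etc/squid/squid.conf (added example; the LAN range and the listening port are assumed)
http_port 3128

acl localnet src 192.168.10.0/24          # the real address range of your network
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

# http_access lines are evaluated top-down; the first match decides.
http_access deny !Safe_ports               # no proxying to odd ports
http_access deny CONNECT !SSL_ports        # CONNECT tunnels only to 443
http_access allow localhost manager        # cache manager from this host only
http_access deny manager
http_access allow localnet                 # the whole LAN
http_access allow localhost
http_access deny all                       # everything else, explicitly

# WRONG: with this line placed first, nothing below it is ever reached and
# every host on the Internet gets an open proxy, including CONNECT to port 25.
# http_access allow all
# http_access deny CONNECT !SSL_ports
```

localhost, manager and all are predefined ACLs in Squid 3.2 and later; on older versions define them yourself. Check the syntax with `squid -k parse` and apply the change with `squid -k reconfigure`.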
Anonymizing network access via Squid
Even when a local network sits behind a proxy server, a certain security risk remains: the topology of the local network and the activity of its users are not masked. For example, HTTP requests carry headers whose values are filled in by the browser when the request is sent (User-Agent, Referer, From), and a proxy itself normally adds Via and X-Forwarded-For headers that reveal the client's internal address and the proxy's host name.
Squid can remove dangerous header fields from the request or replace them with values specified in advance; these settings live in the configuration file (request_header_access, request_header_replace, via, forwarded_for). Note that removing or replacing header fields may adversely affect communication with systems that use these fields for authorization and for organizing interaction between users, so the settings must be approached as carefully and comprehensively as possible.
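An anonymizing fragment for squid.conf, added here as an example rather than taken from the page or from Squid's defaults; the replacement User-Agent string is arbitrary:

```conf
# Anonymizing settings (added example); the replacement User-Agent value is arbitrary
via off                                    # do not add "Via: 1.1 proxy (squid/x.y)"
forwarded_for delete                       # do not add X-Forwarded-For with the client's LAN address

request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access From deny all
request_header_access Referer deny all
request_header_access User-Agent deny all
# A denied header may be replaced with a fixed value instead of just removed
request_header_replace User-Agent Mozilla/5.0 (compatible)

# Everything not listed above passes unchanged (Authorization, Cookie, Accept-*, ...)
request_header_access All allow all
```

Stripping Referer breaks sites that use it for anti-hotlinking or CSRF checks, and stripping Cookie or Authorization would break every login, so deny only what you need and, where a site requires a header, scope the deny with an ACL instead of all. The header-mangling directives are only compiled in when Squid was built with --enable-http-violations (check `squid -v`); distribution packages normally include it.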
Transparent network access via Squid
It is not necessary to tell corporate network users that the network uses a proxy server. For this, transparent proxying is used: Squid runs on the host that is also the network's router (gateway), so traffic cannot bypass it, and the firewall redirects all outbound HTTP requests to an intercept port on Squid (this requires special settings on both sides). From the outside everything looks like a normal proxy server, while LAN users do not notice the proxying at all.
Reverse proxying is configured in the same configuration file; it is covered below.
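The intercept side of a transparent setup, as an added example that is not part of the original page; the port numbers, the LAN range and the interface name used in the note are assumed:

```conf
# Transparent (intercept) proxy on the LAN gateway (added example; addresses and ports assumed)
http_port 3128                             # for clients configured explicitly
http_port 3129 intercept                   # for traffic redirected by the firewall; must be a separate port

acl localnet src 192.168.10.0/24
http_access allow localnet
http_access deny all
```

On the same host, the firewall rule that feeds the intercept port is, for a LAN interface eth1, `iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3129`. Because intercept mode recovers the original destination from the kernel's NAT table, the redirect has to happen on the Squid host itself, not on another router via DNAT. Port 443 is deliberately not redirected: intercepting TLS requires SSL Bump and a CA certificate that every client trusts. Proxy authentication is impossible on the intercept port, since browsers do not know a proxy is there and never send Proxy-Authorization.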
Access filtering and authorization
Another distinctive feature of Squid is its flexible system for filtering external links. It lets you open and close access to particular resources or individual pages on them, block advertising, links to 18+ content, and so on. Filtering is done with the same access-control tables; the configuration file contains examples of their settings.
Note that when specifying the URL or the domain name of the server to which a filter should apply, you can use regular expressions (the url_regex and dstdom_regex ACL types), so a whole class of domain names or addresses can be covered in a single line.
As for authorization, Squid can define different ACL tables for a particular user or for a whole category of people. Using the auth_param directive you configure how users connecting to the server are identified (in a local network the computer's IP address alone is not enough, since it says nothing about who is sitting at it). The authentication helper programs that implement the various schemes (Basic, Digest, NTLM, Negotiate/Kerberos) are installed alongside Squid, for example in /usr/lib/squid.
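A combined filtering and authentication fragment, added as an example and not taken from the page; the helper path (Debian's /usr/lib/squid), the list file names, the LAN range and the user names are assumed:

```conf
# Filtering and authentication (added example; helper path, file names, LAN range and user names assumed)
acl localnet src 192.168.10.0/24
acl blocked_sites dstdomain "/etc/squid/blocked_domains.txt"   # one name per line; ".example.net" covers subdomains
acl adservers dstdom_regex -i (^|\.)(ads?|adserver|doubleclick)\.
acl adult_urls url_regex -i "/etc/squid/adult_regex.txt"      # one regular expression per line
acl bigfiles url_regex -i \.(iso|mkv)$

# Basic authentication against an htpasswd file, created with: htpasswd -c /etc/squid/passwd alice
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED      # any valid user
acl admins proxy_auth alice bob            # a named category of users

# Denials first (no login prompt for blocked sites), then the allows, then the explicit default
http_access deny blocked_sites
http_access deny adservers
http_access deny adult_urls
http_access allow localnet admins          # admins may download big files
http_access deny bigfiles
http_access allow localnet authenticated
http_access deny all
```

Basic authentication sends the password base64-encoded with every request and is acceptable only inside a trusted LAN; use the Digest or Negotiate helpers otherwise. On RHEL-type systems the helpers live in /usr/lib64/squid. Authentication only works on an explicit port, not on an intercept port.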
Squid and data caching
Another equally important feature of Squid is that every response the server receives from the Internet on behalf of a user is stored, that is, cached. When a repeated request for the same object arrives, the server serves it from the saved copy instead of the Internet. This significantly reduces response time and minimizes network load. Data stays in the cache until it is evicted by newer, more frequently requested objects or its expiry time passes. So if many people on your local network work with the same resource at the same time, the flow of requests leaving the network is far smaller than the total the users send from their devices, because most of that site's content is already cached.
Using Squid, you can implement two caching modes:
- Normal. As soon as the server is installed it starts caching, which cuts access time to network resources and brings significant savings on traffic charges. But understand that external traffic decreases only if requests from several users go to the same site within a certain period. If the requests of local users hardly overlap, the reduction will be barely noticeable. Caching is also ineffective when a repeated request arrives after the corresponding objects have already been evicted from the cache by new ones. A feature of Squid is that the share of content served from the cache grows as the cache fills. In terms of traffic charges, whoever sends the first request pays for it; once the information is in the cache, requests do not leave the server and are not charged.
- Custom. It is not always advisable to cache all the information from a particular site, even one used quite often. This applies to dynamically generated web pages, large files, audio and video: their lifetime is short and their eviction rate high. Conversely, some pages must be cached, mainly to speed up access. It is enough to make a few settings using the ACL tables together with the cache directive (cache allow / cache deny), which tells Squid which responses to store and which never to store; older versions spelled this directive no_cache. Note that always_direct and never_direct are not caching settings: they decide whether a request goes straight to the origin server or through a neighbouring proxy, as described next.
We would also like to draw attention to the hierarchy of servers. If a requested object is not found in the local Squid cache, the application can automatically ask its "neighbours" (other caches at the same level, called siblings) or the servers next in the chain (parents) before going to the Internet. A neighbour might be another customer's server connected to the same provider, while the provider's own server acts as the upstream parent. The Squid documentation describes in detail the rules for exchanging cache objects and the specifics of building a hierarchy. But only servers that have authorized each other (declared with cache_peer and restricted with icp_access and cache_peer_access rules) should be able to exchange cache contents; that is the only way to avoid attacks and forged responses. When setting connection parameters between servers, it is imperative to restrict access to the main configuration file.
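Cache sizing, selective caching and a small hierarchy in one squid.conf fragment, added as an example and not part of the original page; sizes, paths, peer addresses and domain names are assumed:

```conf
# Cache sizing, selective caching and a two-level hierarchy (added example; sizes, paths, peers assumed)
cache_mem 256 MB                            # hot objects kept in RAM
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/spool/squid 10000 16 256 # 10 GB on disk; budget about 10 MB of RAM per GB for the index
maximum_object_size 200 MB

# "no caching": dynamic pages and big media are stored nowhere
acl dynamic urlpath_regex cgi-bin \?
acl media url_regex -i \.(mp4|mp3|avi|mkv)$
cache deny dynamic
cache deny media
cache allow all

# freshness for static assets that arrive without Expires: at least 1 day, at most 7 days
refresh_pattern -i \.(jpg|png|gif|css|js)$ 1440 50% 10080
refresh_pattern .                          0    20% 4320

# hierarchy: the provider's cache is the parent, a neighbour on the same link is a sibling
cache_peer proxy.isp.example parent 3128 3130 default
cache_peer 192.168.11.2 sibling 3128 3130 proxy-only
icp_port 3130
acl peers src 192.168.11.2 203.0.113.7      # only authorized peers may query our cache
icp_access allow peers
icp_access deny all

# always_direct / never_direct choose the route, not what is cached
acl intranet dstdomain .intranet.example
always_direct allow intranet                # internal sites: never via the provider
never_direct allow all                      # everything else must go through the parent
```

If the provider's cache does not answer ICP, declare it with an ICP port of 0 and the no-query option. Whether an object is cached at all is decided by the cache directive and the origin's headers; refresh_pattern only sets how long an object without explicit expiry is considered fresh.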
Reverse proxying and caching
As already mentioned, Squid can cache and proxy both forward and reverse connections: both outgoing requests and those arriving at internal servers are processed. In reverse mode it hides the real location and structure of the server hardware and significantly reduces the load on it.
There are also two setup options:
- Simple reverse. All traffic goes to one server. Squid itself accepts the external HTTP requests, mostly on port 80. Here you must specify both the name of the internal server and the port to which requests are sent. It is also possible to restrict access to the internal server, which is again done in the ACL tables.
- Multiple. Used when several internal servers must be proxied and all external requests for sites with different domain names must arrive at the Squid entry point. Squid then maps each name to the address of a server in the internal network and sends the request there, using the virtual host mechanism. Understand that multiple reverse proxying has one significant drawback: it happens that unscrupulous administrators of internal sites register them under third-party domains in order to use them as hosting platforms, often for distributing obscene or illegal material. Reverse proxying for such a name is therefore not possible without prior agreement with the Squid administrator, who must explicitly map each domain to an internal server and refuse everything else.
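A multiple reverse-proxy (accelerator) configuration for two internal servers, added as an example and not taken from the page; all addresses, ports and host names are assumed. The simple case is the same with a single cache_peer and without vhost:

```conf
# Reverse proxy for two internal web servers (added example; all addresses and names assumed)
http_port 203.0.113.10:80 accel vhost defaultsite=www.example.com

cache_peer 10.0.0.11 parent 80   0 no-query originserver name=web1
cache_peer 10.0.0.12 parent 8080 0 no-query originserver name=web2

# Host header -> origin server; a name that is not mapped goes nowhere
acl sites_web1 dstdomain www.example.com example.com
acl sites_web2 dstdomain shop.example.com
cache_peer_access web1 allow sites_web1
cache_peer_access web1 deny all
cache_peer_access web2 allow sites_web2
cache_peer_access web2 deny all

http_access allow sites_web1
http_access allow sites_web2
http_access deny all                       # an unmapped Host name is refused, not forwarded
never_direct allow all                     # never fetch from the Internet on behalf of outside clients
```

The final two lines are what stops the accelerator from becoming an open forward proxy: without them a request for a foreign host name would be fetched directly and served under your address.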
Additional features of Squid
We have covered the main features of Squid above. Now let us highlight three more important points:
- Collecting statistics and setting bandwidth limits. Squid comes with an additional utility, the cache manager (cachemgr.cgi), which displays server statistics and load. It is a CGI application that runs under a suitably configured HTTP server; the same pages can be read from the command line with squidclient mgr:info. Squid can also limit bandwidth per user with delay pools, reducing channel load: for example, you can throttle the transfer of large media files and leave most of the bandwidth to higher-priority traffic.
- Security. We have already said that Squid proxies various protocols that require additional control at the level of access rights. Attackers look for anonymizing proxy servers to hide their source address when trying to reach certain data or attack servers. Mistakes in the proxy settings, such as allowing connections from any address or permitting CONNECT to arbitrary ports, turn Squid into an open proxy through which spam can be relayed to port 25 of mail servers; the result is that mail server administrators elsewhere refuse to accept mail from your domain or address.
- DNS query caching. Squid has a built-in DNS client that sits between the application and the external DNS servers and caches their answers. Older versions also test name resolution and Internet reachability at startup; if you do not need this check, it can be switched off.
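Cache manager access, a delay pool and the DNS settings in one added example (not from the page); the admin address, resolver addresses and the password are assumed:

```conf
# Cache manager access, bandwidth limits and DNS (added example; addresses and password assumed)
acl admin_host src 192.168.10.5
http_access allow admin_host manager       # place these before "http_access allow localnet"
http_access deny manager
cachemgr_passwd none info counters         # read-only pages without a password
cachemgr_passwd ChangeMe config shutdown   # sensitive actions require the password

# Delay pool of class 2: an aggregate limit plus a per-client-host limit (bytes/second / bucket size)
acl media_dl url_regex -i \.(mp4|iso|mkv)$
delay_pools 1
delay_class 1 2
delay_parameters 1 4000000/4000000 250000/1000000
delay_access 1 allow media_dl              # only large media is throttled
delay_access 1 deny all

# Internal resolvers and how long their answers are cached
dns_nameservers 192.168.10.2 192.168.10.3
positive_dns_ttl 6 hours
negative_dns_ttl 1 minutes
```

Read the statistics with `squidclient -h 192.168.10.1 mgr:info` from the admin host. Delay pools are available only when Squid was built with --enable-delay-pools, which distribution packages normally are.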
As you can see, Squid is a capable, simple and easy-to-use solution for local networks. Still, for the most stable operation it is best to route its upstream traffic through reliable servers, and the best solution in this situation would be mobile proxies from the MobileProxy.Space service. Follow the link https://mobileproxy.space/en/user.html?buyproxy to study the functionality, tariffs and operating features in detail; a free two-hour test is available before purchase. The service also offers additional online tools: a connection speed test, a port availability check, an IP-address check, a proxy checker and anticloaking.