Debian 12 Linux proxy Server (Squid, SARG, Apache)
The corporate proxy server is designed to provide access to corporate resources that are blocked from access from the public Internet for security reasons. As a rule, these are internal services and systems of the company with which its employees interact daily. A proxy server can serve as a more convenient alternative than a remote desktop, as employees get access in the usual way without having to switch between virtual desktops. You can set up one browser for a proxy server, such as FireFox or WaterFox for a proxy, and the rest of the browsers will use the standard Internet. This configuration will make the work convenient and safe. |
The apps server configuration is available on the order form.
As a proxy server, we will use the squid service, which has proven itself well and has the ability to fine-tune and convenient settings.
1. Install Squid.
apt update
apt install squid
Check the status of the service
systemctl status squid
● squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-03-25 18:16:48 UTC; 20h ago
By default, all connections are disabled in the squid settings. Let's make changes to the settings:
/etc/squid/squid.conf
include /etc/squid/conf.d/*
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
You can allow access for a specific ip address or subnet. To do this, uncomment the line http_access allow localnet and add the rule
acl localnet src remote_ip_address
The rule contains the following parameters:
- acl - Root access rule.
- localnet - The group to which the rule applies.
- src - IP address included in the rule group.
Set up access.
Since we have a corporate proxy, we need to add login and password authorization for each user. Use the following command to add the users you want to grant access to:
htpasswd -c /etc/squid/passwords user_name
After we check the presence of the user and password in the file with the command:
more /etc/squid/passwords
user_name:$apr1$zEyMac8p$yZ04bfdMJugpXvzMVTig60
Now let's add authorization by users from the created file to the configuration file:
/etc/squid/squid.conf
include /etc/squid/conf.d/*
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# Example rule allowing access from your local networks.
acl localnet src remote_ip_address
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
In this example, we allow access from all ip addresses and only by login and password from the access file. Since the rule #http_access allow localnet is inactive.
Now you need to specify in the browser settings the IP address of this proxy server and the port specified in the default settings: 3128.
In some cases, when corporate resources are running on special ports, it will be necessary to add them to the configuration file, since basic ones are allowed by default. For example, we need to add an additional port that works via https.
/etc/squid/squid.conf
acl SSL_ports port 4643
acl Safe_ports port 4643 # https CRM
After the changes have been made, restart the squid service to apply the settings:
systemctl restart squid
The Debain 12 Linux Enterprise Proxy Server is ready to go, the build also includes the configuration of the services and options listed below: