Squid 3 proxy server
Squid 3 proxy server with SSL interception running on a Raspberry Pi.
This post presents a proxy server for your home (at least) with SSL interception, which makes ad blocking and other custom domain blocking easy for all your devices (PCs, tablets, smartphones).
Blocking ads inside applications running on your smartphone, and effective control of web access (for kids etc.), is probably impossible without a proxy running between you and the web.
In addition to blocking, the central caching functionality brings great improvements in speed when browsing the web.
Last but not least, the proxy's access logs provide useful information and statistics about web access for later analysis.
In this installation the server runs on a Raspberry Pi 2 (Raspbian), consuming almost no power for 24/7 use.
Please note that in order to use the SSL interception functionality you need to build the Squid package with the following configure options:
--enable-ssl --enable-ssl-crtd --disable-arch-native
Build configuration for SSL interception
Confirm that your build was done with the required options by running:
~# squid3 -v
Squid Cache: Version 3.4.8
Debian linux
configure options: {...} '--enable-ssl' '--enable-ssl-crtd' '--disable-arch-native' {...}
You can generate your CA key and certificate with the following commands (the last one concatenates key and certificate into the file the squid.conf below points to; create /etc/squid3/ssl_cert first if it does not exist):
openssl genrsa -out squid.key 2048
openssl req -new -key squid.key -out squid.csr
openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
cat squid.key squid.crt > /etc/squid3/ssl_cert/myCA.pem
Of course, if you use a self-signed CA like this, you have to add it to the trusted CAs of your browsers and devices. Check the Android, iOS etc. documentation on how to do that.
Ad blocking
You can build your ad-domain list with a script like the following (run it from crontab). The URL must be quoted: an unquoted ";" ends the wget command in the shell and the second parameter is silently dropped.
#!/bin/bash
# stop on the first error so a failed download never replaces the current list
set -e
# fetch the ad server list already formatted for a squid dstdom_regex acl
wget -O /tmp/temp_ad_file 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex;showintro=0' >/dev/null
# keep only the regex entries and install them as the ad_sites acl file
grep "(^|" /tmp/temp_ad_file > /etc/squid3/ad_sites.txt
rm -f /tmp/temp_ad_file
service squid3 reload
Squid configuration example (squid.conf)

acl localnet src 192.168.16.0/24 # Internal Network 1
acl localnet src 192.168.25.0/24 # Internal Network 2
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # cloudstack management
acl skatosites dstdom_regex "/etc/squid3/banned_sites.txt"
acl ad_sites dstdom_regex "/etc/squid3/ad_sites.txt"
acl bypass-domains dstdomain images.linuxcontainers.org:8443 # Domains you want to bypass
acl CONNECT method CONNECT
always_direct allow bypass-domains
# deny rules come first: the order of http_access lines matters, the first match wins
http_access deny skatosites !localhost
http_access deny ad_sites !localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
ssl_bump none localhost
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
# the certificate db must be created once before squid starts, e.g.: /usr/lib/squid3/ssl_crtd -c -s /var/spool/squid3_ssldb
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 5
sslproxy_capath /usr/lib/ssl/certs
always_direct allow all
ssl_bump server-first all
# the following two options are unsafe and not always necessary:
#sslproxy_flags DONT_VERIFY_PEER
forward_max_tries 25
cache_mem 192 MB
maximum_object_size_in_memory 8192 KB
maximum_object_size 128000 KB
logformat squid %tl %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
#logformat common %>a %>A [%tl] "%rm %ru HTTP/%rv" %>Hs %<st HTTP/%mt %Ss
logformat common %>a %>A [%tl] "%rm %ru HTTP/%rv" %>Hs %<st HTTP/%mt %Ss
access_log daemon:/var/log/squid3/access.log common
coredump_dir /var/spool/squid3
cache_dir aufs /mnt/a300/squid3cache 12000 14 256
cache_mgr thundercost@benini.com
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_swap_low 95
cache_swap_high 99
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
#refresh patterns for caching static files
# note: refresh_pattern is first-match, so the catch-all "." line above shadows the patterns below; move it to the end if you want them in effect
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
shutdown_lifetime 5
dns_v4_first on
error_default_language el # I am using greek for my error pages
#anonymize squid
via off
visible_hostname example.com
forwarded_for off
log_mime_hdrs on
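The access log is only useful if something reads it. As an added example (not code from the original post), here is a small Python parser for the "common" logformat defined in the squid.conf above; it counts ad/banned requests denied by the ACLs and bytes served per host. The sample log lines and the example.* domains are constructed for the demonstration; the %tl timestamp contains a space, so the line is matched with a regex rather than split on whitespace.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the custom "common" logformat from the squid.conf above:
#   %>a %>A [%tl] "%rm %ru HTTP/%rv" %>Hs %<st HTTP/%mt %Ss
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<fqdn>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>\S+)" '
    r'(?P<status>\d+) (?P<bytes>\d+) HTTP/(?P<mime>\S+) (?P<sqstat>\S+)$'
)

# Constructed sample lines in that format (placeholder domains, not real traffic).
SAMPLE_LOG = """\
192.168.16.10 - [26/Oct/2015:10:15:32 +0200] "GET http://ads.example.net/banner.js HTTP/1.1" 403 3416 HTTP/text/html TCP_DENIED
192.168.16.10 - [26/Oct/2015:10:15:33 +0200] "GET https://www.example.com/ HTTP/1.1" 200 12874 HTTP/text/html TCP_MISS
192.168.25.7 - [26/Oct/2015:10:16:01 +0200] "CONNECT www.example.com:443 HTTP/1.1" 200 0 HTTP/- TCP_TUNNEL
192.168.25.7 - [26/Oct/2015:10:16:05 +0200] "GET https://www.example.com/logo.png HTTP/1.1" 200 4210 HTTP/image/png TCP_HIT
this line is deliberately malformed
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # CONNECT logs host:port, while plain and ssl-bumped requests log a full URL
    if rec["method"] == "CONNECT":
        rec["host"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec

def summarize(lines):
    """Count ACL denials per host, bytes served per host, and unparsable lines."""
    stats = {"denied": Counter(), "bytes": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        if rec["sqstat"].startswith("TCP_DENIED"):
            stats["denied"][rec["host"]] += 1
        else:
            stats["bytes"][rec["host"]] += rec["bytes"]
    return stats

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against /var/log/squid3/access.log to see which hosts the ad_sites and skatosites ACLs are actually blocking and which hosts dominate your traffic.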
- Posted by Kostas Koutsogiannopoulos · Oct. 26, 2015