A caching proxy server (in this case: http://www.squid-cache.org/) can be used to reduce bandwidth and as the proxy will cache frequently-requested pages, can also help to improve response times. My use-case is a bit different as I need a way to test mobile devices to connect to the web-server running in Azure, but the web-server has access rules based on IP-whitelisting. And the problem with the mobile devices used, there is no fixed IP-address associated with mobile devices. But if I force the mobile devices to use the proxy server, I can use the Proxy Servers IP-address for the whitelisting.
The Steps needed
The following steps are need to get the Squid Porxy server running on Ubuntu 18.04 LTS in Azure.
- Setup a Azure VM running Ubuntu
- Install and configure squid proxy server
- Add the Azure Ubuntu VM IP-address to the whitelisting rules of the web-server running in Azure
- Setup your mobile devices to use the Squid Proxy Server
The first 3 steps I will explain, step four I leave to the reader and test this in your on environment.
install the Azure VM
Open your Azure portal and first setup a Resource group which will “hold” the Ubuntu VM. This is not really needed to install and run the Ubuntu VM, but it is just good practice. So in the portal home-page, open the menu and select Resource groups.
Resource Group creation
The Resource groups menu will open. Select Create
In most cases you can leave Subscription and Region to the default provided. But feel free to choose the options you/need want.
I added a new, for me logical, Resource group name; WE-proxy-TST_RG. When you are happy with the name you created, click the “Review + create” button. You will be presented a Validation screen, click the “Create” button to finalize the creations process.
When all went well you should see your Recourse group listed in the Resource groups overview.
Azure VM creation
Now we move on to preparing the Ubuntu VM to run our squid Proxy Server. Open the portal-menu on the left of the browser window and select Virtual machines.
This will give you the Virtual machines page, which in my case already has an VM created.
Click Add and select Virtual Machine. You are presented the “Create a virtual machine” page. There are many options and tabs, but in our case we keep it as simple as possible. make sure you change the Size to something which is good enough for you. In this case for some simple testing, just select; Standard_B1s – 1 vcpu, 1 GiB memory (€7,39/month)
Select the resource group you have previously created, give your Virtaul machine a clear name, select you image type (For this blog you need Ubuntu Server 18.04 LTS – Gen 1). Create a username and you are done. Click “review + create”. A validation screen is presented, this will include the PRODUCT DETAILS. Review and if you agree click the “Create” button.
A pop-up will ask for creating a new key pair. Select “Download private key and create resource” Azure will now build and deploy your new VM. After a few seconds this should be ready and present the following screen.
Click the “Go to resource” button for an overview of your newly created Ubuntu Virtual Machine on Azure.
Accessing your AZURE Virtual Machine
We now have deployed our Virtual Machine with Ubuntu in the Cloud. And we need to be able to access the Virtual Machine, we will be using an ssh-connection and need an ssh-client. Setting up an ssh-client like putty on Windows is pretty easy. Just download and install putty, as we will be using key authentication we need convert the private key-file ( *.pem ), we downloaded from Azure during the Virtual Machine creation, in a Putty Private Key File ( *.ppk ). Open the Putty Key Generator (PuTTYgen), which you can find in the Windows start menu. Load an existing private key file, click the “Load” button.
Make sure to change File-extension selection to “All Files (*.*)”.
The final step is to save the generated key. Click the “Save private key” to a secure location. For example; C:\Users\your-name\.ssh If you want you can add a passphrase to protect it.
Final step is to configure Putty. Provide the public IP address of the Virtual Machine, type a logical name in the “Saved Sessions” field. Now open the Connection / SSH / Auth tab in the Putty Category listing and add the path to the private-key-file.
To save this, go back to the Session tab in the Putty Category and click the “Save” button. When click the “Open” button. And you should now be presented a putty screen with a login prompt. Login with the account you set during the Virtual Machine creation. If all went well you should end up in Ubuntu.
Install the Squid Proxy Server
Run the following command’s to install squid.
sudo apt-get update sudo apt-get install squid apache2-utils
We need to install apache2-utils as without it we will not have the htpasswd executable available on our Ubuntu VM. And a final check all went well. Check the processes and check the status of the systemctl setup.
Configure the Squid Proxy Server
The squid configuration files can be found in /etc/squid/.. In a fresh install it will only have two files; squid.conf and errorpage.css. First thing to do is to add a file forbidden_domains and add a list of domains to prevent the proxy to be used as the default connection to the open internet. Again not really needed for this simple test configuration, but nice to have it as it shows how you can block access from the proxy to some domain.
Next step is to setup the users allowed to use the proxy, for that we did install the apache2-utils which comes with the htpasswd executable. Run the following command to add the the passwd file in the /etc/squid/.. directory.
sudo htpasswd -c /etc/squid/squid_passwd [user-name]
Set the password as requested and if needed you can add more users using the same command, just omit the -c option. (The -c is only needed when you create the passwd file.) The final step is to do some configuration in the squid.conf file. This is a rather large and complex file and I have no intention to explain all the details. But the minimum you should add is the following.
For user authentication add the following after the line: auth_param basic program
## Extra config << auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd auth_param basic children 5 startup=5 idle=1 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours ## Extra config >>
For adding extra ACL’s based on user source-IP add the following after the lines: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
## Extra config << acl [user1] src xxx.xxx.xxx.xxx acl [user2] src xxx.xxx.xxx.xxx acl [user3] src xxx.xxx.xxx.xxx .. .. acl passwdaccess proxy_auth REQUIRED acl forbidden dstdomain "/etc/squid/forbidden_domains" acl business_hours time M T W H F 7:00-20:00 ## Extra config >>
And finally add the rules to allow access from your clients. Add the following after the line: #http_access allow localhost.
## Extra config << http_access allow [user1] !forbidden business_hours http_access allow [user2] !forbidden business_hours http_access allow [user3] !forbidden business_hours .. .. http_access allow passwdaccess ## Extra config >>
And that is it. Well almost. On Azure there is one thing left to do. We need to allow inbound and outbound traffic for the Ubuntu Virtual Machine. Go back to the Azure portal and open your Virtual Machine and select Settings -> Networking.
Add the inbound port for the squid proxy server default port is 3128. (Which you can also change in the squid.conf, search for http_port 3128. But for this test the default is fine.)
Add the inbound ports for the squid proxy server, which are the target ports on the webserver. http (80) and https (443).
Now you are ready to test, setup your mobile devices to use the proxy. As this might be different per device I leave that to the reader.
2 thoughts on “Deploy a simple Squid Proxy Server on Azure”
This guide is not correct . acl [user1] src xxx.xxx.xxx.xxx is not valid setting
This is an example, you need to replace the xxx.xxx.xxx.xxx by the source IP-address of the specific user. Your should also add something like “http access deny [user1]” There are many option, so make sure you read the documentation for all the details. This guide never had the intention to be a complete guide, it is just a simple guide to get started with Squid.