Configuring Squid on Debian as both a transparent (intercepting) proxy and an ordinary, explicitly configured proxy, allowing users to reach only whitelisted domains and IP addresses
The instructions were tested with Debian 12 and Squid 5.9
install the build dependencies (apt build-dep needs `deb-src` entries enabled in the APT sources)
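# build-dep reads the source package's Build-Depends, so deb-src lines must be
# enabled in /etc/apt/sources.list(.d) and the index refreshed first
apt update
apt build-dep squid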
download and unpack the source code
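cd /root || exit 1
# Fetch over HTTPS and check the release signature before building anything:
# a tarball pulled over plain HTTP with no verification is a supply-chain risk.
# gpg --verify needs the Squid release-signing public key imported beforehand.
curl -fsSLO https://www.squid-cache.org/Versions/v5/squid-5.9.tar.gz
curl -fsSLO https://www.squid-cache.org/Versions/v5/squid-5.9.tar.gz.asc
gpg --verify squid-5.9.tar.gz.asc squid-5.9.tar.gz || exit 1
tar -xf squid-5.9.tar.gz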
compile the source code
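cd squid-5.9 || exit 1
# --enable-ssl-crtd      builds security_file_certgen, the certificate helper
#                        used by sslcrtd_program in squid.conf
# --with-openssl         TLS support needed for ssl-bump
# --with-systemd         lets the unit file use Type=notify
# --with-default-user    the unprivileged user Squid drops to (see chown step)
# --enable-removal-policies=lru,heap  "heap LFUDA" is used in squid.conf
./configure --prefix=/opt/squid --enable-ssl-crtd --with-openssl --with-systemd --with-default-user=proxy --enable-removal-policies=lru,heap
# parallel build; falls back to a serial build if nproc is unavailable
make -j"$(nproc 2>/dev/null || echo 1)"
make install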
create a self-signed CA certificate (Squid signs the forged per-site certificates with it, so every client must import bump.crt into its trust store or every bumped site will show a certificate error)
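# This key signs the forged server certificates: whoever holds it can
# impersonate every TLS site to every client that trusts bump.crt.
# -nodes leaves it unencrypted on disk, so restrict it right away.
# -days 365: the CA distributed to clients expires after a year; plan the
# rollover. -subj makes the command non-interactive; adjust the name.
# NOTE(review): OpenSSL 3 (Debian 12) should mark `req -x509` output as a CA
# (basicConstraints CA:TRUE) by default; on older OpenSSL add
# -addext "basicConstraints=critical,CA:TRUE" or clients will reject it.
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/CN=Squid bump CA" \
  -keyout /opt/squid/etc/bump.key -out /opt/squid/etc/bump.crt
chmod 600 /opt/squid/etc/bump.key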
generate DH parameters
# DH parameters referenced by tls-dh= on the https_port line (PEM is the
# default output format, so -outform is not needed)
openssl dhparam -out /opt/squid/etc/dhparam.pem 2048
initialize a DB for certificates
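# on-disk cache for the generated per-site certificates; -p makes the step
# safe to re-run
mkdir -p /opt/squid/var/db
# -M must match the -M given to sslcrtd_program in squid.conf
/opt/squid/libexec/security_file_certgen -c -s /opt/squid/var/db/ssl_db -M 512MB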
create the /opt/squid/etc/whitelist_domains file (this exact path is what the dstdomain and ssl::server_name ACLs in squid.conf read; one entry per line)
# one entry per line; a leading dot matches the domain itself and all subdomains
.microsoft.com
.google.com
create the /opt/squid/etc/whitelist_ips file (this exact path is what the dst ACL in squid.conf reads; one CIDR per line)
# one CIDR per line
# NOTE(review): these look like ranges of a large shared CDN; whitelisting such
# a range admits every site hosted on it, not only the intended ones. Prefer
# domain entries and keep IP ranges as narrow as possible.
104.16.0.0/13
104.24.0.0/14
create the /opt/squid/etc/squid.conf file
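# ---- listening sockets -----------------------------------------------------
# 3128: explicit proxy port for clients configured to use the proxy.
# 80/443 intercept: targets of the firewall redirect rules; intercept ports
# must be separate from the explicit one.
http_port 192.168.100.254:3128
http_port 192.168.100.254:80 intercept
# generate-host-certificates: Squid forges a certificate per site, signed with
# bump.crt/bump.key, cached in memory (dynamic_cert_mem_cache_size) and on
# disk (ssl_db, see sslcrtd_program below).
https_port 192.168.100.254:443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/opt/squid/etc/bump.crt tls-key=/opt/squid/etc/bump.key tls-dh=prime256v1:/opt/squid/etc/dhparam.pem

# ---- identity / housekeeping -----------------------------------------------
append_domain .domain.lan
# contact address shown on error pages; replace with a real mailbox
cache_mgr webmaster@domain.lan
# do not leak the Squid version in headers and error pages
httpd_suppress_version_string on
visible_hostname proxy.domain.lan
coredump_dir /opt/squid/var/spool

# ---- memory-only cache (no cache_dir is defined) ---------------------------
cache_mem 2048 MB
maximum_object_size_in_memory 50 MB
memory_replacement_policy heap LFUDA
maximum_object_size 50 MB
cache_replacement_policy heap LFUDA
refresh_pattern . 0 20% 4320
# 0 = Squid never rotates its own logs; leave that to logrotate
logfile_rotate 0
sleep_after_fork 100000
netdb_filename none

# ---- ACL definitions -------------------------------------------------------
# NOTE(review): subnet derived from the listening address above; adjust it to
# the real client network.
acl localnet src 192.168.100.0/24
# explicit proxy and decrypted requests: match the request URL host
acl whitelist_domains_exp dstdomain "/opt/squid/etc/whitelist_domains"
# intercepted TLS: match the SNI seen while peeking, before any decryption
acl whitelist_domains_trans ssl::server_name "/opt/squid/etc/whitelist_domains"
acl whitelist_ips dst "/opt/squid/etc/whitelist_ips"
acl step1 at_step SslBump1
acl ssl_connections connections_encrypted

# ---- TLS interception ------------------------------------------------------
# -M must match the size the ssl_db was initialised with
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/db/ssl_db -M 512MB
# peek at the ClientHello first (that is where the SNI comes from), then
# decrypt only whitelisted names/addresses and drop everything else
ssl_bump peek step1 all
ssl_bump bump whitelist_domains_trans
ssl_bump bump whitelist_ips
ssl_bump terminate all

# ---- access control (first match wins) -------------------------------------
# Squid's own fetches of missing intermediate certificates have no client
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
# only the local network may use the proxy at all
http_access deny !localnet
http_access allow whitelist_domains_exp
http_access allow whitelist_ips
# NOTE(review): this admits every request carried inside an already-bumped
# connection without re-checking the whitelists, so it is only as strong as the
# SNI check in ssl_bump above. If the whitelist ACLs alone let the decrypted
# traffic through in your tests, remove this line.
http_access allow ssl_connections
http_access deny all

# the original line named no ACL; Squid ignores access lines without one,
# so spell out "all" to make the intent explicit
http_reply_access allow all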
change ownership of files and folders
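# Least privilege: the proxy user only needs to WRITE under var/ (logs, pid,
# coredumps, the ssl_db certificate cache). Binaries, helpers and squid.conf
# stay root-owned so a compromised worker cannot rewrite them.
chown -R root:root /opt/squid
chown -R proxy:proxy /opt/squid/var
# The bump CA key is the most sensitive file here. Squid opens its listening
# certificates after dropping to the proxy user, so the key must be readable by
# the proxy group, but nothing else: root-owned, group proxy, mode 640.
chown root:proxy /opt/squid/etc/bump.key
chmod 640 /opt/squid/etc/bump.key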
create the unit file as /etc/systemd/system/squid.service (the directory for locally added units; /usr/lib/systemd/system is reserved for package-provided ones)
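[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
# After= only orders; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network.target network-online.target nss-lookup.target

[Service]
# Type=notify works because Squid was built --with-systemd
Type=notify
PIDFile=/opt/squid/var/run/squid.pid
# -z creates any missing cache/swap directories before the real start
ExecStartPre=/opt/squid/sbin/squid --foreground -z
# -s log to syslog, -Y ICP hits-only during reload, -C do not catch fatal
# signals (so crashes are visible to systemd)
ExecStart=/opt/squid/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all
# modest sandboxing: Squid only needs to write under /opt/squid/var
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target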
start the service
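# pick up the new unit file, then syntax-check the configuration (catches
# typos and missing ACL files such as the whitelist lists) before starting
systemctl daemon-reload
/opt/squid/sbin/squid -k parse || exit 1
# enable at boot and start now
systemctl enable --now squid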
configure the firewall (nftables/iptables NAT) to redirect clients' outbound 80/TCP and 443/TCP to Squid's intercept ports 80 and 443 respectively; exclude traffic originating from the proxy host itself, otherwise Squid's own upstream connections would be redirected back into it