Squid is a proxy service for HTTP and other requests. This article covers installing it and configuring it to run on Ubuntu as a transparent proxy. This documentation includes configuring Web Proxy Auto-Discovery (WPAD) via DHCP and DNS.
I run a heterogeneous configuration. This provided a number of challenges as various implementations of WPAD were encountered. Each seems to require something different. The final configuration works for Ubuntu, Windows XP, and Windows Vista. Both Internet Explorer and Firefox configured correctly.
Installation and Setup
Squid is a proxy server that can be run transparently. It is already packaged for Ubuntu and can be installed with any package manager. The command sudo aptitude install squid will install Squid and its dependencies. The supplied default squid.conf file has a lot of comments. If you want to work with a configuration file without these comments, use these commands as root after installation.
cd /etc/squid
cp squid.conf squid.conf.orig
grep -v '^#' squid.conf.orig > squid.conf
echo USER=proxy >> /etc/default/squid
chmod 640 /etc/squid/squid.conf
chgrp proxy /etc/squid/squid.conf
The default configuration file limits transparent access to the localhost and does not configure a cache. It does define a localnet source acl which includes all the private (RFC 1918) IP address ranges. This simplifies configuration. Enabling access from the local network consists of adding the line http_access allow localnet just after the line http_access allow localhost.
Enabling disk caching requires a cache directory. Edit the following section for your site and add it to the end of squid.conf. This will configure Squid to use a 100 MB cache located in the /var/cache hierarchy.
# Cache configuration
cache_dir ufs /var/cache/squid 100 16 256
cache_mgr you@example.com
cache_effective_user proxy
visible_hostname yourhost.example.com
Create the cache and start Squid using the following commands.
sudo mkdir /var/cache/squid
sudo chown proxy /var/cache/squid
sudo -u proxy squid -z
sudo start squid
Configuring firewalls for Squid
The following section outlines rules for Shorewall, which is my firewall of choice. It should be fairly easy to translate the rules to another firewall. These rules assume the Squid proxy is in the DMZ and the client proxy configuration does not use Squid for connections on the LAN (loc). Reload the firewalls after their configuration is changed.
Configure the Squid server's own firewall to accept proxy requests and to allow it to reach the desired Internet ports. I limit it to Web and FTP services. WebX is a macro that allows extra Web ports and streaming media. You may want to explicitly enable them in your configuration or create your own macro.
REJECT:info   net   $FW   tcp   3128
ACCEPT        all   $FW   tcp   3128
Web/ACCEPT    $FW   net
WebX/ACCEPT   $FW   net
FTP/ACCEPT    $FW   net
Configure internal servers to allow access to our Squid server. The parameter $SQUID contains the address of the squid server. Consider dropping existing rules permitting access to services that now use Squid. It may be best to prepare the changes, but defer them until Squid is fully implemented.
ACCEPT $FW dmz:$SQUID tcp 3128 # squid
Configure the firewall to permit access to the Squid proxy, and allow it to access the desired Internet services. Any services permitted on the Squid server's firewall should be repeated here with the source address adjusted accordingly. Replace the $FW parameter with an appropriate definition for the squid proxy (dmz:$SQUID). These rules include an explicit block for the Internet (net), and allow access from a separate WiFi (wifi) zone.
DROP:info     net    dmz:$SQUID   tcp   3128
ACCEPT        loc    dmz:$SQUID   tcp   3128
ACCEPT        wifi   dmz:$SQUID   tcp   3128
Web/ACCEPT    dmz:$SQUID   net
WebX/ACCEPT   dmz:$SQUID   net
FTP/ACCEPT    dmz:$SQUID   net
Web Proxy Auto-Discovery
Most modern browsers will configure their proxies on startup from a PAC (Proxy Auto-Config) file. Some browsers can get this information from DHCP. However, using WPAD (Web Proxy Auto-Discovery) via DNS entries works with more browsers. This uses a file called wpad.dat served from a wpad host somewhere up the DNS hierarchy.
For this documentation, I am using example values. The squid server's address is 192.0.2.10 and the file wpad.dat is served for example.com. The same host also runs the Apache server that serves the configuration. If you copy these examples, please adjust them for your network.
Creating a wpad.dat file
The PAC file wpad.dat is a simple JavaScript file supplying the function FindProxyForURL(url, host). It returns one or more proxy entries separated by semicolons, which the browser tries in order. This sample script will use direct access for sites on the private address ranges and use the squid proxy at 192.0.2.10 for other sites. HTTPS requests are not proxied, but other protocols are. FindProxyForURL.com has additional information and examples.
// proxy configuration script for wpad
function FindProxyForURL(url, host) {
  // If IP address is internal or hostname resolves to internal IP, send direct.
  var resolved_ip = dnsResolve(host);
  if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.0.0.0"))   // loopback is a /8
    return "DIRECT";
  // Bypass proxy for https:
  if (shExpMatch(url, "https://*"))
    return "DIRECT";
  // Default: use a proxy.
  return "PROXY 192.0.2.10:3128";
}
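To check what a PAC file like this will actually decide before handing it to every browser on the network, it helps to run it offline. The following harness is an added example, not code from the article: it reimplements the three helper functions a browser supplies (dnsResolve, isInNet, shExpMatch) over a constructed DNS table (the hostnames and addresses in DNS_TABLE are assumptions) and runs the article's FindProxyForURL logic against sample requests, including a host that does not resolve.

```javascript
// Added example, not from the original article: an offline harness that
// reimplements the PAC helpers a browser supplies (dnsResolve, isInNet,
// shExpMatch) so the wpad.dat logic above can be exercised before deployment.
// DNS_TABLE is constructed sample data; its hostnames and addresses are assumptions.
const DNS_TABLE = {
  "intranet.example.com": "10.1.2.3",
  "printer.example.com": "192.168.5.20",
  "www.example.org": "198.51.100.7",
  "localhost": "127.0.0.1",
};

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // IP literal
  return DNS_TABLE[host] || null;                         // null: unresolvable
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function isInNet(ip, net, mask) {
  if (!ip) return false; // an unresolved host never matches a network
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Shell-style glob match: * and ? are wildcards, everything else is literal.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// The article's wpad.dat logic, with the proxy at 192.0.2.10 as in the article.
function FindProxyForURL(url, host) {
  const resolved_ip = dnsResolve(host);
  if (isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (shExpMatch(url, "https://*")) return "DIRECT";
  return "PROXY 192.0.2.10:3128";
}

// Route a list of [url, host] pairs and return the decision for each.
function routeAll(requests) {
  return requests.map(([url, host]) => FindProxyForURL(url, host));
}
```

Note that a hostname which fails to resolve is sent to the proxy rather than direct, so the proxy's own DNS and access rules are what protect you in that case.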
Configuring Apache
Place the wpad.dat file in the root of the host or virtual host that will be serving it. Ensure this file is served when requested from wpad, wpad.example.com, and 192.0.2.10. It should be served with the MIME type application/x-ns-proxy-autoconfig. For Apache, place the following line in your configuration. I placed the MIME type definition in the directory specification for the virtual host's root directory. However, you may want to place it with the rest of the MIME type definitions.
AddType application/x-ns-proxy-autoconfig .dat
If you are redirecting all traffic to the canonical host, you may want to exempt wpad.dat from this rewrite. Otherwise, all autoconfiguration requests will be redirected. This is done by adding the following RewriteCond line just before your RewriteRule.
RewriteCond %{REQUEST_FILENAME} !^/wpad.dat$
Configuring DNS
Browsers using WPAD to locate their proxy will search up the domain hierarchy. As a result the host frodo.gandalf.middle.earth.example.com should try wpad.gandalf.middle.earth.example.com, wpad.middle.earth.example.com, wpad.earth.example.com, and wpad.example.com when searching for a wpad.dat file. It will use the first file it finds. Unfortunately, if frodo does not know its domain, it won't find its configuration. Some clients don't walk the domain hierarchy and will require an entry for their own domain. If you only have one squid cache, you likely want to serve the file as wpad.example.com. If you are using DNSMasq, add the following line to your /etc/hosts file.
192.0.2.10 wpad.example.com
The equivalent entry for bind, in the example.com zone file, is:
wpad    IN    A    192.0.2.10
After making the change, reload the configuration. DNSMasq will reread /etc/hosts after being sent a HUP signal. The rndc command can be used to cause bind to reload its configuration.
Configuring DHCP
DHCP option 252 is used to send the URL of the proxy configuration file. This is most useful for Microsoft tools on Microsoft platforms. It only works for hosts that receive their IP address via DHCP. Fortunately, DNS also works for Microsoft clients. Although DHCP allows you to use any server and file name you choose, it is best to use the same URL that is used by DNS. If you are using DNSMasq to provide DHCP, add the following to your dnsmasq.conf file.
dhcp-option=252,http://wpad.example.com/wpad.dat
Configuring Clients
Most clients should work out of the box. The default configurations usually specify proxy auto-discovery. These clients will start to use the proxy after their next reboot or restart.
Clients that have auto-discovery turned off will need to have their configuration adjusted. The preferred option is to turn on auto-discovery. Some tools will offer two options: Auto-detect proxy settings for this network; and Use system proxy settings. If one does not work you may have to try the other.
Using a system proxy setting may give more consistent results between tools. As long as your DHCP and DNS configurations point to the same configuration file, there should be no difference whichever you choose. However, if the system does not do proxy auto-discovery, you will not get any access to the proxy.
Manual configuration is usually possible. This can be either direct specification of the proxy, or specification of the URL for the PAC file (wpad.dat). This should be a last resort, as it may break if you change your setup, or the computer is mobile.
Problems Encountered
During my setup I encountered the following problems.
- My default Apache virtual domain is not the one I originally used for WPAD. As a result each wpad hostname needed to be added as a ServerAlias. I moved wpad.dat to the default virtual host, and added a Files section to restrict access to the local network.
- Firefox on Ubuntu does not walk the domain tree, so I needed to specify a wpad hostname in DNS for each sub-domain.
- Firefox on Windows XP specified the hostname as wpad in the HTTP request. This required the virtual host to have a ServerAlias for wpad.
- Ubuntu does not appear to do auto-discovery for the system proxy settings. It appears the URL needs to be specified manually. However, Firefox will auto-discover using WPAD on all of the domains that the host belongs to.
- Firefox on Vista appears not to get the system proxy configurations. It does autodetect settings correctly.
- Vista continues to look for wpad.dat from the old URL long after it has moved.
- Redirecting hostnames to the canonical name caused redirects on all wpad.dat accesses. The workaround has been documented.