Squid 3 authenticating proxy chaining

My school uses an NTLM-authenticating proxy server, and this causes problems with lots of applications which don't support proxy servers. Many, many solutions have been proposed to this problem, but I'll focus on one that I find particularly appealing: setting up a non-authenticating personal proxy server which forwards requests to the main proxy server.

Update: use the new version of this config file - it works better.

Here's why this solution is optimal, or at least better than other currently-available solutions. Consider one method of forcing programs to use the proxy (under Linux), which is setting the http_proxy and ftp_proxy environment variables. Programs that support proxy servers and that support proxy authentication (because my school uses an authenticating proxy), notably apt-get, wget, and lynx, will use those environment variables to connect through the proxy server. Programs that don't, or those that don't read the environment variables (biggest offenders: most GNOME programs), won't.

The biggest problem with this method is its inconsistency - it's impossible to know necessarily which programs work, and which programs support proxy authentication; and in addition, one needs to re-enter one's proxy settings in the environment variables (bashrc, probably), in the GNOME settings, and probably individually for some programs too. On top of that, many GNOME programs don't (or didn't) support proxy authentication... finally, it is impossible in the environment variable to specify which connections (like those to the local network) should be direct, and which should be through the proxy.

Consider a slightly better method, which is proxychains. In order to use proxychains, one must type commands like so:

# Instead of writing
sudo apt-get install ubuntu-desktop
# One must write
sudo proxychains apt-get install ubuntu-desktop

Okay, so that's not too bad, if a little bit inconvenient. The good thing about this method is that proxychains can "proxify" programs that don't support proxy servers natively. The proxy authentication username and password are also stored in one place only: the proxychains configuration file. The only two problems with this method? 1. Typing proxychains before every command, and 2. The inability of proxychains (at least the most recent version) to make some connections direct (i.e. those on the local network) and some to go through the proxy, just like the previous method.

Fine, so those methods aren't ideal. What makes the Squid 3 method better? Well, on the surface it solves most, if not all, the problems that the previous methods had. It doesn't require authentication (that is handled transparently by the personal proxy) and authentication information is stored in one place only (the squid.conf). This alone makes many programs work much better. You can cache far more personalized web data (the school's proxy serving hundreds of students probably won't cache data that you, personally frequently use), and saving proxy information in many different places is okay, because if your username and password change, you don't need to change it in all those different places. Finally, one can still use proxychains to proxify misbehaving programs, because Squid can be configured to connect to some addresses directly instead of proxying through the parent proxy. Its biggest problem is that running Squid more or less requires Linux.

Okay, enough banter. Let's learn how to do this thing. I'm using Ubuntu 8.04 server (on a virtual machine), so these instructions may or may not be Ubuntu-specific. Here's my config file:

cache_effective_user proxy # Ubuntu-specific?
cache_effective_group proxy # Ubuntu-specific?

http_port 3128
http_access allow all

cache_peer prx1 parent 3128 3190 no-query login=username:pass
cache_peer prx2 parent 3128 3190 no-query login=username:pass
cache_peer_access prx1 allow all
cache_peer_access prx2 allow all

hierarchy_stoplist cgi-bin ?

cache_mem 64 MB # How much memory Squid uses for cache.
                # Make lower if you have less memory
maximum_object_size_in_memory 64 KB # Make lower if you have less memory

cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid3 6000 16 256
maximum_object_size 16384 KB

access_log /var/log/squid3/access.log squid

shutdown_lifetime 1 second

acl local-servers dst
never_direct deny local-servers
never_direct allow all

There are two "parent" proxies in this file which this personal proxy can access. Obviously, replace username and password with your own authentication information. Also, don't forget to change cache_effective_user and cache_effective_group to your liking or your distro. Change the cache_replacement_policy to fit your caching needs, and finally, make sure to edit the acl local-servers to specify which servers you do not want to proxy.

After doing this, you should be able to restart Squid and have everything working! Next up: transparent proxying with iptables.


comments powered by Disqus