
How to edit the Access denied page in Squid? How to insert custom pictures and mail?

The custom Access denied page can only be shown if the user connects via HTTP. For HTTPS connections (which are currently the vast majority), it is impossible to change the displayed page (that is, display the configured Access denied page) due to the very nature of HTTPS, which is precisely designed to ensure that the transmitted data cannot be modified.

That is, you can edit the Access denied page in Squid, but it will only show up on the few occasions when an HTTP connection is made.

For HTTPS connections, a standard web browser page will be displayed with a message like “The proxy server is refusing connections”.

In other words, the custom Access denied page in Squid is used quite rarely, and configuring it can be regarded as largely outdated functionality.

Squid has page templates with various messages, including denied access, in various languages. For example: /usr/share/squid/errors/en/ERR_ACCESS_DENIED (“ERROR: The requested URL could not be retrieved”).

You can edit this page like a regular HTML file.

This page uses substitution codes that Squid expands in the template, for example:

  • %U
  • %c
  • %w
  • %W

The meaning of these codes, as well as many other codes, can be found on the following page: https://wiki.squid-cache.org/Features/CustomErrors

How to set Squid cache manager e-mail?

If you only want to specify the e-mail address of the Squid cache manager, then you do not need to edit the template files. You can use the following directives:

  • cache_mgr – the e-mail address of the local cache manager, who will receive mail if the cache dies. The default is “webmaster”.
  • email_err_data – if enabled, information about the error that occurred is included in the mailto links of the ERR pages (if %W is set), so that the e-mail body contains the data. The syntax is <A HREF="mailto:%w%W">%w</A>. It is enabled by default, so no further configuration is required.

See also the complete guide: How to create and configure a Squid proxy server

How to configure Squid proxy to work with multiple users

For example, the task is to set up Squid for several users, each of whom receives an IP address (the same for all) and a port number (individual for each user) as proxy settings. Users also have an individual username and password. The server has several external IP (in this case, IPv6) addresses, and you need to make sure that each user goes out through an individual IP address.

Let's say at the input we have, and at the output 2a02:f680:1:1100::3d60.

And at the input and at the output 2a02:f680:1:1100::3d61.


We start by filling in user credentials (see also “How to configure HTTP Digest Authentication in Squid”):

sudo htpasswd -c /etc/squid/passwd test1
sudo htpasswd /etc/squid/passwd test2

In the following config file, you need to:

  • replace the usernames with names of your choice
  • indicate the desired ports
  • indicate the desired IPv6 or IPv4 addresses, both for listening and as outgoing addresses
  • duplicate the corresponding entries (port, IP address) for each username

Content of my /etc/squid/squid.conf file:

# Authentication settings
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic realm Squid proxy for HackWare.ru
# Listening ports
# For each port, create an acl with the localport type
acl portA localport 1000
acl portB localport 1001
# Link ports and IP addresses
tcp_outgoing_address 2a02:f680:1:1100::3d60 portA
tcp_outgoing_address 2a02:f680:1:1100::3d61 portB

# For each user, create an acl with the proxy_auth type
acl test1_user proxy_auth test1
acl test2_user proxy_auth test2

# Allow two acl bindings to access:
# user test1 and port 1000
# user test2 and port 1001
http_access allow test1_user portA
http_access allow test2_user portB


How to configure HTTP Digest Authentication in Squid

Basic authentication is bad because the password is actually transmitted in plain text (encoded in Base64). See the article “How to hack HTTP Basic and Digest Authentication” for details.

Therefore, it is preferable to use Digest authentication on the Squid proxy server.

Let's start by creating a file with a password hash; this is done with a command like:

sudo htdigest -c /etc/squid/passwd_digest REALM USER

REALM is the name of the protection space (the realm) the credentials apply to. Any string can be used as the REALM, but remember that this same string will subsequently be shown in the username and password prompt.

An example of a command that creates a file with a password hash for the mial user:

sudo htdigest -c /etc/squid/passwd_digest 'Squid proxy for HackWare.ru' mial

Example configuration file for HTTP Digest authentication in Squid:

http_port 4080
via off
cache deny all

auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd_digest
auth_param digest children 5
auth_param digest credentialsttl 2 hours
auth_param digest casesensitive on
auth_param digest realm Squid proxy for HackWare.ru
acl auth_users proxy_auth REQUIRED

http_access allow auth_users
http_access deny all

Pay attention to the line “auth_param digest realm Squid proxy for HackWare.ru”: in it, replace “Squid proxy for HackWare.ru” with the same string that you specified in the htdigest command.

For an explanation of the directives, see the section “Configuring HTTP Basic Authentication in Squid” above.

Note that not only has the helper program (digest_file_auth) been changed, but also the -c option is used after it, followed by the path to the file with the user's password hash. All other directives are similar to HTTP Basic authentication, except that the word “basic” is replaced with the word “digest”.
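To show what the two helpers actually rely on, here is an added Python example (not Squid's or Apache's code). It decodes a Basic credential to show why the text calls it plain text, writes a line in the format htdigest produces (user:realm:MD5(user:realm:password)), and verifies a Digest response using only that stored hash, which is all a helper such as digest_file_auth has; the realm and the user mial come from the text, while the password, header value and nonce are constructed.

```python
"""Added example (not Squid's or Apache's code): why Basic leaks the password and how
the htdigest file lets the proxy verify a Digest response without ever seeing the password.
Realm and user name follow the text; header value, password and nonces are constructed."""
import base64
import hashlib
import hmac
import secrets

REALM = "Squid proxy for HackWare.ru"   # must equal the 'auth_param digest realm' line

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def credentials_from_basic(header_value: str):
    """Basic auth: anyone who sees the header recovers user and password with a base64 decode."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line in the format htdigest writes: user:realm:HA1, HA1 = MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def lookup_ha1(passwd_file_text: str, user: str, realm: str):
    for line in passwd_file_text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0] == user and parts[1] == realm:
            return parts[2]
    return None

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_digest(user, password, realm, method, uri, nonce):
    """What the browser sends back to a 407 challenge: only a hash derived from the password."""
    nc, cnonce = "00000001", secrets.token_hex(8)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri, "nc": nc,
            "cnonce": cnonce, "qop": "auth",
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}

def verify_digest(passwd_file_text: str, method: str, auth: dict) -> bool:
    """Proxy side: the stored HA1 is enough to recompute and compare the response.
    A real server additionally checks that the nonce is one it recently issued."""
    ha1 = lookup_ha1(passwd_file_text, auth["username"], auth["realm"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])

if __name__ == "__main__":
    print(credentials_from_basic("Basic dGVzdDE6c2VjcmV0"))   # ('test1', 'secret')
    passwd = htdigest_line("mial", REALM, "correct horse")      # constructed password
    auth = client_digest("mial", "correct horse", REALM, "GET", "http://example.test/", "n0nce")
    print(verify_digest(passwd, "GET", auth))                   # True
```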

See also the Squid setup guide: How to create and configure a Squid proxy server

Configuring Squid Proxy with Multiple IP Addresses

Suppose the server has several IP addresses – on the same interface or on different ones – it doesn't matter.

Objective: make Squid use different external IP addresses depending on which port of the proxy server is being accessed.

My test server has 5 IP addresses: 1 IPv4 address and 4 IPv6 addresses:

  • 2a02:f680:1:1100::3d5f
  • 2a02:f680:1:1100::3d60
  • 2a02:f680:1:1100::3d61
  • 2a02:f680:1:1100::3d62


To solve this problem, the contents of the /etc/squid/squid.conf file are as follows:

# The proxy server will only use local utilities, so only access from localhost is allowed.
# If you want to connect to the proxy server from outside, then add the corresponding IPs to the allowed ones,
# or configure password authentication.
http_access allow localhost
http_access deny all

# Ports 24000-24004 are chosen for connecting to the proxy server; the following lines enable listening on these ports.
# Note that the proxy server does not listen on external IP addresses: in addition to the port, the localhost IP address is specified.

# For each port, create an acl with the localport type
acl portA localport 24000
acl portB localport 24001
acl portC localport 24002
acl portD localport 24003
acl portE localport 24004

# Map ports and IP addresses
tcp_outgoing_address 2a02:f680:1:1100::3d5f portA
tcp_outgoing_address 2a02:f680:1:1100::3d60 portB
tcp_outgoing_address 2a02:f680:1:1100::3d61 portC
tcp_outgoing_address 2a02:f680:1:1100::3d62 portD
tcp_outgoing_address portE

# We don't need a cache
cache deny all

When accessing the page https://w-e-b.site/ip/, the IP address of the client who made the request is shown. Let's check:

curl https://w-e-b.site/ip/

The result is:


Let's remember this.

Now let's request the specified page through the proxy server ports from 24000 to 24003:

curl --proxy localhost:24000 https://w-e-b.site/ip/
curl --proxy localhost:24001 https://w-e-b.site/ip/
curl --proxy localhost:24002 https://w-e-b.site/ip/
curl --proxy localhost:24003 https://w-e-b.site/ip/

As you can see, each time a different IPv6 address is displayed – in accordance with which one is bound to a specific port of the proxy server.

What IP address do you think the following command will print?

curl --proxy localhost:24004 https://w-e-b.site/ip/

Let me remind you that IPv4 is bound to port 24004. If your answer is “”, then you are wrong.

Let's check:

curl --proxy localhost:24004 https://w-e-b.site/ip/

The output, 2a02:f680:1:1100::3d6, is the same default IPv6 address.

The reason is that the binding does not actually happen to the IP address as such, but to the network interface on which this IP is configured. Incidentally, this is also why you can bind by MAC address. At the same time, Squid behaves as follows: if it is technically possible (both the local server and the remote host have IPv6 addresses), IPv6 is used by default.

The site w-e-b.site has both IPv4 and IPv6 addresses. Squid performs DNS lookups for A and AAAA records, and if the remote host has an IPv6 address, that one is used. To connect over IPv6, the server must also use IPv6, so one of the available IPv6 addresses is selected rather than the IPv4 address that is actually bound to the port.

Would it be possible to use an IPv4 connection when the port is bound to IPv4, even if IPv6 is available? Technically nothing prevents it, but the Squid authors did not provide such an option. There is, however, a way to force IPv4, though it is less convenient.

Related: How to configure Squid to use IPv4


How to configure Squid to use IPv4

Because the IPv6 Internet is as fast or faster than the IPv4 Internet for most networks, Squid prefers to connect to websites over IPv6.

The “dns_v4_first on” option changes the order of preference so that Squid will first bind to dual-stack websites over IPv4. Squid will still do both IPv6 and IPv4 DNS queries before connecting.

WARNING: This parameter limits the situations in which IPv6 connectivity is used (and tested). This hides network problems that would otherwise have been detected and warned about.

So, to switch to IPv4, add the following option to the config file:

dns_v4_first on

Now the request on port 24004 will print the IPv4 address:

curl --proxy localhost:24004 https://w-e-b.site/ip/

But the fact is that requests to ports 24000-24003 will also display IPv4 addresses, since the remote host uses both of them, and IPv4 is now selected by default.

That is, in essence, this option is a switch between IPv4 and IPv6. This is not very convenient and a little illogical. Keep it in mind, because when using different IP addresses on the same proxy server you can easily get confused about which one is actually in use.

Starting with version 5 of Squid, the dns_v4_first option will be removed. Instead of obeying the dns_v4_first setting, the IP family is now largely controlled by the DNS response time: if the AAAA DNS response comes first while Squid is waiting for IP addresses, then Squid will use the first received IPv6 addresses. For previously cached IP addresses, Squid tries IPv6 addresses first. To manage the family of IP addresses used by Squid, administrators must use firewalls, recursive DNS resolver configuration, and/or --disable-ipv6. When planning configuration changes, keep in mind that the upcoming improvements to Happy Eyeballs will facilitate faster TCP connections while reducing the impact of DNS resolution times.

The fifth version implements the “Happy Eyeballs” algorithm, which uses the received IP as soon as it is needed. Firewall rules that deny IPv6 TCP connections remain the preferred configuration method for “disconnecting” IPv6 connections, with a recursive DNS resolver configuration.


How Squid ACL works

Squid ACL Basics

Let's now dwell on how exactly ACLs work.

The Squid web proxy access control scheme consists of two different components:

  • ACL entries are directive strings that begin with the word “acl” and represent the types of tests that are performed on any request transaction.
  • Access list rules consist of an allow or deny action followed by a series of ACL entries and are used to specify which action or restriction should be applied to a given request. They are checked in order, and the list search stops as soon as one of the rules matches. If a rule has multiple ACL entries, it is implemented as a logical AND operation (all ACL entries of the rule must be met for the rule to be considered a match).

Acl syntax:



acl localnet src
acl Safe_ports port 80
acl accesses_to_google dstdomain .google.com
acl accesses_to_search_engines dstdomain .yahoo.com .google.com .vivisimo.com
acl accesses_from_marketing_department src
acl need_to_authenticate proxy_auth

You can also use definition lists, which are stored in files on your hard drive. Let's say you have a list of search engine URLs that you want to allow:

cat /etc/squid/search-engines-urls.txt:

Then the ACL for this file will look like this:

acl accessess_to_search_engines dstdomain "/etc/squid/search-engines-urls.txt"

The quotes are needed here to tell Squid to look for definitions in this file.

In addition to the already mentioned types src, port, dstdomain, proxy_auth, there are dozens of other types, for example:

  • localip
  • localport
  • proto
  • method
  • url_regex
  • arp
  • browser
  • http_status
  • req_header
  • rep_mime_type
  • time
  • referer_regex

For a complete list, see the squid documentation.

By themselves, acl elements do not change the behavior of the proxy server in any way; they are only lists for further use in access list rules. As the documentation puts it somewhat quirkily, these tests themselves do nothing: for example, the word “Sunday” corresponds to a day of the week, but does not say what day of the week you are reading this.

Using ACL: http_access

If you have only written down ACLs, nothing is actually blocked yet: these are just definitions. ACLs can be used in various places in your squid.conf. The most useful directive they can be paired with is http_access. It works much like a firewall handles rules: for every request Squid receives, it goes through all http_access statements in order until it finds a matching rule, and then either accepts or rejects the request according to that rule. The rules following the one that matched are ignored.

The general syntax for http_access is as follows:

http_access (allow|deny) acl1 acl2 acl3 ...


http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny all
http_access allow auth_users
http_access allow all

The next set will allow admin access (no matter what this ACL looks like; the src ACL probably points to the subnet on which the administrator workstations are located). For everyone else, it will deny access to porn urls. The third rule will allow everyone to access the websites at lunchtime (except for porn sites). And finally, in all other cases, there will be a ban on connecting to the Internet.

http_access allow accesses_from_admins
http_access deny accesses_to_porn_urls
http_access allow accesses_during_lunchtime
http_access deny all

That is, administrators have access to all sites (even porn) at any time, while other users have access to the network only during lunchtime.

Combining ACLs (AND/OR)

You often need to combine ACLs. Let's say you want to allow only back office access to google.com. To do this, you need to combine two ACLs using a logical AND. It would look like this:

http_access allow accesses_to_google.com accesses_from_back_office

If you want to use OR and say that either access from back office or access to google.com is allowed, the rule would look like this:

http_access allow accesses_to_google.com
http_access allow accesses_from_back_office

To summarize: for AND, you need to place conditions on one line. OR requires separate lines.

The following set of rules is wrong and will never match, because a single request cannot come from two different source addresses at once, so the AND of the two ACLs can never be satisfied:

acl ME src
acl YOU src
http_access allow ME YOU

To allow access through a proxy to IP addresses and, the rule must be written as follows:

acl ME src
acl YOU src
http_access allow ME
http_access allow YOU

Other access list rules

Besides http_access, there are a couple of dozen other types, for example:

  • http_reply_access
  • icp_access
  • miss_access
  • cache
  • url_rewrite_access

Full list in the documentation: http://www.squid-cache.org/Doc/config/

Default http_access rule

If there are no lines with “http_access” in the entire configuration file, the request is rejected by default.

If none of the “http_access” lines match, the default is the opposite of the last line in the list. If the last line was deny, the default is allow. Conversely, if the last line is allow, deny will be applied by default. Tricky, right? For these reasons, it is recommended that you have a “deny all” entry at the end of your access lists to avoid possible confusion. That is, after all the rules, just add the line:

http_access deny all

So, back to our combination of rules “blocking sites + authorization on a proxy server”, why is the following set incorrect?

http_port 4080
via off

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic realm Squid proxy for HackWare.ru
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl"
http_access deny bad_urls

The fact is that first the rule that requires authorization on the server is triggered, namely “http_access allow auth_users”. All subsequent http_access directives are simply skipped, so sites are not blocked.

http_access usage mistakes

Consider the following example:

http_port 4080
via off

# Site blocking here
acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl"
http_access deny bad_urls

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic realm Squid proxy for HackWare.ru
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

The site-blocking directive moved up is the first to fire. Moreover, this happens even before authorization on the proxy.

Another variant:

http_port 4080
via off

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
auth_param basic realm Squid proxy for HackWare.ru
acl auth_users proxy_auth REQUIRED

acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl"

http_access allow auth_users !bad_urls

In this case, the rule matches only if two conditions are met: the user is authenticated and the site is not in the blocked list. An exclamation point means logical NOT. The last option is the best: it is logically clearer, and it performs any action (blocking the site) only after the user has entered the proxy login and password.
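The first-match evaluation, the AND on one line versus OR across lines, and the “opposite of the last line” default described in this and the preceding sections can be checked with the small evaluator below. It is an added Python example, not Squid code: it models only the ACL types used above (proxy_auth, dstdomain, localport), and the three configurations at the bottom mirror the three squid.conf variants just shown, with .blocked.example as a constructed domain.

```python
"""Toy evaluator for Squid http_access semantics (added example, not Squid's code):
first-match evaluation, AND between ACLs on one line, "!" negation, and the
fall-through default (opposite of the last rule; deny when there are no rules)."""
from dataclasses import dataclass
from typing import Optional

# A proxy_auth ACL cannot match a request without credentials; real Squid then
# answers 407 and asks the client to authenticate.  Reported here as "challenge".
CHALLENGE, ALLOW, DENY = "challenge", "allow", "deny"

@dataclass
class Request:
    host: str                   # destination domain, e.g. "www.example.test"
    localport: int = 3128       # proxy port the client connected to
    user: Optional[str] = None  # authenticated user; None = no credentials sent

def parse(conf: str):
    """Return (acls, rules) from squid.conf-style text; other directives are ignored."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            # Several acl lines with the same name are OR-ed together by Squid.
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def dstdomain_matches(patterns, host):
    host = host.lower().rstrip(".")
    for p in (p.lower() for p in patterns):
        if p.startswith("."):                 # ".google.com" covers the domain and all subdomains
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:                       # "google.com" matches that exact host only
            return True
    return False

def acl_matches(acls, name, req):
    """True/False for the ACL, or CHALLENGE for proxy_auth without credentials."""
    for kind, values in acls[name]:
        if kind == "proxy_auth":
            if req.user is None:
                return CHALLENGE
            if values == ["REQUIRED"] or req.user in values:
                return True
        elif kind == "dstdomain" and dstdomain_matches(values, req.host):
            return True
        elif kind == "localport" and str(req.localport) in values:
            return True
    return False

def http_access(conf: str, req: Request) -> str:
    acls, rules = parse(conf)
    if not rules:
        return DENY                            # no http_access lines at all: deny
    for action, terms in rules:
        for term in terms:                     # every ACL on the line must match (AND)
            negate = term.startswith("!")
            result = acl_matches(acls, term.lstrip("!"), req)
            if result == CHALLENGE:
                return CHALLENGE
            if result == negate:               # plain ACL that failed, or negated ACL that matched
                break
        else:
            return action                      # first matching line wins; the rest are ignored
    # No line matched: the default is the opposite of the last line's action.
    return DENY if rules[-1][0] == ALLOW else ALLOW

# Constructed configs mirroring the text: auth-then-block (wrong), block-then-auth, combined.
AUTH = "acl auth_users proxy_auth REQUIRED\n"
BLOCKED = "acl bad_urls dstdomain .blocked.example\n"
WRONG = AUTH + "http_access allow auth_users\n" + BLOCKED + "http_access deny bad_urls\n"
BLOCK_FIRST = BLOCKED + "http_access deny bad_urls\n" + AUTH + "http_access allow auth_users\n"
COMBINED = AUTH + BLOCKED + "http_access allow auth_users !bad_urls\n"

if __name__ == "__main__":
    blocked = Request("www.blocked.example", user="test1")
    print("WRONG:", http_access(WRONG, blocked))              # allow - auth rule matched first
    print("BLOCK_FIRST:", http_access(BLOCK_FIRST, blocked))  # deny
    print("COMBINED:", http_access(COMBINED, blocked))        # deny via the default rule
```

The last case also shows why the text recommends a closing “http_access deny all”: the combined variant only blocks because the default happens to be the opposite of its final allow line.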


Error “Authentication helper program /usr/lib64/squid/basic_ncsa_auth: (2) No such file or directory” (SOLVED)

Squid is a popular web proxy server. It has rich functionality and, in addition to changing the IP address, it is often used as a caching proxy for websites, as a result of which the load on the web server is significantly reduced.

When Squid is used as a proxy server to change the IP address or bypass restrictions, system administrators usually configure authentication by login and password. For the various types of authentication, so-called helpers are used: auxiliary utilities, each responsible for one type of authentication. For details, see “Configuring a connection to the Squid proxy server by login and password”.

When configuring basic authentication, an error may occur:

Authentication helper program /usr/lib64/squid/basic_ncsa_auth: (2) No such file or directory

Service status on unsuccessful start due to this error:

Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2021-04-27 08:39:55 UTC; 2h 4min ago
       Docs: man:squid(8)
    Process: 1650317 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=1/FAILURE)
        CPU: 15ms

Apr 27 08:39:55 w-e-b squid[1650317]: 2021/04/27 08:39:55| ERROR: Authentication helper program /usr/lib64/squid/basic_ncsa_auth: (2) No such file or directory
Apr 27 08:39:55 w-e-b squid[1650317]: 2021/04/27 08:39:55| FATAL: Authentication helper program /usr/lib64/squid/basic_ncsa_auth: (2) No such file or directory
Apr 27 08:39:55 w-e-b squid[1650317]: FATAL: Authentication helper program /usr/lib64/squid/basic_ncsa_auth: (2) No such file or directory
Apr 27 08:39:55 w-e-b squid[1650317]: 2021/04/27 08:39:55| Squid Cache (Version 4.13): Terminated abnormally.
Apr 27 08:39:55 w-e-b squid[1650317]: CPU Usage: 0.015 seconds = 0.010 user + 0.005 sys
Apr 27 08:39:55 w-e-b squid[1650317]: Maximum Resident Size: 50560 KB
Apr 27 08:39:55 w-e-b squid[1650317]: Page faults with physical i/o: 42
Apr 27 08:39:55 w-e-b systemd[1]: squid.service: Control process exited, code=exited, status=1/FAILURE
Apr 27 08:39:55 w-e-b systemd[1]: squid.service: Failed with result 'exit-code'.
Apr 27 08:39:55 w-e-b systemd[1]: Failed to start Squid Web Proxy Server.

In this case, you need to check the path to the basic_ncsa_auth.

Instead of the path /usr/lib64/squid/basic_ncsa_auth you should use /usr/lib/squid/basic_ncsa_auth.

Error “Authentication helper program /usr/lib/squid/basic_ncsa_auth: (2) No such file or directory”

The error is similar to the previous one, but instead of the path /usr/lib/squid/basic_ncsa_auth try using /usr/lib64/squid/basic_ncsa_auth.

Please note that the path to the basic_ncsa_auth file may differ slightly on different Linux distributions:

  • /usr/lib64/squid/basic_ncsa_auth (Arch Linux, CentOS)
  • /usr/lib/squid/basic_ncsa_auth (Debian, Linux Mint, Ubuntu, Kali Linux)

On some systems the file is located in both directories (Arch Linux).

You can check where exactly the file is located on your system:

ls -l /usr/lib64/squid/basic_ncsa_auth
ls -l /usr/lib/squid/basic_ncsa_auth


How to install Squid proxy on Windows

Squid is a high performance caching proxy for web clients supporting FTP, gopher, ICAP, ICP, HTCP and HTTP data objects. Squid reduces network bandwidth, data transfer and improves response times by caching and reusing frequently requested web pages. Squid has extensive access control and is a great server accelerator. It runs on most of the available operating systems, including Windows, and is licensed under the GNU GPL.

Squid proxy official website: http://www.squid-cache.org

Squid can be compiled and run on Windows as a system service using the Cygwin emulation environment, or it can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.

Known Limitations

Squid features that don't work on Windows:

  • DISKD: still needs to be ported
  • Transparent proxy: missing non-commercial intercept driver for Windows
  • WCCP: these features have not been ported. Without transparent proxy support, this is not necessary.
  • SMP support: Windows equivalent of UDS sockets is not implemented
  • Certain sections of code can make blocking calls.
  • Some external helpers may not work.
  • The number of file descriptors is strictly limited to 2048 when building with MinGW.
  • Squid-3.x of all official releases has serious build problems.

Squid prebuilt binaries for Windows

This is the easiest way to get Squid on Windows: open source project https://github.com/diladele/squid-windows provides Windows MSI installer files for Squid Proxy Server. It makes it possible to install Squid in just a few clicks. The current build is based on the latest Squid 4.14 build for Cygwin under Windows 64 bit.

To download the installer, go to the website: https://squid.diladele.com/ and click the link “MSI installer for SQUID FOR WINDOWS”.

Run the downloaded file with a double click and follow the prompts of the installer.

Immediately after the installer completes, an icon will appear next to the clock to control the Squid service:

When you click on it, the following options will be available:

  • Open Squid Configuration
  • Open Squid Folder
  • Start Squid Service
  • Stop Squid Service
  • About
  • Exit

The path to the configuration file in Windows: C:\Squid\etc\squid\squid.conf. Keep this in mind, as all subsequent sections will show the setup using a Linux example.

For the changes made in the configuration file to take effect, you need to restart the Squid service, to do this, stop and start it again.

The Squid service will automatically start when the computer is turned on, and for the icon to appear in the tray for managing Squid, you need to run the file C:\Squid\bin\Diladele.Squid.Tray.exe.

In the config file you can see paths like this: “/cygdrive/d/squid/cache”. To understand them, see How to access disks in Cygwin. In this case /cygdrive/d/squid/cache is D:\squid\cache.

There will also be paths like this: /var/cache/squid – these are all directories inside the C:\Squid folder. That is, for example, /var/cache/squid is actually C:\Squid\var\cache\squid\.

To check if the Squid service is actually listening on a port to connect, you can do the following:

1. Press Win+x and select “Windows PowerShell (admin)” in the menu that opens.

2. Run the following command (it uses cmd.exe “for /f” syntax, so in the PowerShell window first type cmd to switch to the command prompt):

for /f "tokens=1,2,3,4,5*" %i in ('netstat -aon ^| findstr ":3128" ^| findstr /i listening') do echo %j %l & @tasklist | findstr %m

You will verify that Squid is indeed listening on port 3128.

Remember that if you are using a firewall, then you need to open the port that the proxy service is listening on, if you have not changed it, then by default it is 3128.

The following steps are shown using Linux as an example, since Squid is much more common on Linux than on Windows. However, Windows users can use the same information to configure Squid on Windows, keeping in mind the following nuances:

1. When the command to open a file is given, you must open your configuration file, the path to which is given just above.

2. When it is said that you need to restart the service and a command is given for this, instead open the helper in the tray and stop, then start, the service there.

If you are an advanced user, you can manage the service from the command line (open with administrator rights):

net stop squidsrv
net start squidsrv

See also: How to manage services on Windows

To control the autostart of a service, see the article “How to disable autostart of programs and services in Windows”.

3. Most likely (I did not check) you will not be able to configure authorization by login and password on the proxy server, since many (or all) helpers do not work in Windows.

4. In the configuration file, the paths to the files in Linux and Windows may be the same, since Cygwin emulates the Linux working environment, but double-check.
