Squid Proxy - Configuring as an External Proxy?
  • I am setting up a Squid proxy server on Fedora 29 (via Vultr). The goal is to allow access only from a certain range of IP addresses (our corporate office WAN IP range).

    My first question involves the ACLs. In the squid.conf file, it has numerous default ACL entries for "localnet". As this is not going to be used locally, I want to make sure that I don't have to somehow specify/designate another type of source for external/public ranges somewhere else. Also, if I comment out all the internal network lines for private IPs, will it cause any issues?

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
    acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
    acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
    acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
    acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
    acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
    acl localnet src fc00::/7               # RFC 4193 local private network range
    acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
  • Without reading more about this, I would guess you add your office WAN IP (acl localnet src 1.2.3.4/30), save and restart squid. Add a firewall rule to allow access to 3128.

  • Updating this thread. I ended up setting up the squid.conf file with the following config to get it to work.

    First, at the top of the localnet lines:

    acl localnet src 205.205.205.1/32       # office WAN address; /32 = this single host

    Then, I added the only domains that I wanted to provide access to. This whitelisted them.

    acl GOOD dstdomain .google.com          # leading dot: the domain and all its subdomains
    acl GOOD dstdomain .domain.ca           # same ACL name, so both lines extend GOOD


    Followed by the allow and deny lines:

    http_access allow GOOD                  # first matching line wins
    http_access deny all                    # everything else is refused


    Finally, "uncommenting" the Safe ports/services for 80 and 443.
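An added example, not from the thread: a small Python model of how Squid evaluates http_access lines (first line whose ACLs all match wins, ACLs on one line are ANDed, and no match yields the opposite of the last line), run over two constructed orderings of the thread's ACL names and values. It shows that a bare "allow GOOD" line never consults the source address, while "allow localnet GOOD" requires both the office source and a whitelisted domain.

```python
import ipaddress

def parse_conf(text):
    # Keep only 'acl NAME src|dstdomain ...' and 'http_access allow|deny ...' lines.
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip comments and blank lines
        if parts and parts[0] == "acl":
            name, acltype, args = parts[1].lower(), parts[2], parts[3:]
            acls.setdefault(name, (acltype, []))[1].extend(args)
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], [a.lower() for a in parts[2:]]))
    return acls, rules

def _domain_match(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):          # leading dot: the domain and all subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(acls, token, src, dst):
    negate, name = token.startswith("!"), token.lstrip("!")
    if name == "all":                    # Squid's built-in catch-all ACL
        return not negate
    acltype, args = acls[name]           # ACL names are case-insensitive in Squid
    if acltype == "src":                 # CIDR form only in this model
        ip = ipaddress.ip_address(src)
        hit = any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    else:                                # dstdomain
        hit = any(_domain_match(dst, a) for a in args)
    return hit != negate

def decide(acls, rules, src, dst):
    # First http_access line whose ACLs *all* match wins (ACLs on one line are ANDed).
    last = "deny"
    for action, names in rules:
        last = action
        if all(acl_matches(acls, n, src, dst) for n in names):
            return action
    return "deny" if last == "allow" else "allow"   # no match: opposite of last line

# Constructed fragments (not the thread's file) using its ACL names and values.
# Variant A: 'allow GOOD' on its own line, so the source is never checked for those domains.
CONF_A = """acl localnet src 205.205.205.1/32
acl GOOD dstdomain .google.com
acl GOOD dstdomain .domain.ca
http_access allow GOOD
http_access allow localnet
http_access deny all"""
# Variant B: office source AND whitelisted domain on one line.
CONF_B = CONF_A.replace("http_access allow GOOD\nhttp_access allow localnet",
                        "http_access allow localnet GOOD")
```

Run decide() with the office address and an outside address against both variants to see which requests each ordering lets through.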