Proxy server
A proxy server acts as a gateway to external networks for instances without a public IP address. When a proxy server is used as a single internet access point, traffic can be controlled efficiently, which enhances security and protects back-end servers from intrusions and attacks.
There are different ways to provide an instance with internet access: through a floating IP, a virtual IP or a proxy server. The latter has the advantage of being the most consistent and secure method, and the only solution in situations where a floating IP cannot be used.
In this scenario, there is a compute instance with a floating IP assigned, called the proxy server, and another instance without any floating IP, but connected to the same network, called the remote server. The port on the remote server can be a parent port of a trunk, for example.
Install Squid
Squid is an open source proxy server with caching capabilities. On the proxy server machine, install Squid with
sudo apt update
sudo apt install squid
Two additional utilities are useful for testing a modified configuration: netstat (in the APT package net-tools) and squidclient:
sudo apt install net-tools squidclient
The proxy server starts automatically after installation, which can be verified with
sudo systemctl status squid
To set the Squid service to start automatically whenever the server starts, do
sudo systemctl enable squid
Configure proxy
Squid uses access control lists (ACL) to filter the source IP addresses and ports from which requests will be allowed. The order of the acl declarations matters. Together with the http_access rules and the http_port directives, they define the basic access control.
Access control lists
The Squid configuration file /etc/squid/squid.conf is a long text file, but only a few declarations are needed for a basic proxy server. By default, Squid denies all external requests, and trusted hosts have to be explicitly declared as allowed.
Make a copy of the file before editing with
sudo cp /etc/squid/squid.conf{,.bak}
The acl directive is used to define IP ranges (such as localnet) from which requests are accepted, and the ports allowed for outgoing connections (Figure 1):
Safe_ports - the ports to which Squid is allowed to establish a connection. For example, to configure the proxy so that clients can only make requests on ports 21 (FTP), 80 (HTTP) and 443 (HTTPS), only these three declarations should remain in the configuration file, together with
http_access deny !Safe_ports
to block traffic on other ports.
SSL_ports - by default this is port 443 only, but other ports can be declared as SSL ports as well. Together with the CONNECT ACL, the directive prevents misuse of SSL on safe ports which do not need it.
The http_access rule sets the policy (allow/deny) on an ACL. When the local IP range is covered by the acl definitions, the rule
http_access allow localnet
needs to be uncommented to allow requests.
The http_port directive defines the port (and optionally, the source IP) the proxy should listen on. The default is port 3128, given in the directive
http_port 3128
Squid can be instructed to listen on multiple ports by adding http_port lines. The directive can also be used to specify the IP addresses Squid should listen on. When the proxy has an external and a local interface, it should probably only accept requests from the local network. Squid can be restricted to listen only on a private IP address (the address of the remote server) by placing it in front of the port number, for example
http_port 192.168.0.100:3128
Alternatively, a list of allowed IP addresses can be put in a separate file, say /etc/squid/allowed_ips.txt, with the following structure (one address per line; comments start with #):
192.168.0.100
# All other allowed IPs
The ACL directive to use this file is
acl allowed_ips src "/etc/squid/allowed_ips.txt"
Custom access controls (such as http_access allow allowed_ips) should usually be placed between the port declarations and the final deny all:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
...
http_access allow allowed_ips
...
http_access deny all
Warning: do NOT add port 25 to Safe_ports, as this can be a severe security risk.
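The following script is an added example (not from this page or the Squid project) of checking the access-control layout just described before a reload. It writes a constructed squid.conf in the same shape as the fragment above, plus a deliberately broken variant, and verifies that port 25 is not in Safe_ports, that "deny all" is the last http_access rule, that every allow rule sits between the CONNECT guard and "deny all", and that every file referenced by an acl src line exists. The address 192.168.0.10 (assumed to be the proxy's private interface), the temporary file paths and the function names are my own.

```shell
#!/bin/sh
# Added example: lint the access-control layout of a squid.conf.
# Not part of Squid; the configuration below is constructed for the demo.
set -eu

DEMO_DIR=$(mktemp -d)
GOOD_CONF=$DEMO_DIR/squid.conf
BAD_CONF=$DEMO_DIR/squid-bad.conf
ALLOWED_FILE=$DEMO_DIR/allowed_ips.txt      # stands in for /etc/squid/allowed_ips.txt

# Constructed allowed-client list: one source IP per line, comments allowed.
printf '192.168.0.100\n# other allowed client IPs, one per line\n' > "$ALLOWED_FILE"

# Constructed configuration in the page's layout. 192.168.0.10 is assumed to be
# the address of the proxy's private interface.
write_sample_conf() {
    cat > "$1" <<EOF
acl SSL_ports port 443
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_ips src "$ALLOWED_FILE"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_ips
http_access deny all
http_port 192.168.0.10:3128
EOF
}

# Constructed misconfiguration: SMTP added to Safe_ports, and the allow rule
# moved after "deny all", where Squid never reaches it.
write_bad_conf() {
    grep -v '^http_access allow allowed_ips' "$GOOD_CONF" > "$1"
    printf 'acl Safe_ports port 25\nhttp_access allow allowed_ips\n' >> "$1"
}

# Configuration lines with trailing comments stripped.
conf_lines() { sed 's/#.*//' "$1"; }

# Port 25 must not appear in Safe_ports (matches the token 25 only, so a
# range such as 1025-65535 is not flagged).
safe_ports_exclude_25() {
    if conf_lines "$1" | grep -E '^[[:space:]]*acl[[:space:]]+Safe_ports[[:space:]]+port[[:space:]]' \
        | grep -Eq '(^|[[:space:]])25([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# The last http_access rule must be exactly "http_access deny all".
deny_all_is_last() {
    last=$(conf_lines "$1" | grep -E '^[[:space:]]*http_access[[:space:]]' | tail -n 1)
    set -- $last
    [ $# -eq 3 ] && [ "$1 $2 $3" = "http_access deny all" ]
}

# Every "http_access allow" must come after the CONNECT/SSL_ports guard and
# before the final "deny all".
allows_in_right_place() {
    conf=$1
    guard=$(conf_lines "$conf" | grep -nE '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+CONNECT[[:space:]]+!SSL_ports' | head -n 1 | cut -d: -f1)
    denyall=$(conf_lines "$conf" | grep -nE '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all([[:space:]]|$)' | tail -n 1 | cut -d: -f1)
    [ -n "$guard" ] && [ -n "$denyall" ] || return 1
    conf_lines "$conf" | grep -nE '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]' | cut -d: -f1 |
    while read -r n; do
        [ "$n" -gt "$guard" ] && [ "$n" -lt "$denyall" ] || exit 1
    done
}

# Every quoted file in an acl line (acl name src "/path") must be readable,
# otherwise Squid refuses to start with the new configuration.
src_files_exist() {
    conf_lines "$1" | sed -n 's/^[[:space:]]*acl[[:space:]][^"]*"\([^"]*\)".*/\1/p' |
    while read -r f; do
        [ -r "$f" ] || exit 1
    done
}

# All checks together: exit status 0 means the layout is sound.
check_squid_conf() {
    safe_ports_exclude_25 "$1" && deny_all_is_last "$1" &&
        allows_in_right_place "$1" && src_files_exist "$1"
}

write_sample_conf "$GOOD_CONF"
write_bad_conf "$BAD_CONF"
for c in "$GOOD_CONF" "$BAD_CONF"; do
    if check_squid_conf "$c"; then echo "OK   $c"; else echo "FAIL $c"; fi
done
```

These checks only cover the ordering and port invariants from this section; Squid's own syntax check is `squid -k parse`, and `sudo squid -k reconfigure` applies a changed file without restarting the service.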
Test configuration
The netstat command is used to display details about network connections and protocol-specific networking statistics. The command
netstat -tnlp
shows listening TCP sockets - specifically the IP addresses and ports that Squid is listening on (Figure 2).
The utility squidclient takes a URL and can be used similarly to curl to test HTTP connectivity, with the option to specify the source IP address and port, to verify the Squid configuration. The switches -h and -p are used to modify the IP address and the port of the incoming request. Figure 3 shows a request from an unauthorized and an authorized IP address.
Security groups and firewall
The proxy server has to have a security group which allows requests from remote servers, that is, TCP from the subnet IP range.
If the uncomplicated firewall (UFW) is enabled on the proxy server, its Squid profile needs to be enabled with
sudo ufw allow 'Squid'
Log files
Squid uses two log files,
/var/log/squid/access.log
/var/log/squid/cache.log
The more informative of the two is access.log, which shows all sites accessed through the proxy. Note that the log files must be accessed as superuser (with sudo).
The access log contains, in addition to the accessed site URLs, a result code indicating how Squid handled a request (Figure 4). See Table 1 for some common result codes.
Squid result code | Description
---|---
MISS | The requested document was not in the cache, but could be fetched from the web server.
REFRESH_MODIFIED | A revalidation request was sent to the server, and a modified (new) object was returned.
REFRESH_UNMODIFIED | A revalidation request was sent to the server, and a 304 status (Not Modified) was returned.
MEM_HIT | The response was delivered from the memory cache.
TUNNEL | A binary tunnel was established for this transaction.
Table 1. Some common Squid result codes in the access log.
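As an added example (not from this page or the Squid project), the script below reads an access.log and summarises it by result code, using the names of Table 1 (the TCP_ prefix that Squid writes in the log is dropped), and lists the client addresses that were refused with TCP_DENIED. A client that is refused repeatedly is either misconfigured or was never meant to use the proxy, so it is worth comparing against the allowed_ips list. The log lines are constructed in Squid's native access.log layout (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy, type) with documentation-range upstream addresses; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise Squid access.log result codes and refused clients.
# The log content is constructed for the demo, not taken from a real proxy.
set -eu

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
1700000000.101    245 192.168.0.100 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000000.310     12 192.168.0.100 TCP_MEM_HIT/200 5123 GET http://example.com/ - HIER_NONE/- text/html
1700000001.004   1532 192.168.0.100 TCP_TUNNEL/200 8830 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10 -
1700000002.220      0 192.168.0.200 TCP_DENIED/403 3890 GET http://example.com/ - HIER_NONE/- text/html
1700000002.450      0 192.168.0.200 TCP_DENIED/403 3890 CONNECT example.com:8443 - HIER_NONE/- -
1700000003.000    300 192.168.0.100 TCP_REFRESH_UNMODIFIED/304 412 GET http://example.com/style.css - HIER_DIRECT/203.0.113.10 text/css
EOF

# Print "CODE count" for every result code in the log. Field 4 is
# RESULT/STATUS; the TCP_ prefix is removed so names match Table 1.
summarize_result_codes() {
    awk '{ split($4, a, "/"); sub(/^TCP_/, "", a[1]); n[a[1]]++ }
         END { for (c in n) print c, n[c] }' "$1" | sort
}

# Number of requests with one result code; the TCP_ prefix is optional
# in the argument, so "MISS" and "TCP_MISS" count the same lines.
count_code() {
    awk -v want="$2" 'BEGIN { sub(/^TCP_/, "", want) }
        { split($4, a, "/"); sub(/^TCP_/, "", a[1]); if (a[1] == want) n++ }
        END { print n + 0 }' "$1"
}

# Client addresses (field 3) refused with TCP_DENIED, with a count each.
denied_sources() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ } END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

echo "Result codes:"
summarize_result_codes "$LOG"
echo "Refused clients:"
denied_sources "$LOG"
```

On a real proxy the same functions run against /var/log/squid/access.log, which, as noted above, needs sudo to read.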
Configure remote server
Utilities on the remote server have to be configured to use the proxy server for external access. Note that this access is protocol-specific, so the ping utility cannot be used to test connectivity in general. HTTP connectivity can easily be tested with curl, which shows the HTML source code (Figure 5).
Access from terminal
Provided that the proxy server is configured to accept requests from the remote server, and its security group and firewall are set accordingly, internet access through the proxy from a terminal console is enabled by setting the environment variable
export http_proxy="http://<proxy-ip>:<proxy-port>"
(when no password authentication is used). Here, <proxy-ip> is the private IP address of the proxy server, and <proxy-port> the port it is listening on (3128 by default).
To make the variables persistent (loaded at every new terminal session), the same lines are added to the .bashrc script, as shown in Figure 6.
For SSL connections (encrypted data) between the remote and the proxy, the variable
export https_proxy="http://<proxy-ip>:<proxy-port>"
is used. This variable is usually not needed: both http_proxy and https_proxy support proxy connections for either HTTP or HTTPS requests, and encryption is in general not required on the local network.
Other services supported by Squid are declared similarly, such as
export ftp_proxy="http://<proxy-ip>:<proxy-port>"
The variable declaring that localhost should not go through the proxy is expressed as
export no_proxy="localhost,127.0.0.1,::1"
Configure APT
Create a file proxy.conf for the APT proxy settings with
sudo nano /etc/apt/apt.conf.d/proxy.conf
and add the line (when no password authentication is used)
Acquire::http::Proxy "http://<proxy-ip>:<port>/";
The alternative format shown in Figure 7 can also be used.
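The script below is an added example (not part of this page) that generates the terminal and APT proxy settings from the two preceding sections for a given proxy address and port. Because the page states that <proxy-ip> is the private address of the proxy server, the script refuses any address that is not a private IPv4 address or any port outside 1-65535, which catches a typo that would otherwise send the remote server's traffic to an arbitrary host. It writes into a temporary directory; the address 192.168.0.10, the output file names and the function names (is_private_ipv4, write_proxy_config) are my own assumptions. Both http_proxy and https_proxy are written so that tools such as curl use the proxy for http:// and https:// URLs alike.

```shell
#!/bin/sh
# Added example: generate proxy settings for a remote server and validate
# the proxy address first. Constructed for the demo; adapt paths before use.
set -eu

# Return 0 if $1 is a syntactically valid IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # digits and dots only, no empty octet
    esac
    case $ip in
        *.*.*.*.*) return 1 ;;              # more than four octets
        *.*.*.*) ;;                         # exactly four
        *) return 1 ;;
    esac
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ "$o" -le 255 ] || return 1
    done
    case $o1 in
        10)  return 0 ;;
        192) [ "$o2" -eq 168 ] && return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Return 0 if $1 is a TCP port number between 1 and 65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Lines for the terminal environment (also suitable for .bashrc): $1 = proxy IP, $2 = port.
proxy_env_lines() {
    printf 'export http_proxy="http://%s:%s"\n' "$1" "$2"
    printf 'export https_proxy="http://%s:%s"\n' "$1" "$2"
    printf 'export ftp_proxy="http://%s:%s"\n' "$1" "$2"
    printf 'export no_proxy="localhost,127.0.0.1,::1"\n'
}

# Lines for /etc/apt/apt.conf.d/proxy.conf: $1 = proxy IP, $2 = port.
apt_proxy_lines() {
    printf 'Acquire::http::Proxy "http://%s:%s/";\n' "$1" "$2"
    printf 'Acquire::https::Proxy "http://%s:%s/";\n' "$1" "$2"
}

# Validate, then write proxy.sh and proxy.conf into $3. Returns 1 without
# writing anything if the address is not private or the port is invalid.
write_proxy_config() {
    addr=$1; port=$2; outdir=$3
    is_private_ipv4 "$addr" || { echo "refusing: $addr is not a private IPv4 address" >&2; return 1; }
    valid_port "$port" || { echo "refusing: invalid port $port" >&2; return 1; }
    proxy_env_lines "$addr" "$port" > "$outdir/proxy.sh"
    apt_proxy_lines "$addr" "$port" > "$outdir/proxy.conf"
}

DEMO_DIR=$(mktemp -d)
# Assumed private address of the proxy server and Squid's default port.
write_proxy_config 192.168.0.10 3128 "$DEMO_DIR"
echo "--- $DEMO_DIR/proxy.sh"; cat "$DEMO_DIR/proxy.sh"
echo "--- $DEMO_DIR/proxy.conf"; cat "$DEMO_DIR/proxy.conf"
```

The generated proxy.sh can be sourced in the current shell or appended to .bashrc, and proxy.conf copied to /etc/apt/apt.conf.d/proxy.conf with sudo; the check only rejects addresses outside the RFC 1918 ranges, so it does not confirm that the given address is actually the proxy.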
Security best practices
It is vital to strengthen the security of the proxy server adequately. For some recommendations, some of which are applicable to HTTP as well, see https://pannet.atlassian.net/wiki/spaces/DocEng/pages/1428914372/Bastion+host#Security-best-practices
Additional resources
See the squid-cache wiki for further details on Squid proxy configuration.