Proxy Servers

A proxy server sits between clients and the internet, forwarding requests on their behalf. In enterprise environments, a forward proxy (Squid) controls outbound internet access from servers — restricting which websites servers can reach, logging all outbound connections, and caching frequently accessed content to reduce bandwidth. This is particularly important for internal servers that need controlled internet access for package updates, API calls, or cloud service connections.

Proxy types and use cases

Type                     Direction            Use case
Forward proxy (Squid)    Client → Internet    Control outbound access from servers/users
Reverse proxy (nginx)    Internet → Servers   Protect backend servers, load balance
Transparent proxy        Intercepting         Force traffic through proxy without client config
SOCKS proxy              Any TCP              Forward any protocol (not just HTTP)

Squid proxy installation

sudo apt update
sudo apt install -y squid

# Main config file:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.backup
sudo nano /etc/squid/squid.conf

/etc/squid/squid.conf — key configuration sections

# Port Squid listens on:
http_port 3128

# Cache size and directory:
cache_dir ufs /var/spool/squid 10000 16 256
# 10000 MB cache, 16 first-level dirs, 256 second-level dirs

# Log format:
access_log /var/log/squid/access.log squid

# DNS servers to use:
dns_nameservers 8.8.8.8 8.8.4.4

# Initialize cache directory:
sudo squid -z

# Start Squid:
sudo systemctl enable --now squid

# Check status and logs:
sudo systemctl status squid
sudo tail -f /var/log/squid/access.log

Access control and filtering

# Squid ACLs control who can access what.
# Add to /etc/squid/squid.conf, above the default "http_access deny all" line:

# Define who can use the proxy:
acl internal_network src 10.0.0.0/24
acl allowed_sites dstdomain .ubuntu.com .canonical.com .amazonaws.com

# Define blocked sites (a file of domains must be given in double quotes):
acl blocked_sites dstdomain .gambling.com .streaming.com "/etc/squid/blocked_sites.txt"

# Allow only specific domains (whitelist mode for servers):
acl allowed_servers src 10.0.0.100 10.0.0.101
acl needed_urls dstdomain .pypi.org .github.com .registry.npmjs.org

# Rules (order matters — first match wins):
# Block first:
http_access deny blocked_sites
# Whitelisted servers: these two rules must come before the internal_network
# rule, because 10.0.0.100 and 10.0.0.101 are inside 10.0.0.0/24:
http_access allow allowed_servers needed_urls
# Block all other URLs for these servers:
http_access deny allowed_servers
# Allow internal network:
http_access allow internal_network
# Deny everything else:
http_access deny all

Client configuration

# Configure Ubuntu clients to use the proxy:

# Set for current session:
export http_proxy="http://10.0.0.5:3128"
export https_proxy="http://10.0.0.5:3128"
export no_proxy="localhost,127.0.0.1,10.0.0.0/24"

# Persist for all users:
sudo nano /etc/environment

/etc/environment — system-wide proxy settings

http_proxy="http://10.0.0.5:3128"
https_proxy="http://10.0.0.5:3128"
no_proxy="localhost,127.0.0.1,10.0.0.0/24"

# Configure apt to use proxy (apt has its own proxy config):
sudo nano /etc/apt/apt.conf.d/01proxy

/etc/apt/apt.conf.d/01proxy

Acquire::http::Proxy "http://10.0.0.5:3128";
Acquire::https::Proxy "http://10.0.0.5:3128";

Conclusion

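The no_proxy variable is critical: always include your internal network ranges and localhost. Without it, applications attempt to proxy connections to other internal servers, which fails because the proxy may not have access to internal routes. Set no_proxy for all internal IP ranges, hostnames, and localhost; support for CIDR notation such as 10.0.0.0/24 varies between client tools, so verify it for the tools you depend on. Squid's access log (/var/log/squid/access.log) is an excellent security tool: it records every outbound HTTP/HTTPS connection your servers make through the proxy, making it easy to detect unexpected external communications. With the configuration shown here, HTTPS requests appear as CONNECT entries with the destination host and port rather than the full URL, and the record is complete only if servers cannot reach the internet except through the proxy.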
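
The access-log review described above, as an added example that is not part of the original article: a Python script that reads lines in Squid's native "squid" log format (the format set on the access_log line) and lists every destination the whitelisted servers contacted outside the needed_urls domains. The allowlist and server addresses come from the ACL example; the sample log lines are constructed and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Allowlist and servers taken from the page's whitelist ACL example.
NEEDED = (".pypi.org", ".github.com", ".registry.npmjs.org")
WATCHED_CLIENTS = {"10.0.0.100", "10.0.0.101"}

# Constructed sample lines in Squid's native "squid" log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    120 10.0.0.100 TCP_TUNNEL/200 5120 CONNECT pypi.org:443 - HIER_DIRECT/192.0.2.10 -
1700000001.202     45 10.0.0.101 TCP_MISS/200 1024 GET http://files.github.com/a.tar.gz - HIER_DIRECT/192.0.2.20 application/gzip
1700000002.303    300 10.0.0.100 TCP_TUNNEL/200 88000 CONNECT updates.example.net:443 - HIER_DIRECT/192.0.2.30 -
1700000003.404      0 10.0.0.101 TCP_DENIED/403 3900 GET http://notgithub.com/x - HIER_NONE/- text/html
1700000004.505     10 10.0.0.7 TCP_MISS/200 700 GET http://archive.ubuntu.com/ - HIER_DIRECT/192.0.2.40 text/html
"""

def dest_host(method, url):
    """Host from the URL field: CONNECT logs host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def in_dstdomain(host, domains):
    """dstdomain-style match: '.pypi.org' covers pypi.org and its subdomains."""
    for d in domains:
        if host == d.lstrip(".") or (d.startswith(".") and host.endswith(d)):
            return True
    return False

def unexpected(log_text, clients=WATCHED_CLIENTS, allowed=NEEDED):
    """Return (client, host, result) for watched clients leaving the allowlist."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[2] not in clients:
            continue  # malformed line, or a client we are not watching
        host = dest_host(f[5], f[6])
        if not in_dstdomain(host, allowed):
            hits.append((f[2], host, f[3].split("/")[0]))
    return hits

if __name__ == "__main__":
    for client, host, result in unexpected(SAMPLE_LOG):
        state = "blocked" if result == "TCP_DENIED" else "ALLOWED, review ACLs"
        print(f"{client} -> {host} [{result}] {state}")
```

An entry reported with a result other than TCP_DENIED means the request went out, which points to an http_access rule matching earlier than the whitelist rules.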

FAQ

Are proxy servers important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
