Setting up a Squid proxy with authentication

Do you know the feeling: you’re traveling out of the country, and suddenly you cannot access some websites? I recently hit this when I traveled to Europe, and some US websites I wanted to access threw me the GDPR block. I had once set up a proxy server to do some geo-timing tests, and decided to set one up again so I could access what I wanted to access.

Setting up Squid on Azure

Squid is an open source proxy and cache that is fairly simple to configure (but has a lot of configuration capabilities). For our simple proxy, we’ll set this one up on an Azure VM in West US 2. Be mindful of the Network Security Group you attach to that VM/subnet: squid by default runs over port 3128, so you’ll need to open that for the solution to work.

We’ll create a simple Ubuntu VM
Don’t forget to create an NSG that will allow port 3128 inbound.

Once we have that, we can connect to our VM, and install squid.

sudo apt-get update && sudo apt-get install squid

With that done, we’ll have to dive into the squid configuration. There’s a lot to squid configuration. The default configuration file located at /etc/squid/squid.conf contains 7980 lines. We won’t be editing 7980 lines for our basic proxy though. What we will be doing is the following:

  • Configure an ACL.
  • Allow access for that ACL.

For this, we’ll be editing the default config file – because this allows basic proxy functionality by default – and we’ll add our configuration to it.

For the first part (configuring the ACL) – look for an ACL section around line 980 in the squid.conf file, and add your own line to it. You don’t have to remove anything:

acl nills-from-internet src 0.0.0.0/0
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
(...)

For the second part, we’ll configure http_access to allow our ACL to use the proxy. Look for the following line around line 1188, and add your own http_access to it.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow nills-from-internet

Next, we’ll restart our squid service:

sudo service squid restart

And then we should be able to connect using our proxy service. Easy peasy.

Let’s add a little bit of security

As I was writing this blog, I started thinking I don’t want to host a public proxy service. I just want to be able to read my web pages without the GDPR block. This can also be done – fairly easily – so why don’t we do this together as well?

First things first, we need to create a password file. We will use the htpasswd utility to create that. To get htpasswd, you need apache2 installed, which we’ll do first:

sudo apt-get install apache2 -y
sudo htpasswd -c /etc/squid/passwd nilfranadmin
#enter and confirm your password now

With that done, we’ll dive into the squid configuration file (remember, /etc/squid/squid.conf) to configure our authentication:

First thing, look for the auth_param section around line 427, and add the following line in there:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd

Afterwards, look for your ACL you created earlier, and then add the following line referencing the authentication:

acl nills-from-internet src 0.0.0.0/0
acl auth_users proxy_auth REQUIRED

And then finally, we’ll change our http_access, around line 1190:

http_access allow auth_users
http_access allow nills-from-internet

And after that’s done, let’s go ahead and restart our squid service, and see if we get an authentication request:

sudo service squid restart

And with that done, all my apps suddenly needed proxy authentication information. Now, in all honesty and transparency, I’m not using SSL – which is not best practice for sending credentials. But as I’m using a fairly useless password, I can live with that to be able to browse the American internet.

Edge asking for proxy information. Preview Edge, Chromium based that is. Just for the record.
Even Teams asked for proxy information.
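
Squid applies the first http_access line that matches a request, so the order and scope of these lines decide who can use the proxy. The following is an added example, not part of the original post: it parses the acl and http_access lines from the steps above and lists allow rules that match any client address without naming a proxy_auth ACL. The function names and the sample text (including the closing "deny all") are constructed for illustration.

```python
import ipaddress

# Constructed sample: the auth, acl and http_access lines from the final
# configuration above, followed by an assumed closing "deny all" rule.
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl nills-from-internet src 0.0.0.0/0
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access allow nills-from-internet
http_access deny all
"""

def parse(conf):
    """Return ({acl name: [(type, values)]}, [(action, acl names)]) in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments
        if len(tokens) >= 3 and tokens[0] == "acl":
            acls.setdefault(tokens[1], []).append((tokens[2], tokens[3:]))
        elif len(tokens) >= 2 and tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))
    return acls, rules

def any_source(name, acls):
    """True if the ACL is the built-in 'all' or a src ACL with a /0 network."""
    if name == "all":
        return True
    for kind, values in acls.get(name, []):
        for value in values if kind == "src" else []:
            try:
                if ipaddress.ip_network(value, strict=False).prefixlen == 0:
                    return True
            except ValueError:          # address ranges and other forms: not /0
                pass
    return False

def open_allow_rules(conf):
    """List allow rules that match every client address and name no proxy_auth ACL."""
    acls, rules = parse(conf)
    findings = []
    for action, names in rules:
        if action == "deny" and names == ["all"]:
            break                       # nothing after an unconditional deny is reached
        if action == "allow" and names and all(any_source(n, acls) for n in names):
            findings.append("http_access allow " + " ".join(names))
    return findings

if __name__ == "__main__":
    for rule in open_allow_rules(SAMPLE_CONF):
        print("open to any source without login:", rule)
```

To check a live proxy, pass the contents of /etc/squid/squid.conf to open_allow_rules() instead of the sample text.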

Summary

If you are ever geo-blocked and need to browse the web quickly – please just go ahead and use a free or paid VPN/proxy solution. They will be a lot easier to set up than what I just did (and probably be cheaper as well). However, if you like playing around and figuring out stuff, please follow along and set up your own Squid proxy server. Have fun!
