Synology usage series 3 – Setup Squid HTTP Proxy Server


Installing squid to DS207+ using ipkg

  1. ipkg install squid
  2. Edit the configuration file /opt/etc/squid/squid.conf:
    - http_port <port number that squid should listen on for incoming proxy connections (default 3129)>
    - visible_hostname <hostname of your ds207p; it can also be the host name from your dynamic DNS service provider, and cannot be empty!>
    - cache_mgr <email address of administrator>
  3. squid -k parse
  4. squid -z
  5. ln -s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/

Setup ACL – the access control of your proxy server

We want to restrict access to our squid proxy server.

To restrict access to the squid proxy to a particular IP and network, add the following lines to squid.conf:


acl my_machine src 192.168.1.10
acl our_networks src 192.168.1.0/255.255.255.0
http_access allow my_machine
http_access allow our_networks
http_access deny all

Access from remote location

However, if your remote location does not have a static IP (say your ISP gives you a dynamic IP), there is not much you can do with IP filtering. You may want to allow access from all networks in such a case:


http_access allow all

That doesn’t sound good, yes. So I suggest using an uncommon port number rather than the default port number. You can also set up password authorization as described below.

Setup password authorization

Luckily, instead of filtering by IP address, we can also set up password authorization to restrict access to our proxy server.

First, we need to create the user/password database for the proxy server. I suggest creating the database here:

/opt/etc/squid/passwd

We use the htpasswd command to generate the password file:

/usr/syno/apache/bin/htpasswd -cm /opt/etc/squid/passwd <username>

The htpasswd utility is pretty common and available on most Linux/Unix-like systems.

You may also generate it using a web-based service such as an online htpasswd generator.

After editing the passwd file, set the file permissions as below:

chmod o+r /opt/etc/squid/passwd

Once the password database is ready, edit the squid.conf again and tell squid to use password authorization.

Append the following configuration directives:


auth_param basic program /opt/libexec/ncsa_auth /opt/etc/squid/passwd
auth_param basic children 5
auth_param basic realm <Your welcome text>
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Also modify the ACL section again:


acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
#http_access allow all

To ensure password authorization for all incoming requests, we probably want to comment out the line below.

#http_access allow all
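
The rule ordering above matters because squid stops at the first http_access line that matches. The following Python check is an added example, not part of the original post or of squid: it walks the http_access lines in order and reports rules that open the proxy to everyone, rules that can never be reached, and ACL names used before they are defined. The function name `audit`, the finding codes and both sample configurations are constructed for illustration, and the ACL `all` is assumed to be already defined.

```python
# Constructed sample configurations (not taken from a real device).
OPEN_CONF = """\
acl ncsa_users proxy_auth REQUIRED
http_access allow all
http_access allow ncsa_users
http_access deny all
"""
AUTH_CONF = """\
auth_param basic program /opt/libexec/ncsa_auth /opt/etc/squid/passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
#http_access allow all
"""

def audit(conf_text):
    """Return (line_no, code) findings for the http_access rules in conf_text."""
    # Assumption: 'all' is already defined (stock squid.conf, built in on Squid 3.x).
    acl_type = {"all": "src"}
    findings, terminal, last = [], False, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                                  # blank line or comment
        if words[0] == "acl" and len(words) >= 3:
            acl_type.setdefault(words[1], words[2])   # remember name -> ACL type
        elif words[0] == "http_access" and len(words) >= 3:
            action, names = words[1], [w.lstrip("!") for w in words[2:]]
            if terminal:                              # first match wins, so a rule
                findings.append((no, "UNREACHABLE"))  # after "... all" never runs
                continue
            last = (no, action)
            if any(n not in acl_type for n in names):
                findings.append((no, "UNDEFINED_ACL"))  # squid refuses to start
            elif words[2:] == ["all"]:
                terminal = True
                if action == "allow":
                    findings.append((no, "OPEN_TO_ALL"))
            elif action == "allow" and not any(
                    acl_type[n] == "proxy_auth" for n in names):
                findings.append((no, "NO_PASSWORD_REQUIRED"))
    # With no catch-all rule, squid applies the opposite of the last rule.
    if not terminal and last and last[1] == "deny":
        findings.append((last[0], "IMPLICIT_ALLOW"))
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("auth", AUTH_CONF)):
        print(name, audit(conf))
```

To check the real file, pass its contents to the function, for example `audit(open("/opt/etc/squid/squid.conf").read())`. An empty list means every allow rule requires a password and the list ends in an explicit catch-all.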

OK, now the configuration is done. Start the proxy from the command line:

/opt/etc/init.d/S80squid restart

You can now set up your browser: simply enter the DDNS domain name of your ds207 and the port number of the squid proxy we defined in the configuration file.

IE setting for Squid Proxy

To allow external access to the squid proxy server, add a new port forwarding rule to your broadband router

Linksys - Port forwarding for Squid with default port 3129

Update: Jan 22, 2010

For firmware 2.2 users, a firewall rule is required for external access to the squid server.

Network Services > Firewall > Click ‘Create’ button

Ports > Check ‘Custom’ radio button > Click ‘Custom’ button

Synology: Adding a new firewall rule with custom port

To add a new custom port:

Ports: Type: Destination Port
Protocol: TCP
Ports: 3129

Synology: Adding new firewall rule for Squid Proxy : Port 3129 : TCP

Source IP: ALL (or any other permitted IP address)

DiskStation: Firewall: Assign 'ALL' for source IP

Action : Access : Allow

DiskStation: Firewall: Allow a firewall rule


Update: Nov 10, 2011

Hiding the proxy hostname

Since squid is running on the NAS, where most of my private files are hosted, I don’t want my NAS host name disclosed while using the squid server. Here are a few config changes to hide some information from the world.

# vi /opt/etc/squid/squid.conf

visible_hostname fake.domain
via off

Refer to the comments for details of these settings.

I don’t think doing this is good practice, though.





13 thoughts


  1. Pingback: Synology DS207+ usage series 4 – Setup Socks 5 Proxy | BLoG of R@y

  2. Pingback: Synology DS207+ usage series 6 – Securing Squid and Socks5 connection using Bitvise Tunnelier | BLoG of R@y

  3. Hi m8, let me give you a thousand thanks!!! What great work you did on your Synology, and thanks for the time you took to share the experience. I have been playing with my ds207+ for 2 years and never found such a great source as your blog. Keep up the good work. I’m tired of trying to install and compile mpd with icecast for streaming music from my NAS. Hope you will fight with this project soon 😉
    Thx

  4. Hi, great work, but I am stupid.

    I get this error:

    Diskstation> /opt/etc/init.d/S80squid restart
    Restarting proxy server: 2010/07/26 12:18:19| ACL name ‘ncsa_users’ not defined!
    FATAL: Bungled squid.conf line 635: http_access allow ncsa_users
    Squid Cache (Version 2.6.STABLE23): Terminated abnormally.
    2010/07/26 12:18:21| ACL name ‘ncsa_users’ not defined!
    FATAL: Bungled squid.conf line 635: http_access allow ncsa_users
    Squid Cache (Version 2.6.STABLE23): Terminated abnormally.
    done.
    Diskstation> acl ncsa_users proxy_auth REQUIRED
    -ash: acl: not found
    Diskstation> http_access allow ncsa_users
    -ash: http_access: not found
    Diskstation> http_access deny all
    -ash: http_access: not found
    Diskstation> #http_access allow all
    Diskstation>

  5. I got it working, thx,

    but I can’t connect.

    With squid -z I don’t get an error.

    Here is my file, maybe someone can help me?
    rapidshare.com/files/409435826/squid.conf.html

  6. I am trying to install squid 3 with squid_ldap_auth to authenticate with my Synology directory server… squid3 on ipkg does not come preconfigured with squid_ldap_auth. Can you help me? Using a Synology ds411+II with DSM 5.x

      • Hi, do you want to try freeradius instead? It’s been working fine here for a couple of years… squid ==> freeradius ==> openldap

        Synology usage series 21 – Install FreeRadius Server and integrate with OpenLDAP Server
        Synology usage series 30 – Integrate Squid with Freeradius
