Installing squid to DS207+ using ipkg
- ipkg install squid
- Edit the configuration /opt/etc/squid/squid.conf
- squid -k parse
- squid -z
- ln -s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/
Settings to change in squid.conf:
- http_port <port number on which squid listens for incoming proxy connections (default 3129)>
- visible_hostname <hostname of your ds207p; it could also be the host name from your dynamic DNS service provider, cannot be empty!>
- cache_mgr <email address of administrator>
Setup ACL – the access control of your proxy server
We want to restrict access to our squid proxy server.
To restrict access to the squid proxy to a particular IP address and network, add the following lines to squid.conf:
acl my_machine src 192.168.1.10
acl our_networks src 192.168.1.0/255.255.255.0
http_access allow my_machine
http_access allow our_networks
http_access deny all
Access from remote location
However, if your remote location does not have a static IP (say your ISP gives you a dynamic IP), there is not much you can do with IP filtering. You may want to allow access from all networks in such a case:
http_access allow all
That doesn’t sound good, and it isn’t. So I suggest using an uncommon port number rather than the default port number. You can also set up password authorization as described below.
Setup password authorization
Luckily, instead of filtering by IP address, we can also set up password authorization to restrict access to our proxy server.
Firstly, we need to create the user/password database for the proxy server. I suggest creating the database here
We use the htpasswd command to generate the password file:
/usr/syno/apache/bin/htpasswd -cm /opt/etc/squid/passwd <username>
The htpasswd utility is common and available on most Linux/Unix-like systems.
You may also generate it using some web-based service like
After editing the passwd file, set the file permission as below:
chmod o+r /opt/etc/squid/passwd
Once the password database is ready, edit squid.conf again and tell squid to use password authorization.
Append the following configuration directives:
auth_param basic program /opt/libexec/ncsa_auth /opt/etc/squid/passwd
auth_param basic children 5
auth_param basic realm <Your welcome text>
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Also modify the ACL section again:
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
#http_access allow all
To ensure password authorization for all incoming requests, we probably want to comment out the line below:
#http_access allow all
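Rule order is what makes this matter: Squid applies the first http_access line that matches a request. The Python sketch below is an added example, not part of the original post; it models only the src and proxy_auth ACL types used on this page, and the function names, sample strings and the outside test address 203.0.113.5 are assumptions chosen for illustration.

```python
import ipaddress

# Constructed samples built from the directives shown on this page.
IP_FILTER = """\
acl my_machine src 192.168.1.10
acl our_networks src 192.168.1.0/255.255.255.0
http_access allow my_machine
http_access allow our_networks
http_access deny all
"""
AUTH_ONLY = """\
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
#http_access allow all
"""
LEFT_OPEN = "http_access allow all\n" + AUTH_ONLY  # the line was not commented out

def parse(conf):
    """Return ACL definitions and the http_access rules in file order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # 'all' matches every client
    rules = []
    for line in conf.splitlines():
        w = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(w) >= 4 and w[0] == "acl":
            acls.setdefault(w[1], (w[2], []))[1].extend(w[3:])
        elif len(w) >= 3 and w[0] == "http_access":
            rules.append((w[1], w[2:]))
    return acls, rules

def decide(conf, client_ip, authenticated=False):
    """First matching http_access rule wins: 'allow', 'deny' or 'challenge'."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        for name in names:
            kind, args = acls[name]
            if kind == "proxy_auth":
                if not authenticated:
                    return "challenge"  # Squid replies 407 and asks for a login
            elif kind != "src":
                raise ValueError(f"ACL type {kind!r} is outside this sketch")
            elif not any(ip in ipaddress.ip_network(a, strict=False) for a in args):
                break  # this rule does not match, try the next one
        else:
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

Calling `decide(LEFT_OPEN, "203.0.113.5")` returns `allow` for an unauthenticated outside address, while the same call on `AUTH_ONLY` returns `challenge`.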
OK, the configuration is now done. Start the proxy using the command line:
You can now set up your browser: simply enter the DDNS domain name of your DS207 and the port number of the squid proxy that we defined in the configuration file.
To allow external access to the squid proxy server, add a new port forwarding rule to your broadband router
Update: Jan 22, 2010
For firmware 2.2 users, a firewall rule is required for external access to the squid server.
Network Services > Firewall > Click ‘Create’ button
Ports > Check ‘Custom’ radio button > Click ‘Custom’ button
To add a new custom port:
Ports: Type: Destination Port
Source IP: ALL (or any other permitted IP address)
Action : Access : Allow
Update: Nov 10, 2011
Hiding the proxy hostname
Since squid is running on the NAS, where most of my private files are hosted, I don’t want my NAS host name to be disclosed while using the squid server. Here are a few config changes to hide some information from the world.
# vi /opt/etc/squid/squid.conf
Refer to the comments for details of these settings.
I don’t think doing this is good practice, though.