Synology DS207+ usage series 3 - Setup Squid HTTP Proxy Server

Installing squid to DS207+ using ipkg

  1. ipkg install squid
  2. Edit the configuration /opt/etc/squid/squid.conf
     - http_port <port number that you want squid to listen on for incoming proxy connections (default 3129)>
     - visible_hostname <hostname of your ds207p, it could also be the host name from your dynamic DNS service provider, cannot be empty!>
     - cache_mgr <email address of administrator>
  3. squid -k parse
  4. squid -z
  5. ln -s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/

Setup ACL – the access control of your proxy server

We want to restrict access to our squid proxy server.

To restrict access to the squid proxy to a particular IP and network, add the following lines to squid.conf:


acl my_machine src 192.168.1.10
acl our_networks src 192.168.1.0/255.255.255.0
http_access allow my_machine
http_access allow our_networks
http_access deny all

Access from remote location

However, if your remote location does not have a static IP (say your ISP gives you a dynamic IP), there is not much you can do with IP filtering. You may want to allow access from all networks in such a case:


http_access allow all

That does not sound good, yes. So I suggest using an uncommon port number rather than the default port number. You can also set up password authorization as described below.

Setup password authorization

Luckily, instead of filtering by IP address, we can also set up password authorization to restrict access to our proxy server.

First, we need to create the user/password database for the proxy server. I suggest creating the database here:

/opt/etc/squid/passwd

We use the htpasswd command to generate the password file:

/usr/syno/apache/bin/htpasswd -cm /opt/etc/squid/passwd <username>

The htpasswd utility is pretty common and available on most Linux/Unix-like systems.

You may also generate it using a web-based service such as an online htpasswd generator.

After editing the passwd file, set the file permission as below:

chmod o+r /opt/etc/squid/passwd

Once the password database is ready, edit the squid.conf again and tell squid to use password authorization.

Append the following configuration directives:


auth_param basic program /opt/libexec/ncsa_auth /opt/etc/squid/passwd
auth_param basic children 5
auth_param basic realm <Your welcome text>
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Also modify the ACL section again:


acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access deny all
#http_access allow all

To ensure password authorization for all incoming requests, we probably want to comment out the line below.

#http_access allow all
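
Rule order is why that line matters: Squid evaluates http_access lines from top to bottom and the first match decides, so an "http_access allow all" left active above the password rules means the password is never asked for. The shell function below is an added example, not part of the original post, that checks a squid.conf for this; the name audit_http_access and the sample config are constructed for illustration, and negated ACLs (!name) are not handled.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Squid reads http_access lines top to bottom; the first match decides.
# Prints findings; returns 1 if the proxy is usable without a password.
audit_http_access() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }
        $1 == "http_access" && NF >= 3 && !stop {
            needs_auth = 0; only_all = 1
            for (i = 3; i <= NF; i++) {
                if ($i in auth) needs_auth = 1
                if ($i != "all") only_all = 0
            }
            if ($2 == "deny" && only_all) { stop = 1; is_closed = 1; next }
            if ($2 == "allow" && only_all) {
                print "OPEN: line " NR " allows everyone without a password"
                stop = 1; is_open = 1; next
            }
            if ($2 == "allow" && !needs_auth)
                print "INFO: line " NR " allows without a password: " $0
        }
        END {
            if (!is_open && !is_closed)
                print "WARN: no final \"http_access deny all\" rule"
            exit (is_open ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: "allow all" from the remote-access step was left active
# above the password rules, so the password is never asked for.
sample=$(mktemp)
cat > "$sample" <<'EOF'
acl my_machine src 192.168.1.10
acl ncsa_users proxy_auth REQUIRED
http_access allow my_machine
http_access allow all
http_access allow ncsa_users
http_access deny all
EOF
audit_http_access "$sample" || echo "Fix squid.conf before forwarding the port."
rm -f "$sample"
```

Run it against /opt/etc/squid/squid.conf after editing and before restarting squid; an INFO line for an address-based rule such as my_machine is expected if you kept the IP filter.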

OK, now the configuration is done. Start the proxy from the command line:

/opt/etc/init.d/S80squid restart

You can now set up your browser: simply enter the DDNS domain name of your DS207 and the port number of the squid proxy we defined in the configuration file.

IE setting for Squid Proxy


To allow external access to the squid proxy server, add a new port forwarding rule to your broadband router:

Linksys - Port forwarding for Squid with default port 3129


Update: Jan 22, 2010

For firmware 2.2 users, a firewall rule is required for external access to the squid server.

Network Services > Firewall > Click ‘Create’ button

Ports > Check ‘Custom’ radio button > Click ‘Custom’ button

Synology: Adding a new firewall rule with custom port

To add a new custom port:

Ports: Type: Destination Port
Protocol: TCP
Ports: 3129

Synology: Adding new firewall rule for Squid Proxy : Port 3129 : TCP


Source IP: ALL (or any other permitted IP address)

DiskStation: Firewall: Assign 'ALL' for source IP

Action : Access : Allow

DiskStation: Firewall: Allow a firewall rule


Update: Nov 10, 2011 - Hiding the proxy hostname

Since squid is running on the NAS, where most of my private files are hosted, I don’t want my NAS host name to be disclosed while using the squid server. Here are a few config changes to hide some information from the world.

# vi /opt/etc/squid/squid.conf

visible_hostname fake.domain
via off

Refer to the comments for details on these settings.

I don’t think doing this is good practice, though.
