A complete and practical guide to setting up a web proxy on Ubuntu 24.04
With this guide, easily install and configure your web proxy on Ubuntu 24.04 server.

This article explains step by step how to install and configure a web proxy on Ubuntu 24.04 server using Squid, Dante and Nginx. By reading this article, you will learn how to secure and optimize your web proxy.

How to set up a secure and efficient web proxy on Ubuntu 24.04?

In this operational guide, we walk you step by step through installing, configuring, and securing a web proxy on an Ubuntu 24.04 server. The examples are based on Squid (HTTP/HTTPS forward proxy), Dante (SOCKS5) and Nginx (reverse proxy and TLS termination), and include firewall configuration, authentication, logging, and performance optimization.

Why use a web proxy?

A web proxy offers advantages such as access control, content caching to reduce bandwidth, hiding the client's IP, and traffic distribution. For sensitive applications such as trading or gaming, placing the proxy closer to the destination can reduce latency (ping).

Proxy types and uses

The most common types of proxies include:

  • Forward Proxy (e.g. Squid): For clients to access the Internet; suitable for control, caching, and monitoring.
  • Reverse Proxy (e.g. Nginx): Sits in front of web servers to perform TLS, load balancing, and caching.
  • SOCKS5 (Dante or SSH -D): Lower layer, suitable for various applications and TCP/UDP traffic.
  • Transparent Proxy: To intercept network traffic (requires NAT/fwd changes).

Server requirements and preparation

First, update the system and install the basic packages. Select the packages based on your requirements: for SOCKS5 we use dante-server, and for TLS we use certbot.

sudo apt update && sudo apt upgrade -y
sudo apt install squid apache2-utils dante-server nginx certbot nftables fail2ban -y

Installing and configuring Squid (HTTP/HTTPS forward proxy)

This section explains basic configuration, enabling HTTPS (CONNECT), authentication, ACLs, and caching.

Basic configuration

To install Squid:

sudo apt install squid -y

Before changing the configuration file, make a backup:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

Example of a basic configuration file (/etc/squid/squid.conf):

http_port 3128
# access log in Squid's native format
access_log /var/log/squid/access.log squid

# ACLs
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8    # internal network
acl allowed_ips src 203.0.113.0/24  # example allowed client range

# permissions
http_access allow localhost
http_access allow allowed_ips
http_access deny all

# caching
cache_mem 256 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/spool/squid 10000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320

# DNS: dns_v4_first was removed in Squid 5 and is no longer set here

After saving the configuration:

sudo systemctl restart squid
sudo systemctl enable squid

Enabling HTTPS (CONNECT) and TLS

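For HTTPS tunneling, clients send Squid a CONNECT request. Restrict CONNECT to port 443 and place these rules before the http_access allow lines, because Squid applies the first http_access rule that matches:

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
# refuse requests to ports outside Safe_ports
http_access deny !Safe_ports
# refuse CONNECT tunnels to anything other than port 443
http_access deny CONNECT !SSL_ports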

Authentication (Basic/LDAP)

For Basic auth using htpasswd:

sudo apt install apache2-utils -y
sudo htpasswd -c /etc/squid/passwords username

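In squid.conf, add the following above the http_access deny all line; Squid stops at the first http_access rule that matches, so anything placed after it is ignored: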

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

ACL and access restrictions

Common examples:

  • Restrict by IP: acl allowed_ips src x.x.x.x/xx
  • Restricting domains: acl blocked_sites dstdomain .example.com
  • Limit time: acl office_hours time MTWHF 08:00-18:00

Example of rejecting sites:

acl blocked_sites dstdomain .youtube.com .facebook.com
http_access deny blocked_sites
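
Because Squid stops at the first matching http_access rule, the order of the lines matters as much as their content. The following is an added example, not part of the original guide: a hypothetical helper, audit_http_access, that reads a squid.conf and reports allow rules that are unreachable or not tied to a source or login ACL. The sample configuration is constructed for the demonstration.

```sh
#!/bin/sh
# Constructed sample: rules in the style of this guide, with two ordering mistakes.
sample_conf() {
cat <<'EOF'
acl allowed_ips src 203.0.113.0/24
acl SSL_ports port 443
acl authenticated proxy_auth REQUIRED
http_access allow localhost
http_access allow allowed_ips
http_access allow SSL_ports
http_access deny all
http_access allow authenticated
EOF
}

# audit_http_access FILE: hypothetical helper (not a Squid tool). Reports
# http_access rules that can never match and allow rules that admit any client.
audit_http_access() {
    awk '
    BEGIN { bound["localhost"] = 1 }      # built-in source ACL
    # ACLs that identify a client by address or by login
    $1 == "acl" && ($3 == "src" || $3 == "proxy_auth") { bound[$2] = 1 }
    $1 != "http_access" { next }
    {
        if (closed) printf "line %d: unreachable after deny all\n", NR
        if ($2 == "deny" && $3 == "all") closed = 1
        if ($2 == "allow") {
            ok = 0
            # a negated ACL such as !authenticated does not count as a restriction
            for (i = 3; i <= NF && $i !~ /^#/; i++) if ($i in bound) ok = 1
            if (!ok) printf "line %d: allow without source or login ACL\n", NR
        }
    }
    END { if (!closed) print "missing final http_access deny all" }
    ' "$1"
}

# Run the audit on the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp" && audit_http_access "$tmp"; rm -f "$tmp"
```
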

Caching and performance optimization

Important settings for cache:

  • cache_mem: RAM memory for caching small objects.
  • cache_dir: Disk location for large content cache.
  • maximum_object_size: Maximum size of object that can be stored.
  • refresh_pattern: Cache validity control.

Example for higher traffic:

cache_mem 512 MB
maximum_object_size 20 MB
cache_dir ufs /var/spool/squid 50000 16 256

For high traffic, use NVMe and high IOPS disks or LVM.

Logging and log management

Squid writes its logs to /var/log/squid/. Example logrotate configuration:

sudo nano /etc/logrotate.d/squid
/var/log/squid/*.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 640 proxy proxy
    sharedscripts
    postrotate
        systemctl reload squid >/dev/null 2>&1 || true
    endscript
}

Use tools like ELK or Grafana+Prometheus to analyze logs.
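
Before a full log pipeline is in place, the native access.log format can be checked directly for signs of abuse. The following is an added example, not part of the original guide: a hypothetical helper, flag_abuse, that lists clients with repeated TCP_DENIED results and CONNECT requests to ports other than 443. The log lines are constructed for the demonstration.

```sh
#!/bin/sh
# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy type
sample_log() {
cat <<'EOF'
1718000001.100     12 203.0.113.7 TCP_DENIED/407 4012 CONNECT example.org:443 - HIER_NONE/- text/html
1718000002.100     11 203.0.113.7 TCP_DENIED/407 4012 CONNECT example.org:443 - HIER_NONE/- text/html
1718000003.100     10 203.0.113.7 TCP_DENIED/407 4012 CONNECT example.org:443 - HIER_NONE/- text/html
1718000004.100    230 203.0.113.20 TCP_TUNNEL/200 5120 CONNECT example.org:443 alice HIER_DIRECT/198.51.100.10 -
1718000005.100      9 198.51.100.99 TCP_DENIED/403 3900 CONNECT mail.example.net:25 - HIER_NONE/- text/html
1718000006.100     80 203.0.113.20 TCP_MISS/200 10240 GET http://example.org/ alice HIER_DIRECT/198.51.100.10 text/html
EOF
}

# flag_abuse FILE MIN: hypothetical helper. Prints clients with at least MIN
# denied requests, and every CONNECT aimed at a port other than 443.
flag_abuse() {
    awk -v min="$2" '
    { split($4, res, "/") }                   # res[1] = result code, res[2] = HTTP status
    res[1] == "TCP_DENIED" { denied[$3]++ }   # count denials per client address
    $6 == "CONNECT" {
        port = $7; sub(/^.*:/, "", port)      # keep what follows the last colon
        if (port != "443") printf "%s connect-to-port %s\n", $3, port
    }
    END {
        for (c in denied)
            if (denied[c] >= min) printf "%s denied %d\n", c, denied[c]
    }
    ' "$1" | sort
}

# Run the check on the constructed sample with a threshold of 3 denials.
tmp=$(mktemp) && sample_log > "$tmp" && flag_abuse "$tmp" 3; rm -f "$tmp"
```
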

Setting up SOCKS5 with Dante

For applications that require SOCKS, Dante is a good option.

Installation and setup:

sudo apt install dante-server -y

Example /etc/danted.conf:

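logoutput: syslog
# listen on all addresses, port 1080
internal: 0.0.0.0 port = 1080
# replace eth0 with the server's outbound interface name
external: eth0
# SOCKS-level authentication methods (keyword name used by Dante 1.4)
socksmethod: username none
user.privileged: proxy
user.notprivileged: nobody
# which client addresses may connect to the proxy
client pass {
    from: 203.0.113.0/24 to: 0.0.0.0/0
    log: connect disconnect error
}
# which destinations accepted clients may reach
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    protocol: tcp udp
    log: connect disconnect error
}

After saving the configuration:

sudo systemctl restart danted
sudo systemctl enable danted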

Example test with curl:

curl --socks5-hostname 127.0.0.1:1080 https://checkip.amazonaws.com

Configuring Nginx as a reverse proxy and TLS termination

Nginx can be used to host the proxy administration page or to terminate TLS for applications behind the proxy.

Example server block:

server {
    listen 80;
    server_name proxy.example.com;
    location / {
        proxy_pass http://127.0.0.1:3128;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

To obtain a TLS certificate with Certbot:

sudo certbot --nginx -d proxy.example.com

Firewall, security and monitoring

For security, use nftables or ufw, fail2ban, and logging and monitoring.

Example of basic nftables rules:

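sudo nft add table inet filter
# create the chain with policy accept so an existing SSH session is not cut off before the accept rules exist
sudo nft 'add chain inet filter input { type filter hook input priority 0 ; policy accept; }'
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input tcp dport 22 accept
sudo nft add rule inet filter input tcp dport 3128 accept # squid
sudo nft add rule inet filter input tcp dport 1080 accept # dante
sudo nft add rule inet filter input icmp type echo-request accept
# switch to default-drop only after the accept rules are loaded
sudo nft 'add chain inet filter input { type filter hook input priority 0 ; policy drop; }'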

Implement performance monitoring and attack detection with appropriate tools.

Practical tips for specific applications (trading, gaming, AI, rendering)

For traders: Choose a server with a location close to the broker server; use a fixed outgoing IP for whitelisting, and enable Anti-DDoS if the connection is critical.

For gamers: Choose a VPS with a fast network and a location close to the game server and enable BBR:

sudo sysctl -w net.core.default_qdisc=fq
sudo sysctl -w net.ipv4.tcp_congestion_control=bbr

To make the settings permanent, add the values to /etc/sysctl.conf.

For AI and rendering: Use larger cache and NVMe disks to download datasets and leverage cloud GPUs for distributed inference.

Operational and maintenance operations

Key maintenance tips:

  • Regular package updates: sudo apt update && sudo apt upgrade -y
  • Apply security patches, review logs, and back up configurations.
  • Use automation tools like Ansible for quick configuration and rollback.
  • Periodically test the service with curl/wget and set up Uptime monitoring.

Why use cloud infrastructure with multiple locations?

Deploying proxies closer to users or destination servers reduces ping and provides better geographical control. Using CDN, BGP, and Anti-DDoS can improve performance and security.

Final security recommendations

Important security tips:

  • Never leave a public proxy open without authentication.
  • Apply IP and time-based restrictions.
  • Monitoring and alerting are essential to detect abuse.
  • Use Anti-DDoS and private networking for sensitive applications.

Conclusion

This guide covered installing and configuring Squid for HTTP/HTTPS, setting up Dante for SOCKS5, and setting up Nginx for reverse proxying and TLS. It also covered firewalls, logs, and practical tips for trading, gaming, and AI.
