Guide: Installing and Using Squid Proxy with Pi-hole on Debian 12
Introduction
Combining Squid Proxy and Pi-hole on a Debian 12 system offers enhanced privacy, ad-blocking, and content filtering. Squid acts as a proxy to conceal your identity, while Pi-hole provides DNS-level ad-blocking.
Prerequisites
- Debian 12 system with root or sudo privileges
- Basic command-line knowledge
- Stable internet connection
Step-by-Step Instructions
Step 1: Update Your System
sudo apt update && sudo apt upgrade -y
Step 2: Install Pi-hole
curl -sSL https://install.pi-hole.net | bash
- Configuration during installation:
- Choose network interface
- Select upstream DNS providers
- Enable blocklists
- Set static IP address
Step 3: Verify Pi-hole Installation
pihole status
Step 4: Install and Configure Squid Proxy
Install Squid:
sudo apt install squid -y
Configure Squid:
sudo nano /etc/squid/squid.conf
Delete everything then add the following lines:
# Allow local network sources
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl localnet src 100.64.0.0/10
acl localnet src 169.254.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
# Define SSL ports
acl SSL_ports port 443
# Define safe ports
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
# Allow CONNECT method only to SSL ports
acl CONNECT method CONNECT
# Deny access to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT method to non-SSL ports
http_access deny CONNECT !SSL_ports
# Allow localhost access to manager
http_access allow localhost manager
# Deny all other manager access
http_access deny manager
# Include additional configuration files
include /etc/squid/conf.d/*
# Allow specific external IP address
acl external src 192.192.192.192 # Add your public IP to allow connection to your machine
# Allow access for the external IP
http_access allow external
# Allow following of X-Forwarded-For headers for the external IP
follow_x_forwarded_for allow external
# Allow access for local network
http_access allow localnet
# Deny all other access
http_access deny all
# Define the HTTP port
http_port 3128
# Set DNS server to Pi-hole
dns_nameservers 127.0.0.1
# Set core dump directory
coredump_dir /var/spool/squid
# Define refresh patterns for different protocols
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Disable caching
cache deny all
# Set the memory cache size to 0
cache_mem 0 MB
# Set the maximum object size to 0 to prevent caching
maximum_object_size 0 KB
# No cache directories
cache_dir null /tmp
Restart Squid:
sudo systemctl restart squid
Restart Pi-hole:
pihole restartdns
Step 5: Configure Clients to Use Squid and Pi-hole
- Web Browsers Proxy Settings:
- Proxy IP: Your Pi-hole/Squid server IP (e.g., 192.168.1.2)
- Port: 3128
- Windows: Change proxy setting to Your-VPS-IP:3128
Step 6: Testing and Verification
- Verify Pi-hole Ad-blocking:
- Visit ad-heavy websites or (Can you block it) or check Pi-hole dashboard logs.
Verify Squid Proxy:
curl -x http://localhost:3128 http://ifconfig.me
Step 7 (Optional): Secure and Optimize Your Setup
Enable Squid Authentication (Optional):
sudo apt install apache2-utils -y
sudo htpasswd -c /etc/squid/passwords yourusername
Update Squid configuration:
sudo nano /etc/squid/squid.conf
Add:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
Restart Squid:
sudo systemctl restart squid
Regular Maintenance:
Keep Pi-hole and Squid updated:
sudo apt update && sudo apt upgrade -y
pihole -g
Conclusion
By following this guide, you have set up Squid Proxy and Pi-hole on your Debian 12 system, enhancing privacy, blocking ads, and providing robust content filtering.
If you have any questions don't hesitate to comment!
If you want to get your own high performance and cheap VPS visit here: