Tutorial: set up an anonymous HTTP proxy with Squid
Recently I needed to configure an anonymous HTTP proxy with Squid for some colleagues. The objective, in addition to hiding the IP, was that everyone could access a web page with the same IP to avoid blockages.
The solution chosen was Squid 3, which is nothing more than a caching proxy server. In previous articles we talked about how to configure SOCKS proxies, which are more flexible, but in this case I needed an HTTP proxy.
In this tutorial we will learn to configure Squid 3 not only so that the proxy is anonymous, but also to protect it with a username and password so that unauthorized people cannot use it, and to limit access through the proxy to certain pages.
As always, the tutorial was tested under Ubuntu, in this case the 12.04 x64 version, but I think it is applicable to any later version of Ubuntu and even to other Linux distributions such as CentOS or Debian. I recommend using an affordable and cheap VPS server to test before putting the proxy to work for the public.
What is Squid?
Squid is a cross-platform cache proxy that helps reduce response times. It is open source and free.
From what has been said so far it seems very similar to Varnish Cache, which we have already talked about. There are substantial differences between the two that I am not going to go into now; suffice it to say that for the purpose of this article, which is to create an anonymous HTTP proxy with authentication, Squid is the best option (with Varnish you could not).
Install Squid 3 on Ubuntu step by step
The installation of Squid in Ubuntu is very simple, we execute the following command:
apt-get install squid3 apache2-utils
We need the apache2-utils package because we use the htdigest tool to create users for our anonymous proxy with Squid.
With this we already have Squid 3 installed and working, now comes the most feared step, the Squid configuration. We will show it in a simple and step-by-step way, but we still have Squid documentation at hand.
Configure Squid 3 as an anonymous proxy easily
The Squid 3 default configuration file comes with a lot of text, and reading it becomes endless. I do not recommend deleting it; instead we keep it under another name in case we need to consult it. For this we execute the command:
mv /etc/squid3/squid.conf /etc/squid3/squid.conf.bak
Once this is done we stop Squid with the command:
service squid3 stop
Now we will create a new configuration file for our anonymous proxy that will also require a username and password to be used. The first thing is to run nano to create the file with the following command:
The content of the configuration file is as follows:
auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/password
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
acl whitelist dstdomain .google.com .googleapis.com .geotrust.com
http_access allow authenticated whitelist
http_access deny all
http_port 3528
#Safe ports
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
#Anonymous proxy
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
Now we will comment carefully on the different parts. The first line:
auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/password
It indicates the authentication program, and the path after the -c parameter indicates the location of the file containing the user passwords.
The second line:
auth_param digest realm proxy
It indicates the name that will be sent to the client for the authentication of the proxy, in our case I have chosen the name proxy.
The third line:
acl authenticated proxy_auth REQUIRED
It is a directive that requires the user to be authenticated to use the proxy.
Now come three lines that form the section of restricting websites:
acl whitelist dstdomain .google.com .googleapis.com .geotrust.com
http_access allow authenticated whitelist
http_access deny all
We see that in the first line we create the list of allowed domains with the dstdomain option and call this list whitelist. The following line indicates that it allows access to authenticated (this comes from the previous lines where we were talking about user authentication) and whitelist; both conditions must hold for a request to be allowed. The last line indicates that everything else, which does not meet the previous conditions, will not have access.
Within this group of configurations we also find the http_port line, which defines the port of our HTTP proxy.
The #Safe ports section is descriptive; it simply indicates which ports are safe for proxy use (no http_access rule in this file references these ACLs). The #Anonymous proxy section is more interesting: it establishes which headers the proxy sends. It is very important to pay attention to those that are switched off with off and those that are denied with All deny all; in our case they are the lines:
via off
forwarded_for off
...
request_header_access All deny all
We have to disable these headers because they show our real IP and we want the proxy to be anonymous. The other headers remain active because they do not reveal our IP.
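To see what the allow list followed by All deny all does to a request, here is an added example (not part of the original tutorial) that models those rules in shell. It is a simplified model that only understands the "allow all" / "deny all" form used above; the function names and the sample request, including its addresses and header values, are constructed for illustration.

```shell
#!/bin/sh
# Simplified model (an assumption, not the full Squid ACL engine): a header is
# forwarded only if it has its own "allow all" rule; any other header falls
# through to the "All" rule. With no "All" rule, headers pass.

# filter_headers CONF: read "Name: value" request headers on stdin and print
# the ones the request_header_access rules in CONF let through.
filter_headers() {
    awk '
        NR == FNR {                      # first input: the Squid config
            if ($1 == "request_header_access" && $4 == "all")
                rule[tolower($2)] = $3   # e.g. rule["cookie"] = "allow"
            next
        }
        {                                # second input: request headers
            name = tolower($0); sub(/:.*/, "", name)
            verdict = (name in rule) ? rule[name] : (("all" in rule) ? rule["all"] : "allow")
            if (verdict == "allow") print
        }
    ' "$1" -
}

# Constructed sample: a few of the rules above and a made-up client request.
demo_filter() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
request_header_access Host allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
EOF
    filter_headers "$conf" <<'EOF'
Host: www.google.com
User-Agent: ExampleBrowser/1.0
X-Forwarded-For: 203.0.113.7
Via: 1.1 office-gateway
Referer: http://intranet.example/wiki
Cookie: session=constructed
EOF
    rm -f "$conf"
}

demo_filter   # prints the Host, User-Agent and Cookie lines only
```

Headers that carry an address or an internal URL (X-Forwarded-For, Via, Referer) are dropped because they are not on the allow list, while User-Agent and Cookie still pass and can identify the client in other ways.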
How to add users to the anonymous HTTP proxy with Squid
The proxy is configured, but we need to add at least one user to use it. The procedure is very simple, we execute the command:
htdigest -c /etc/squid3/password proxy usuario1
In this command, “proxy” refers to the realm name, which we talked about in the second line of the configuration file. As we use the name “proxy” there, the same realm name “proxy” must also be used when adding users. Where it says usuario1, we put the username. After executing the command it will ask us to enter the password twice.
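The file path and realm in squid.conf have to agree exactly with what htdigest wrote, otherwise every login is rejected. The following added example (not part of the original tutorial) checks that agreement in a temporary sandbox; the function names and the password example-pass are constructed, and it assumes a single-word realm and the md5sum tool.

```shell
#!/bin/sh
# ha1 USER REALM PASSWORD: the value htdigest stores for a user,
# MD5("user:realm:password"). The realm is part of the hash.
ha1() { printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1; }

# check_digest_auth CONF: confirm that the password file and realm named in
# CONF exist and agree with the htdigest entries (lines of user:realm:hash).
check_digest_auth() {
    pwfile=$(awk '$2 == "digest" && $3 == "program" { print $NF }' "$1")
    realm=$(awk '$2 == "digest" && $3 == "realm" { print $4 }' "$1")
    if [ -z "$pwfile" ] || [ -z "$realm" ]; then
        echo "FAIL: digest program or realm not configured"; return 1
    fi
    if [ ! -r "$pwfile" ]; then
        echo "FAIL: password file not readable: $pwfile"; return 1
    fi
    users=$(awk -F: -v r="$realm" '$2 == r { n++ } END { print n + 0 }' "$pwfile")
    if [ "$users" -eq 0 ]; then
        echo "FAIL: no user in realm '$realm'"; return 1
    fi
    echo "OK: $users user(s) in realm '$realm'"
}

# demo_auth FILE REALM: constructed sandbox. One user is created in realm
# "proxy" in a file called "password"; the config then names FILE and REALM.
demo_auth() {
    dir=$(mktemp -d)
    printf 'usuario1:proxy:%s\n' "$(ha1 usuario1 proxy example-pass)" > "$dir/password"
    printf '%s\n' \
        "auth_param digest program /usr/lib/squid3/digest_pw_auth -c $dir/$1" \
        "auth_param digest realm $2" > "$dir/squid.conf"
    check_digest_auth "$dir/squid.conf"; rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_auth password proxy             # file and realm match
demo_auth passwords proxy || true    # file name off by one letter
demo_auth password Proxy || true     # realm differs only in case
```

Because the realm is hashed into each entry, changing the realm in squid.conf later invalidates every existing user until the passwords are set again with htdigest.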
How to configure an anonymous HTTP proxy in Firefox
Many of you will wonder how to configure this HTTP proxy with username and password in Firefox, because the Firefox network options only allow us to use HTTP proxies that do not need authentication. The simplest solution is to use a Firefox plugin called FoxyProxy, which can use an HTTP proxy with username and password authentication.