Install and configure private anonymous proxy server using Squid in Debian 6


The following article is all about how to install and configure a private proxy server using Squid in your Debian 6 VPS.

Before we proceed any further, you might be asking yourself what exactly is Squid?


It is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. It also gives you the ability to hide your identity and browse the web anonymously.

As always, the first step is to make sure your Debian Virtual Server is fully up-to-date by executing the following command:

# apt-get update && apt-get upgrade --show-upgraded -y

Next, install the ‘squid’ server by issuing:

# apt-get install squid3 squid3-common -y

Once the installation is complete you may want to run:

# apt-get autoremove -y

to remove packages that are no longer required. Once that's done, run the command below to find the location of the 'ncsa_auth' helper, which we will use for authentication.

# dpkg -L squid3 | grep -w ncsa_auth
/usr/lib/squid3/ncsa_auth

This indicates that the auth helper is located at '/usr/lib/squid3/ncsa_auth', so the next step is to set up Squid's configuration file (/etc/squid3/squid.conf). Make sure you replace 'XXX.XX.XX.XXX' with your server's IP address.

# cp /etc/squid3/squid.conf{,.old} && \
cat > /etc/squid3/squid.conf <<'EOF'
# Basic authentication through the ncsa_auth helper located above; the
# password file is created with htpasswd in the next step.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm please login to the squid server?
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT

# http_access lines are evaluated top down and the first matching line
# wins, so the deny rules must come before the allow rule for
# authenticated users; otherwise any authenticated user could CONNECT
# to arbitrary ports and reach the cache manager.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ncsa_users
http_access deny all
http_port 2222
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

icp_access allow localnet
icp_access deny all
acl ip1 myip XXX.XX.XX.XXX
tcp_outgoing_address XXX.XX.XX.XXX ip1
cache_mgr example@example.net
cache_mem 64 MB
visible_hostname example.com
maximum_object_size 10 MB

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

shutdown_lifetime 3 seconds
EOF

To enable authentication, create the password file (/etc/squid3/passwd) and add your first user with:

# htpasswd -c /etc/squid3/passwd your_user

The htpasswd tool is provided by the apache2-utils package on Debian. The -c switch creates the file; omit it when adding further users, otherwise the existing file is overwritten.

Finally, with all that in place, you can check the configuration for syntax errors with 'squid3 -k parse' and then start the Squid proxy server using:

# /etc/init.d/squid3 restart
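Squid evaluates http_access lines top down: every ACL on a line must match (a leading '!' negates), the first matching line decides, and if no line matches the default is the opposite of the last line. The following script is an added example, not part of the original article or of Squid itself; it models that evaluation for src, port, method and proxy_auth ACLs (other ACL types are treated as non-matching) and compares two orderings of the rules from the configuration above: one where 'http_access allow ncsa_users' sits before the deny lines, and one where it follows them. The Request dataclass, the constructed configs and the client addresses are assumptions made for the example.

```python
"""Minimal model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client IP address
    port: int            # destination port
    method: str          # HTTP method, e.g. GET or CONNECT
    authenticated: bool  # whether valid proxy credentials were supplied


def parse_config(text):
    """Collect acl definitions and http_access rules from a squid.conf fragment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, typ, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (typ, []))[1].extend(values)  # repeated acl lines accumulate
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def _src_match(values, src):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(v, strict=False) for v in values)


def _port_match(values, port):
    for v in values:
        lo, _, hi = v.partition("-")          # single port or lo-hi range
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    if name == "all":                         # built in on Squid 3.x: matches everything
        return True
    typ, values = acls[name]
    if typ == "src":
        return _src_match(values, req.src)
    if typ == "port":
        return _port_match(values, req.port)
    if typ == "method":
        return req.method.upper() in {v.upper() for v in values}
    if typ == "proxy_auth":
        return req.authenticated               # REQUIRED: any valid credentials
    return False                               # proto/dst/myip etc. not modelled here


def evaluate(acls, rules, req):
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's no-match default


def decide(config_text, req):
    return evaluate(*parse_config(config_text), req)


# Constructed configs: the ACLs from the article, then two rule orderings.
ACLS = """
acl ncsa_users proxy_auth REQUIRED
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
"""
AUTH_FIRST = ACLS + """
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""
DENY_FIRST = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow ncsa_users
http_access deny all
"""

if __name__ == "__main__":
    smtp_tunnel = Request("203.0.113.5", 25, "CONNECT", True)   # constructed client
    for label, cfg in (("auth first", AUTH_FIRST), ("deny first", DENY_FIRST)):
        print(f"{label}: authenticated CONNECT to port 25 -> {decide(cfg, smtp_tunnel)}")
```

The model returns only the access decision; it does not reproduce the 407 challenge Squid sends when a proxy_auth ACL is evaluated without credentials. Run it and the 'auth first' ordering allows an authenticated client to tunnel to port 25, while the 'deny first' ordering rejects it and still permits CONNECT to 443.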

Comments
  1. Very helpful article, worked like a charm. Only problem is, given settings do not work with https traffic. Adding iptables rules and https support will make this article more useful.
    I am using the following iptables rules:
    # Allows SQUID connection from anywhere
    -A INPUT -p tcp --dport 2222 -j ACCEPT
    -A OUTPUT -p tcp --sport 2222 -j ACCEPT


  2. Nice tutorial. But how is the resulting proxy server an "Anonymous Proxy" when requests are not encrypted?!
    (refer to this: http://en.wikipedia.org/wiki/HTTP_proxying#Anonymous_HTTPS_proxy)

    I'm trying to implement such an https anonymous proxy, where the connection between client and server is encrypted. Could you please tell me how I could configure the proxy server for this purpose?!


    • It doesn’t have to be encrypted to be anonymous. Unfortunately, you would have to figure out how to make it HTTPS ready.

      Thanks.


  3. I am getting the following error when trying to run the server:
    Restarting Squid HTTP proxy: squid2014/08/07 09:56:25| aclParseIpData: Bad host/IP: '::1'
    2014/08/07 09:56:25| aclParseIpData: Bad host/IP: '::1'
    2014/08/07 09:56:25| decode_addr: Invalid IP address 'fc00::'
    2014/08/07 09:56:25| squid.conf line 15: acl localnet src fc00::/7 # RFC 4193 local private network range
    2014/08/07 09:56:25| aclParseIpData: Ignoring invalid IP acl entry: unknown first address 'fc00::'
    2014/08/07 09:56:25| decode_addr: Invalid IP address 'fe80::'
    2014/08/07 09:56:25| squid.conf line 16: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    2014/08/07 09:56:25| aclParseIpData: Ignoring invalid IP acl entry: unknown first address 'fe80::'
    2014/08/07 09:56:25| ACL name 'all' not defined!
    2014 Aug 7 09:56:25 vps27357 Bungled squid.conf line 37: http_access deny all
    FATAL: Bungled squid.conf line 37: http_access deny all
    Squid Cache (Version 2.7.STABLE9): Terminated abnormally.
