
Install And Configure High Anonymous Squid Proxy Server In Simple 4 Steps

Install And Configure Elite Squid Proxy Server

In this tutorial, we will install the Squid proxy server on Ubuntu/Debian Linux and configure it as a simple high-anonymity proxy with basic authentication.

Our configuration policy is:

1- Allow all traffic

2- Harden the proxy server with basic authentication (username and password).

3- Apply the anonymity settings by denying specific request and reply headers.

Install Squid Proxy Server

1- Update your Ubuntu Linux server

# apt update
# apt upgrade

2- Install Squid Proxy Server

# apt install squid

After the installation completes, Squid starts automatically and listens on port 3128. You can confirm that it is running:

root@localhost:~# netstat -puntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      455/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      708/sshd: /usr/sbin
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      778/sshd: root@pts/
tcp6       0      0 :::22                   :::*                    LISTEN      708/sshd: /usr/sbin
tcp6       0      0 :::3128                 :::*                    LISTEN      22483/(squid-1)
tcp6       0      0 ::1:6010                :::*                    LISTEN      778/sshd: root@pts/
udp        0      0 127.0.0.53:53           0.0.0.0:*                           455/systemd-resolve
udp        0      0 0.0.0.0:47353           0.0.0.0:*                           22483/(squid-1)
udp6       0      0 :::41989                :::*                                22483/(squid-1)
root@localhost:~# systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-02-20 20:30:38 UTC; 1min 46s ago
       Docs: man:squid(8)
   Main PID: 22481 (squid)
      Tasks: 4 (limit: 1066)
     Memory: 15.8M
     CGroup: /system.slice/squid.service
             ├─22481 /usr/sbin/squid -sYC
             ├─22483 (squid-1) --kid squid-1 -sYC
             ├─22486 (logfile-daemon) /var/log/squid/access.log
             └─22487 (pinger)

Feb 20 20:30:38 localhost squid[22483]: Max Swap size: 0 KB
Feb 20 20:30:38 localhost squid[22483]: Using Least Load store dir selection
Feb 20 20:30:38 localhost squid[22483]: Set Current Directory to /var/spool/squid
Feb 20 20:30:38 localhost squid[22483]: Finished loading MIME types and icons.
Feb 20 20:30:38 localhost squid[22483]: HTCP Disabled.
Feb 20 20:30:38 localhost squid[22483]: Pinger socket opened on FD 14
Feb 20 20:30:38 localhost squid[22483]: Squid plugin modules loaded: 0
Feb 20 20:30:38 localhost squid[22483]: Adaptation support is off.
Feb 20 20:30:38 localhost squid[22483]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Feb 20 20:30:39 localhost squid[22483]: storeLateRelease: released 0 objects

The netstat command is provided by the net-tools package; install it if it is missing:

# apt install net-tools

You can enable and start the Squid service with:

# systemctl enable squid
# systemctl start squid

Configure Elite Squid Proxy Server

Set Proxy Authentication

3- Install apache2-utils utility package

# apt install apache2-utils

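Use the htpasswd command to create a basic authentication file, squid_passwd, which stores your username and the password as an MD5 hash. The -b flag used below takes the password from the command line, where it is visible in the shell history and the process list; omit -b to be prompted for it instead.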

# htpasswd -b -c /etc/squid/squid_passwd proxy_username proxy_password

4- Configure Squid

We will configure the Squid proxy for a high level of anonymity by writing our own configuration file, /etc/squid/squid.conf, as follows.

But first, you may back up the current config file, then create a new one with our settings.

# mv /etc/squid/squid.conf /etc/squid/squid.conf_bk 
# touch /etc/squid/squid.conf

Squid configuration file

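# Define allowable Networks or IPs.
# Squid 3.2 and later predefine the manager, localhost and to_localhost ACLs;
# redefining manager with a different type is rejected as a configuration error,
# so the three lines below are only needed on older releases.
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32
# acl to_localhost dst 127.0.0.0/8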
# Define Your Secure VPN
acl vpn src 192.1.1.0/24

# Do not show client IP address
forwarded_for off
via off
# Prefer IPv4
dns_v4_first on
dns_nameservers 8.8.8.8 1.1.1.1
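# Accept every upstream TLS certificate error and skip peer verification.
# These two lines disable certificate validation on TLS connections that Squid opens itself.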
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Apply authentication
# The helper path depends on the package; on some releases it is /usr/lib/squid/basic_ncsa_auth.
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access allow manager localhost
http_access allow vpn
http_access deny manager
http_access deny all
cache deny all
# Set port number to listen to
http_port 8080
coredump_dir /var/spool/squid

# Request Headers
## Deny following requests for anonymous config
request_header_access Via deny all
request_header_access Forwarded-For deny all
request_header_access X-Forwarded-For deny all
request_header_access Referer deny all
request_header_access From deny all
request_header_access Cookie deny all
## request_header_replace only applies to a header that is denied here
request_header_access User-Agent deny all
## Allow all Others
request_header_access All allow all

# Replace User-agent string
request_header_replace User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36'

# Reply Headers
## Deny following replies for anonymous config
reply_header_access Via deny all
reply_header_access Server deny all
reply_header_access WWW-Authenticate deny all
reply_header_access Link deny all
reply_header_access Cookie deny all
## Allow all others 
reply_header_access All allow all
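
A quick audit of a squid.conf like the one above, as an added example that is not part of the original tutorial. It flags a request_header_replace with no matching deny rule, disabled upstream certificate checks, and a redefined built-in manager ACL; the function names and the sample config are constructed for illustration.

```shell
# Added example (not from the original page). audit_squid_conf and sample_conf
# are hypothetical names. Reads $1 or stdin; returns 1 if anything is found.
audit_squid_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    $1 == "request_header_access" {               # remember per-header rules
        h = tolower($2); seen[h] = 1
        if ($3 == "deny") denied[h] = 1
    }
    $1 == "request_header_replace" { repl[tolower($2)] = NR }
    $1 == "sslproxy_cert_error" && $2 == "allow" && $3 == "all" {
        print "line " NR ": every upstream certificate error is accepted"; bad = 1
    }
    $1 == "sslproxy_flags" && /DONT_VERIFY_PEER/ {
        print "line " NR ": upstream TLS certificates are not verified"; bad = 1
    }
    $1 == "acl" && $2 == "manager" && $3 != "url_regex" {
        print "line " NR ": built-in ACL manager redefined as type " $3; bad = 1
    }
    END {
        # A replacement only applies to a header that request_header_access
        # denies, either by name or through a denied "All" fallback.
        for (h in repl) {
            covered = (h in denied) || (!(h in seen) && ("all" in denied))
            if (!covered) {
                print "line " repl[h] ": request_header_replace " h " has no deny rule"; bad = 1
            }
        }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample: three problem patterns plus one correctly denied header.
sample_conf() {
cat <<'EOF'
acl manager proto cache_object
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
request_header_access Referer deny all
request_header_access All allow all
request_header_replace User-Agent Mozilla/5.0
request_header_replace Referer https://example.invalid/
EOF
}

sample_conf | audit_squid_conf || echo "audit: fix the findings above"
```

Run it as audit_squid_conf /etc/squid/squid.conf before restarting Squid.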
