Install And Configure High Anonymous Squid Proxy Server In Simple 4 Steps

In this tutorial, we will install the Squid proxy server on Ubuntu/Debian Linux, and try to configure it as a simple high anonymous proxy with basic authentication. 

Our Configuration policy is

1- Allow all traffic

2- Harden Proxy Server using basic authentication username and password.

3- Apply anonymous configs by denying specific headers requests and replies.

Install Squid Proxy Server

1- Update your Ubuntu Linux server

# apt update
# apt upgrade

2- Install Squid Proxy Server

# apt install squid

After the installation process is complete, Squid will start automatically and listen to port 3128 as you can check for squid is running

root@localhost:~# netstat -puntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      455/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      708/sshd: /usr/sbin
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      778/sshd: root@pts/
tcp6       0      0 :::22                   :::*                    LISTEN      708/sshd: /usr/sbin
tcp6       0      0 :::3128                 :::*                    LISTEN      22483/(squid-1)
tcp6       0      0 ::1:6010                :::*                    LISTEN      778/sshd: root@pts/
udp        0      0 127.0.0.53:53           0.0.0.0:*                           455/systemd-resolve
udp        0      0 0.0.0.0:47353           0.0.0.0:*                           22483/(squid-1)
udp6       0      0 :::41989                :::*                                22483/(squid-1)
root@localhost:~# systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-02-20 20:30:38 UTC; 1min 46s ago
       Docs: man:squid(8)
   Main PID: 22481 (squid)
      Tasks: 4 (limit: 1066)
     Memory: 15.8M
     CGroup: /system.slice/squid.service
             ├─22481 /usr/sbin/squid -sYC
             ├─22483 (squid-1) --kid squid-1 -sYC
             ├─22486 (logfile-daemon) /var/log/squid/access.log
             └─22487 (pinger)

Feb 20 20:30:38 localhost squid[22483]: Max Swap size: 0 KB
Feb 20 20:30:38 localhost squid[22483]: Using Least Load store dir selection
Feb 20 20:30:38 localhost squid[22483]: Set Current Directory to /var/spool/squid
Feb 20 20:30:38 localhost squid[22483]: Finished loading MIME types and icons.
Feb 20 20:30:38 localhost squid[22483]: HTCP Disabled.
Feb 20 20:30:38 localhost squid[22483]: Pinger socket opened on FD 14
Feb 20 20:30:38 localhost squid[22483]: Squid plugin modules loaded: 0
Feb 20 20:30:38 localhost squid[22483]: Adaptation support is off.
Feb 20 20:30:38 localhost squid[22483]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Feb 20 20:30:39 localhost squid[22483]: storeLateRelease: released 0 objects

You can use netstat command if you have installed the net-tools package as

# apt install net-tools

And you can Enable, and start Squid service by apply

# systemctl enable squid
# systemctl start squid

Configure Elite Squid Proxy Server

Set Proxy Authentication

3- Install apache2-utils utility package

# apt install apache2-utils

Using htpasswd command to create a basic authentication file squid_passwd which stores your username and password in MD5 algorithm hashed format.

# htpasswd -b -c /etc/squid/squid_passwd proxy_username proxy_password

4- configure Squid

We will try to configure Squid proxy to a high anonymous level. and will start to write our configuration file /etc/squid/squid.conf as the following…

But first, you may backup the current config file, then create a new one with our settings.

# mv /etc/squid/squid.conf /etc/squid/squid.conf_bk 
# touch /etc/squid/squid.conf

Squid Configure file

# Define allowable Networks or IPs.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# Define Your Secure VPN
acl vpn src 192.1.1.0/24

# Do not show client IP address
forwarded_for off
via off
# Prefer IPv4
dns_v4_first on
dns_nameservers 8.8.8.8 1.1.1.1
# Bypass all validation errors, and do not verify
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Apply authentcation
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access allow manager localhost
http_access allow vpn
http_access deny manager
http_access deny all
cache deny all
# Set port number to listen to
http_port 8080
coredump_dir /var/spool/squid

# Request Headers
## Deny follwoing requests for anonymous config
request_header_access Via deny all
request_header_access Forwarded-For deny all
request_header_access X-Forwarded-For deny all
request_header_access Referer deny all
request_header_access From deny all
request_header_access Cookie deny all
## Allow all Others
request_header_access All allow all

# Replace User-agent string
request_header_replace User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36'

# Reply Headers
## Deny follwoing replies for anonymous config
reply_header_access Via deny all
reply_header_access Server deny all
reply_header_access WWW-Authenticate deny all
reply_header_access Link deny all
reply_header_access Cookie deny all

## Allow all others 
reply_header_access All allow all