In this tutorial, we will install the Squid proxy server on Ubuntu/Debian Linux, and try to configure it as a simple high anonymous proxy with basic authentication.
Our configuration policy is:
1- Allow all traffic.
2- Harden the proxy server using basic authentication with a username and password.
3- Apply anonymous configs by denying specific request and reply headers.
Install Squid Proxy Server
1- Update your Ubuntu Linux server
# apt update
# apt upgrade
2- Install Squid Proxy Server
# apt install squid
After the installation process is complete, Squid starts automatically and listens on port 3128. You can check that Squid is running:
root@localhost:~# netstat -puntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      455/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      708/sshd: /usr/sbin
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      778/sshd: root@pts/
tcp6       0      0 :::22                   :::*                    LISTEN      708/sshd: /usr/sbin
tcp6       0      0 :::3128                 :::*                    LISTEN      22483/(squid-1)
tcp6       0      0 ::1:6010                :::*                    LISTEN      778/sshd: root@pts/
udp        0      0 127.0.0.53:53           0.0.0.0:*                           455/systemd-resolve
udp        0      0 0.0.0.0:47353           0.0.0.0:*                           22483/(squid-1)
udp6       0      0 :::41989                :::*                                22483/(squid-1)
root@localhost:~# systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-02-20 20:30:38 UTC; 1min 46s ago
       Docs: man:squid(8)
   Main PID: 22481 (squid)
      Tasks: 4 (limit: 1066)
     Memory: 15.8M
     CGroup: /system.slice/squid.service
             ├─22481 /usr/sbin/squid -sYC
             ├─22483 (squid-1) --kid squid-1 -sYC
             ├─22486 (logfile-daemon) /var/log/squid/access.log
             └─22487 (pinger)

Feb 20 20:30:38 localhost squid[22483]: Max Swap size: 0 KB
Feb 20 20:30:38 localhost squid[22483]: Using Least Load store dir selection
Feb 20 20:30:38 localhost squid[22483]: Set Current Directory to /var/spool/squid
Feb 20 20:30:38 localhost squid[22483]: Finished loading MIME types and icons.
Feb 20 20:30:38 localhost squid[22483]: HTCP Disabled.
Feb 20 20:30:38 localhost squid[22483]: Pinger socket opened on FD 14
Feb 20 20:30:38 localhost squid[22483]: Squid plugin modules loaded: 0
Feb 20 20:30:38 localhost squid[22483]: Adaptation support is off.
Feb 20 20:30:38 localhost squid[22483]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Feb 20 20:30:39 localhost squid[22483]: storeLateRelease: released 0 objects
You can use the netstat command if you have installed the net-tools package:
# apt install net-tools
You can enable and start the Squid service with:
# systemctl enable squid
# systemctl start squid
Configure Elite Squid Proxy Server
Set Proxy Authentication
3- Install the apache2-utils utility package
# apt install apache2-utils
Use the htpasswd command to create the basic authentication file squid_passwd, which stores your username and password in MD5-hashed format.
# htpasswd -b -c /etc/squid/squid_passwd proxy_username proxy_password
4- Configure Squid
We will configure the Squid proxy for a high level of anonymity by writing our configuration file /etc/squid/squid.conf as follows.
But first, back up the current config file, then create a new one for our settings.
# mv /etc/squid/squid.conf /etc/squid/squid.conf_bk
# touch /etc/squid/squid.conf
Squid configuration file
# Define allowable networks or IPs.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

# Define your secure VPN
acl vpn src 192.1.1.0/24

# Do not show client IP address
forwarded_for off
via off

# Prefer IPv4
dns_v4_first on
dns_nameservers 8.8.8.8 1.1.1.1

# Bypass all certificate validation errors, and do not verify the peer
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# Apply authentication
# (some releases install the helper as /usr/lib/squid/basic_ncsa_auth)
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access allow manager localhost
http_access allow vpn
http_access deny manager
http_access deny all
cache deny all

# Set port number to listen to
http_port 8080
coredump_dir /var/spool/squid

# Request Headers
## Deny following requests for anonymous config
request_header_access Via deny all
request_header_access Forwarded-For deny all
request_header_access X-Forwarded-For deny all
request_header_access Referer deny all
request_header_access From deny all
request_header_access Cookie deny all
## User-Agent must be denied for request_header_replace below to take effect
request_header_access User-Agent deny all
## Allow all others
request_header_access All allow all

# Replace User-agent string
request_header_replace User-Agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36'

# Reply Headers
## Deny following replies for anonymous config
reply_header_access Via deny all
reply_header_access Server deny all
reply_header_access WWW-Authenticate deny all
reply_header_access Link deny all
reply_header_access Cookie deny all
## Allow all others
reply_header_access All allow all
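
The following added example (not part of the original tutorial) models how the request_header_access and request_header_replace rules above decide which request headers reach the origin server. It assumes every rule uses the all ACL; the configuration excerpt, the request headers and the ExampleAgent/1.0 string are constructed for illustration.

```python
# Model of request_header_access / request_header_replace (added example).
# Assumes every rule uses the "all" ACL; Squid's "Other" keyword is not modeled.
SAMPLE_CONF = """\
request_header_access X-Forwarded-For deny all
request_header_access Cookie deny all
request_header_access User-Agent deny all
request_header_access All allow all
request_header_replace User-Agent ExampleAgent/1.0
"""  # constructed excerpt in the style of the configuration above

SAMPLE_REQUEST = [  # constructed client request headers
    ("Host", "example.com"), ("User-Agent", "curl/7.68.0"),
    ("Cookie", "session=constructed"), ("X-Forwarded-For", "192.0.2.10"),
]

def parse_rules(conf):
    """Return (access, replace) dicts keyed by lowercase header name."""
    access, replace = {}, {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive, header, rest = parts[0], parts[1].lower(), parts[2]
        if directive == "request_header_access":
            access.setdefault(header, rest.split()[0])  # first rule wins
        elif directive == "request_header_replace":
            replace[header] = rest
    return access, replace

def verdict(header, access):
    """A header-specific rule beats the "All" rule; with no rule, allow."""
    return access.get(header.lower(), access.get("all", "allow"))

def mangle(headers, access, replace):
    """Return the headers as the proxy would forward them."""
    out = []
    for name, value in headers:
        if verdict(name, access) == "allow":
            out.append((name, value))
        elif name.lower() in replace:  # denied with a replacement: rewritten
            out.append((name, replace[name.lower()]))
    return out  # denied without a replacement: dropped

def dead_replacements(access, replace):
    """Replacements that never fire because their header is not denied."""
    return sorted(h for h in replace if verdict(h, access) != "deny")

if __name__ == "__main__":
    for name, value in mangle(SAMPLE_REQUEST, *parse_rules(SAMPLE_CONF)):
        print(f"{name}: {value}")
```

Running dead_replacements over a parsed configuration lists every request_header_replace whose header is not also denied, in which case the client's original value is forwarded unchanged.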