Oct 13 2011

In former articles I've talked about Tor and SSH to browse the net in a more secure (or at least anonymous) way.
But sometimes it's easier to do the configuration just once on a server, set up a proxy there, and then use it as the proxy for all your computers, or perhaps for all your office's or friends' computers.

And with a VPS this is a cheap way to browse the net starting from another part of the world.

So in this article we’ll see how to do a basic setup of Squid.




I'll do the setup on Debian 6, so some installation commands or the location of the configuration file could be different on your distribution.

First, a short description of Squid:

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

Installation

Squid is available on Debian, so we can install version 3 with the command:

aptitude install squid3 squid3-common

This also automatically installs all the requirements that we need.

Configuration

Now we just need to change some parameters so that only our IP or LAN is allowed to use Squid.

Allow the access to Squid only from your IP

You probably don't want to create a public Squid proxy that everyone can use... and abuse.
So we'll create a rule so that only your IP can connect to Squid.

Find the following line in the file /etc/squid3/squid.conf:

#acl localnet src 10.0.0.0/8

This line, once uncommented, creates an ACL (access control list) named localnet that matches every IP in the 10.0.0.0/8 network.

Now you have 2 choices:

1) If you have a public IP you can just use it. If your IP is 1.2.3.4, change the above line (removing the leading #) to:

acl localnet src 1.2.3.4

2) If you have a dynamic IP, the best solution is to open a range of IPs. This is less secure than opening just one, but much better than leaving Squid wide open. To open the range from 1.2.3.0 to 1.2.3.254, make the following change:

acl localnet src 1.2.3.0/24

Now you must add another parameter to match this change. Search for the string:

http_access allow localhost

and ALSO add the line

http_access allow localnet

Change standard port

For security reasons I prefer not to use the default ports when possible, so I suggest searching for this line:

http_port 3128

and changing 3128 to any other port > 1024.

Anonymous Browsing

By default Squid forwards the client IP to the website being visited. To set up an anonymous proxy we disable this, so that client IPs are hidden and only the IPs configured on the Squid server are sent. Find the following line in the file /etc/squid3/squid.conf:

forwarded_for on

Change it to:

forwarded_for off

And add the following directives at the bottom of the squid.conf file:

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

All done, save the file and restart squid with the command:

/etc/init.d/squid3 restart
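
The undefined-ACL failure is easy to hit with the edits above: if the acl line stays commented out, or sits below the http_access line that uses it, Squid refuses to start. The following lint for the directives edited in this article is an added example, not part of the original post; check_squid_conf and the sample configuration are constructed for illustration.

```python
import ipaddress

def check_squid_conf(text):
    """Lint the squid.conf lines this article edits; return a list of findings."""
    findings, acls = [], {"all"}   # 'all' needs no acl line in Squid 3
    denied_all, forwarded_for = False, "on"   # "on" is Squid's default
    for num, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(parts) < 2:
            continue
        directive, args = parts[0], parts[1:]
        if directive == "acl":
            acls.add(args[0])
            for value in args[2:] if args[1:2] == ["src"] else []:
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue           # address ranges etc. are not checked here
                if net.prefixlen == 0:
                    findings.append(f"line {num}: acl {args[0]} matches every address")
        elif directive == "http_access":
            for name in (a.lstrip("!") for a in args[1:]):
                if name not in acls:
                    findings.append(f"line {num}: ACL '{name}' is not defined above this line")
            if args[0] == "allow" and denied_all:
                findings.append(f"line {num}: allow rule placed after 'deny all' is never reached")
            if args[1:] == ["all"]:
                if args[0] == "allow":
                    findings.append(f"line {num}: proxy is open to every client")
                else:
                    denied_all = True
        elif directive == "http_port" and args[0].rsplit(":", 1)[-1] == "3128":
            findings.append(f"line {num}: still listening on the default port 3128")
        elif directive == "forwarded_for":
            forwarded_for = args[0]
    if forwarded_for != "off":
        findings.append("forwarded_for is not off: the client IP is sent upstream")
    return findings

# Constructed sample: the localnet acl was left commented out, as shipped.
SAMPLE = """\
#acl localnet src 10.0.0.0/8
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 3128
"""
if __name__ == "__main__":
    print("\n".join(check_squid_conf(SAMPLE)))
```

Squid's own syntax check, squid3 -k parse, also reports an undefined ACL before you restart.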

On the Browser

Now you just have to change the proxy settings in your browser. For example, in Firefox they are located in Edit -> Preferences -> Advanced -> Network -> Settings; there, select “Manual proxy configuration” and enter the IP and port of your Squid server as the HTTP proxy.

Visit http://www.whatismyip.com/ and you should see the IP of your Linux server.

NOTE: HTTPS sites will NOT work in this anonymous setup.


  12 Responses to “How to setup a Squid Proxy on your Debian Linux”

  1. Hi, first of all congratulations on the article. I followed the instructions step by step and managed to install and configure squid on my PC with Ubuntu 10.04, but I didn't really understand how the anonymity part would work: should I install it on a VPS to hide the client's IP (and so show the server's IP), or is it possible in some way to do it from my PC as well?

  2. But if, instead of using a range of IPs, we allowed access only to preconfigured users, would that work? And would we have fewer problems with the IPs? (If it is possible, could you show me how to do it?)

    Otherwise, if I set as the client IP a hostname redirected by noip, would that work? Bye and thanks

    I need to access a user's connection via proxy, but with ADSL my IP changes a lot and I wouldn't want to leave everything open

  3. ubuntu
    /etc/init.d/squid restart

    Debian 6
    /etc/init.d/squid3 restart

  4. How can we add authenticated users to our squid cache ?
    I want to add existing users for authentication privileges to squid.

    Thanks

  5. Is there a way to setup the proxy so that I can visit HTTPS sites? Thanks

  6. Hi,

    for the install, a simple aptitude install squid3 is enough.
    squid3-common is a dependency of squid3 🙂
    That way, the day you remove squid3, the common package will go with it, which makes for a cleaner uninstall.

    Thanks for the tutorial anyway 🙂

  7. The localnet part doesn't seem to work in squid3 for Debian 6

    Restarting Squid HTTP Proxy 3.x: squid3Creating Squid HTTP Proxy 3.x cache structure ... (warning).
    2013/09/01 14:10:17| aclParseAclList: ACL name 'localnet' not found.
    FATAL: Bungled squid.conf line 788: http_access allow localnet
    Squid Cache (Version 3.1.6): Terminated abnormally.
    CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
    Maximum Resident Size: 17312 KB
    Page faults with physical i/o: 0
    2013/09/01 14:10:17| aclParseAclList: ACL name 'localnet' not found.
    FATAL: Bungled squid.conf line 788: http_access allow localnet
    Squid Cache (Version 3.1.6): Terminated abnormally.
    CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
    Maximum Resident Size: 17312 KB
    Page faults with physical i/o: 0

  8. Hello.
    I want to make my proxy open to all, without requiring anything, how can I do that?
    Thank you in advance.
