This howto describes step by step a method to install a SQUID 3 server as an Anonymous Proxy. An anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on the user’s behalf, protecting personal information by hiding the source computer’s identifying information. Simply say to hide your IP.
The following How To sets up CentOS 5 as OS but it can be implemented on CentOS 4, Fedora Core 5-9 with same steps and SQUID version 3. By default SQUID only uses the default IP to communicate on the Internet but we will make use of all IPs available on the server to act as an anonymous proxy, i.e., if a user connects to IP1 of server then IP1 will act as a proxy and forward the same IP, if a user connects to IP2 then IP2 will act as a proxy and foward the same IP and so on and also we will implement ncsa user based authentication to protect the server from unauthorized usage.
Server = CentOS 5.2, SQUID = version 3, IPs = 192.168.0.1 – 192.168.0.5
1) Installation Of Squid 3:
CentOS 5 comes with Squid 2.6 but we need Squid 3, so we will download the source rpm of squid 3 and compile it for our OS.
1.1) Install Prerequisites
Install pre-requisite software, i.e. development tools to get all the compilers, libraries and other rpms for the compilation of SQUID 3.
yum -y groupinstall “Development Tools”
yum -y install rpm-build openjade linuxdoc-tools openldap-devel pam-devel openssl-devel httpd rpm-devel
1.2) Download Squid 3 Source RPM
Download source rpm of Squid 3 from the FEDORA website and install it.
rpm -ivh squid-3.0.STABLE10-1.fc10.src.rpm
1.3) Compile Squid 3
Use the following commands to start the compilation, at the end it will generate an rpm file to install:
rpmbuild -bb squid.spec
1.4) Install Squid 3
Install the newly built rpm, which will be found in /usr/src/redhat/RPMS/i386 for i686 and /usr/src/redhat/RPMS/x86_64 for x86_64.
rpm -Uvh /usr/src/redhat/RPMS/i386/squid-3.0.STABLE10-1.i386.rpm
I will use the default squid.conf to edit.
2.1) Configure auth_param
We will enable ncsa authentication to access our squid server. Find the following lines:
#auth_param basic program <uncomment and complete this line> #auth_param basic childred 5 #auth_param basic realm Squid proxy-caching web server #auth_param basic credentialsttl 2 hours
Change it to:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd auth_param basic childred 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours
2.2) Create proxy_auth acl
Here we will create proxy_auth acl to prompt user/pass to everyone who wants to use our anonymous proxy. Find the following line:
#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
We will insert our proxy_auth rule below the above line.
#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS acl ncsaauth proxy_auth REQUIRED http_access allow ncsaauth
2.3) Disable Forwarded Client IP
By default squid forwards the client IP to the respective website, but to set up an anonymous proxy we will disable it to hide client IPs and send only IPs which are configured on the squid server. Find the following line squid.conf:
Change it to:
2.4) Configure IPs
Now we will generate rules for outgoing IPs, i.e. if anyone connects to any IP of my server, so it will go with the same IP to the destination server. In this way we can connect several clients on different IPs and all IPs act as an anonymous proxy. Find the following line:
# TAG: tcp_outgoing_address
Add the following lines below it:
acl ip1 myip 192.168.0.1 tcp_outgoing_address 192.168.0.1 ip1 acl ip2 myip 192.168.0.2 tcp_outgoing_address 192.168.0.2 ip2 acl ip3 myip 192.168.0.3 tcp_outgoing_address 192.168.0.3 ip3 acl ip4 myip 192.168.0.4 tcp_outgoing_address 192.168.0.4 ip4 acl ip5 myip 192.168.0.5 tcp_outgoing_address 192.168.0.5 ip5
You can add as many IPs as you like, just use the same pattern as above.
2.5) Enable Anonymizer (Anonymous Proxy)
Put the following lines at the bottom of your squid.conf:
request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access User-Agent allow all request_header_access Cookie allow all request_header_access All deny all
Configuration is finished, save the file.
3) User Management
Now it’s time to create the squid_passwd file, in which we will put our users for authentication using ncsa. For this we need the htpasswd command to generate a user/pass.
Create the file to hold the usernames and passwords:
3.1) Create New User
htpasswd /etc/squid/squid_passwd proxyadmin
Where /etc/squid/squid_passwd is a file, in which all users go, and proxyadmin is a username which will be added with the password given.
3.2) To Update Password
Use the same command for existing users.
htpasswd /etc/squid/squid_passwd proxyadmin
4) Service Management
Run the squid service and add it up at startup.
service squid start
chkconfig squid on
5.1) visible_hostname error
If you see a visible_hostname error after starting the service, then again edit the /etc/squid/squid.conf file and add the visible_hostname tag with your server hostname.
Your server is ready now and you can use Firefox or IExplorer on your client to check if it’s working. I have used the default port 3128 for squid, so use any of the above IPs and ports to connect. As it connects it will prompt you for a user/pass; type in the right user/pass and you will start browsing the site. To check the anonymity open http://www.whatsmyipaddress.com. If you have done something wrong in request_header_access, your proxy can be detected; but if everything is fine, it will just show the IP and assume it’s a direct connection without a proxy.