Anonymous Proxy Using SQUID 3 On CentOS 5.x

This howto describes, step by step, how to install a SQUID 3 server as an anonymous proxy. An anonymous proxy is a tool that attempts to make activity on the Internet untraceable: it accesses the Internet on the user's behalf and protects personal information by hiding the source computer's identifying information. Put simply, it hides your IP.

The following HowTo uses CentOS 5 as the OS, but the same steps work on CentOS 4 and Fedora Core 5-9 with SQUID version 3. By default SQUID uses only the server's primary IP to communicate with the Internet, but we will make use of all IPs available on the server so that each of them acts as an anonymous proxy: if a user connects to IP1 of the server, IP1 acts as the proxy and forwards the request with IP1 as its source; if a user connects to IP2, IP2 acts as the proxy and forwards with IP2, and so on. We will also implement NCSA user-based authentication to protect the server from unauthorized use.

Server = CentOS 5.2, SQUID = version 3, IPs = 192.168.0.1 - 192.168.0.5

 

1) Installation Of Squid 3:

CentOS 5 ships with Squid 2.6, but we need Squid 3, so we will download the source rpm of Squid 3 and build it for our OS.

 

1.1) Install Prerequisites

Install the prerequisite software, i.e. the Development Tools group, to get the compilers, libraries and other rpms needed to compile SQUID 3 (httpd is included because its htpasswd command is used later for user management).

yum -y groupinstall "Development Tools"
yum -y install rpm-build openjade linuxdoc-tools openldap-devel pam-devel openssl-devel httpd rpm-devel

 

1.2) Download Squid 3 Source RPM

Download the source rpm of Squid 3 from the Fedora website and install it. If the URL below no longer works, the same package is kept in the Fedora archive at http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm.

cd /usr/src
wget http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
rpm -ivh squid-3.0.STABLE10-1.fc10.src.rpm

 

1.3) Compile Squid 3

Use the following commands to start the compilation; at the end it will generate an rpm file to install:

cd /usr/src/redhat/SPECS
rpmbuild -bb squid.spec

 

1.4) Install Squid 3

Install the newly built rpm, which will be found in /usr/src/redhat/RPMS/i386 on 32-bit (i686) systems and in /usr/src/redhat/RPMS/x86_64 on 64-bit systems (adjust the path below accordingly).

rpm -Uvh /usr/src/redhat/RPMS/i386/squid-3.0.STABLE10-1.i386.rpm

 

2) Configuration

We will edit the default squid.conf that the rpm installed.

vi /etc/squid/squid.conf

 

2.1) Configure auth_param

We will enable NCSA authentication for access to our squid server. Find the following lines:

#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

Change them to:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

On x86_64 systems the helper is installed under /usr/lib64/squid/ncsa_auth instead; verify the path with rpm -ql squid | grep ncsa_auth, since a wrong path makes squid abort at startup with "No such file or directory". Note that basic authentication sends the username and password Base64-encoded, i.e. effectively in clear text, between the client and the proxy, so it protects the proxy against casual unauthorized use but not against anyone who can sniff that connection.

 

2.2) Create proxy_auth acl

Here we will create a proxy_auth acl so that everyone who wants to use our anonymous proxy is prompted for a username and password. Find the following line:

#INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

We will insert our proxy_auth rule below the above line. It must stay above the http_access deny all line at the end of the default configuration, because squid evaluates http_access rules in order and the first match wins.

#INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth

 

2.3) Disable Forwarded Client IP

By default squid forwards the client IP to the destination website in the X-Forwarded-For header, but to set up an anonymous proxy we will disable this so that only the IPs configured on the squid server are visible. Find the following line in squid.conf:

forwarded_for on

Change it to:

forwarded_for off

With forwarded_for off, Squid 3.0 still sends the header but with the value "unknown" instead of the client address. Squid 3.1 and later also accept forwarded_for delete, which removes the header entirely (see http://www.squid-cache.org/Doc/config/forwarded_for/).

 

2.4) Configure IPs

Now we will generate rules for the outgoing IPs: if a client connects to any IP of the server, squid will use that same IP as the source address when it connects to the destination server. In this way several clients can connect on different IPs and every IP acts as an anonymous proxy. Find the following line:

# TAG: tcp_outgoing_address

Add the following lines below it:

acl ip1 myip 192.168.0.1
tcp_outgoing_address 192.168.0.1 ip1
acl ip2 myip 192.168.0.2
tcp_outgoing_address 192.168.0.2 ip2
acl ip3 myip 192.168.0.3
tcp_outgoing_address 192.168.0.3 ip3
acl ip4 myip 192.168.0.4
tcp_outgoing_address 192.168.0.4 ip4
acl ip5 myip 192.168.0.5
tcp_outgoing_address 192.168.0.5 ip5

You can add as many IPs as you like, just use the same pattern as above.
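Because the pattern above is repeated once per address, it is easy to mistype an IP and end up with a rule that binds to nothing. The following shell script is an added example (not part of the original howto) that generates the acl/tcp_outgoing_address pairs from a list of addresses and rejects anything that is not a valid IPv4 address; the acl names ip1, ip2, ... follow the howto, and the 192.168.0.x addresses are the howto's own examples.

```shell
#!/bin/sh
# Added example (not from the original howto): generate the acl/tcp_outgoing_address
# pairs of section 2.4 for any number of server IPs, so the list can be regenerated
# from a list of addresses instead of being edited by hand.

# is_ipv4 ADDR: succeed only if ADDR is four dotted decimal octets in 0-255
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_outgoing_rules IP...: print one acl/tcp_outgoing_address pair per address.
# Invalid arguments are skipped with a message on stderr and the function
# returns 1, so a typo cannot silently produce a rule that binds nothing.
gen_outgoing_rules() {
    index=1
    status=0
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            printf 'acl ip%d myip %s\ntcp_outgoing_address %s ip%d\n' \
                "$index" "$ip" "$ip" "$index"
            index=$((index + 1))
        else
            printf 'skipping invalid IPv4 address: %s\n' "$ip" >&2
            status=1
        fi
    done
    return $status
}

# Usage: emit the five rules from the howto; redirect the output to a file and
# paste it below the "# TAG: tcp_outgoing_address" line in squid.conf.
gen_outgoing_rules 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5
```

The validation deliberately stops at syntax; whether an address is actually configured on the server is something only ip addr (or ifconfig) on the box can tell you, and squid will log a bind error at startup if it is not.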

 

2.5) Enable Anonymizer (Anonymous Proxy)

Put the following lines at the bottom of your squid.conf. Each request_header_access line allows one header through to the destination server, and the final "All deny all" line strips every header that is not explicitly listed. Note that User-Agent and Cookie are still allowed, so the proxy hides the client's IP but not everything a site can use to recognise a client; remove entries from the list with care, because many sites need these headers to work.

request_header_access Allow allow all 
request_header_access Authorization allow all 
request_header_access WWW-Authenticate allow all 
request_header_access Proxy-Authorization allow all 
request_header_access Proxy-Authenticate allow all 
request_header_access Cache-Control allow all 
request_header_access Content-Encoding allow all 
request_header_access Content-Length allow all 
request_header_access Content-Type allow all 
request_header_access Date allow all 
request_header_access Expires allow all 
request_header_access Host allow all 
request_header_access If-Modified-Since allow all 
request_header_access Last-Modified allow all 
request_header_access Location allow all 
request_header_access Pragma allow all 
request_header_access Accept allow all 
request_header_access Accept-Charset allow all 
request_header_access Accept-Encoding allow all 
request_header_access Accept-Language allow all 
request_header_access Content-Language allow all 
request_header_access Mime-Version allow all 
request_header_access Retry-After allow all 
request_header_access Title allow all 
request_header_access Connection allow all 
request_header_access Proxy-Connection allow all 
request_header_access User-Agent allow all 
request_header_access Cookie allow all 
request_header_access All deny all 

Configuration is finished; save the file and run squid -k parse to check it for syntax errors before starting the service.
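A syntax check does not tell you whether the anonymizing settings from sections 2.1 to 2.5 are actually in effect. The following script is an added example (not part of the original howto) that reads a squid.conf and reports the settings those sections depend on: an active auth_param basic program line, a proxy_auth acl that is allowed by http_access, forwarded_for set to off (or delete on Squid 3.1+), and the request_header_access All deny all catch-all. Headers the howto allows that still identify the client are reported as notes. The two sample configuration fragments it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original howto: a read-only check of a squid.conf
# for the settings sections 2.1 to 2.5 depend on. It prints one line per finding,
# prefixed "problem:" or "note:", and returns the number of problems (0 = pass).

# Drop comments and blank lines so commented-out defaults are not mistaken for
# active settings (the stock squid.conf ships most directives commented out).
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

audit_squid_conf() {
    conf=$1
    problems=0

    # 2.1: the basic auth helper must be configured
    if ! active_lines "$conf" | awk '$1 == "auth_param" && $2 == "basic" && $3 == "program" { f = 1 } END { exit !f }'; then
        echo "problem: no active 'auth_param basic program' line (section 2.1)"
        problems=$((problems + 1))
    fi

    # 2.2: a proxy_auth acl must exist and be allowed by http_access
    authacl=$(active_lines "$conf" | awk '$1 == "acl" && $3 == "proxy_auth" { print $2; exit }')
    if [ -z "$authacl" ]; then
        echo "problem: no 'acl <name> proxy_auth' line (section 2.2)"
        problems=$((problems + 1))
    elif ! active_lines "$conf" | awk -v a="$authacl" '$1 == "http_access" && $2 == "allow" && $3 == a { f = 1 } END { exit !f }'; then
        echo "problem: 'http_access allow $authacl' missing (section 2.2)"
        problems=$((problems + 1))
    fi

    # 2.3: forwarded_for defaults to on, which sends the client IP upstream
    ff=$(active_lines "$conf" | awk '$1 == "forwarded_for" { v = $2 } END { print v }')
    case $ff in
        off|delete) ;;
        *) echo "problem: forwarded_for is '${ff:-unset}', expected off (or delete on Squid 3.1+) (section 2.3)"
           problems=$((problems + 1)) ;;
    esac

    # 2.5: without the catch-all deny, every unlisted header passes through
    if ! active_lines "$conf" | awk 'tolower($1) == "request_header_access" && tolower($2) == "all" && $3 == "deny" && $4 == "all" { f = 1 } END { exit !f }'; then
        echo "problem: no 'request_header_access All deny all' catch-all (section 2.5)"
        problems=$((problems + 1))
    fi

    # Headers the howto allows that still identify the client: reported, not counted
    for h in User-Agent Cookie Referer Accept-Language; do
        if active_lines "$conf" | awk -v h="$h" 'tolower($1) == "request_header_access" && tolower($2) == tolower(h) && $3 == "allow" { f = 1 } END { exit !f }'; then
            echo "note: $h is forwarded; it can identify the client even though the IP is hidden"
        fi
    done
    return $problems
}

# write_sample_conf FILE MODE: constructed fragments for the demonstration.
# "howto" mirrors sections 2.1-2.5; "leaky" is a deliberately incomplete one.
write_sample_conf() {
    case $2 in
        howto) cat > "$1" <<'EOF'
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
#INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
http_access deny all
forwarded_for off
acl ip1 myip 192.168.0.1
tcp_outgoing_address 192.168.0.1 ip1
request_header_access Host allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
EOF
        ;;
        leaky) cat > "$1" <<'EOF'
#auth_param basic program <uncomment and complete this line>
acl ncsaauth proxy_auth REQUIRED
http_access deny all
forwarded_for on
request_header_access Host allow all
EOF
        ;;
    esac
}

# Usage: run against the two samples; on a real server pass /etc/squid/squid.conf
demo=$(mktemp)
write_sample_conf "$demo" howto
if audit_squid_conf "$demo"; then echo "howto fragment: no problems"; fi
write_sample_conf "$demo" leaky
audit_squid_conf "$demo" || echo "leaky fragment: $? problem(s)"
rm -f "$demo"
```

The check only looks at uncommented lines, because the stock squid.conf contains the forwarded_for and auth_param directives as commented-out defaults, and a grep that ignores the leading # would happily report settings that squid never reads.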

 

3) User Management

Now it's time to create the squid_passwd file, in which we will put the users that ncsa_auth checks credentials against. For this we need the htpasswd command, which comes with the httpd package installed in step 1.1.

Create the file to hold the usernames and passwords:

touch /etc/squid/squid_passwd

 

3.1) Create New User

htpasswd /etc/squid/squid_passwd proxyadmin

Here /etc/squid/squid_passwd is the file that holds all users, and proxyadmin is the username to add; htpasswd prompts for the password and stores only a hash of it. By default htpasswd on CentOS 5 writes traditional crypt hashes, which use only the first 8 characters of the password; htpasswd -m writes MD5 hashes instead, which ncsa_auth also accepts. Since the helper runs as the squid user, the file must be readable by it but should not be world-readable, e.g. chown root:squid /etc/squid/squid_passwd and chmod 640 /etc/squid/squid_passwd.

 

3.2) To Update Password

Use the same command for an existing user; htpasswd replaces the stored password hash for that username.

htpasswd /etc/squid/squid_passwd proxyadmin
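Squid does not validate squid_passwd when it starts, so a malformed line or a duplicate username is only noticed when a login fails. The following script is an added example (not part of the original howto) that checks the password file from sections 3, 3.1 and 3.2 before a restart: it reports lines that are not user:hash, duplicate usernames and unrecognised hash formats as problems, and traditional crypt hashes as notes because of their 8-character password limit. The sample file written by write_sample_passwd is constructed for the demonstration; its hashes are not real credentials.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity-check the squid_passwd
# file from section 3 before (re)starting squid. Returns the number of problems
# found (0 = the file looks usable); crypt-format hashes are reported as notes.

check_passwd_file() {
    file=$1
    problems=0
    lineno=0
    seen=" "
    # read -r keeps backslashes; the || clause handles a missing final newline
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        user=${line%%:*}
        hash=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$hash" ]; then
            echo "problem: line $lineno is not in user:hash form"
            problems=$((problems + 1))
            continue
        fi
        case $seen in
            *" $user "*)
                echo "problem: line $lineno: duplicate user '$user'"
                problems=$((problems + 1)) ;;
            *) seen="$seen$user " ;;
        esac
        case $hash in
            '$apr1$'*) ;;   # MD5 as written by htpasswd -m
            '{SHA}'*)
                echo "note: line $lineno: {SHA} hash for '$user'; confirm your ncsa_auth build accepts it" ;;
            ?????????????)  # exactly 13 characters: the traditional crypt format
                case $hash in
                    *[!./0-9A-Za-z]*)
                        echo "problem: line $lineno: unrecognised hash format for '$user'"
                        problems=$((problems + 1)) ;;
                    *)
                        echo "note: line $lineno: crypt hash for '$user' (password limited to 8 characters)" ;;
                esac ;;
            *)
                echo "problem: line $lineno: unrecognised hash format for '$user'"
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    return $problems
}

# write_sample_passwd FILE: a constructed file mixing good and bad entries
write_sample_passwd() {
    cat > "$1" <<'EOF'
# constructed sample; these hashes are not real credentials
proxyadmin:$apr1$saltsalt$abcdefghijklmnopqrstuv
bob:abJnggxhB/yWI
bob:$apr1$saltsalt$vutsrqponmlkjihgfedcba
carol
:nouser
dave:notahash
EOF
}

# Usage: on a real server run check_passwd_file /etc/squid/squid_passwd
demo=$(mktemp)
write_sample_passwd "$demo"
check_passwd_file "$demo" || echo "$? problem(s) found"
rm -f "$demo"
```

Reading the file with a redirect on the while loop rather than through a pipe keeps the counters in the current shell, which is what lets the function return the problem count to the caller.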

 

4) Service Management

Start the squid service and enable it at boot.

service squid start
chkconfig squid on

 

5) Troubleshooting

5.1) visible_hostname error

If you see a visible_hostname error after starting the service, edit /etc/squid/squid.conf again and add the visible_hostname tag with your server's hostname.

visible_hostname server1  

Your server is ready now, and you can use Firefox or Internet Explorer on a client to check that it works. I have used squid's default port 3128, so point the browser at any of the IPs above on that port. On the first request it will prompt for a username and password; enter a valid pair and you will start browsing. To check the anonymity open http://www.whatsmyipaddress.com. If something is wrong in the request_header_access section, the site can detect your proxy; if everything is fine, it will only show the server IP and treat the visit as a direct connection without a proxy.

21 Comment(s)

Comments

By: Anonymous

I have a ton of usernames and passwords and it's SUCH A CHORE to re-add them every time I reinstall the OS because Ubuntu or CentOS 5.2 crashed and kicks everyone off the proxy server. ANYBODY got a quick and nearly instant way to input usernames and passwords?? Help!

 

By: Anonymous

I think the correct command should be rpm groupinstall -y "Development Tools"

 

By: HQ Network

On a CentOS 5.5 box, I was able to get yum to work with groupinstall

yum groupinstall "Development Tools"

(as opposed to rpm...) 

By: Anonymous

I repeatedly got a bad exit status for iconv ('iconv: conversion from ISO88591 unsupported' and 'iconv: conversion to UTF8 unsupported'). Maybe a problem with the .spec file. Changing

iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp

to 

iconv -f ISO-8859-1 -t UTF-8 ChangeLog -o ChangeLog.tmp

didn't work and gave a not found error for ChangeLog.tmp

Changing to 

iconv -f ISO-8859-1 -t UTF-8 ChangeLog > ChangeLog.tmp

worked fine though

By: HQ Network

To download Squid 3 via wget, the link above may no longer work. They have since moved it to the release directory.

http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm

By: Ataa

New Location : http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm

By:

Here is the addition if you want to bypass the login screen for your local network clients.  I also added a bypass for Hamachi (5.0.0.0/8) since I use this setup to securely browse from open hotspots. 

#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl our_networks src 192.168.1.0/24 5.0.0.0/8
http_access allow our_networks
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth

By:

You must have missed something, as I have used a similar configuration on several servers and all work fine. Double-check your configuration.

Regards,

By: Anonymous

I think the Author is really an idiot, he missed the most important point, which is:

EITHER, the client computer ip will be hidden or the Proxy Server's ip will be hidden, BUT NEVER both.

Put simply, if you set "forwarded_for" to off, the proxy server's IP will be hidden, but the cost is showing the client computer's IP. If you set forwarded_for to on, the client computer's IP will be hidden, but the proxy server's IP will be shown.

By: Sohail

You should read this carefully first, then post your comments. You make yourself an idiot by simply ignoring the following statement:

It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information. Simply say to hide your IP.

It clearly says "source computer's identifying information".

 

By: Anonymous

I just LOL'ed at this. It never hides the IP of the proxy server. The proxy server is connecting directly to the remote web server, so it is impossible to hide its IP (not counting IP spoofing, but that can't be used if you actually want to receive a response anyway). What you should have said was:

"forwarded_for" to off = source PC hidden

forwarded_for to On = nothing hidden (remote web server gets the proxy's IP and the source PC's IP)

 

By: Mahendran

I have set my browser settings and all, but when I open http://www.whatsmyipaddress.com

it shows my ISP IP in the browser. Please, can anyone help me out?

Thanks in advance

 

By: Tony

Did you figure out why whatismyipaddress.com was showing your ISP IP address? I tried this setup and it still shows my ISP address.

Does it matter that I have my squid proxy on the same machine that acts as the client?

My squid runs on 127.0.0.1:3128

I followed the instructions except for the authentication part, but I don't think that is the problem. Any suggestions? I'm using the latest squid ver. 3.1.9

By: ShoukaT

Getting this error:

 # service squid start

init_cache_dir /var/spool/squid... /etc/init.d/squid: line 62: 21692 Aborted                 $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1

Starting squid: /etc/init.d/squid: line 42: 21695 Aborted                 $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1

                                                           [FAILED]

I followed everything you wrote.

By: Anonymous

I've installed Squid on 2 Debian systems, 1 Fedora and 1 CentOS in the last few days, and for CentOS / Fedora I am using part of this tutorial as a source. 2 comments.

 

1) "Childred" in the NCSA code should obviously be "children".

 

2) Since we have to compile (the rpms for Fedora and CentOS are for 2.6, which misses a lot of essential features for a password-protected proxy), I think it makes more sense to go to the root of the program and use the source from squid-cache.org. In fact, using the Fedora source for CentOS (and even for Fedora itself) still gave me some bugs and issues.

 

 Thanks..

By: Anonymous

Hi!


That does not work with ClearOS 5.2

By: Anonymous

Does it work with IPv6? I have 2 IPv4 and 5 IPv6 addresses on my server. How can I add them all to squid?

By: Andre

Congratulations on the howto. Very useful!!

By: bubonick

Apparently my VPS is an x64 machine. After some poking around I discovered I needed to change one of the lines to the x64 location (CentOS)

 from: 

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd 

to:

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/squid_passwd 

I was able to locate the true path with:

cd

rpm -ql squid | grep ncsa_auth 

By:

I installed Squid on CentOS 6.

After doing the above configuration I got the following error. Can anyone help me?

 Starting squid:                                            [FAILED]

2013/02/25 04:31:04| Processing Configuration File: /etc/squid/squid.conf (depth 0)

FATAL: auth_param basic program /usr/lib/squid/ncsa_auth: (2) No such file or directory

Squid Cache (Version 3.1.10): Terminated abnormally.

CPU Usage: 0.010 seconds = 0.004 user + 0.006 sys

Maximum Resident Size: 22608 KB

Page faults with physical i/o: 2

What's happening?

 

By: Bob

Better set forwarded_for to delete instead of on/off, to completely delete it.

http://www.squid-cache.org/Doc/config/forwarded_for/