Secure and Private Browsing with Squid

Version 1.0

Author: Joe Topjian <joe [at] adminspotting [dot] net>

Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you're doing -- which is a good thing when you're doing something personal like checking email over the web or buying something from Amazon. But if you're just doing stuff like reading the daily news or checking movie times, is privacy that important? The ultra-paranoid will give a resounding "yes" to that question while most people will just shrug. I find myself in between those two parties. At home while I'm reading the news, I couldn't care less if the traffic is encrypted or not. However, when I'm at a public wi-fi spot, it does bother me a bit.

Most public areas that allow access to the internet have absolutely no security in place. Need a good eye-opener? Next time you're at a public hotspot, take a copy of the dsniff tools.

This article will show you a way to protect yourself from something like this -- in a way. This article will only show you how to protect your web traffic. If you still decide to talk to your CEO over AIM about some ultra-secret product coming out next week while waiting for your next flight, this won't save you. Squid can, of course, proxy requests for other applications besides HTTP, but HTTP is all I'll be covering. Maybe I'll go over other applications in another article.

OK, let's get started. Here's what we'll need:

  • A server running Squid on some other network.
  • A laptop with ssh and port-forwarding support.

What we're going to do is set up a Squid server somewhere outside the network we're currently on. Squid will only accept connections from the server itself -- no outside connections. Then how do we use it? We'll create an SSH tunnel into it. Once the tunnel is created, we simply set our web browser to use a proxy server with the address of our SSH tunnel. Now any web traffic going out of our laptop to our Squid server will be encrypted.

But what about from the Squid server to the actual webpage? That stuff won't be encrypted, unfortunately. But hey, at least we got outside the unprotected LAN securely.

I'll be using Debian Sarge for the Squid server, but you're more than welcome to use whatever distro you want. After Squid is installed, the configuration will be exactly the same. To install Squid on Debian, just do:

    apt-get install squid

The default configuration for Debian (and maybe other distributions too -- better check!) is to only allow connections from the localhost. This doesn't harm anything, so we can leave it as is. However, we still need a way for us to connect externally. For that, we will add an acl that will prompt us for a password and, if we're authenticated, let us in. We'll add it right before the "deny all" portion so it'll look something like this:

    acl localhost src
    http_access allow localhost
    http_access allow password
    http_access deny all

By default, Squid listens on port 3128. I personally like 8080 better, so we'll change it with:

    http_port 8080

Next we need to set up authentication for Squid. There are a bunch of different authentication methods that come with the Debian package and they can be viewed with:

    ls /usr/lib/squid/*auth

We'll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. Search for the auth_param section in the config and add these lines:

    auth_param basic program /usr/lib/squid/pam_auth
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

Next search for this line and uncomment it:

    acl password proxy_auth REQUIRED

Now create a PAM configuration file called /etc/pam.d/squid that contains:

    auth required /lib/security/
    account required /lib/security/

You will need to give this file SUID access so chmod it 4755. Yeah, I know this isn't the best way to do this but it's the least complicated. You're more than welcome to research the other methods on your own.

Squid should be all set and ready to go. Next make sure you have shell access to the server via SSH. It doesn't matter if you use a password, passphrase, or blank passphrase. To set the tunnel up, run this:

    ssh -L 8080:squidhost:8080 [email protected]

You'll be asked for authentication and if you're successful, it'll look like you've logged into the remote box. If you open another window and type

    telnet localhost 8080

you'll see that you're now talking to Squid on the remote server.

Finally, tell your browser to use the SSH tunnel as a proxy. I won't go over each individual browser here, but basically it'll be somewhere in the preferences. For the hostname, just type in localhost and for the port, type in 8080.

Now whenever you browse to a webpage, you'll be prompted for authentication. Type in your shell account information and you'll be all set to go. The browser might give a warning about authenticating through plaintext -- ignore it. It will be travelling through our SSH tunnel so it will be encrypted.

Congratulations! You may now surf the web without worry of anyone snooping on you. If anyone has any comments, fixes, or ways to improve this method, please let me know!



Proxy auth along with the max_ip acl would make it even more secure. I think max_ip is wrong but I can't remember the exact acl. I faced a problem with it. I hope somebody would come up with a how-to for it.


I used to use this exact method but with tinyproxy instead of squid. A stronger, more distributed method of browsing anonymously can be accomplished with Tor. There is no server required for you to configure. You just run a Tor client on your machine and it connects (securely) to the Tor network, with randomized entry and exit nodes. The method in this article ties your traffic to a single server which can be watched and which is most definitely connected to your client.


I briefly read something about Tor yesterday.. I'll have to look at it in more depth now. Thanks!

By: joe

Forgot to login.. that comment was from me :P


Sorry, but how does adding squid help? You do know you can just run a Socks proxy through ssh right? ssh -D 8128 and then set up your laptop to use localhost and port 8128 as the socks proxy - much simpler. Your only concern with my method being that dns lookups are done locally and so are viewable, but really - who cares about that most of the time?

By: joe

I was unaware of using Socks and SSH. Thanks for the input, I'll look into that as well.

By: Anonymous

Using SSH also has some problems when using it as a proxy, sometimes it locks up and you have to exit the connection using "~." and then log back in. The OpenSSH programmer guy is a pain in the ass to talk to, he thinks everyone else is of a lower evolution than he is and thinks he is the SSH god of the world so never mind ever seeing it get fixed. Even when just using it for a tunnel it has the same sort of problem. Socks 4 is the only thing supported. Basically it sucks as any type of tunnel, sorry. If you have nothing else to use then oh well.


The finished http_access section, according to this article, would be:

    http_access allow localhost
    http_access allow password
    http_access deny all

This will NOT prompt for proxy authentication for SSH-tunneled connections - they come from localhost and will be allowed before authentication is used.

That first http_access line should be re-written:

    http_access deny !localhost

The logic of Squid access controls is explained in the FAQ.

By: joe

Actually, we are both wrong.

I assumed that when creating an SSH tunnel all network traffic coming out of the tunnel would be viewed as being sourced locally. This isn't the case. All traffic is still viewed as coming from the external interface. Therefore, denying anything but local connections would mean we could not access squid at all. So adding "deny !localhost" completely shuts us off. You were correct when saying that the "allow password" was the key acl prompting us for a password and letting us in.

Thank you for pointing this out.. I will update the howto accordingly!
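The http_access ordering discussed in this exchange (and the rule block in the article itself) can be checked with a small model of how Squid walks its access lines. The following Python is an added example, not part of the article or of Squid's own code: it replays Squid's first-match evaluation of http_access, with constructed ACL definitions, a constructed user table standing in for pam_auth's shell accounts, and the documentation address 203.0.113.10 standing in for the server's external interface.

```python
import ipaddress

# Constructed model of Squid's http_access evaluation (added example): lines are
# walked top to bottom, the first whose ACL matches decides, and a proxy_auth
# ACL reached without valid credentials makes Squid answer 407 (challenge).
ACLS = {
    "localhost": ("src", "127.0.0.1/32"),
    "all": ("src", "0.0.0.0/0"),
    "password": ("proxy_auth", "REQUIRED"),
}
VALID_USERS = {"joe": "s3cret"}  # constructed; stands in for pam_auth accounts
ARTICLE_RULES = [("allow", "localhost"), ("allow", "password"), ("deny", "all")]
COMMENT_RULES = [("deny", "!localhost"), ("allow", "password"), ("deny", "all")]


def acl_matches(token, src_ip, credentials):
    """True/False for a src ACL (a leading '!' negates it); for proxy_auth,
    True with valid credentials and 'challenge' otherwise."""
    negate = token.startswith("!")
    kind, value = ACLS[token.lstrip("!")]
    if kind == "src":
        hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(value)
        return hit != negate
    if credentials is None:
        return "challenge"
    user, password = credentials
    return True if VALID_USERS.get(user) == password else "challenge"


def evaluate(rules, src_ip, credentials=None):
    """Decide a request the way Squid would: 'allow', 'deny' or '407'."""
    for action, token in rules:
        hit = acl_matches(token, src_ip, credentials)
        if hit == "challenge":
            return "407"
        if hit:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    # A tunnel that ends on 127.0.0.1 is let in with no authentication at all.
    print(evaluate(ARTICLE_RULES, "127.0.0.1"))                        # allow
    # Traffic Squid sees on its external address is challenged, then let in.
    print(evaluate(ARTICLE_RULES, "203.0.113.10"))                     # 407
    print(evaluate(ARTICLE_RULES, "203.0.113.10", ("joe", "s3cret")))  # allow
    # The proposed 'deny !localhost' shuts that external path off entirely.
    print(evaluate(COMMENT_RULES, "203.0.113.10", ("joe", "s3cret")))  # deny
```

The first case is the one to watch for: a tunnel built as `-L 8080:localhost:8080` instead of `-L 8080:squidhost:8080` would arrive from 127.0.0.1 and skip the password ACL entirely.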

By: Anonymous

Thanks for the info on this. I thought I'd be having to pay for a service to have electronic privacy at work. So, now that I'm set up I would like to ask: How secure is this whole http over ssh tunneling connection?


By: Anonymous

For instance, how is DNS resolved?

By: Anonymous

It's really a very useful site, and one more small request/doubt.

How can I get the proxy user log?

Please mail me, email id: [email protected]