With the US government literally spying on every person in the US and millions more people across the world, and with corporations tracking people for advertising and other purposes, anonymity on the Internet is more important than ever. There are many ways to get some level of anonymity -- VPNs, Tor, and other approaches are popular.
This how-to is going to set up Debian's Squid3 proxy server package as a highly anonymous proxy server. This page is written using Debian 7.x/Wheezy. It assumes a default install of the "squid3" package on a typical Debian system.
Squid has a great deal of functionality. By default, proxy servers like Squid will tell web sites your real IP address in addition to the fact that you are using a proxy server. This is "normal" behavior and is handy for diagnostic purposes. We're going to configure Squid3 to completely hide your real IP address and the fact that you are running a proxy server.
This how-to assumes the following machines:
• An Internet-connected server with one NIC. This could be a virtual private server (VPS) or any other sort of server running on the Internet. This server is assumed to be running Debian and will be the Squid3 server. Thus, all web sites will "see" the IP address of this machine.
• A client computer. This is your home, work or school computer. This could be an entire network of computers, but the client will run a web browser (Iceweasel in this example) and will connect to the above server. The IP address of this client computer should never be seen by any web sites.
The first thing that has to be done is to install Squid3:
Code: sudo apt-get update && sudo apt-get install squid3
Just to be on the safe side we'll make sure Squid3 is stopped before we start editing its config file:
Code: sudo /etc/init.d/squid3 stop
Squid3's config file lives in /etc/squid3. But before we start editing that we'll need to talk about authentication and security.
We do not want to leave a proxy server "open" on the Internet. Who knows who would be using the proxy for who knows what. You are strongly urged to put some sort of authentication on your proxy server.
We're going to use the most simple form of Squid authentication -- the "basic" variety. This authentication is not super-duper secure. And this form of authentication is cumbersome to manage with a large number of users. But the basic authentication of Squid does have the advantage of being simple (it's been used in the Apache web server for years). We'll assume that if someone has the knowledge to break this authentication that they'll also have access to other machines and more interesting things to do with their time. For a few users, and a non-critical item like using a proxy server, Squid's basic authentication is "good enough".
Setting Up Squid's Basic Authentication
So the first thing we're going to do is to create a username and password for our proxy server. We'll do this with the program htpasswd. This program is part of the apache2-utils package in Debian, so you may have to install the apache2-utils package:
Code: sudo apt-get install apache2-utils
It might be a good idea to now (or definitely later) read over the htpasswd manual page by doing a "man htpasswd".
We're going to create a single user in a new password file. We'll do this with this command:
Code: cd /etc/squid3
Code: sudo htpasswd -bc squid_passwords testuser testpassword
Obviously you'll want to replace "testuser" and "testpassword" with real data. But if you're that numb, you probably shouldn't be reading this how-to. Note that the "-b" option takes the password from the command line, so it ends up in your shell history; leave "-b" off and htpasswd will prompt for the password instead.
Once you have run that, print out the contents of that file and you'll see the username followed by a hashed (not plain-text) password:
Code: cat squid_passwords
Be warned! That above command includes the "-c" option of htpasswd. That option creates a new password file, but it will erase an existing password file. See? I told you that you should have read the manual page. If you run htpasswd on an existing password file, make sure you leave off the "-c" command-line parameter. Again, read "man htpasswd".
So now that we have a password file with a username and password in it, we can tell Squid to use that password file with the basic form of authentication.
Now we're going to edit Squid3's main config file /etc/squid3/squid.conf and I'll explain how we're going to do this.
But before we even edit Squid's configuration file we're going to make a backup copy of it. That way if we screw up the working copy, we'll always have a backup, "golden" or good copy lying around. So let's do this:
Code: cd /etc/squid3
Code: sudo cp squid.conf squid.conf-original
Here we called the backup copy "squid.conf-original" to let us know that this is the original Debian squid.conf file. We could have just as easily called it "squid.conf-golden" or "squid.conf.backup" or anything else that clearly tells us what the file is.
Some config files have different "sections" and parameters from one section should not go in a different or a "wrong" section or things might break. So when editing Squid's config file I'm going to tell you the line number of where to edit. This may not be 100% correct and some may prefer to put things in a different location, but this will help you to find the correct area in large configuration files and it helps to avoid confusion.
I'm going to use the editor vim for these examples. Vim will show the line numbers at the bottom of the screen (you may have to install vim with apt-get if you don't have it installed already). Run the command:
Code: sudo vim /etc/squid3/squid.conf
Go to line number 343.
Insert the following text:
auth_param basic realm Private port. Please go away and have a nice day.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwords
auth_param basic credentialsttl 4 hours
auth_param basic children 5
I added these lines right after the:
lines in the config file.
Pro-Tip: Change the "YourUserNameHere" to your standard username. This way when editing config files you can do a search with your editor for YourUserNameHere and find each instance of the file that you edited. Additionally, if you include the web address of the page(s) where you got the ideas for your changes, six months from now when you've forgotten about the reasoning for your edits you'll have a handy reference.
The above lines are either obvious or are explained in the Squid config file's own comments and/or the Squid documentation. The one oddity is the realm string: it simply notes that this is a private port and politely asks visitors to leave.
Next go to line 840. Just below the lines that say:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
we need to add the following lines:
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
Optional: Multiple IP Addresses
If your server has more than one legitimate IP address, you can have Squid say clients are "from" each of those IP addresses. If a client connects to IP address #1, Squid will say it is from IP address #1; if a client connects to IP address #2, Squid will say it is from IP address #2; etc. To do this, go to line number 1428.
Right after the lines:
add in a sequence like this:
acl ip1 myip 188.8.131.52
tcp_outgoing_address 184.108.40.206 ip1
acl ip2 myip 220.127.116.11
tcp_outgoing_address 18.104.22.168 ip2
acl ip3 myip 22.214.171.124
tcp_outgoing_address 126.96.36.199 ip3
acl ip4 myip 188.8.131.52
tcp_outgoing_address 184.108.40.206 ip4
acl ip5 myip 220.127.116.11
tcp_outgoing_address 18.104.22.168 ip5
Next go to about line number 3470. The exact line number will depend on whether you added multiple IP addresses listed above. We want to make changes at the end of the:
where it lists out the familiar:
Reading the request_header_access section's comments is worth your time. This change will break the HTTP standard. Oh well, that's what we want to do. That standard may have been written back during a time before our government started using torture as a national policy, waging who-knows-how-many wars, and started spying on every single American and millions of other innocent people around the world.
So at this area near line 3460 or 3470, we'll want to add the following lines:
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
# request_header_access User-Agent allow all <-- Uncomment this line if you want to reveal your real User-Agent
request_header_access All deny all
Optional: User-Agent Change
If you'd like, you can instruct Squid to change your web browser's identity to some fake browser. We could pretend to be a text-mode web browser, or if we wanted people to feel sorry for us we could tell them we're running Internet Explorer. This is done by changing the User-Agent string that will be sent. I'm going to set mine to a generic Mozilla setting.
Next go to about line number 3587 (same caveat as above; the line number may not be exact), at the end of the:
# TAG: request_header_replace
section. After the typical "Default...none", let's include the lines:
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64)
One Last Step
Our final configuration step is to go to about line number 5593. Of course, by this time your line numbers may be different due to the configuration we've previously done. We're looking for the section entitled:
# TAG: forwarded_for on | off | transparent | truncate | delete
and at the bottom of that section you'll see:
# forwarded_for on
That's a good default setting for Squid. But it's not what we want for a highly anonymous proxy server configuration. So after those lines, we'll add in a couple of lines and turn this feature off:
And at this point, save your config file -- we're finished!
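The edits above only work if they land in the right place: the "http_access allow ncsaauth" rule must come before the stock "http_access deny all" (Squid stops at the first matching http_access line), the header list must end with "All deny all", and forwarded_for must not be left on. The following script is an added example written for this page, not part of the how-to or of Squid; it parses a squid.conf and reports those conditions. It also checks two things the how-to does not mention, stated here as facts about Squid 3.x: "forwarded_for off" still sends "X-Forwarded-For: unknown" (the "delete" value omits the header entirely), and Squid's own Via header is controlled by the separate "via on|off" directive rather than by request_header_access. The two sample configs at the bottom are constructed for illustration.

```python
"""Lint a squid.conf for the anonymity settings this how-to applies.

Added example, not part of the original how-to or of Squid itself. It parses
the non-comment lines of a squid.conf and checks that the authentication,
header-stripping and forwarded_for changes are present and ordered so that
they actually take effect.  Usage: python3 squid_anon_check.py /etc/squid3/squid.conf
"""
import sys


def parse_config(text):
    """Return squid.conf directives as token lists, comments and blank lines removed."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a squid.conf comment runs from '#' to end of line
        if line:
            directives.append(line.split())
    return directives


def check_anonymity(text):
    """Return (errors, notes) for the config text; an empty errors list means all checks passed."""
    errors, notes = [], []
    d = parse_config(text)

    # 1. Authentication: an ACL of type proxy_auth must exist and be allowed by an
    #    http_access rule placed BEFORE 'http_access deny all', because Squid stops
    #    at the first http_access line that matches.
    auth_acls = {t[1] for t in d if t[0] == "acl" and len(t) > 3 and t[2] == "proxy_auth"}
    if not auth_acls:
        errors.append("no 'acl <name> proxy_auth REQUIRED' line: proxy is open to anyone who can reach it")
    allow_pos = [i for i, t in enumerate(d)
                 if t[:2] == ["http_access", "allow"] and len(t) > 2 and t[2] in auth_acls]
    deny_pos = [i for i, t in enumerate(d) if t[:3] == ["http_access", "deny", "all"]]
    if auth_acls and not allow_pos:
        errors.append("proxy_auth ACL is defined but no 'http_access allow' rule uses it")
    if allow_pos and deny_pos and allow_pos[0] > deny_pos[0]:
        errors.append("'http_access allow <auth acl>' comes after 'http_access deny all', so it never matches")

    # 2. Header stripping: the last request_header_access rule must be 'All deny all',
    #    otherwise any header not explicitly listed is forwarded unchanged.
    rha = [t for t in d if t[0] == "request_header_access"]
    if not rha or rha[-1][1:4] != ["All", "deny", "all"]:
        errors.append("last request_header_access rule is not 'All deny all': unlisted headers pass through")
    if any(t[1:4] == ["User-Agent", "allow", "all"] for t in rha):
        notes.append("User-Agent is forwarded as-is (the how-to keeps that line commented out)")

    # 3. forwarded_for: 'off' hides the client IP but Squid still sends
    #    'X-Forwarded-For: unknown'; 'delete' sends no header at all.
    ff = [t for t in d if t[0] == "forwarded_for"]
    value = ff[-1][1] if ff and len(ff[-1]) > 1 else "on"  # Squid's default is on
    if value not in ("off", "delete"):
        errors.append("forwarded_for is '%s': the client IP would be sent in X-Forwarded-For" % value)
    elif value == "off":
        notes.append("forwarded_for off still sends 'X-Forwarded-For: unknown'; 'delete' omits the header")

    # 4. Squid's own Via header is governed by the separate 'via' directive,
    #    not by request_header_access (not covered by the how-to).
    via = [t for t in d if t[0] == "via"]
    if not via or via[-1][1:2] != ["off"]:
        errors.append("'via off' is not set: Squid adds a Via header that announces the proxy")
    return errors, notes


# Constructed sample: the how-to's edits in the right order, plus 'via off'.
GOOD_CONF = """\
auth_param basic realm Private port. Please go away and have a nice day.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwords
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
http_access deny all
request_header_access Host allow all
request_header_access Accept allow all
# request_header_access User-Agent allow all
request_header_access All deny all
forwarded_for off
via off
"""

# Constructed sample with the classic mistakes: allow rule after deny all,
# 'All deny all' not last, forwarded_for left on, no 'via off'.
BAD_CONF = """\
acl ncsaauth proxy_auth REQUIRED
http_access deny all
http_access allow ncsaauth
request_header_access All deny all
request_header_access Cookie allow all
forwarded_for on
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    errs, nts = check_anonymity(text)
    for line in ["ERROR: " + e for e in errs] + ["note: " + n for n in nts]:
        print(line)
    sys.exit(1 if errs else 0)
```

Run it against your edited /etc/squid3/squid.conf before restarting Squid; a non-zero exit means one of the settings will not do what this how-to intends.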
Client Setup and Testing
Once you save your customized configuration file, we'll want to restart Squid:
Code: sudo /etc/init.d/squid3 restart
Squid should be off (as per above) but I used "restart" just in case.
Keep an eye out for errors. Squid should have started cleanly but if it did not, you need to go back to the drawing board and figure out what went wrong.
Once you have Squid running we can configure a browser to use the proxy server. In Debian's Iceweasel web browser, go to the menu bar, click on the Edit menu, and then Preferences. When the Iceweasel Preferences window pops up, click on the Advanced gear icon to the far right. Then click on the Network tab, and then the Settings button.
In our setup, we'll use the "Manual proxy configuration" so select that radio button. Then enter in your server's IP address in the HTTP Proxy field and whatever port that Squid is running on (Debian's default for Squid is port 3128). Optionally, you can use Squid to proxy SSL and/or FTP.
Click OK and Close in the various windows to save the settings and you're ready to go!
The first time you go to any web site, you should be presented with an "Authentication Required" window asking for a User Name and Password. The text will say something like:
The proxy moz-proxy://22.214.171.124:3128 is requesting a username and password. The site says: "Private port. Please go away and have a nice day."
Obviously the "Private port. Please go away and have a nice day." is from our configuration above when we set up the authentication. At this point you need to enter the username and password we created above with htpasswd. Squid will then tell all sites that it is from the server's IP address.
To test this out there are many sites that will do a check to see if you're accessing the net via a proxy server -- for example, this one. And similarly, you can check what your web browser is reporting for its User-Agent string at sites like this.
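What those check sites actually look at is the set of headers that reaches the destination server: Via, X-Forwarded-For, Forwarded and similar headers show that a proxy is in the path, and a real client address inside one of them makes the proxy "transparent". The following script is an added example written for this page, not part of the how-to; it runs a tiny echo server you can point your proxied browser (or curl) at, and it classifies the received headers into the three levels such sites usually report: transparent, anonymous (proxy visible, real IP hidden) and elite (no evidence of a proxy), which is what this how-to is aiming for. The header values in the comments and test are constructed.

```python
"""Echo server plus classifier showing what a proxy reveals to the far end.

Added example, not part of the original how-to. Run it on a machine you
control (python3 proxy_echo.py), then fetch http://<that host>:8080/ through
the proxy; the JSON response lists the headers that arrived, the address the
connection came from and the anonymity level those headers imply.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers a proxy typically adds and that proxy-check sites look for (lower-case).
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "proxy-connection",
                 "x-proxy-id", "client-ip")


def classify(headers, client_ip=None):
    """Return 'transparent', 'anonymous' or 'elite' for a dict of received headers.

    client_ip is the real client's address, if known; when it shows up inside
    any proxy header the proxy is transparent. Header names match case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    present = [name for name in PROXY_HEADERS if name in lowered]
    if client_ip and any(client_ip in lowered[name] for name in present):
        return "transparent"      # real address leaked, e.g. X-Forwarded-For: 10.0.0.5
    if present:
        return "anonymous"        # proxy visible, e.g. Via: 1.1 proxy or X-Forwarded-For: unknown
    return "elite"                # nothing in the headers says a proxy is involved


class EchoHandler(BaseHTTPRequestHandler):
    """Answer every GET with a JSON dump of what the server received."""

    def do_GET(self):
        seen = dict(self.headers.items())
        report = {
            "remote_addr": self.client_address[0],   # should be the Squid server, never the client
            "headers": seen,                          # includes User-Agent, so the replacement is visible too
            "level": classify(seen),
        }
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; the JSON response is the output


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

A correctly configured proxy from this how-to should produce "elite" with remote_addr equal to the Squid server's address; seeing "X-Forwarded-For: unknown" or a Via line in the output tells you exactly which setting still needs attention.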