This howto describe step by step method to install SQUID 3 server as Anonymous Proxy. An anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on the user’s behalf, protecting personal information by hiding the source computer’s identifying information. Simply say to hide your IP.The following How To setups CentOS 5 as OS but it can be implemented on CentOS 4, Fedora Core 5-9 with same steps and SQUID version 3. Bydefault SQUID only uses default IP to communicate on internet but we will make use of all IPs available on server to act as anonymous proxy i.e if user connects to IP1 of server then IP1 will be act as proxy and forward same IP, if user connects to IP2 then IP2 will be act proxy and foward same IP and so on and also we will implement ncsa user based authentication to protect server from unauthorized used.
Server = CentOS 5.2, SQUID = version 3, IPs = 192.168.0.1 – 192.168.0.5
1 Installation Of Squid 3:
CentOS 5 comes with SQUID 2.6 but we need squid 3, so we will download source rpm of squid 3 and compile for our OS.
1.1 Install Pre-requisite
Install pre-requisite softwares i.e Development Tools to get all the compilers, libraries and other rpms for compilation of SQUID 3.
yum -y groupinstall “Development Tools”
yum -y install rpm-build openjade linuxdoc-tools openldap-devel pam-devel openssl-devel httpd rpm-devel
1.2 Download Squid 3 Source RPM
Download source rpm of Squid 3 from FEDORA website and install it.
cd /usr/src
wget http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
rpm -ivh squid-3.0.STABLE10-1.fc10.src.rpm
1.3 Compile Squid 3
Use following commands to start compilation, at end it will generate rpm file to install
cd /usr/src/redhat/SPECS
rpmbuild -bb squid.spec
1.4 Install Squid 3
Install newly build rpm, which will be found in /usr/src/redhat/RPMS/i386 for i686 and /usr/src/redhat/RPMS/x86_64 for x86_64.
rpm -Uvh /usr/src/redhat/RPMS/i386/squid-3.0.STABLE10-1.i386.rpm
2 Configuration
I will use default squid.conf to edit.
vi /etc/squid/squid.conf
2.1 Configure auth_param
We will enable ncsa authentication to access our squid server. Find following lines
#auth_param basic program <uncomment and complete this line>
#auth_param basic childred 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
Change to
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic childred 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
2.2 Create proxy_auth acl
Here we will create proxy_auth acl to prompt user/pass to everyone want to use anonymous proxy. Find following line
#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
We will insert our proxy_auth rule under above line.
#INSERT YOUR OWN RULES(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
2.3 Disable Forwarded Client IP
Bydefault squid forward client IP to respective website, but to setup anonymous proxy we will disable it to hide client IPs and send only IPs which are configured on squid server. Find following line squid.conf
forwarded_for on
Change to
forwarded_for off
2.4 Configure IPs
Now we will generate rules for outgoing IP i.e if any one connects to any IP of my server, so it will go with same IP to destination server. In this way we can connect several clients on different IPs and all IPs act as anonymous proxy. Find following line
# TAG: tcp_outgoing_address
add following lines under it.
acl ip1 myip 192.168.0.1
tcp_outgoing_address 192.168.0.1 ip1
acl ip2 myip 192.168.0.2
tcp_outgoing_address 192.168.0.2 ip2
acl ip3 myip 192.168.0.3
tcp_outgoing_address 192.168.0.4 ip3
acl ip4 myip 192.168.0.4
tcp_outgoing_address 192.168.0.4 ip4
acl ip5 myip 192.168.0.5
tcp_outgoing_address 192.168.0.5 ip5
You can add as many IPs you like, just use the same pattern above.
2.5 Enable Anonymizer (Anonymous Proxy)
Put following lines at the bottom of your squid.conf
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
Configuration is finished, save the file.
3 User Management
Now its time to create squid_passwd file, in which we will put our users for authentication using ncsa. For this we need htpasswd command to generate user/pass.
create file to hold username and password
touch /etc/squid/squid_passwd
3.1 Create New User
htpasswd /etc/squid/squid_passwd proxyadmin
Where /etc/squid/squid_passwd is a file, in which all users goes and proxyadmin is a username which will be added with the password given
4 Service Management
Run the squid service and add it up at startup.
service squid start
chkconfig squid on
5 Troubleshooting
5.1 visible_hostname error
If you see visible_hostname error after starting service, then again edit /etc/squid/squid.conf file and give visible_hostname tag with your server hostname.
visible_hostname server1
Your server is ready now and you can use Firefox or IExplorer on your client to check its working. I have used default port 3128 for squid, so put any of the above IP and port to connect. As it connects it will prompt you for user/pass, give the right user/pass and you will start browsing the site. To check the anonymity open http://www.whatsmyipaddress.com. If you have done anything wrong in request_header_access, you proxy can be dedect but if everything is fine. It will just show IP and assume its a direct connection without proxy.
Dear brother, I want to setup squid proxy, I follow your instructions only for building rpm and installation. Now it is giving an error.
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://www.google.com.pk/
Unable to determine IP address from host name “www.google.com.pk”
The DNS server returned:
Server Failure: The name server was unable to process this query.
This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.
Your cache administrator is root.
Generated Wed, 03 Feb 2010 03:15:18 GMT by 192.168.6.160 (squid/3.0.STABLE20)
What could be the error??? Plz help I am fedup.
Sir I want to configure the VPN thrugh linux machine
Dear Salman
Check the /etc/resolv.conf entry
it should be like this
nameserver your router IP
e.g.
nameserver 192.168.12.1
How to configure the POP TOP On RHEL 5 by using the the two lancard Scenario.
as well as i want to configure the Proxy Squid on the Same Machine.
One is local and other will use the Live IP.
Can someone give me the step by step instruction.
Waiting for the Urgent response.
Follow below link:
Red Hat pptpd HOWTO:
http://poptop.sourceforge.net/dox/redhat-howto.phtml
and for the centos:
http://www.associatedcontent.com/article/1514355/poptop_vpn_server_installation_on_centos.html
me too going to establish the vpn server at my end
AND FOR SQUID
FOLLOW ABOVE MENTIONED STEPS:
GOOD LUCK
RASHID
hi
thanks for these awesome posts. I really liked it..n i hope in future i will get some more help from you whenever needed. By the way i have a question: I am going to make centos dns in my office. Is it possible to make my other 50 computers a client of that dns? If so then how? Do i have to create user in Centos?
HI nihan
I am also the student of Open source and sir. sohail is my teacher.
I already done your requested question that configure the bind9 with the TSIG security key.
you can use either rndc.key or generate the key through TSIG.
looking forward from your side.
If you ask I can forward you the *.tar.gz2 of these two file.
If I enable those request_header_access options in my squid.conf ..does that mean when I go to whatismyipaddress.com URL ..it won’t show me my WAN IP?
salam how r u all i need some help in squid 3.0 in fedora 11
so can any one help me for this …
I would like to know ,how can I valid ncsa_auth user in my public squid proxy
sir,
please help me about iptables mangle
I’m very amazed by your post!
I did everything you said and it worked! THANKS 😀 !!!
I used for a while proxies from a proxylists like http://AnonTux.com which has very good proxies, but now I can use my own proxy 😀 Very cool!!!
Thanks again mate! Hope you write another good post like that! 🙂
how we can block ultrasurf software. which bypass my squid proxy.
Does this tutorial work with bulk of ip? In windows i can set squid foxy proxy with alot of IP which i can using firefox to rotate the IP. Does this tutorial work with that? I finding the whole internet still can’t find. I am doing this for craigslist posting but i am not spamming 😀
i am ussing linux squid proxy. i maked a bogus domain with the same name (ultrasurf or ultrareach) and also block the DNS queries directly to the internet. but still proxy iz bypassing. it ussing localhost ip 127.0.0.1 and port 9666.
one solution is that i block the https port (443). this is pretty good and ultrasurf could be blocked.
but https could not be blocked completely bcoz alot of sites ussing this port, like gmail, yahoo mail etc.
so what should i need to do.
amjad,
Can you upload your squid.conf file for reference.
I am also interested to block the https traffic because some of the website are blocked by our company acl or country acl when we try to open through https:// ……
its opening……
will be highly obliged.
Rashid
Dear Rashid:
i block the https with firwall not with squid.conf acl. but if u wanna to upload it. Insha-Allah i will.
Dear Amjad
my pleasure to see that file/procedure.
acl ip3 myip 192.168.0.3
tcp_outgoing_address 192.168.0.4 ip3
is it ok ? . .0.3 /. .0.4