
How do I set up an Elite HTTP Squid Proxy with password protection on Ubuntu?


I would like to set up an Elite HTTP Proxy. An Elite proxy should not expose any information about the source to the destination address. I have hired an Ubuntu virtual private server for this purpose. The proxy should be password protected, so that only I can use it. I would like to use Squid as my proxy.

What are the steps to achieve this?


Solution

  • Update your APT repository and install the software we will need

    sudo apt-get update
    sudo apt-get install squid3
    sudo apt-get install apache2-utils
    

    Squid3 is the proxy software. apache2-utils is required for htpasswd which we will use as a flat file password store to secure the proxy.

    Set up the password store

    sudo touch /etc/squid/passwords
    sudo htpasswd -c /etc/squid/passwords USERNAME
    # you will be prompted for the new password
    # Restrict the file to root and the Squid helper (group "proxy" on Ubuntu);
    # mode 777 would let any local user rewrite the proxy's credentials
    sudo chown root:proxy /etc/squid/passwords
    sudo chmod 640 /etc/squid/passwords
    

    In the lines above, replace USERNAME with the username you want on your proxy. When the line is executed you will be prompted to enter a password for the user.

    Test the password store

    sudo /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
    

    After executing this line the console will look like it's hung: there is a prompt without any text in it. Enter "USERNAME PASSWORD" (replacing these with your specific username and password) and hit return. You should receive the response "OK". If not, review the error message; your username/password might be incorrect. It's also possible basic_ncsa_auth is located on a different path (e.g. lib64).

    Configure the Squid Proxy

    Move the default squid configuration file

    sudo mv /etc/squid/squid.conf /etc/squid/squid.conf.original
    

    Now create a new squid configuration file

    sudo vi /etc/squid/squid.conf
    

    Which should look like this

    http_port 3128
    dns_v4_first on
    cache deny all
    forwarded_for delete
    # change this IP to the address of your server
    tcp_outgoing_address 9.9.9.9
    via off
    auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
    auth_param basic realm proxy
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated
    http_access deny all
    

    Here is a description of what each line does:

    • http_port: specifies the proxy listen port. This is required
    • dns_v4_first on: effectively turns off IPv6 DNS. Without this your proxy may run very slowly.
    • cache deny all: stops the proxy caching pages
    • forwarded_for delete: removes the forwarded_for HTTP header, which would expose your source to the destination
    • tcp_outgoing_address: Set this to the address of your server. You can find the address with the command "ip a"
    • via off: removes more headers which would expose your source
    • auth_param: defines the location of your basic_ncsa_auth and the password file you created. Note you may need to check the location of basic_ncsa_auth.
    • acl authenticated: creates an access control list for users authenticated by the password store
    • http_access allow authenticated: allows users to access the proxy if they have been authenticated by password
    • http_access deny all: if you have not been authenticated by password, you're not coming in

    Restart the squid proxy

    sudo service squid restart
    

    Note the service could also be called squid3. It may take a while for the proxy to restart. If you prefer, you can reload squid configurations with the command

    sudo squid -k reconfigure
    

    Check it's working

    service squid status
    

    The service should be running.

    netstat -ltnp
    

    You should see a service listening on port 3128, or whichever port you used in the configuration.

    On your desktop, open Firefox, go to Options -> Network Proxy -> Settings. Choose to use a manual proxy configuration. In the HTTP proxy field enter the IP address of your server, and include the port in the port field. Click OK.


    Go to Google, enter your username and password when prompted, and search "what is my ip address". You should see the IP of your proxy server.
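
A check to run before restarting Squid, added here as an example and not part of the original answer: it audits a squid.conf for the settings the answer depends on (header stripping, a password ACL that is reached before any other allow rule, a final deny all, and a password file that is not world-writable). The function names and the sample configuration are constructed for illustration, and it assumes one ACL per http_access rule, as in the configuration above.

```shell
# Added example, not from the original answer. Assumes one ACL per http_access
# rule, as in the answer's config. Prints findings; returns how many it found.
audit_squid_conf() {
    findings=0
    # Drop comments and blank lines, normalise whitespace.
    rules=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$')
    has()  { printf '%s\n' "$rules" | grep -qx "$1"; }
    fail() { echo "FINDING: $1"; findings=$((findings + 1)); }

    has 'forwarded_for delete' || fail 'forwarded_for is not "delete"'
    has 'via off' || fail 'via is not "off"'

    # Name of the ACL that demands a password, e.g. "authenticated".
    auth=$(printf '%s\n' "$rules" |
           sed -n 's/^acl \([^ ]*\) proxy_auth REQUIRED$/\1/p' | head -n 1)
    [ -n "$auth" ] || fail 'no "proxy_auth REQUIRED" acl is defined'

    # http_access rules are checked top to bottom and the first match decides,
    # so no allow rule may come before the one that requires the password.
    access=$(printf '%s\n' "$rules" | grep '^http_access ')
    if printf '%s\n' "$access" | awk -v a="$auth" \
        '$3 == a { exit } $2 == "allow" { bad = 1; exit } END { exit !bad }'
    then
        fail 'an allow rule is reached before any password check'
    fi
    [ "$(printf '%s\n' "$access" | tail -n 1)" = 'http_access deny all' ] ||
        fail 'the last http_access rule is not "deny all"'

    # The htpasswd file on the auth_param line must not be world-writable.
    pw=$(printf '%s\n' "$rules" | sed -n 's/^auth_param basic program [^ ]* //p')
    if [ -n "$pw" ] && [ -n "$(find "$pw" -prune -perm -002 2>/dev/null)" ]; then
        fail "$pw is world-writable"
    fi
    return "$findings"
}

# Constructed sample: the answer's rules with forwarded_for dropped and a
# leftover allow-all placed first.
sample_weak_conf() {
    printf '%s\n' 'http_port 3128' 'via off' \
        'acl authenticated proxy_auth REQUIRED' \
        'http_access allow all   # leftover from debugging' \
        'http_access allow authenticated' 'http_access deny all'
}

tmp=$(mktemp); sample_weak_conf > "$tmp"
audit_squid_conf "$tmp" || echo "$? finding(s) in the constructed sample"
rm -f "$tmp"
```

Call it as `audit_squid_conf /etc/squid/squid.conf`; a non-zero return value is the number of findings.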