Configuring an anonymous proxy server on aws with Ubuntu 12.04 and Squid3
written on Tuesday, February 14, 2012
Updated for Ubuntu 12.10 on the 04/11/2012
My little sister is travelling around Vietnam at the moment and was annoyed to find Facebook blocked and mentioned it to me over Skype. I knew it was pretty easy to circumvent these geographic restrictions using a proxy so I told her I would sort something out in a couple of hours. Well it took a bit longer than that but the actual instructions are pretty simple.
- Install squid3 and apache2-utils
- Change /etc/squid/squid.conf
- Create users and passwords
- Open firewall if necessary
So first off you'll need to install squid3 and apache2-utils.
apt-get install squid3, apache2-utils
once you have installed squid3 the next part is modifying the config file. Mine looks like this:
# Squid proxy server settings http_port 3128 visible_hostname squidworth auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl wwwusers src all acl ncsa_auth proxy_auth REQUIRED acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access allow ncsa_auth http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access allow localhost http_access deny all follow_x_forwarded_for deny all forwarded_for off
One of the most important bits is making sure that you have 'forwarded_for off'. That means that the proxy will be anonymizing connections and not letting the other server know who made the request.
If the configuration is not working for you try increasing the verbosity of the logging by putting
At the end of your squid.conf.
The final step is creating a user and password. Or users and passwords. We are using super simple basic authentication in this example but there are lots of other backends that you could use instead of ncsa_auth.
To create a user/pass combination run this command:
htpasswd /etc/squid3/passwd squid_user
This will prompt you to set a password. Make as many users as you need. htpasswd is provided by the apache2-utils package in case you were wondering why we installed it up front.
If you are running this on AWS like I am you will then need to allow incoming traffic on port 3128 to your server. So add it as an inbound TCP rule to the security group.
Then restart squid and try and set up your browser to point to your new proxy server using the port you specified. Default is 3128. When you visit a website now your reported IP address should be that of your AWS server. Also handy for watching The Daily Show in the UK.