How-to Create a Highly Anonymous Proxy Server from a Default Debian Squid3 Setup

IntnsRed's picture


With the US government literally spying on every person in the US and millions of more people across the world, and with corporations tracking people for advertising and other purposes, anonymity on the Internet is more important than ever. There are many ways to get some level of anonymity -- VPNs, Tor, and other approaches are popular.

This how-to is going to set up Debian's Squid3 proxy server package as a high anonymous proxy server. This page is written using Debian 7.x/Wheezy. It assumes a default install of the "squid3" package on a typical Debian system.


Squid has a great deal of functionality. By default, proxy servers like Squid will tell web sites your real IP address in addition to the fact that you are using a proxy server. This is "normal" behavior and is handy for diagnostic purposes. We're going to configure Squid3 to completely hide your real IP address and the fact that you are running a proxy server.

This how-to assumes the following machines:

• An Internet-connected server with one NIC. This could be a virtual private server (VPS) or any other sort of server running on the Internet. This server is assumed to be running Debian and will be the Squid3 server. Thus, all web sites will "see" the IP address of this machine.

• A client computer. This is your home, work or school computer. This could be an entire network of computers, but the client will run a web browser (Iceweasel in this example) and will connect to the above server. The IP address of this client computer should never be seen by any web sites.

Server Setup

The first thing that has to be done is to install Squid3:

# apt-get update ; apt-get install squid3

Just to be on the safe side we'll make sure Squid3 is stopped before we start editing its config file:

# /etc/init.d/squid3 stop

Squid3's config file lives in /etc/squid3. But before we start editing that we'll need to talk about authentication and security.

We do not want to leave a proxy server "open" on the Internet. Who knows who would be using the proxy for who knows what. You are strongly urged to put some sort of authentication on your proxy server.

We're going to use the most simple form of Squid authentication -- the "basic" variety. This authentication is not super-duper secure. And this form of authentication is cumbersome to manage with a large number of users. But the basic authentication of Squid does have the advantage of being simple (it's been used in the Apache web server for years). We'll assume that if someone has the knowledge to break this authentication that they'll also have access to other machines and more interesting things to do with their time. For a few users, and a non-critical item like using a proxy server, Squid's basic authentication is "good enough".

Setting Up Squid's Basic Authentication

So the first thing we're going to do is to create a username and password for our proxy server. We'll do this with the program htpasswd. This program is part of the apache2-utils package in Debian, so you may have to install the apache2-utils package:

# apt-get install apache2-utils

It might be a good idea to now (or definitely later) read over the htpasswd manual page by doing a "man htpasswd".

We're going to create a single user in a new password file. We'll do this with this command:

# cd /etc/squid3
# htpasswd -bc squid_passwords testuser testpassword

Obviously you'll want to replace "testuser" and "testpassword" with real data. But if you're that numb, you probably shouldn't be reading this how-to. Smile

Once you have run that, if you type out the contents of that file you'll see something like this:

# cat squid_passwords

Be warned! That above command includes the "-c" option of htpasswd. That option creates a new password file but it will erase an existing password file. See? I told you that you should have read the manual page. Smile If you run htpasswd on an existing password file, make sure you leave off the "c" commandline parameter. Again, read "man htpasswd".

So now that we have a password file with a username and password in it, we can tell Squid to use that password file with the basic form of authentication.

Now we're going to edit Squid3's main config file /etc/squid3/squid.conf and I'll explain how we're going to do this.

But before we even edit Squid's configuration file we're going to make a backup copy of it. That way if we screw up the working copy, we'll always have a backup, "golden" or good copy lying around. So let's do this:

# cd /etc/squid3
# cp squid.conf squid.conf-original

Here we called the backup copy "squid.conf-original" to let us know that this is the original Debian squid.conf file. We could have just as easily called it "squid.conf-golden" or "squid.conf.backup" or anything else that clearly tells us what the file is.

Some config files have different "sections" and parameters from one section should not go in a different or a "wrong" section or things might break. So when editing Squid's config file I'm going to tell you the line number of where to edit. This may not be 100% correct and some may prefer to put things in a different location, but this will help you to find the correct area in large configuration files and it helps to avoid confusion.

I'm going to use the editor vim for these examples. Vim will show the line numbers at the bottom of the screen (you may have to install vim with apt-get if you don't have it installed already). Run the command:

# vim /etc/squid3/squid.conf

Go to line number 343.

Insert the following text:

# YourUserNameHere: added this from; reference at
auth_param basic realm Private port. Please go away and have a nice day.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwords
auth_param basic credentialsttl 4 hours
auth_param basic children 5

I added these lines right after the:

# none

lines in the config file.

Pro-Tip: Change the "YourUserNameHere" to your standard username. This way when editing config files you can do a search with your editor for YourUserNameHere and find each instance of the file that you edited. Additionally, if you include the web address of the page(s) where you got the ideas for your changes, six months from now when you've forgotten about the reasoning for your edits you'll have a handy reference.

The above lines are either obvious or are explained in the Squid config file comments itself and/or the Squid documentation. The one oddity is the realm, so I note that it is simply note that this a private port and ask politely that they leave.


Next go to line 840. Just below the lines that say:


we need to add the following lines:

# YourUserNameHere: added this from; reference at
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth

Optional: Multiple IP Addresses

If your server has more than one legitimate IP address, you can have Squid say clients are "from" each of those IP addresses. If a client connects to IP address #1, Squid will say it is from IP address #1; if a client connects to IP address #2, Squid will say it is from IP address #2; etc. To do this, go to line number 1428.

Right after the lines:

# none

add in a sequence like this:

# YourUserNameHere: added this from; reference at
acl ip1 myip
tcp_outgoing_address ip1
acl ip2 myip
tcp_outgoing_address ip2
acl ip3 myip
tcp_outgoing_address ip3
acl ip4 myip
tcp_outgoing_address ip4
acl ip5 myip
tcp_outgoing_address ip5

Changing Headers

Next go to about line number 3470. The exact line number will depend on whether you added multiple IP addresses listed above. We want to make changes at the end of the:

#  TAG: request_header_access

where it lists out the familiar:

# none

Reading the request_header_access section's comments is worth your time. This change will break the HTTP standard. Oh well, that's what we want to do. That standard may have been written back during a time before our government started using torture as a national policy, waging who-knows-how-many wars, and started spying on every single American and millions of other innocent people around the world.

So at this area near line 3460 or 3470, we'll want to add the following lines:

# YourUserNameHere: added this from; reference at
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
# request_header_access User-Agent allow all  <-- Uncomment this line if you want to reveal your real User-Agent
request_header_access All deny all

Optional: User-Agent Change

If you'd like, you can instruct Squid to change your web browser's identity to some fake browser. We could pretend to be a text-mode web browser or if we wanted to people to feel sorry for us we could tell them we're running Internet Explorer. Smile This is done by changing the User-Agent string that will be sent. I'm going to set mine to a generic Mozilla setting.

We should go to about (same caveat above; the line number may not be exact) line number 3587, at the end of the:

#  TAG: request_header_replace

section. After the typical "Default...none", let's include the lines:

# YourUserNameHere: added this from; reference at
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64)

One Last Step

Our final configuration step is to go to about line number 5593. Of course, by this time your line numbers may be different due to the configuration we've previously done. We're looking for the section entitled:

#  TAG: forwarded_for   on|off|transparent|truncate|delete

and at the bottom of that section you'll see:

# forwarded_for on

That's a good default setting for Squid. But it's not what we want for a highly anonymous proxy server configuration. So after those lines, we'll add in a couple of lines and turn this feature off:

# YourUserNameHere: added this from; reference at
forwarded_for off

And at this point, save your config file -- we're finished!

Client Setup and Testing

Once you save your customized configuration file, we'll want to restart Squid:

/etc/init.d/squid3 restart

Squid should be off (as per above) but I used "restart" just in case.

Keep an eye out for errors. Squid should have started cleanly but if it did not, you need to go back to the drawing board and figure out what went wrong.

Once you have Squid running we can configure a browser to use the proxy server. In Debian's Iceweasel web browser, go to the menu bar, click on the Edit menu, and then Preferences. When the Iceweasel Preferences window pops up, click on Advanced gear icon to the far right. Then click on the Network tab, and then the Settings button.

In our setup, we'll use the "Manual proxy configuration" so select that radio button. Then enter in your server's IP address in the HTTP Proxy field and whatever port that Squid is running on (Debian's default for Squid is port 3128). Optionally, you can use Squid to proxy SSL and/or FTP.

Tell the various window OK and Close to save them and you're ready to go!

The first time you go to any web site, you should be presented with an "Authentication Required" window asking for a User Name and Password. The text will say something like:

The proxy moz-proxy:// is requesting a username and password. The site says: "Private port. Please go away and have a nice day."

Obviously the "Private port. Please go away and have a nice day." is from our configuration above when we set up the authentication. At this point enter you need to enter the username and password we created above with htpasswd. Squid will then tell all sites that it is from the server's IP address.

To test this out there are many sites that will do a check to see if you're accessing the net via a proxy server -- for example, this one. And similarly, you can check what your web browser is reporting for its User-Agent string at sites like this.