How to set up an anonymous proxy on debian

This document describes the steps required to install squid proxy server from http://squid-cache.org and webmin from http://webmin.com on a debian 4.0 system as well as basic steps required to configure squid to listen on multiple ip addresses and use them as outgoing source address for connections. This will also show you how to configure squid from webmin to accept connections only from predefined clients based on the client's ip address.

For the steps presented below root access over ssh on the server or physical ( console ) access will be required.

Squid installation

Installing squid on a debian system is straight forward. The administrator must be logged in as root and just type: apt-get install squid. This will install squid along with all required dependencies (it may ask for the user permission to install, in that case just approve ).

Webmin installation

download the webmin .deb package from http://webmin.com/download.html and upload it on your server, then type: dpkg -i webmin_1.xyz.deb where xyz is the current webmin version.
This will look for required dependencies and will let you know if something is missing. In case anything is missing you can just install it using apt-get install command simiar to how you installed squid.

Once webmin is installed you can access it over web from your browser like https://yourdomain.com:10000

Webmin configuration

If wedmin and squid were both installed from the standard debian package then webmin should already know where squid configuration files are and be able to modify it and stop/start squid. If this is not the case then you can set the paths in the module's configuration section.

Squid Anonymous configuration

Set http_port to specify the port and ips where squid will listen for incoming connections. If you want squid to listen on any of the available ips just set it like this: http_port 3128

Make squid anonymous by specifying which headers it should allow/deny. For highly anonymous proxies here is the suggested configuration:
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access Cookie allow all
header_access Set-Cookie allow all
header_access All deny all

Some may want to remove the lines that contain Cookie and Set-Cookie headers but if you do that most sites will not work anymore cause most require cookie / session support.

Squid multiple ip configuration

We want connections that come from one ip to go out on the same ip. First set acls to identify the ips where squid listens for incoming connections. Let's say we have 3 ips : 10.0.0.1 , 10.0.1.1 and 10.0.2.1 . The acls would look like this:
acl in_10_0_0_1 myip 10.0.0.1/32
acl in_10_0_1_1 myip 10.0.1.1/32
acl in_10_0_2_1 myip 10.0.2.1/32

Now you can set up tcp_outgoing address using the above acls:

tcp_outgoing_address 10.0.0.1 in_10_0_0_1
tcp_outgoing_address 10.0.1.1 in_10_0_1_1
tcp_outgoing_address 10.0.2.1 in_10_0_2_1

Set up access rules based on client ip

You will have to set up acls similar to the above but they identify the client's ip ( not proxy server's ip). The the acls will be used in the http_access directive. This can be done directly from the configuration file.

Here is a sample that shows how to allow access for a client with the ip 10.0.0.10 :
acl cli_10_0_0_10 src 10.0.0.0.10
http_access allow cli_10_0_0_10
Just put those two lines in squid.conf before the “http_access deny All” line.

You can also add an ACL from webmin -> Servers -> Squid Proxy Server -> Access Control ->> Edit Acl . The acl type has to be “Client address” . You just have to set a name and a “From address” ( the address you want to allow access to squid ) for it and then save it. After you set the ACL you have to go to "Add proxy restriction" , set the Action on “Allow” , select your acl from the "Match ACLs" box and click save. After the save you should be redirected on the main acls page where you should see your acl in the “Proxy restrictions” list, right at the bottom.
You will have to make sure your acl goes before the “Deny all” entry or else it will have no effect. You can put it one row up by clicking the “Up” arrow.

Now you can Start/Restart squid from command line /etc/init.d/squid start/restart or from webmin -> squid proxy server
You can test your squid configuration by setting any of the available ips as a HTTP proxy in your browser ( port 3128 ) and then go to http://spotip.com . That site should show you the exact ip you have set up as proxy in your browser.

8 thoughts on “How to set up an anonymous proxy on debian

  1. Are you sure for this:
    “For highly anonymous proxies here is the suggested configuration:”
    with all the “allow all” ?

    1. The idea is that we allow everybody access to a few headers and then at the end deny access for all other headers , including headers that could reveal the identity of the client.
      Some people that are more paranoid would want to also deny access to cookie/set-cookie headers but this just breaks a lot of functionality as most sites use cookies these days use cookies.
      I also observed some sites don’t work if I don’t allow access to the User-Agent header so if you’re having troubles you might want to add a rule for it before the deny all at the end

      1. Said that way I agree.

        Still, User-Agent header can be rewritten with virtually anything and there we go anonymous again.

        Cheers

        1. Yes and even if you can’t rewrite User-Agent or some site is only available for some browsers, the User-Agent is not really identifying information so I think we’re safe say we’re still anonymous even if we send the real User-Agent

  2. Hi there… first of all… great article. I do have a question though which I just can NOT seem to find a solution and I am hoping you could point me into the correct direction.

    I am trying to setup a single proxy server which essentially just acts as a relay for other proxy servers. My objective is to be able to enter a single proxy server into for example my web browser and automatically have this proxy server switch at regular intervals through a list of different proxy servers (with/without authentication). How can I do this?

    1. You can use the other proxies as the “cache peers” for the main proxy. But you would need a script that would change the configuration of the main proxy and restart/reload it at regular intervals if you want to switch/rotate the peers.

  3. Fantastic!!! after days of trying to configure the impossible squid with vps, virtual ip addresses i have finally nailed it.. thanks buddy your the best :)

    If anyone else is trying to do this! it works a great with vps, and virtual ips..

Leave a Reply