@flaviomuniz
Forked from e7d/README.md
Created October 28, 2017 17:19
[Debian] Setup a Squid anonymous proxy

If you want to use the latest available version of Squid, you can Build a Squid anonymous proxy from source code

Setup a Squid anonymous proxy

Disclaimer

Read the install script before using it.
You may want to understand what the script is doing before executing it.
I will not be responsible for any damage caused to your server.

Squid installation script

```sh
wget -qO- https://gist.githubusercontent.com/e7d/9472c3e7ac1821056867b95244c73609/raw/squid-install.sh | sh
```

Manage users

Using the htpasswd command, you can manage the users allowed to use the proxy:

  • create/update a user: htpasswd -bd /etc/squid3/users.pwd myuser mypw
  • remove a user: htpasswd -D /etc/squid3/users.pwd myuser

Note: the maximum acceptable password length is 8 characters (a limit of the `-d` CRYPT format).
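The 8-character limit comes from the traditional crypt() format that `htpasswd -d` writes, so an audit of `users.pwd` should flag those entries (and the `proxy`/`proxy` sample account the install script creates). The script below is an added example, not part of the gist: it classifies each entry by hash format without verifying any password, and the file content and hashes it embeds are constructed dummies. Whether a given Squid build accepts every format it recognises (bcrypt in particular) is not checked here.

```python
"""Audit an htpasswd-style users.pwd file as used by Squid's basic_ncsa_auth.

Added example: classifies entries by hash scheme and flags the DES crypt()
entries that `htpasswd -d` produces, because crypt() only uses the first 8
characters of the password.
"""
import re

# Constructed sample file; the digests are dummy strings in the right shape, not real hashes.
SAMPLE_USERS_PWD = """\
proxy:ab12CDE3fgHiJ
alice:$apr1$saltsalt$abcdefghijklmnopqrstuv
bob:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
carol:$2y$05$abcdefghijklmnopqrstuvabcdefghijklmnopqrstuvwxyzABCDE
broken-line-without-colon
"""

# Traditional DES crypt(): exactly 13 characters from the crypt alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(digest):
    """Return the hash scheme name for one htpasswd digest string."""
    if digest.startswith("$apr1$"):
        return "apr1-md5"
    if digest.startswith("{SHA}"):
        return "sha1"
    if digest.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"  # support depends on the Squid build (assumption, not verified here)
    if DES_CRYPT_RE.match(digest):
        return "des-crypt"
    return "unknown"


def effective_password(scheme, password):
    """The password as the scheme actually hashes it; only DES crypt() truncates."""
    return password[:8] if scheme == "des-crypt" else password


def audit_users_pwd(text, sample_users=("proxy",)):
    """Return one finding per entry: {line, user, scheme, issues}."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            report.append({"line": lineno, "user": None, "scheme": "malformed",
                           "issues": ["no ':' between user and hash"]})
            continue
        user, _, digest = line.partition(":")
        scheme = classify_hash(digest)
        issues = []
        if scheme == "des-crypt":
            issues.append("traditional crypt(): password truncated to 8 characters")
        if scheme == "unknown":
            issues.append("unrecognised hash format; entry may never authenticate")
        if user in sample_users:
            issues.append("sample account from the install script; remove or reset it")
        report.append({"line": lineno, "user": user, "scheme": scheme, "issues": issues})
    return report


if __name__ == "__main__":
    for entry in audit_users_pwd(SAMPLE_USERS_PWD):
        print(entry)
```

Run it against the real file with `audit_users_pwd(open("/etc/squid3/users.pwd").read())`; any `des-crypt` finding means the account's password is effectively at most 8 characters long, whatever was typed at creation.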

squid-install.sh

```sh
#!/bin/sh
# squid-install.sh: installs Squid 3 on Debian and applies the squid.conf from this gist.
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
echo "Update packages list"
apt-get update
echo "Build dependencies"
# apache2-utils provides htpasswd, used below and in the README to manage users.
RUNLEVEL=1 apt-get -y install squid3 squid3-common apache2-utils
echo "Create configuration file"
mv /etc/squid3/squid.conf /etc/squid3/squid.conf.default
# --no-check-certificate disables TLS verification of this download; the fetched
# file becomes the proxy's whole policy, so review it before the service starts.
wget --no-check-certificate -O /etc/squid3/squid.conf https://gist.githubusercontent.com/e7d/9472c3e7ac1821056867b95244c73609/raw/squid.conf
echo "Create users database sample"
# Sample account proxy/proxy (-c creates the file, -b takes the password from the
# command line, -d stores it as system CRYPT); replace it before exposing the proxy.
htpasswd -cbd /etc/squid3/users.pwd proxy proxy
echo "Prepare environment for first start"
mkdir -p /var/log/squid3
mkdir -p /var/cache/squid3
mkdir -p /var/spool/squid3
chown -cR proxy /var/log/squid3
chown -cR proxy /var/cache/squid3
chown -cR proxy /var/spool/squid3
# Initialise the cache_dir swap directories declared in squid.conf.
squid3 -z
echo "Start service"
service squid3 start
exit 0
```
squid.conf

```conf
# General
http_port 3128
visible_hostname Proxy
forwarded_for delete
via off

# Log
logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid3/access.log squid

# Cache
cache_dir aufs /var/cache/squid3 1024 16 256
coredump_dir /var/spool/squid3
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Network ACL
# Defined for reference only: access below is granted by authentication, not by source network.
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Port ACL
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT

# Authentication
# The following lines enable file based authentication. Requirements:
# - the Squid helper `basic_ncsa_auth` must be installed at the path given below;
# - the htpasswd file `users.pwd` stores the eligible accounts. Generate it with the
#   htpasswd command from the "apache2-utils" package, using the "-d" flag for system CRYPT.
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/users.pwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
acl Users proxy_auth REQUIRED

# Access Restrictions
# http_access lines are evaluated top to bottom and the first match wins, so the
# port restrictions must come before `allow Users`; otherwise any authenticated
# user could CONNECT to arbitrary ports. The explicit final `deny all` avoids
# Squid's implicit default (the opposite of the last rule).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow Users
http_access deny all
http_reply_access allow all
htcp_access deny all
icp_access allow all
always_direct allow all

# Request Headers Forcing
# Only the request headers listed here are passed to origin servers; everything else is stripped.
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

# Response Headers Spoofing
# Hide the response headers that would reveal a caching proxy in the path.
reply_header_access Via deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
```
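Because Squid evaluates `http_access` lines top to bottom and stops at the first match, the relative position of `allow Users` and the two port denies decides whether an authenticated user can reach ports outside `Safe_ports`/`SSL_ports`. The following is an added illustration, not Squid's own code or part of the gist: a simplified model of that first-match evaluation for the ACLs this config defines (port, method, proxy_auth, and the built-in `localhost`/`all`), which compares an ordering with `allow Users` first against one with the port restrictions first. The request summaries it evaluates are constructed, and an unauthenticated request is modelled as Squid's 407 challenge rather than as a plain non-match.

```python
"""Model Squid's first-match http_access evaluation for this gist's ACLs.

Added illustration; Squid's real checklist has more states than this model.
"""

# Port sets copied from the acl Safe_ports / acl SSL_ports lines of the config.
SAFE_PORTS = {80, 8080, 21, 443, 563, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 873}


def make_request(method, port, authenticated, src="10.0.0.5", manager=False):
    """Constructed request summary. `authenticated` is True (valid credentials),
    False (bad credentials) or None (no Proxy-Authorization header sent)."""
    return {"method": method, "port": port, "authenticated": authenticated,
            "src": src, "manager": manager}


def acl_users(req):
    # proxy_auth REQUIRED: None means the ACL cannot be decided yet; Squid
    # answers that state with a 407 challenge instead of allow/deny.
    return req["authenticated"]


ACLS = {
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "purge": lambda r: r["method"] == "PURGE",
    "manager": lambda r: r["manager"],
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "Users": acl_users,
    "all": lambda r: True,
}


def line_matches(terms, req):
    """All ACL names on one http_access line must match; a leading '!' negates one.
    Returns True/False, or None when a proxy_auth ACL could not be evaluated."""
    for term in terms:
        negate = term.startswith("!")
        result = ACLS[term.lstrip("!")](req)
        if result is None:
            return None
        if negate == result:  # negated term that matched, or plain term that did not
            return False
    return True


def evaluate(rules, req):
    """rules: [(action, [terms]), ...] in file order. First matching line wins;
    with no match at all, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        outcome = line_matches(terms, req)
        if outcome is None:
            return "auth-required"
        if outcome:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Ordering A: `allow Users` ahead of the port restrictions.
USERS_FIRST = [
    ("allow", ["Users"]),
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
]

# Ordering B: port restrictions first, authentication last, explicit final deny.
PORTS_FIRST = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("allow", ["Users"]),
    ("deny", ["all"]),
]


def compare_orderings(req):
    """Decision of both orderings for one request."""
    return {"users_first": evaluate(USERS_FIRST, req),
            "ports_first": evaluate(PORTS_FIRST, req)}


if __name__ == "__main__":
    for label, req in [
        ("authenticated CONNECT :25", make_request("CONNECT", 25, True)),
        ("unauthenticated CONNECT :25", make_request("CONNECT", 25, None)),
        ("authenticated GET :80", make_request("GET", 80, True)),
        ("authenticated GET :22", make_request("GET", 22, True)),
    ]:
        print(label, compare_orderings(req))
```

With the ports-first ordering a CONNECT to port 25 is refused before credentials are even requested, whereas with `allow Users` first a valid login is enough to reach it. The model also shows a smaller quirk of the port lists: 873 is in `SSL_ports` but not in `Safe_ports`, so `deny !Safe_ports` refuses a CONNECT to 873 regardless of the rsync entry.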