This tutorial is for Ubuntu & Squid3. Use AWS, Google Cloud, DigitalOcean or any service that offers Ubuntu to follow this tutorial.
sudo apt-get update -y
sudo apt-get install squid3 -y
sudo apt-get install apache2-utils -y
Choose a username/password. Example:
username: abc
password: 123
Type in console:
sudo touch /etc/squid/passwords
sudo chmod 777 /etc/squid/passwords
sudo htpasswd -c /etc/squid/passwords [USERNAME]
Replace [USERNAME] with your username, in this example: abc.
You will be prompted to enter the password. Enter and confirm it. The password in this example is 123.
/usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
After executing this line the console will look like it has hung: there is a prompt without any text in it. Type USERNAME PASSWORD
(replacing these with your own username and password, separated by a space) and hit return. You should receive the response "OK". Press Ctrl+C to leave the helper.
If not, review the error message; your username/password might be incorrect. It is also possible that basic_ncsa_auth is located on a different path (e.g. /usr/lib/squid/ instead of /usr/lib/squid3/, or lib64); use whichever path answers "OK" in the auth_param line of the config below.
Back up the default config file:
sudo mv /etc/squid/squid.conf /etc/squid/squid.conf.original
Make a new configuration file:
sudo nano /etc/squid/squid.conf
Enter this in the config file:
# Authentication helper: use the basic_ncsa_auth path that answered "OK" in the test above (/usr/lib/squid/ or /usr/lib/squid3/)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
acl authenticated proxy_auth REQUIRED
dns_v4_first on
forwarded_for delete
via off
http_port 8888
visible_hostname foxy
#------------------------------------------------------------------------------------------------------------------
# ACL list allow myisp range (clients in this range are let through without authenticating)
acl myisp src 90.89.0.0/17
# operating between 9:00AM and 5:00PM, Monday through Friday, and which uses the 10.1.42.0/24 subnetwork
# Squid's time ACL uses one letter per day: S M T W H F A (H = Thursday, A = Saturday), written without spaces
acl biz_network src 10.1.42.0/24
acl biz_hours time MTWHF 9:00-17:00
#------------------------------------------------------------------------------------------------------------------
# Block domains (http_access takes ACL names, never a bare domain; a leading dot also matches every subdomain)
acl socialsite dstdomain .twitter.com
acl socialsite dstdomain .facebook.com
# Block URLs using keywords
# Say if any url contains keyword such as "foo" or "browse.php?u=" block it using the url_regex acl
# nano /etc/squid/blocked-urls-keyword.conf   (one regular expression per line, so escape . and ?)
# foo
# browse\.php\?u=
acl urlkeywordsblocks url_regex -i "/etc/squid/blocked-urls-keyword.conf"
# Block file extensions
# Append the following to /etc/squid/blocked-file-extensions.conf, one regular expression per line:
# \.exe$
# \.mp4$
# \.mp3$
# \.zip$
# \.pdf$
acl blockedextension urlpath_regex -i "/etc/squid/blocked-file-extensions.conf"
#------------------------------------------------------------------------------------------------------------------
# http_access is evaluated top to bottom and the first matching line wins: put the deny lists first,
# then the allow rules, and keep "deny all" as the LAST line (any http_access line after it is never reached).
http_access deny socialsite
http_access deny urlkeywordsblocks
http_access deny blockedextension
http_access allow myisp # only allow myisp range to use proxy
http_access allow biz_network biz_hours
http_access allow authenticated
http_access deny all
#------------------------------------------------------------------------------------------------------------------
# Say if you have multiple IP addresses assigned to your server we can change proxy server outgoing IP address as follows:
# You can forward clients request based on IPs for certain users:
# define acl (src = the client's source address)
acl admin src 192.168.1.100
acl private src 192.168.1.101
acl public src 192.168.1.102
# set up outgoing rule
tcp_outgoing_address 202.234.45.87 admin
tcp_outgoing_address 202.234.45.89 private
tcp_outgoing_address 202.234.45.81 public
## full filtering enabled using iptables on 10.0.0.0/24 and routed via squid ##
acl throttle_service_net src 10.0.0.0/24
## admins are skipped from these limits ##
acl admins_service_net src 192.168.1.0/24
## Set rules ##
tcp_outgoing_address 10.1.0.2 throttle_service_net
tcp_outgoing_address 192.168.1.254 admins_service_net
#------------------------------------------------------------------------------------------------------------------
# Specify a list of DNS name servers to use
dns_nameservers 8.8.8.8 1.1.1.1
#------------------------------------------------------------------------------------------------------------------
auth_param basic credentialsttl 24 hours: after 24 hours, the user/pass will be asked for again.
auth_param basic casesensitive off: case sensitivity for usernames is off.
dns_v4_first on: prefer IPv4 (try IPv4 addresses before IPv6) to speed up the proxy.
forwarded_for delete: remove the X-Forwarded-For HTTP header, which would expose your source address to the destination.
via off: remove the Via header as well, to avoid exposing the proxy to the destination.
http_port 8888: port 8888 is used for the proxy. You can choose any port.
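Added example, not from the tutorial: a Python model of how Squid walks its http_access lines, using the ACL names from the config above. The matchers are simplifications written for this example, not Squid's own code. It shows why the order of the http_access lines matters: with `http_access deny all` placed directly after `http_access allow authenticated`, an authenticated user still reaches facebook.com (the socialsite deny is never evaluated) and the myisp allow never fires; with the deny lists first, the allows next and `deny all` last, every rule does its job. `compare()` returns the decision for both orders, and `MONDAY_10AM` / `SATURDAY_10AM` are constructed timestamps.

```python
"""Added example (not from the tutorial): a toy model of Squid http_access
evaluation for the ACLs defined in the squid.conf above.  Squid walks the
http_access lines top to bottom, every ACL on a line must match (AND), the
first matching line decides, and when nothing matches the default is the
opposite of the last line.  The matchers below are simplifications."""
import ipaddress
import re
from datetime import datetime

# Squid time-ACL day letters -> datetime.weekday() (Monday == 0)
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

MONDAY_10AM = datetime(2024, 1, 8, 10, 0)    # constructed timestamp, a Monday
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)  # constructed timestamp, a Saturday


def time_acl_matches(spec, when):
    """spec uses Squid's syntax, e.g. 'MTWHF 9:00-17:00' (H = Thursday, A = Saturday)."""
    days, hours = spec.split()
    start, end = hours.split("-")
    start_h, start_m = (int(x) for x in start.split(":"))
    end_h, end_m = (int(x) for x in end.split(":"))
    if when.weekday() not in {DAY_CODES[d] for d in days}:
        return False
    minute_of_day = when.hour * 60 + when.minute
    return start_h * 60 + start_m <= minute_of_day <= end_h * 60 + end_m


def dstdomain_matches(pattern, host):
    """A leading dot ('.facebook.com') matches the domain and every subdomain."""
    host = host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_context(src_ip, host, authenticated, when, path="/"):
    """Decide each named ACL from the tutorial config for one request."""
    ip = ipaddress.ip_address(src_ip)
    return {
        "all": True,
        "authenticated": authenticated,
        "myisp": ip in ipaddress.ip_network("90.89.0.0/17"),
        "biz_network": ip in ipaddress.ip_network("10.1.42.0/24"),
        "biz_hours": time_acl_matches("MTWHF 9:00-17:00", when),
        "socialsite": any(dstdomain_matches(d, host) for d in (".twitter.com", ".facebook.com")),
        "urlkeywordsblocks": re.search(r"foo|browse\.php\?u=", path, re.I) is not None,
        "blockedextension": re.search(r"\.(exe|mp4|mp3|zip|pdf)$", path, re.I) is not None,
    }


def evaluate(rules, ctx):
    """First matching http_access line wins; no match -> opposite of the last line."""
    for action, acls in rules:
        if all(ctx.get(name, False) for name in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# 'deny all' directly after 'allow authenticated': every later line is unreachable.
DENY_ALL_EARLY = [
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
    ("allow", ["myisp"]),
    ("allow", ["biz_network", "biz_hours"]),
    ("deny", ["socialsite"]),
    ("deny", ["urlkeywordsblocks"]),
    ("deny", ["blockedextension"]),
]

# Block lists first, then the allows, 'deny all' last.
DENY_ALL_LAST = [
    ("deny", ["socialsite"]),
    ("deny", ["urlkeywordsblocks"]),
    ("deny", ["blockedextension"]),
    ("allow", ["myisp"]),
    ("allow", ["biz_network", "biz_hours"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]


def compare(src_ip, host, authenticated, when, path="/"):
    """Return (decision with deny-all early, decision with deny-all last)."""
    ctx = acl_context(src_ip, host, authenticated, when, path)
    return evaluate(DENY_ALL_EARLY, ctx), evaluate(DENY_ALL_LAST, ctx)


if __name__ == "__main__":
    # Authenticated user on facebook.com: the socialsite block only works in the second order.
    print(compare("203.0.113.5", "www.facebook.com", True, MONDAY_10AM))
    # Unauthenticated client in the myisp range: 'deny all' hides the allow in the first order.
    print(compare("90.89.1.1", "example.org", False, MONDAY_10AM))
```

On the real proxy, `sudo squid -k parse` checks squid.conf for syntax errors (an unknown day letter in a time ACL, for example) before you restart, and `sudo squid -k reconfigure` applies an edited config without dropping open connections.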
Save the file (in nano: Ctrl+O, Enter, then Ctrl+X; in vi: [esc]:wq).
Start squid: sudo service squid start
To check service status: service squid status
Restart squid service:
sudo service squid restart
or sudo systemctl restart squid.service
Use your proxy with your ip:port. Example: 111.111.222.333:8888, and log in with your user/pass.
You might need to create an inbound firewall rule first before using the proxy.
For Google Cloud: Firewall. Create an Ingress rule, Target: Apply to all, IP range 0.0.0.0/0, allow TCP:8888, UDP:8888 for all traffic.