Recently I needed to set up 4 different proxy servers using Squid. My requirements were rather simple: each machine had 8 IPv4 addresses which needed to be able to route requests, the login needed to be a simple username and password, and the proxy's incoming IP was to be used as the outgoing IP. This is for a standard HTTP and HTTPS proxy; if you need a SOCKS5 proxy, please see this post (How to install Dante Server 1.4.1 on Ubuntu 16.04).
This is going to be super simple: it is really just a matter of installing a couple of utilities and squid, and then configuring it. To start, log into your server and make sure your account has sudo privileges.
Install utils and squid
$ sudo apt-get update
$ sudo apt-get install squid
$ sudo apt-get install apache2-utils
Really, apache2-utils is only needed for the htpasswd program, which we use later.
Create a password file
I assume you want to password protect your proxy addresses. If not, go ahead and skip to configuring squid, leaving out the configuration lines for user authentication.
$ cd /etc
$ sudo mkdir squid3
$ sudo htpasswd -c /etc/squid3/passwords proxy_username
You will then be prompted to enter a password, and then to re-enter it. Once you have done this, the password file is ready to be used by Squid.
It is already time to configure squid to be a really simple proxy for whatever you want to use it for. Maybe watching the BBC from the US? Or just hiding your location from websites and applications that track that data; with this proxy they will only see your location as wherever your server is. But back to configuring our little proxy server:
Open up the squid.conf configuration file using your preferred editor (I like nano, it is really simple)
$ sudo nano /etc/squid/squid.conf
Then proceed to enter the following configuration. Remember to replace the *.*.*.N placeholders with your IP addresses.
# Authentication
# The helper's location depends on the squid package; check that this path exists on your system.
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

# Configure and Name the available addresses
acl ip1 myip *.*.*.1
acl ip2 myip *.*.*.2
acl ip3 myip *.*.*.3
acl ip4 myip *.*.*.4
acl ip5 myip *.*.*.5
acl ip6 myip *.*.*.6
acl ip7 myip *.*.*.7
acl ip8 myip *.*.*.8

# Configure the incoming address -> outgoing address, map
tcp_outgoing_address *.*.*.1 ip1
tcp_outgoing_address *.*.*.2 ip2
tcp_outgoing_address *.*.*.3 ip3
tcp_outgoing_address *.*.*.4 ip4
tcp_outgoing_address *.*.*.5 ip5
tcp_outgoing_address *.*.*.6 ip6
tcp_outgoing_address *.*.*.7 ip7
tcp_outgoing_address *.*.*.8 ip8

# Make this proxy anonymous, it will make all services think
# it is the originating IP of the requests
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
# Every request header not allowed above is stripped
request_header_access All deny all
Note here that I have 8 inbound IPs and 8 outbound IPs. I have not tried any other configuration, as this is the behavior that I needed. Each inbound IP sends its traffic back out from the same address, in a passthrough-like mechanism. It is possible to have one inbound IP send out from a different outbound IP and vice versa.
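A typo in any one of the sixteen mapping lines makes that address's traffic leave from a different IP than the one the client connected to. The check below is an added example, not part of the original post; it assumes the single-address `acl NAME myip IP` form used in the configuration above, and the 192.0.2.x addresses are constructed sample data.

```python
import ipaddress

# Constructed sample (RFC 5737 documentation addresses).
# The ip3 mapping contains a deliberate typo.
SAMPLE_CONF = """\
acl ip1 myip 192.0.2.1
acl ip2 myip 192.0.2.2
acl ip3 myip 192.0.2.3
tcp_outgoing_address 192.0.2.1 ip1
tcp_outgoing_address 192.0.2.2 ip2
tcp_outgoing_address 192.0.2.2 ip3
"""


def parse_ip(text, lineno, problems):
    """Parse one address; record unreplaced placeholders such as *.*.*.1."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        problems.append(f"line {lineno}: {text!r} is not an IP address")
        return None


def check_mapping(conf_text):
    """Return a list of problems in the inbound -> outbound address map."""
    inbound, outbound, problems = {}, {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # drop comments, split into fields
        if len(f) == 4 and f[0] == "acl" and f[2] in ("myip", "localip"):
            inbound[f[1]] = parse_ip(f[3], lineno, problems)
        elif len(f) == 3 and f[0] == "tcp_outgoing_address":
            outbound[f[2]] = parse_ip(f[1], lineno, problems)
    for name, ip in inbound.items():
        out = outbound.get(name)
        if name not in outbound:
            problems.append(f"{name}: no tcp_outgoing_address, the OS picks the source IP")
        elif ip is not None and out is not None and ip != out:
            problems.append(f"{name}: listens on {ip} but sends from {out}")
    for name in sorted(outbound.keys() - inbound.keys()):
        problems.append(f"{name}: tcp_outgoing_address refers to an undefined acl")
    return problems


if __name__ == "__main__":
    for problem in check_mapping(SAMPLE_CONF):
        print(problem)
```

To check a real file, pass the contents of /etc/squid/squid.conf to `check_mapping` before restarting squid.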
I cannot say this is secure by any means, but I do know that with some other precautions on the server, such as fail2ban (I will write a little article on this soon), I am running this in a production environment with no serious issues as of yet.