Solved

Setting up a proxy server

Posted on 2008-10-17
Last Modified: 2013-12-15
I would like to set my US-based dedicated server up as a (password-protected!) proxy server to mask my real location (to websites that only allow U.S. traffic).

Does anyone know a decent, free, easy-to-set-up proxy server software?

Thanks!

(CentOS-4.3-32)
Question by:GertoWS

Expert Comment

by:rindi
Squid is what normally gets used on Linux systems, and it is included in most distros.

Author Comment

by:GertoWS
Thanks, I have set up Squid 3.0, but am unsure which settings I need because this seems to do much more.

The only thing I need it for is for a proxy; it seems like it has tons of caching options etc., but I don't need that. Anyway, after trying it out of the box, when I set up my browser to use the proxy, I get the following message:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.google.com/

The following error was encountered:

    * Access Denied.

      Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

I've tried to add the line "http_access allow MY_IP_ADDRESS" to the config file but that doesn't seem to work, it seems like it's set up by default to only allow access from local computers?

(in addition, I don't really want to set this up for my ip address since I have a dynamic ip address; a password or something would seem handy if possible)

Thanks!

Expert Comment

by:rindi
As I don't have much experience with configuring Squid, I'm afraid you'll have to read the diverse how-to's to get it configured, or hope someone else here replies. If you want, you can try using the "Request Attention" button.

Expert Comment

by:Gns
Take a look at the FAQ... It's really quite informative;-).
http://www.squid-cache.org/Versions/v3/3.0/cfgman/auth_param.html might be a good place to start reading...

Cheers
-- Glenn

Author Comment

by:GertoWS
I've increased the amount of points to 500.

I already spent several hours yesterday searching the FAQ and wiki. I just spent another hour wading through the FAQ, forums, the wiki, ...

But no matter what I do, I keep on getting the "Access Denied." message.

Even if I set http_access and htcp_access to allow all.

Any ideas?

Expert Comment

by:Gns
Anything in the logs?
Almost sounds like you either aren't making the changes take effect, or change "the wrong file":-).

Cheers
-- Glenn

Expert Comment

by:Redimido
Hey GertoWS, please post the output of the command. That command will get rid of comments and blank lines so we can see what your squid.conf looks like.

Anyway, I would say you need to open an ACL to allow your IP address.

But your squid should look like what I posted below.

To create the password file you can use this URL:
http://www.suretecsystems.com/our_docs/proxy-guide-en/htpasswd.html

Anyway, I have put an extract in the code snippet below.


egrep -v  "^\s*$|^\s*#" /etc/squid.conf

==8<===============================================
############################################################################
# Authentication extension
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm SQUID PASSWORD PROTECTED
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
authenticate_ip_ttl 1800 seconds
#############################################################################
# ACL's
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
#############################################################################
# Here you define what to do with accesses:
http_access allow all password
==8<===============================================

HOW TO CREATE THE PASSWORD FILE:

cd /etc/squid
# the file name must match the path given to ncsa_auth above
htpasswd -d -c passwd username

And that's all. Restart your squid and try it.

Author Comment

by:GertoWS
Thanks for the help (and sorry for the delay in getting back).
I've changed the path from your example command to "/etc/squid/squid.conf" because that's where AFAIK my conf file is (or am I changing the wrong file, as asked above???)

[code] egrep -v  "^\s*$|^\s*#" /etc/squid/squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
 http_reply_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
[/code]

As you see, basically I changed all instances of "DENY" to "ALLOW", which is not secure, but I just want to get it working first.

Then I restarted squid (/etc/rc.d/init.d/squid restart), and I always get the "proxy server rejected connection" error.

(I'm using port 3129 as proxy, because I was told this is the port squid listens to)

Also, I've noticed that if I load any of my own websites (hosted on this dedicated server I'm trying to set up as proxy), it works perfectly.

Author Comment

by:GertoWS
(apparently messed up the code part, sorry, second try:)
egrep -v  "^\s*$|^\s*#" /etc/squid/squid.conf

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_reply_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Accepted Solution

by:
Redimido earned 500 total points
Hi GertoWS:

I messed up the path, but of course you found the valid conf file.

Ok. If not told otherwise, squid listens on port 3128 and leaves port 3129 for ICP, which is used for other caches.

So, please try connecting to port 3128 from your browser.

Author Comment

by:GertoWS
Thanks, apparently that was my biggest problem. It's working now!

I also did some things to make it more anonymous and that seems to work.
One last problem: I'd like to make it secure now.

To start, I tried to set up the password with the code you provided, however then I get the connection refused error again.

Any suggestion how I should set this up with my browser? I was expecting it to ask me for a password
(if you want me to set this up as a different question, feel free to ask)

Thanks for all the help!
Current conf attached

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm SQUID PASSWORD PROTECTED
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
authenticate_ip_ttl 1800 seconds
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow all password
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_reply_access allow all
http_reply_access allow all
icp_access allow all
forwarded_for off
client_db off
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access All deny all
coredump_dir /var/spool/squid

Expert Comment

by:Redimido
I see you duplicated the authentication section.

Try to comment out lines 4-7 and to change line 41 from "allow" to "deny".
Also, lines 42 and 43 are repeated. Line 44 is not needed since you do not have a network of caches.

Also, all these "header_access" lines: comment them out first, and then when everything is working try again step by step.

You are introducing too many changes in each step to find the culprit if something fails.
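
Added example, not part of the thread and not Squid's own tooling: a short Python check for the two problems pointed out in the reply above, repeated auth_param settings and http_access allow rules that admit any client without a login. SAMPLE_CONF is a shortened copy of the configuration posted earlier, and audit() is a hypothetical helper that only reads acl, auth_param and http_access lines.

```python
# Constructed sample: the squid.conf from the thread, shortened, comments stripped.
SAMPLE_CONF = """\
auth_param basic children 5
auth_param basic casesensitive off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80
acl SSL_ports port 443 563
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic casesensitive on
acl password proxy_auth REQUIRED
http_access allow all password
http_access allow manager localhost
http_access allow manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
"""

def audit(conf):
    """Return [(line_no, message)] for duplicated auth_param settings and for
    http_access allow rules that need neither a login nor a specific source."""
    acl_type, acl_arg, auth_seen, findings = {}, {}, {}, []
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#")[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acl_type.setdefault(tok[1], tok[2])
            acl_arg.setdefault(tok[1], tok[3] if len(tok) > 3 else "")
        elif len(tok) >= 3 and tok[0] == "auth_param":
            key = (tok[1], tok[2])
            if key in auth_seen:
                findings.append((no, "duplicate auth_param %s %s (first on line %d)"
                                 % (key + (auth_seen[key],))))
            auth_seen.setdefault(key, no)
        elif len(tok) >= 3 and tok[:2] == ["http_access", "allow"]:
            # A negated ACL is never counted as a login or a source limit.
            acls = [a for a in tok[2:] if not a.startswith("!")]
            login = any(acl_type.get(a) == "proxy_auth" for a in acls)
            src_limited = any(acl_type.get(a) == "src"
                              and not acl_arg[a].startswith("0.0.0.0/0") for a in acls)
            if not login and not src_limited:
                findings.append((no, "allow without proxy_auth or source limit: "
                                 + " ".join(tok[2:])))
    return findings

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_CONF):
        print("line %d: %s" % (line_no, message))
```

Squid evaluates http_access rules top to bottom and stops at the first match, so each flagged allow rule is a path around the password rule on the line above it.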

Author Closing Comment

by:GertoWS
Thank you very much