Solved

Setting up a proxy server

Posted on 2008-10-17
Last Modified: 2013-12-15
I would like to set my US-based dedicated server up as a (password-protected!) proxy server to mask my real location (to websites that only allow U.S. traffic).

Does anyone know a decent, free, easy-to-set-up proxy server software?

Thanks!

(CentOS-4.3-32)
Question by:GertoWS
15 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 22747223
Squid is what normally gets used on Linux systems, and it is included in most distros.
0
 

Author Comment

by:GertoWS
ID: 22804471
Thanks, I have set up Squid 3.0, but am unsure which settings I need because this seems to do much more.

The only thing I need it for is for a proxy, it seems like it has tons of caching options etc, but I don't need that. Anyway, after trying it out of the box, when I set up my browser to use the proxy, I get the following message:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.google.com/

The following error was encountered:

    * Access Denied.

      Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

I've tried to add the line "http_access allow MY_IP_ADDRESS" to the config file but that doesn't seem to work, it seems like it's set up by default to only allow access from local computers?

(in addition, I don't really want to set this up for my ip address since I have a dynamic ip address; a password or something would seem handy if possible)

Thanks!
0
 
LVL 88

Expert Comment

by:rindi
ID: 22804523
As I don't have much experience with configuring Squid, I'm afraid you'll have to read the diverse how-to's to get it configured, or hope someone else here replies. If you want, you can try using the "Request Attention" button.
0
 
LVL 20

Expert Comment

by:Gns
ID: 22805530
Take a look at the FAQ... It's really quite informative;-).
http://www.squid-cache.org/Versions/v3/3.0/cfgman/auth_param.html might be a good place to start reading...

Cheers
-- Glenn
0
 

Author Comment

by:GertoWS
ID: 22806439
I've increased the amount of points to 500.

I already spent several hours yesterday searching the FAQ and wiki, and I just spent another hour wading through the FAQ, forums, the wiki, ....

But no matter what I do, I keep on getting "Access Denied." message.

Even if I set http_access and htcp_access to allow all.

Any ideas?
0
 
LVL 20

Expert Comment

by:Gns
ID: 22806824
Anything in the logs?
Almost sounds like you either aren't making the changes take effect, or change "the wrong file":-).

Cheers
-- Glenn
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22858304
Hey GertoWS, please post the output of the command. That command will get rid of comments and blank lines so we can see what your squid.conf looks like.

Anyway, I would say you need to open an ACL to allow your ip address.

but your squid should look like what I posted below.

To create the password file you can use this URL:
http://www.suretecsystems.com/our_docs/proxy-guide-en/htpasswd.html

anyway I have put an extract in the code snippet below.


egrep -v  "^\s*$|^\s*#" /etc/squid.conf
 
==8<===============================================
############################################################################
# Authentication extension
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm SQUID PASSWORD PROTECTED
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
authenticate_ip_ttl 1800 seconds
#############################################################################
# ACL's
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
#############################################################################
# Here you define what to do with accesses:
http_access allow all password
==8<===============================================
 
HOW TO CREATE THE PASSWORD FILE:
cd /etc/squid
# the file name must match the path given to ncsa_auth above (/etc/squid/passwd)
htpasswd -d -c passwd username
 
 
 
and that's all. restart your squid and try it.


0
 

Author Comment

by:GertoWS
ID: 22976952
Thanks for the help (and sorry for the delay in getting back).
I've changed the path from your example command to "/etc/squid/squid.conf" because that's where AFAIK my conf file is (or am I changing the wrong file, as asked above???)

[code] egrep -v  "^\s*$|^\s*#" /etc/squid/squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
 http_reply_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
[/code]

As you see, basically I changed all instances of "DENY" to "ALLOW", which is not secure, but just want to get it working first.

Then I restarted squid (/etc/rc.d/init.d/squid restart), and I always get the "proxy server rejected connection" error.

(I'm using port 3129 as proxy, because I was told this is the port squid listens to)

Also, I've noticed that if I load any of my own websites (hosted on this dedicated server I'm trying to set up as proxy), it works perfectly.
0
 

Author Comment

by:GertoWS
ID: 22976964
(apparently messed up the code part, sorry, second try:)
egrep -v  "^\s*$|^\s*#" /etc/squid/squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
 http_reply_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid


0
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 500 total points
ID: 22977438
Hi GertoWS:

I messed up the path, but of course you found the valid conf file.

Ok. If not told otherwise, squid listens on port 3128 and leaves port 3129 for ICP which is used for other caches.

So, please try connecting to port 3128 from your browser.
0
 

Author Comment

by:GertoWS
ID: 22977969
Thanks, apparently that was my biggest problem. It's working now!

I also did some things to make it more anonymous and that seems to work.
One last problem: I'd like to make it secure now.

To start, I tried to set up the password with the code you provided, however then I get the connection refused error again.

Any suggestion how I should set this up with my browser? I was expecting it to ask me for a password
(if you want me to set this up as a different question, feel free to ask)

Thanks for all the help!
Current conf attached
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm SQUID PASSWORD PROTECTED
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
authenticate_ip_ttl 1800 seconds
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
http_access allow all password
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
 http_reply_access allow all
http_reply_access allow all
icp_access allow all
forwarded_for off
client_db off
                header_access Allow allow all
                header_access Authorization allow all
                header_access WWW-Authenticate allow all
                header_access Proxy-Authorization allow all
                header_access Proxy-Authenticate allow all
                header_access Cache-Control allow all
                header_access Content-Encoding allow all
                header_access Content-Length allow all
                header_access Content-Type allow all
                header_access Date allow all
                header_access Expires allow all
                header_access Host allow all
                header_access If-Modified-Since allow all
                header_access Last-Modified allow all
                header_access Location allow all
                header_access Pragma allow all
                header_access Accept allow all
                header_access Accept-Charset allow all
                header_access Accept-Encoding allow all
                header_access Accept-Language allow all
                header_access Content-Language allow all
                header_access Mime-Version allow all
                header_access Retry-After allow all
                header_access Title allow all
                header_access Connection allow all
                header_access Proxy-Connection allow all
                header_access All deny all
coredump_dir /var/spool/squid


0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22978229
I see you duplicated the authentication section.

try to comment lines 4-7 and to change line 41 from "allow" to "deny"
also lines 42 and 43 are repeated. line 44 is not needed since you do not have a network of caches.

also, all these "header_access": comment them first and then, when everything is working, try again step by step.

you are introducing too many changes in each step to find the culprit if something fails.
0
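Added example, not part of the thread and not code from any poster: a small heuristic check that walks the `http_access` rules in order and lists every `allow` rule that is gated neither by a `proxy_auth` ACL nor by a loopback-only `src` ACL, run over the asker's last posted rules and over a corrected ordering. Assumptions: the `Safe_ports` list is abridged, the corrected ordering follows the advice above plus Squid's usual "deny, then allow authenticated, then deny all" pattern, and the function name is hypothetical.

```python
# Constructed sample: ACLs and http_access rules from the asker's last config (abridged).
ASKER_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
http_access allow all password
http_access allow manager localhost
http_access allow  manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access allow all
"""

# Assumed corrected ordering (not posted in the thread): same ACLs, stricter rules.
HARDENED_CONF = ASKER_CONF.split("http_access", 1)[0] + """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow password
http_access deny all
"""

def unauthenticated_allows(conf):
    """Return http_access allow rules not gated by proxy_auth or a loopback src ACL."""
    acl_type, acl_vals, findings = {}, {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(words) >= 3 and words[0] == "acl":
            acl_type[words[1]] = words[2]
            acl_vals.setdefault(words[1], []).extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            action, names = words[1], words[2:]
            if action == "deny" and names == ["all"]:
                break                             # rules after this are unreachable
            positive = [n for n in names if not n.startswith("!")]
            needs_auth = any(acl_type.get(n) == "proxy_auth" for n in positive)
            loopback = any(acl_type.get(n) == "src" and acl_vals[n]
                           and all(v.startswith("127.") for v in acl_vals[n])
                           for n in positive)
            if action == "allow" and not (needs_auth or loopback):
                findings.append(" ".join(words))
    return findings
```

On the asker's rules the check reports four rules that admit requests without a password, ending with `http_access allow all`; on the corrected ordering it reports none.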
 

Author Closing Comment

by:GertoWS
ID: 31507185
Thank you very much
0
