Proxy servers have many applications, such as caching to increase the responsiveness of network resources, content filtering for web requests, and basic authentication for network segments (both remote and local), with the most popular use arguably being IP address masking. A proxy server forwards the traffic of the requesting system to its destination using the proxy server’s own IP address in place of the original. Whether the requesting party’s intentions are legitimate or nefarious, bypassing censorship controls or creating a degree of separation between a system and its apparent identity is easily achieved with a cloud proxy server.
Companies such as Digital Ocean provide cost effective cloud hosting services that are intuitive and offer a diverse range of features. At the time of this post, a “droplet” on Digital Ocean with 1 CPU, 1 GB RAM, and 25 GB of disk space costs $5 (USD) per month, which is more than sufficient for operating a personal proxy server.
Running a cloud proxy server offers the flexibility of being able to access it from any device that you configure to authenticate with your system. The proxy service known as Squid can be installed on a droplet that hosts a Linux distribution whose package repository carries Squid.
After spinning up your droplet, making the necessary configurations, and ensuring that security hardening tasks have been accomplished, you are ready to establish an SSH connection to your new server and begin the proxy configuration.
Adding A New User For Proxy Authorization
Create a user account that will be associated with the authentication portion that will be covered later by entering this command:
You will be prompted to create a system-level password and enter some basic information (you can leave the personal information entries blank), since this is just a user account on the server, and is not tied to the proxy authentication stage. You will create a proxy access password during a later step.
Installing Squid And Apache Utilities Using Apt
In your SSH terminal, install Squid and the necessary Apache Utilities by entering:
sudo apt-get install squid apache2-utils
The install will produce directories and files that need to be manipulated in such a way that your proxy server will not only function but successfully allow you to authenticate with a username and password.
Editing The Configuration File
First off, you want to create a backup of the default configuration file, basically a “factory reset” file you can jump back to should you lose your way with the configuration file you make changes to. From the command line, run:
cp /etc/squid/squid.conf /etc/squid/squid.conf.bkp
Open the ‘/etc/squid/squid.conf’ file in Vim or Nano, and make the following entries:
http_port 3228
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/.passwd
auth_param basic children 1
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
acl auth proxy_auth REQUIRED
acl localhost src 127.0.0.0/8
http_access allow auth
http_access allow localhost
http_access deny all
cache deny all
via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
The ‘http_port’ entry dictates the port your inbound connection will use, and can be changed. This is the port number you will enter when configuring your system’s proxy settings to reach your proxy server. The nine entries after it set up authentication and the Access Control List (ACL) rules that allow or deny traffic according to the criteria in the associated entries.
‘cache deny all’ is set for a few reasons. The first is that you are using a cloud server, and if you are attempting to mask your location both logically and geographically, your data center region is more than likely hosted in an entirely different country. That is far too much copper and far too many hops between a system and a proxy server for the proxy’s caching to yield any increase in performance, so it is a waste.
Another reason is that your hard drive space may be eaten up depending on how much of a cache you are storing, and since a $5 droplet on Digital Ocean only has 25 GB of space, let’s not. Lastly, and most importantly, should your Squid server become compromised, and you really are attempting to mask your activities and location, you don’t want a nice, neat, parsable package with a bow for a threat actor to harvest and develop a list of targets and possibly capture information you’d rather be kept secret.
The remaining entries, from ‘via off’ and ‘forwarded_for off’ through the ‘request_header_access’ lines, strip request headers that identify the origin IP address or otherwise indicate that the traffic is coming from a proxy. This improves your privacy and reduces the likelihood that services you access through the proxy will detect proxy traffic and block your requests.
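As an added example (not from the original post or the Squid project), a small linter that checks a squid.conf for the properties the entries above rely on: an authentication ACL exists and is allowed, ‘http_access deny all’ comes last (Squid stops at the first matching http_access line, so rules after it are dead), and the no-cache and proxy-hiding directives are present. The embedded sample is a constructed, abbreviated copy of the configuration above.

```python
# Constructed sample: the post's squid.conf entries, one directive per line (header list abbreviated).
SAMPLE_CONF = """
http_port 3228
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/.passwd
acl auth proxy_auth REQUIRED
acl localhost src 127.0.0.0/8
http_access allow auth
http_access allow localhost
http_access deny all
cache deny all
via off
forwarded_for off
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
"""

# Directives the post relies on for not caching and for hiding the proxy, with expected arguments.
REQUIRED = [("cache", ["deny", "all"]), ("via", ["off"]), ("forwarded_for", ["off"]),
            ("request_header_access", ["Via", "deny", "all"]),
            ("request_header_access", ["X-Forwarded-For", "deny", "all"])]

def parse(conf):
    """Split squid.conf text into (directive, [args]) pairs, dropping blanks and comments."""
    rules = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            rules.append((tokens[0], tokens[1:]))
    return rules

def lint(conf):
    """Return a list of findings; an empty list means the config matches the post's intent."""
    rules = parse(conf)
    findings = []
    if not any(d == "http_port" for d, _ in rules):
        findings.append("http_port missing")
    # Names of ACLs that force authentication: acl <name> proxy_auth REQUIRED
    auth_acls = [a[0] for d, a in rules if d == "acl" and a[1:] == ["proxy_auth", "REQUIRED"]]
    if not auth_acls:
        findings.append("no 'acl <name> proxy_auth REQUIRED' line, so clients are never challenged")
    # Squid stops at the first matching http_access line: 'deny all' must be last, the auth allow before it.
    access = [a for d, a in rules if d == "http_access"]
    if not access or access[-1] != ["deny", "all"]:
        findings.append("last http_access is not 'deny all'")
    if not any(a[:2] == ["allow", n] for a in access for n in auth_acls):
        findings.append("no http_access allow rule for the proxy_auth acl")
    for directive, args in REQUIRED:
        if (directive, args) not in rules:
            findings.append(f"missing: {directive} {' '.join(args)}")
    return findings
```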
Squid’s Authentication Mechanism
Should you not have the ‘htpasswd’ utility (part of the apache2-utils package installed above) on your system, you can install it using apt just like you did when you installed Squid. You can now use this program to generate the authentication mechanism that will prompt users when they attempt to access the proxy connection once it is configured on their machine. Just run this from the command line of your open SSH session:
htpasswd -c /etc/squid/.passwd usernameyoucreatedhere
The leading period in the ‘.passwd’ filename makes it a hidden file, meaning it will not appear in directory listings unless hidden files are explicitly requested.
Since the configuration file has been edited and you have done your handiwork with the authentication mechanism using htpasswd, you will need to restart Squid so the changes can take effect by entering this in the command line:
systemctl restart squid
Accessing Your Proxy Connection From A Client
Most operating systems have a similar approach to configuring proxy settings, and in Linux this can be accomplished in a few different ways. One simple example would be Linux Mint’s ‘Network Settings’, which can be accessed by clicking your network connection tray icon. Once open, you enter your proxy server’s IP address and the port number that you designated in the ‘squid.conf’ file.
You can also do this in your browser; with Firefox it’s as straightforward as typing “about:preferences” into the browser address bar, scrolling down to the bottom of the page, clicking the “Settings” button under ‘Network Settings’, and entering your proxy address and port number: