FAQ

Frequently Asked Questions

How to set up your own Free proxy server?

Let me show you a step-by-step process to set up a FREE proxy server using Squid Proxy on the latest Ubuntu server. The process should be fast and easy and as a result, you will get your own free proxy server up and running!

Note: I have used Digital Ocean Cloud to deploy my proxy server. You can choose from many regions for your proxy setup. Also, you can get $100 free Digital Ocean credits from here.

Follow the steps given below:

Step 1: Login to the server and update the package list.

sudo apt update -y

Step 2: Install Squid Proxy server.

sudo apt -y install squid

Step 3: Start and enable squid service to start on system boot.

sudo systemctl start squid
sudo systemctl enable squid

Step 4: Verify the squid service status. You should be seeing the “active” status.

sudo systemctl status squid

Squid Proxy Port

By default, squid runs on port 3128

You can check it using the following command.

netstat -tnlp

Now we have a working squid proxy server. Next important step is to configure the squid proxy based on your needs.

Squid proxy configuration

If you are setting up squid proxy for your production environment, you have to make sure all the proxy configurations are set as per your needs.

The core settings of squid proxy are in /etc/squid/squid.conf

Squid proxy port

By default squid proxy runs on port 3128. If you are on cloud, make sure you allow 3128 in your firewall rules.

Also, you can change the default 3128 port to a custom port by editing the following configuration in the squid.conf file.

http_port 3128

Proxying Internet Connectivity

The primary use case for most of us have is to connect to the internet through a proxy server.

If you want to connect to internet through your proxy, you need to configure ACLs (Access Control List) in your squid configuration.

Enable Squid ACLs for Internet Connectivity

By default, all the incoming connection to the proxy server will be denied. We need to enable few configurations for the squid server to accept connections from other hosts.

Open /etc/squid/squid.conf file.

vim /etc/squid/squid.conf

Search for entry http_access allow localnet in the file. By default, it will be commented out. Uncomment it.

Next step is to add ACLs to the squid config file /etc/squid/squid.conf. ACL for localnet has the following format.

acl localnet src [source-ip-range]

You can whitelist the source IP ranges in the following ways.

  1. Single IP [49.205.220.161]
  2. A range of IPs [0.0.0.1-0.255.255.255]
  3. CIDR range [10.0.0.0/28]
  4. To allow connection from any IP [0.0.0.1-255.255.255.255]

Based on your requirements you can add the localnet acl. For example, in my use case, I had to whitelist my home network. I found my home network public address using Find My IP service and whitelisted that in the ACL as shown below.

acl localnet src 49.205.45.67

If you want to whitelist your private networks CIDR range, you can have the ACL like the following. Normally this kind of use cases comes when you set up a virtual network for your organization.

acl localnet src 10.0.0.0/8

Note: You can add your ACL in the config file under the default ACLs are present. If you search for,ACLs all you will find the ACL default section. If you specify a CIDR private range, make sure the proxy is in the same private network.

Here is the ACL I added to my squid server.

#Default:
# ACLs all, manager, localhost, and to_localhost are predefined.
#
#
# Recommended minimum configuration:
#
acl localnet src 49.205.45.67
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

Test Proxy Connectivty

To test the proxy connectivity for internet from your specified ACL source, you can use the following curl command syntax which should return a 200 OK response code.

curl -x http://[YOUR-PROXY-IP]:3128 -I https://www.google.com

Output would like the following.

➜ ~ curl -x http://134.209.77.172:3128 -I https://www.google.com
HTTP/1.1 200 OK
......... (rest of info) .........

Setting up your proxy server with basic username authentication:

Here’s what I had to do to setup basic auth on Ubuntu 14.04

Basic squid conf

/etc/squid3/squid.conf instead of the super bloated default config file

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

Please note the basic_ncsa_auth program instead of the old ncsa_auth

squid 2.x

For squid 2.x you need to edit /etc/squid/squid.conf file and place:

auth_param basic program /usr/lib/squid/digest_pw_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

Setting up a user

sudo htpasswd -c /etc/squid3/passwords username_you_like

and enter a password twice for the chosen username then

sudo service squid3 restart

squid 2.x

sudo htpasswd -c /etc/squid/passwords username_you_like

and enter a password twice for the chosen username then

sudo service squid restart

htdigest vs htpasswd

For the many people that asked me: the 2 tools produce different file formats:

  • htdigest stores the password in plain text.
  • htpasswd stores the password hashed (various hashing algos are available)

Despite this difference in format basic_ncsa_auth will still be able to parse a password file generated with htdigest. Hence you can alternatively use:

sudo htdigest -c /etc/squid3/passwords realm_you_like username_you_like

Beware that this approach is empirical, undocumented and may not be supported by future versions of Squid.

On Ubuntu 14.04 htdigest and htpasswd are both available in the [apache2-utils][1] package.

MacOS

Similar as above applies, but file paths are different.

Install squid

brew install squid

Start squid service

brew services start squid

Squid config file is stored at /usr/local/etc/squid.conf.

Comment or remove following line:

http_access allow localnet

Then similar to linux config (but with updated paths) add this:

auth_param basic program /usr/local/Cellar/squid/4.8/libexec/basic_ncsa_auth /usr/local/etc/squid_passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

Note that path to basic_ncsa_auth may be different since it depends on installed version when using brew, you can verify this with ls /usr/local/Cellar/squid/. Also note that you should add the above just bellow the following section:

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

Now generate yourself a user:password basic auth credential (note: htpasswd and htdigest are also both available on MacOS)

htpasswd -c /usr/local/etc/squid_passwords username_you_like

Restart the squid service

brew services restart squid
 

Video tutorials