< Back to Blog

SQUID Proxy: Anonymous Browsing

January 18, 2008 | By: jslezacek

Share
Share

Contents:

Environment:

SuSE Linux Enterprise Server 10 Service Pack 1
squid-2.5.STABLE12-18.6

Problem

You want to prevent your browser from sending out sensitive information such as the type of your operating system, browser, date/time, referrer page.

Solution

Configure squid to block and modify browser information originating from your private LAN.

I recommend to install Squid on the server that acts as the router for the LAN.

Limitations:
This is not a so called “elite anonymous proxy” as it *does not* hide the fact that you access the server via a Proxy. Geographical location/IP hidding is outside the scope of this document.

Proxy and browser check:

First, let’s see what information our browser sends out. Click here to get a similar result as depicted on the screenshots.

Current result:

privacy details without anonymizer

Click to view

Depending on your environment, you should get a similar result.

Desired result:

privacy details without anonymizer

Click to view

Note:
If you use the Firefox, you can first enable the plugin “NoScript” which blocks unwanted execution of scripts.

title=”There’s a browser safer than Firefox… it is Firefox, with NoScript”>
have a safer Firefox with NoScript! width=”88″ border=”0″/>

In our example NoScript hides the Plugin and Display information.

Squid configuration

  1. Install squid:

YaST2 => Software => Software Manager

privacy details without anonymizer

Click to view

  1. Create a basic squid.conf:
   cd /etc/squid/
   mv squid.conf squid.conf.ORG
   grep -v ^$ squid.conf.ORG |grep -v ^# > squid.conf

We do this step because the annotated squid.conf is over 3000 lines long and it’s easier to work with a smaller config file.

 

Important Note:
The order of the configuration directives in /etc/squid/squid.conf is significant.
  1. Add your private network:
   acl localhost src 127.0.0.1/255.255.255.255	# preconfigured
   acl localnet src 10.0.0.0/24

The “acl localhost” is already preconfigured. I will show 2 lines in my example to make it easier to see where the configuration directives should go.

  1. Add the Server hostname as “visible_hostname”: 
   hierarchy_stoplist cgi-bin ?	# preconfigured
   visible_hostname sles10
  1. Allow traffic from your localnetwork:
   http_access allow localhost # preconfigured
   http_access allow localnet
  1. Start squid
   /etc/init.d/squid start
   Starting WWW-proxy squid                    done

Browser configuration

  1. Check squid port:

On the squid server run:

   lsof -i -P |grep -i squid.*listen
   squid     10348  squid   13u  IPv4 2798257 TCP *:3128 (LISTEN)

3128 is the squid port number.

  1. Configure firefox:

Edit => Preferences => Network => Settings => Manual proxy configuration

screenshot of firefox proxy configuration

Click to view

  1. Test connectivity:

After you enable squid, access the proxy test page again. Click here.

We can now see that our private client IP is shown and also that our proxy was detected.

Basic proxy showing private IP

Click to view

Anonymize squid

  1. Hide private IP:
   header_access X-Forwarded-For deny all
   header_replace X-Forwarded-For 11.11.11.11

X_FORWARDED_FOR – Value is a real IP address of a client.

After edditing squid.conf you always need to restart squid for the changes to take effect.

   /etc/init.d/squid restart
   Shutting down WWW-proxy squid                                        done
   Starting WWW-proxy squid                                             done

 

Resulting effect:

Hidden private IP

Click to view

  1. Hide Proxy:
   header_access Via deny all
   header_replace Via 11.11.11.11

VIA – Value is an address of a proxy server.

Resulting effect:

Hidden transparent proxy

Click to view

  1. Hide browser:
   header_access User-Agent deny all
   header_replace User-Agent SecretBrowser/5.0 (iPhone; U; Commodore64; en)

USER-AGENT – Values are information about the browser.

Screenshot showing the fake browser info

Click to view

  1. Hide referer page information:
   header_access Referer deny all
   header_replace Referer unknown

REFERER – the address (URI) of the resource from which the Request-URI was obtained.

 

Resulting effect:

Hidden referrer

Click to view

Additional notes

Warning:
Many web pages include rules that load CSS style sheets and other accessibility code based on the provided browser information. If you provide false data, some web sites won’t display correctly. Let’s take an example www.google.com:

False Browser (using SecretBrowser/5.0):

incorrectly displayed page

Click to view

Valid Browser:

Properly displayed page

Click to view

Many modern browsers these days also include the possibility to set a limited number of predefined User-Agents. Firefox can handle this via the User Agent Switcher add-on.

Note:
If you wonder why the “Referer” header is not named “Referrer”
this is simply a typo in the RFC4229 specification.

Alternative solutions


Tor project

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world.

Privoxy

Privoxy is a web proxy with advanced filtering capabilities for protecting privacy.

Conclusion

This is just a basic setup to demonstrate how you can shape HTTP data to hide some information and by far does not provide complete anonymity on Internet. The advantage however is a somewhat increased privacy as well as a performance gain from the cache proxy.

The drawbacks include possible broken functionality of some websites.

External Links

RFC4229
squid-cache.org
Detailed User-Agent list

Share
(Visited 1 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *

No comments yet

158,358 views
jslezacek
Back

IT Modernization


SAP Solutions


AI and Analytics


Hybrid Cloud Solutions


Nonstop IT


Exit Federal Government

Back

SUSE Linux Enterprise

SUSE Rancher

All Products
Back

Solutions

Hybrid Cloud IT
Hybrid Cloud IT

Run workloads across cloud and on-premises
Run SAP
Run SAP

Deliver mission-critical SAP solutions
Cloud-native Transformation
Cloud-native Transformation

Orchestrate containerized applications
IT Operations at the Edge
IT Operations at the Edge

Deploy intelligent devices to the edge

Industries

Back

Support

Product Support
Premium Support Services

Dedicated support services from a premium team


Long Term Service Support

Stay on your existing product version


Expanded Support

Support for common Linux platforms


Renew Your Support Subscription

Services

Consulting Services
Blended Services

Consulting plus direct support to fast track your implementation


Training & Certification

Resources

SUSE Support User Guide
Patches & Updates
Product Documentation
Knowledgebase
SUSE Customer Center
Product Support Life Cycle
Licensing
Package Hub

Community packages for SUSE Linux Enterprise Server


Driver Search
Support Forums
Developer Services
Beta Program
Security
Back

Partners

Partner Program


Find a Partner


Become a Partner


Login to the SUSE Partner Portal

Back

Communities

Blog


SUSE & Rancher Community

Forum


Academic


Open Source Projects


openSUSE.org



Open Source Projects



SUSE België


SUSE Česká republika


SUSE Italia


SUSE Israel


SUSE Magyarország


SUSE Luxembourg


SUSE Nederland


SUSE Nordic Region


SUSE Polska


SUSE Россия


SUSE Suomi

Back

About

About Us


Leadership


Careers


Newsroom


Success Stories


Investor Relations


Social Impact


SUSE Logo and Brand


Events & Webinars


Merchandise Store


Communications Preferences