SQUID Proxy: Anonymous Browsing
Contents:
- Environment
- Problem
- Solution
- Squid configuration
- Browser configuration
- Anonymize squid
- Additional notes
- Alternative solutions
- Conclusion
- External Links
Environment:
SuSE Linux Enterprise Server 10 Service Pack 1
squid-2.5.STABLE12-18.6
Problem
You want to prevent your browser from sending out sensitive information such as the type of your operating system and browser, the date/time, and the page you came from (the referring page).
Solution
Configure squid to block and modify the browser information originating from your private LAN.
I recommend installing Squid on the server that acts as the router for the LAN, so that every client has to pass through it.
Limitations:
This is not a so-called “elite anonymous proxy”, as it *does not* hide the fact that you access the server via a proxy. Hiding your geographical location/IP is outside the scope of this document.
Proxy and browser check:
First, let’s see what information our browser sends out. Open a proxy/browser check page; you should get a result similar to the one on the screenshots.
Current result:
Depending on your environment, you should get a similar result.
Desired result:
If you use Firefox, you can first enable the “NoScript” extension, which blocks unwanted execution of scripts.
In our example NoScript hides the Plugin and Display information, because both are collected by JavaScript on the test page rather than sent in the HTTP request.
Squid configuration
- Install squid:
YaST2 => Software => Software Manager
- Create a basic squid.conf:
cd /etc/squid/
mv squid.conf squid.conf.ORG
grep -v ^$ squid.conf.ORG | grep -v ^# > squid.conf
We do this step because the annotated squid.conf is over 3000 lines long and it’s easier to work with a smaller config file.
The order of the configuration directives in /etc/squid/squid.conf is significant: access rules are evaluated top to bottom and the first matching line wins, so the stripped file must keep the original order and new lines must be inserted at the right place.
- Add your private network:
acl localhost src 127.0.0.1/255.255.255.255 # preconfigured
acl localnet src 10.0.0.0/24
The “acl localhost” line is already preconfigured. I show two lines in each example to make it easier to see where the new directive should go. Adjust 10.0.0.0/24 to your own LAN range; the acl should cover only the hosts you intend to serve.
- Add the server hostname as “visible_hostname”:
hierarchy_stoplist cgi-bin ? # preconfigured
visible_hostname sles10
- Allow traffic from your local network:
http_access allow localhost # preconfigured
http_access allow localnet
Put this line before the preconfigured “http_access deny all” at the end of the access list. Rules are matched top to bottom, and that final deny is what keeps the box from becoming an open proxy for anyone who can reach port 3128.
- Start squid:
/etc/init.d/squid start
Starting WWW-proxy squid done
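To see why the order of the acl/http_access lines matters, here is a small model of how squid evaluates them, applied to the lines built in the steps above. This is an added example, not squid’s own code: it implements only “src” acls, first-match-wins evaluation, and squid’s documented fallback that a request matching no line gets the opposite of the last line. The “badnet” acl and the three client addresses are constructed for the demonstration; 203.0.113.5 is an RFC 5737 documentation address standing in for an outside host.

```python
"""
Added example (not squid's own code): a model of how squid evaluates the
acl/http_access lines from the steps above.  Only 'src' acls are supported.
"""
import ipaddress

# Constructed input: the access-related lines of the article's squid.conf,
# in the order the stripped default file has them.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255 # preconfigured
acl localnet src 10.0.0.0/24
http_access allow localhost # preconfigured
http_access allow localnet
http_access deny all
"""

# Same lines, but 'deny all' placed before 'allow localnet'.
MISORDERED_CONF = SQUID_CONF.replace(
    "http_access allow localnet\nhttp_access deny all\n",
    "http_access deny all\nhttp_access allow localnet\n")

# A config whose author dropped 'deny all' and finished with a deny rule
# for one unwanted subnet (hypothetical 'badnet' acl).
OPEN_CONF = """\
acl localnet src 10.0.0.0/24
acl badnet src 192.168.99.0/24
http_access allow localnet
http_access deny badnet
"""


def parse_src(spec):
    """Parse a squid 'src' argument: a.b.c.d/netmask, a.b.c.d/prefix or a host."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        if "." in mask:                       # dotted netmask, as in the default file
            return ipaddress.ip_network((addr, mask), strict=False)
        return ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_network(spec)


def parse_access_config(text):
    """Return (acls, rules). acls: name -> [networks]; rules: ordered list of
    (action, [(negated, aclname), ...]) taken from the http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in squid.conf
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and words[2] == "src":
            acls.setdefault(words[1], []).extend(parse_src(s) for s in words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))
    return acls, rules


def http_access(client_ip, acls, rules):
    """Decide 'allow' or 'deny' for one client the way squid does: lines are
    tried top to bottom and the first line whose acls all match wins.  With no
    http_access lines at all the request is denied; with lines but no match,
    squid applies the opposite of the last line (both documented in squid.conf)."""
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        if all(any(ip in net for net in acls[name]) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decisions(conf_text, clients):
    """Evaluate every client address against one config."""
    acls, rules = parse_access_config(conf_text)
    return {c: http_access(c, acls, rules) for c in clients}


if __name__ == "__main__":
    # loopback, a LAN host, and an outside host (RFC 5737 documentation address)
    clients = ["127.0.0.1", "10.0.0.42", "203.0.113.5"]
    for label, conf in [("article", SQUID_CONF),
                        ("misordered", MISORDERED_CONF),
                        ("no deny all", OPEN_CONF)]:
        print(label, decisions(conf, clients))
```

With the article’s order the LAN host is allowed and the outside host is denied. With “deny all” moved up, the LAN host is locked out. The third config is the dangerous one: an outside host matches neither line, the last line is a deny, so the fallback becomes allow and the server is an open proxy. Keep the trailing “http_access deny all”.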
Browser configuration
- Check squid port:
On the squid server run:
lsof -i -P | grep -i 'squid.*listen'
squid 10348 squid 13u IPv4 2798257 TCP *:3128 (LISTEN)
3128 is the squid port number. The “*:3128” also shows that squid listens on every interface, so the http_access rules are the only thing keeping outside hosts out; if the server has a public interface, consider binding http_port to the LAN address instead.
- Configure Firefox:
Edit => Preferences => Network => Settings => Manual proxy configuration, then enter the squid server address and port 3128 as the HTTP proxy.
- Test connectivity:
After you enable squid, access the proxy test page again.
We can now see that our private client IP is shown (squid adds it in an X-Forwarded-For header) and also that our proxy was detected (through the Via header).
Anonymize squid
- Hide private IP:
header_access X-Forwarded-For deny all
header_replace X-Forwarded-For 11.11.11.11
X-Forwarded-For – the header squid adds to forwarded requests; its value is the real IP address of the client. “header_access … deny all” removes the header, and “header_replace” substitutes a fixed value for a header that header_access has denied (it has no effect on headers that are not denied). Note that 11.11.11.11 is an allocated public address, not a reserved one; a placeholder from the RFC 5737 documentation range, such as 192.0.2.1, cannot collide with a real host. Squid also has a dedicated “forwarded_for off” directive, which makes it send “unknown” instead of the client address.
After editing squid.conf you always need to restart squid (or run “squid -k reconfigure”) for the changes to take effect.
/etc/init.d/squid restart
Shutting down WWW-proxy squid done
Starting WWW-proxy squid done
Resulting effect:
- Hide proxy:
header_access Via deny all
header_replace Via 11.11.11.11
Via – identifies the proxy server(s) a request passed through; squid normally puts its visible_hostname and version here.
Resulting effect:
- Hide browser:
header_access User-Agent deny all
header_replace User-Agent SecretBrowser/5.0 (iPhone; U; Commodore64; en)
User-Agent – identifies the browser and usually the operating system. Note that the Accept, Accept-Language and Accept-Encoding headers are still passed through unchanged and still narrow down the browser family.
- Hide referer page information:
header_access Referer deny all
header_replace Referer unknown
Referer – the address (URI) of the resource from which the Request-URI was obtained. Some sites refuse requests whose Referer is missing or does not point at their own domain (hotlink protection, some form submissions), so expect breakage there whether you drop the header or replace it.
Resulting effect:
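To see what actually leaves the proxy after the four rules above, here is a model of squid 2.5’s header_access/header_replace handling applied to a constructed browser request. This is an added example, not squid’s own code: it implements only the “deny all” form used in this section, and the request headers (a Firefox 2 user agent, a Referer with a query string, a cookie, and the Via and X-Forwarded-For headers squid would have added for a client 10.0.0.42) are constructed for the demonstration.

```python
"""
Added example (not squid's own code): a model of squid 2.5 header_access /
header_replace applied to one constructed request.
"""

# Constructed input: the four anonymising rules from this section.
ANON_CONF = """\
header_access X-Forwarded-For deny all
header_replace X-Forwarded-For 11.11.11.11
header_access Via deny all
header_replace Via 11.11.11.11
header_access User-Agent deny all
header_replace User-Agent SecretBrowser/5.0 (iPhone; U; Commodore64; en)
header_access Referer deny all
header_replace Referer unknown
"""

# Constructed request: what a Firefox 2 client behind the proxy might send,
# plus the Via and X-Forwarded-For headers squid adds before forwarding.
CLIENT_IP = "10.0.0.42"
REQUEST_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "en-us,en;q=0.5"),
    ("Accept-Encoding", "gzip,deflate"),
    ("Referer", "http://www.example.com/private/search?q=payroll"),
    ("Cookie", "session=deadbeef"),
    ("Via", "1.0 sles10:3128 (squid/2.5.STABLE12)"),
    ("X-Forwarded-For", CLIENT_IP),
]

# Headers that still identify the client even when User-Agent is rewritten.
FINGERPRINT_HEADERS = {"accept", "accept-language", "accept-encoding",
                       "accept-charset", "cookie"}


def parse_header_rules(text):
    """Return (denied, replacements): header names denied for everyone, and the
    replacement string squid will use for a denied header, if one was given."""
    denied, replacements = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split(None, 2)           # keep the replacement text intact
        if words[0] == "header_access":
            name, rest = words[1].lower(), words[2].split()
            if rest[0] == "deny" and rest[1:] == ["all"]:   # only form modelled here
                denied.add(name)
        elif words[0] == "header_replace":
            replacements[words[1].lower()] = words[2]
    return denied, replacements


def filter_request(headers, denied, replacements):
    """Apply the rules: a denied header is dropped, unless a header_replace for
    it exists, in which case it is sent with the fixed value instead.
    header_replace does nothing for headers that were not denied."""
    out = []
    for name, value in headers:
        key = name.lower()
        if key in denied:
            if key in replacements:
                out.append((name, replacements[key]))
            continue
        out.append((name, value))
    return out


def outgoing_headers(conf_text=ANON_CONF, headers=REQUEST_HEADERS):
    """Headers the proxy sends upstream for the constructed request."""
    denied, replacements = parse_header_rules(conf_text)
    return filter_request(headers, denied, replacements)


def still_identifying(headers):
    """Names of headers that survived and still help fingerprint the client."""
    return [n for n, _ in headers if n.lower() in FINGERPRINT_HEADERS]


if __name__ == "__main__":
    for name, value in outgoing_headers():
        print(f"{name}: {value}")
    print("still identifying:", still_identifying(outgoing_headers()))
```

The four targeted headers come out rewritten, but Accept, Accept-Language, Accept-Encoding and the cookie pass through untouched, which is why the page still knows more about you than the fake User-Agent suggests. Squid 3.x split header_access into request_header_access and reply_header_access; the semantics of deny and header_replace are the same.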
Additional notes
Warning:
Many web pages include rules that load CSS style sheets and other accessibility code based on the provided browser information. If you provide false data, some web sites won’t display correctly. Let’s take www.google.com as an example:
False Browser (using SecretBrowser/5.0):
Valid Browser:
Many modern browsers these days also include the possibility to set a limited number of predefined User-Agents. Firefox can handle this via the User Agent Switcher add-on.
If you wonder why the “Referer” header is not spelled “Referrer”: the misspelling dates from the original HTTP specification (RFC 1945) and was kept in later revisions for compatibility; RFC 4229 simply registers the field under its established name.
Alternative solutions
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world.
Privoxy is a web proxy with advanced filtering capabilities for protecting privacy.
Conclusion
This is just a basic setup to demonstrate how you can shape HTTP data to hide some information; it is far from providing complete anonymity on the Internet. In particular, HTTPS traffic passes through squid as an opaque CONNECT tunnel, so none of the header rules apply to it. The advantage, however, is somewhat increased privacy as well as a performance gain from the cache proxy.
The drawbacks include possible broken functionality of some websites.
External Links
RFC4229
squid-cache.org
Detailed User-Agent list