SUSE Conversations


SQUID Proxy: Anonymous Browsing



By: jslezacek

January 18, 2008 4:20 pm


Environment:

SuSE Linux Enterprise Server 10 Service Pack 1
squid-2.5.STABLE12-18.6

Problem

You want to prevent your browser from sending out sensitive information such as your operating system type, browser, date/time and referrer page.

Solution

Configure squid to block and modify browser information originating from your private LAN.

I recommend installing Squid on the server that acts as the router for the LAN.

Limitations:
This is not a so-called “elite anonymous proxy”, as it *does not* hide the fact that you access the server via a proxy. Hiding your geographical location or IP address is outside the scope of this document.

Proxy and browser check:

First, let’s see what information our browser sends out. Click here to get a similar result as depicted on the screenshots.

Current result:

Depending on your environment, you should get a similar result.

Desired result:

Note:
If you use Firefox, you can first enable the “NoScript” plugin, which blocks unwanted execution of scripts.


In our example NoScript hides the Plugin and Display information.

Squid configuration

  1. Install squid:

YaST2 => Software => Software Manager

  1. Create a basic squid.conf:
   cd /etc/squid/
   mv squid.conf squid.conf.ORG
   grep -v '^$' squid.conf.ORG | grep -v '^#' > squid.conf

We do this step because the annotated squid.conf is over 3000 lines long and it’s easier to work with a smaller config file.

 

Important Note:
The order of the configuration directives in /etc/squid/squid.conf is significant.

  1. Add your private network:
   acl localhost src 127.0.0.1/255.255.255.255	# preconfigured
   acl localnet src 10.0.0.0/24

The “acl localhost” is already preconfigured. I will show 2 lines in my example to make it easier to see where the configuration directives should go.

  1. Add the Server hostname as “visible_hostname”:
   hierarchy_stoplist cgi-bin ?	# preconfigured
   visible_hostname sles10
  1. Allow traffic from your local network:
   http_access allow localhost # preconfigured
   http_access allow localnet
  1. Start squid
   /etc/init.d/squid start
   Starting WWW-proxy squid                    done
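
The ordering note above can be checked mechanically before starting Squid. The following is an added example, not part of the original article: it flags an ACL that is used before it is defined and any http_access rule placed after `http_access deny all`. The function name `lint_order` and both sample configurations are constructed for illustration.

```python
# Constructed sample: the localnet lines appended at the end of the file,
# the mistake the "order is significant" note warns about.
SAMPLE_MISORDERED = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny all
http_access allow localnet
acl localnet src 10.0.0.0/24
"""

# Constructed sample: the same directives placed as in the steps above.
SAMPLE_ORDERED = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/24
http_access allow localhost
http_access allow localnet
http_access deny all
"""

def lint_order(conf_text):
    """Return (line_number, message) for each ordering problem found."""
    defined, findings, deny_all_at = set(), [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # Drop annotations such as "# preconfigured" before tokenizing.
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "acl":
            defined.add(tokens[1])
        elif tokens[0] == "http_access":
            for name in tokens[2:]:
                acl = name.lstrip("!")          # "!name" negates an ACL
                if acl not in defined:
                    findings.append((lineno, "acl %r is used before it is defined" % acl))
            if deny_all_at is not None:
                # First match wins, and "all" matches every client.
                findings.append((lineno, "rule follows 'http_access deny all' "
                                         "(line %d) and is never reached" % deny_all_at))
            elif tokens[1:] == ["deny", "all"]:
                deny_all_at = lineno
    return findings

if __name__ == "__main__":
    for lineno, message in lint_order(SAMPLE_MISORDERED):
        print("line %d: %s" % (lineno, message))
```

To check the real file, pass the contents of /etc/squid/squid.conf to `lint_order` instead of the sample string.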

Browser configuration

  1. Check squid port:

On the squid server run:

   lsof -i -P |grep -i squid.*listen
   squid     10348  squid   13u  IPv4 2798257 TCP *:3128 (LISTEN)

3128 is the squid port number.

  1. Configure firefox:

Edit => Preferences => Network => Settings => Manual proxy configuration

  1. Test connectivity:

After you enable squid, access the proxy test page again. Click here.

We can now see that our private client IP is shown and also that our proxy was detected.

Anonymize squid

  1. Hide private IP:
   header_access X-Forwarded-For deny all
   header_replace X-Forwarded-For 11.11.11.11

X_FORWARDED_FOR – the value is the real IP address of the client.

After editing squid.conf you always need to restart squid for the changes to take effect.

   /etc/init.d/squid restart
   Shutting down WWW-proxy squid                                        done
   Starting WWW-proxy squid                                             done

 

Resulting effect:

  1. Hide Proxy:
   header_access Via deny all
   header_replace Via 11.11.11.11

VIA – the value is the address of the proxy server.

Resulting effect:

  1. Hide browser:
   header_access User-Agent deny all
   header_replace User-Agent SecretBrowser/5.0 (iPhone; U; Commodore64; en)

USER-AGENT – the value is information about the browser.

  1. Hide referer page information:
   header_access Referer deny all
   header_replace Referer unknown

REFERER – the address (URI) of the resource from which the Request-URI was obtained.

 

Resulting effect:
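
To confirm the four rewrites without relying on an external test page, the check can be self-hosted. The following is an added example, not part of the original article: a small page that reports which of the four headers still carry a value other than the replacement configured above. The names `audit_headers` and `CheckPage`, port 8080 and the sample header lists are assumptions made for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Replacement values copied from the header_replace lines in the steps above.
EXPECTED = {
    "x-forwarded-for": "11.11.11.11",
    "via": "11.11.11.11",
    "user-agent": "SecretBrowser/5.0 (iPhone; U; Commodore64; en)",
    "referer": "unknown",
}

# Constructed samples: headers as an origin server might receive them.
BEFORE = [("Host", "check.example"),
          ("User-Agent", "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/2.0"),
          ("Referer", "http://intranet.example/start.html"),
          ("Via", "1.0 sles10:3128 (squid/2.5.STABLE12)"),
          ("X-Forwarded-For", "10.0.0.23")]
AFTER = [("Host", "check.example")] + [(k.title(), v) for k, v in EXPECTED.items()]

def audit_headers(pairs):
    """Return one finding per audited header whose value is not the replacement."""
    findings = []
    for name, value in pairs:
        want = EXPECTED.get(name.lower())
        if want is not None and value.strip() != want:
            findings.append("%s still leaks: %s" % (name, value.strip()))
    return findings

class CheckPage(BaseHTTPRequestHandler):
    """Hypothetical self-hosted check page: answers with the audit of each request."""
    def do_GET(self):
        findings = audit_headers(self.headers.items())
        body = ("\n".join(findings) or "ok: audited headers replaced or absent") + "\n"
        data = body.encode("utf-8", "replace")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Port 8080 is an assumption; run this on a host the proxy can reach.
    HTTPServer(("", 8080), CheckPage).serve_forever()
```

Request the page once directly and once through Squid; the first response should list findings like those for `BEFORE`, the second should report none.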

Additional notes

Warning:
Many web pages include rules that load CSS style sheets and other accessibility code based on the provided browser information. If you provide false data, some web sites won’t display correctly. Take www.google.com as an example:

False Browser (using SecretBrowser/5.0):

Valid Browser:

Many modern browsers these days also include the possibility to set a limited number of predefined User-Agents. Firefox can handle this via the User Agent Switcher add-on.

Note:
If you wonder why the “Referer” header is not named “Referrer”, this is simply a typo in the RFC4229 specification.

Alternative solutions


Tor project

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world.

Privoxy

Privoxy is a web proxy with advanced filtering capabilities for protecting privacy.

Conclusion

This is just a basic setup to demonstrate how you can shape HTTP data to hide some information; it by no means provides complete anonymity on the Internet. The advantage, however, is somewhat increased privacy as well as a performance gain from the caching proxy.

The drawbacks include possible broken functionality of some websites.

External Links

RFC4229
squid-cache.org
Detailed User-Agent list

Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
