Paying attention to the news, and to certain types of legislation that are constantly being passed around, it becomes more and more obvious that we might want to secure our internet usage from prying eyes. I am a big proponent of privacy and security, and of people just keeping their nose out of other people’s business, especially mine. Fortunately, despite the looming climate of Orwellian anti-privacy and anti-free-information measures that are constantly being tossed about, there are things that we can do to secure our privacy and therefore our peace of mind.
Over the last few weeks I posted some simple instructions on how to secure your internet traffic, and how to add a layer of security to your home server (every household should have a home server). This post is going to add to our security knowledge base and show how to set up a simple, anonymizing, caching http/https (web) proxy server with seamless authentication, meaning no need to log in. This server will be able to get around internet blockades, and will not be open to the public, but you won’t ever have to enter your user name or password. Again, I am opting for the added security of running my own proxy, instead of subscribing to a service, because I can set the security, manage the data retention (or lack of retention), and I never have to pass my data through anyone else’s hands.
One major difference between this and the SOCKS server we set up in a previous post is that this server is installed on the VPS itself, and you connect to it from your client computer. That means that you CAN open this up to your friends and family, and you CAN get to it from ANY computer that you happen to be using, at work or at school, for instance. Some see this as a major benefit, and a good reason to have both running!
Before we get to work, let’s familiarize ourselves a bit with our subject material and take a look at some of the benefits of the wonderful Squid Proxy Server. One of them is the simple integration of a caching proxy: this is how Squid can speed up your web browsing experience, and people often set it up at home just to gain that benefit alone. The service essentially keeps a local copy of the websites that you frequent, so that they are more readily available when you need them, and it only has to send out for new information when there actually is new information to get, resulting in a much faster experience. Of course, this option can be turned off for higher security and anonymization.
Webmasters can set up reverse caching proxies that cache a website that people frequent before they get to it. This has the benefit of taking some pressure off of the web server, and can really help deliver your content to a lot of clients when page requests get really, really high.
Another benefit which may come in handy, particularly if you have small children that are about internet ready age, or if you are setting up something at work, is the ability to block unwanted or unfriendly websites, of course this can be added to a reverse proxy as well to keep the gate shut for good to unwanted visitors. There are plenty of block list providers out there covering topics from porn to religion, and plenty of blocklists for everything from advertisement servers to just unfriendly corporate or …ahem… legal entities. This is one MAJOR benefit of a proxy server: it can filter out the internet for you. You can even set it up to block only specific websites to specific computers, users, or during specific times of day! We won’t be covering that function in any depth here, but there is plenty of information out there to get up and going with a blocklist provider in no time flat.
Finally there is the major benefit of redirecting all of our traffic away from our home IP and routing it through an anonymous proxy server. This is the primary benefit that we are seeking in this tutorial, so while the other benefits are handy and good to know about, we will be optimizing our server for this particular benefit, and optimizing it thoroughly. The flip side of this coin is that we will also be getting around any potential blockades set up by ISPs, angry governments, work or school proxy servers, etc… you get the idea: no more pesky blocked websites.
The assumptions that I will be using are the same that I used in a previous post, namely that you are 1.) running Ubuntu, or have access to PuTTY, and that 2.) you have a VPS also running Ubuntu, and a domain name of some sort. If you need a domain name, check out Afraid DNS; they have plenty of public, open domain names available, ready for you to add a custom subdomain to and use for FREE. I will continue assuming that your domain name is server.com, and that we have a subdomain called home.server.com.
Let’s get to work:
Part 01: Setting Up Squid 3 In Ubuntu 14.04: Highly Anonymous
To begin with, we want to ssh into our server, which should be a snap using the ssh key method that we put in place previously. Once into the server, we just want to install squid, make a backup of the configuration file, and protect it from writing, with this simple set of commands:
$ sudo apt-get install squid3
$ sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
$ sudo chmod a-w /etc/squid3/squid.conf.original
Next, we have to set up Squid to use an external, basic authentication system, and we have to set up some passwords with this simple set of commands:
$ sudo apt-get install apache2-utils
$ cd /etc/squid3
$ sudo htpasswd -bc squid_passwords <username> <password>
What that does is install the htpasswd program and create a file that contains a <username> and the hash of its <password>; you will want to substitute your own username and password there, of course. You can read more about htpasswd by typing man htpasswd into your terminal, and you really should. In the meantime, just pay attention to the fact that if you want to add more user names to your configuration, you do it with the command
$ sudo htpasswd -b squid_passwords <username.02> <password.02>
Notice that the “c” has been taken out of the equation. We only use “c” when we want to create a whole new file.
Before, I have recommended the program nano to edit text files in the terminal, but you can also use a GUI tool like gEdit to get the job done in a normal text editor. You can either copy and paste what is below, or download the zip file attached below and replace yours with the conf file in it. But before you do that, run this command while still in /etc/squid3
$ grep -v '^#' squid.conf | grep -v '^$' | sudo tee squid.conf.stripped > /dev/null
Now you can open the file /etc/squid3/squid.conf.stripped with your favorite editor. (The pipe through sudo tee is needed because a plain > redirect would be performed by your own shell, which cannot write into /etc/squid3.) For this exercise you may want to use a diff tool like the Diffuse Merge Tool so that we can compare the settings in the original Squid configuration file with what we are about to replace it with. You can run the same command on our file to get rid of all of the comments and just look at the settings as they are. It is worthwhile to familiarize yourself with the default settings, and to see how ours differs from what is there. Also, the original Squid config file is FULL of good information, and you may want to spend some time reading the wealth of information that is there.
Here’s our replacement squid.conf file, please read it through and make the necessary changes:
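The replacement file itself is not reproduced on this page, so here is an added minimal squid.conf (my example, not the author’s attached file) that implements what the post describes: basic auth against the htpasswd file, an Auth_Not_Required ACL read from ip_log, and header stripping for anonymity. The helper path, port, cache directory and username are assumptions for the Squid 3.3 package shipped with Ubuntu 14.04.

```squid
# Added example squid.conf; adjust paths and username before use.

# Basic auth against the htpasswd file created earlier.
# Helper path assumed for Ubuntu 14.04's squid3 package.
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/squid_passwords
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Clients listed in ip_log (one IP per line) skip the login prompt.
acl Auth_Not_Required src "/home/username/ip_log"
acl Authenticated proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

# Order matters: the first matching rule wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Auth_Not_Required
http_access allow Authenticated
http_access deny all

http_port 3128

# Caching: remove cache_dir to keep it memory-only, or add
# "cache deny all" to turn caching off entirely for extra privacy.
cache_mem 64 MB
cache_dir ufs /var/spool/squid3 500 16 256

# Anonymizing: do not reveal the client or the proxy to upstream servers.
forwarded_for delete
via off
httpd_suppress_version_string on
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access From deny all
request_header_access Proxy-Connection deny all
```

Check the result before restarting with `sudo squid3 -k parse`, which reports any directive the installed version does not accept.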
Once you have read that through, edited it to suit your needs, and that file is in place, you can reload Squid using the following command:
$ sudo service squid3 restart
Now you just configure your browser to use the server, and you should be all set. In Chrome I use the VPN.S HTTP Proxy extension; in Ubuntu you can set a system-wide proxy as well. Once you get it set up with your browser, go ahead and click on this link from OpenDNS to test it out. You should see a login pop-up from your Squid Proxy Server, and then you should see the IP address of your server, not your home IP.
That’s it! Now you’ve got yourself a layer of protection between you and the internet at large. Of course, there is a lot more that you can do with Squid, but for now you have a private, anonymous, caching proxy server set up for just a few bucks a month. You might want to invite some friends. Let’s keep going…
Pro-Tip: Want to use your proxy on your Android device? Install Proxy Droid!
Part 02: Seamless Authentication With The Squid
Now we want to set up our seamless login. We are going to suppose that we need to do this for our home IP only. Notice at line 19 in our squid.conf file you see the following:
acl Auth_Not_Required src "/home/username/ip_log"
We need to add our home IP to the file referenced in that line, so that whenever we connect to Squid from a computer in our home network we never have to use our user name or password, a nice convenience for sure. One simple way to do that is to go to the OpenDNS link above without our proxy setting turned on, record our home IP address manually in the file, and then restart Squid with the same command from above. The problem is that most home IPs are dynamic, and the folks at your local ISP want to charge you a lot of extra $$$ for a static, unchanging IP. This creates the hassle of having to periodically check our IP to make sure that it is correctly logged in our server’s acl file, which of course defeats the convenience of the acl to begin with.
So let’s fix that.
Setting up the DNS
For this to work, you will need to configure a new subdomain “A” record at Afraid DNS, iplog.server.com, and point it at the IP of your VPS. Now let’s set up home.server.com with a dynamic DNS service aiming at your home server. After creating the subdomain, go to the “Dynamic DNS” tab at Afraid, or just click here; you should see your domain and all of your subdomains listed on this page. Click on the super tiny “Quick Cron Example” link underneath the “home” subdomain, and copy the long string at the bottom of the page. Now, open a terminal that is NOT connected to the server via ssh and enter this command on your local machine, your home server:
$ crontab -e
You may have to select an editor; I’m going to assume nano. Using your arrow keys, go down to the bottom of the file and enter the line you copied from Afraid. It should look something like this:
4,9,14,19,24,29,34,39,44,49,54,59 * * * * sleep 47 ; wget --no-check-certificate -O - https://freedns.afraid.org/dynamic/update.php?SOME_RANDOM_STRING >> /tmp/freedns_iplog_server_com.log 2>&1 &
Press ctrl + x, and follow the prompts, selecting yes. That will cause your home server to update your home.server.com address at Afraid DNS with your home IP address every 5 minutes. Now if you go to home.server.com in your web browser, it will point at your home IP. You may want to check out the post I mentioned earlier about adding security to your home server when we’re done here.
Setting up the Web-Script
Now you will have to be running your Ubuntu VPS as a basic LAMP server; we need the “P” part of the LAMP at the very least, so let’s set this up. Before you try to install the web server, first check whether it is already installed by pointing your web browser to http://server.com and seeing if you get the happy and familiar “It Works!” web page. If so, you can skip this command; if not, for the fastest, simplest way to achieve our goal, open your terminal that is connected to your server via ssh and enter this command:
$ sudo apt-get install lamp-server^
That will install the Apache web server, the MySQL database server (which we don’t need for this, but is very handy to have, and doesn’t hurt anything if you have the power to have it chilling on your server), and the PHP web language, which we will need for this project.
Now let’s add a virtual host to our Apache server, appending something simple like this to the /etc/apache2/sites-available/000-default.conf file will do:
<VirtualHost *:80>
ServerName iplog.server.com
DocumentRoot /var/www/iplog/
<Directory /var/www/iplog/>
Options +FollowSymLinks
AllowOverride all
</Directory>
</VirtualHost>
Now, copy the index file below and paste the contents into /var/www/iplog/index.php on your server (you may have to create that folder, you will have to create that file).
Keep the file open to make some adjustments:
You have to edit line 3 to reflect your own home server subdomain instead of home.server.com.
$ip = gethostbyname('home.server.com');
Also look to line 7 and replace “username” with your actual user name.
$ip_log = '/home/username/ip_log';
And finally on line 23, enter your email in between the quotes if you want to be notified when the IP updates.
$email = '';
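The index.php itself is attached to the original post rather than reproduced here. The script below is an added example (mine, not the author’s) that does what the post describes: resolve home.server.com, append the address to the Squid acl file if it is not already listed, and optionally send a notification. The hostname, file path and email at the top are the assumptions to edit, and it uses PHP’s mail() through ssmtp’s sendmail rather than PHPMailer.

```php
<?php
// Added example, not the author's attached index.php.
// Edit these three values; they are assumptions, as in the post.
$host   = 'home.server.com';
$ip_log = '/home/username/ip_log';
$email  = '';                 // leave empty to skip the notification

// gethostbyname() returns the name unchanged when the lookup fails,
// so validate the result before touching the acl file.
$ip = gethostbyname($host);
if ($ip === $host || filter_var($ip, FILTER_VALIDATE_IP) === false) {
    exit("lookup failed for $host\n");
}

// Read the current whitelist, ignoring blank lines and # comments,
// which Squid also accepts in an acl file.
$known = array();
if (file_exists($ip_log)) {
    foreach (file($ip_log, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim(preg_replace('/#.*/', '', $line));
        if ($line !== '') {
            $known[] = $line;
        }
    }
}

if (in_array($ip, $known, true)) {
    echo "$ip is already whitelisted\n";
    exit;
}

// Append under an exclusive lock so a cron run and a web hit cannot
// interleave their writes. The append is what incron sees as IN_MODIFY.
if (file_put_contents($ip_log, $ip . "\n", FILE_APPEND | LOCK_EX) === false) {
    exit("could not write $ip_log\n");
}
echo "added $ip to $ip_log\n";

if ($email !== '') {
    mail($email, 'Squid whitelist updated', "$host now resolves to $ip");
}
```

The file is written by www-data from the web and by your own user from cron, so ownership username:www-data with mode 664 is enough for both writers, in place of the chmod 777 used further down.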
Save and exit that file. Now we need to make sure that the file /home/username/ip_log exists, and that all of our files are accessible by our web server. Open up the terminal that IS connected to your server via ssh and enter the following, making sure to replace “username” with your actual user name:
$ cp /var/www/iplog/ip_log /home/username/ip_log
$ sudo chown username:username /home/username/ip_log
$ sudo chmod 777 /home/username/ip_log
$ sudo chown www-data:www-data /var/www/iplog -R
$ sudo service apache2 restart
That’s it for preparing the IP update script for a manual update method, but we don’t really want to leave that open to the general public. Even though it seems against the whole point of what we’re doing, we have to password protect that page. Manually updating the IP for automatic login to our proxy server is something that will very rarely be used, and when it does get used it won’t have to be used again for a good while. A few examples of when this might be necessary:
- You go on vacation and want to add your IP there.
- You get a new job and want to add the office IP.
- You happen to get ahead of the automation process and just want to do it.
- You just want to check if your IP is in the whitelist.
These are valid, and I’m sure there’s more, but one thing’s for sure, you will never want anybody else able to add their IP to the list. So let’s fix that by creating a file in /var/www/iplog called .htaccess that contains the following:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/squid3/squid_passwords
Require valid-user
That’s it, the update script is installed and password protected by the same username and password combo that you used earlier. Now we should be able to check the IP status, and/or update it manually, by going to the URL http://iplog.server.com, but we cannot stop quite yet. At this point we only have to click on one link to check for an update and get it into the acl file, but we still aren’t fully automated, and we would have to manually restart Squid for any changes to take effect. Let’s fix that.
Automating the Update Process
We have to edit cron on the VPS, so in the same terminal connected to server.com enter
$ crontab -e
Enter the following on the last line of the crontab:
30 3 * * * /usr/bin/php /var/www/iplog/index.php >/dev/null 2>&1
Press ctrl + x again and select yes at the prompts. Now your system will internally execute index.php every night at 3:30 AM. That script will check the IP of your home server as registered with Afraid DNS, which is being updated every 5 minutes, and if there is any change it will register the new IP in our acl file for Squid. We can, of course, change the timing in our crontab files so that the checks line up; for example we could set this crontab to run every five minutes, two minutes behind the other one. These examples are here to give you a good place to start. Learning cron, if you’ve come this far, is certainly worth your while.
Now we have to tell Squid to restart every time that file is altered to load the new acl. We do this with incron.
Install incron:
$ sudo apt-get install incron
Now we have to add “root” to the incron users,
$ sudo nano /etc/incron.allow
Add the word “root” without the quotes, and exit out, saving the changes. Then enter the following:
$ sudo su
$ incrontab -e
And add the single line below to tell incron to watch the ip_log file for changes, and reload Squid if any change occurs
/home/username/ip_log IN_MODIFY service squid3 restart
Now, every time our home IP address changes (or we manually trigger an update), our server will update that acl file, appending the new IP to the end of the list, and Squid will automatically restart, loading our new IP into the realm of “no auth needed” allowed IPs, ensuring uninterrupted seamless auth and a “no log on” convenience while protecting the privacy of our proxy server. Win! Just make sure to edit out unwanted IPs after you come home from vacation or quit that job 😉
Setting up Notifications
Let’s make it so that our system can send us email notifications when updates occur, so that we can be alerted to watch out for any potential bumps in the road. First, we install a few simple tools:
$ sudo apt-get install libphp-phpmailer ssmtp
Using your favorite text editor, edit the /etc/ssmtp/ssmtp.conf file so it contains the following (AuthUser is the part of your address before @gmail.com):
Root=your_email@gmail.com
Mailhub=smtp.gmail.com:465
RewriteDomain=gmail.com
AuthUser=your_gmail_username
AuthPass=your_gmail_password
FromLineOverride=Yes
UseTLS=Yes
Just save and exit that file, and that’s it!
You’re Done!
Congratulations!
Let’s just take a moment to review what we just accomplished.
- Installed and configured a private instance of the Squid 3 caching proxy server that serves the purposes of:
  - Heightened anonymity in web browsing
  - A way around any website blockade set up by intrusive, freedom-hating service providers
  - A caching system that will speed up our browsing experience
  - Potential web filters to block ads or pesky unwanted content
- Set up seamless authentication for Squid for our home IP address, retaining privacy while eliminating the need to log on to the service. In order to accomplish that we did the following:
  - Set up a dynamic DNS service for our home server/address (which we can also use to access our home server from afar via ssh or sftp)
  - Set up a basic LAMP server
  - Installed a custom PHP script that updates our Squid acl
  - Password protected that sensitive file
  - Automated the update process via selective cron tasks
  - Set up a notification system to alert the webmaster to changes in the system
Pretty good! Could it be better? Sure it could: we could add a service to keep our phone logged in via acl, or set up Tor after our proxy to really make things anonymous, or any number of multi-proxy complexities, but all in all, I think we did a pretty good job. In the meantime, if you wanted to add a lot of extra traffic to your new proxy server in order to add to the mess of packets and data transfer that your web browsing footprint could get lost in, you could install an RSS feed aggregator like Tiny Tiny RSS on your server, and have it start going to work!
Thanks to Debian Help, Novell, and My Linux Tips for the original info that got me started on this project.