Tag Archive : proxy


Building Small Proxy using Micro Proxy

December 9, 2015 | Article | No Comments

On another occasion we discussed how to use Squid to build an anonymous server. In this article we will build something similar but smaller: a small proxy server, using micro proxy as our tool.

In this article, I use:

  1. Ubuntu Server 11.10
  2. micro proxy
  3. xinetd

Although Ubuntu Server is used as the example, the method covered here is generic and can be applied to other UNIX operating systems and other Linux distributions as well.

Obtaining the Material

Focusing on the theme of this article, we will use Micro Proxy, or micro_proxy. Micro proxy is a small UNIX-based HTTP/HTTPS proxy that runs from inetd. The application can be freely obtained here. In this article I use the latest version, which can be downloaded here.

Before we proceed, let me state this: micro_proxy is a very small UNIX HTTP/HTTPS proxy. In terms of performance it is poor compared to Squid or other proxy tools, but for a low-traffic site it is quite adequate. It also offers all the basic features of an HTTP/HTTPS proxy, including IPv6 forwarding.

xinetd, or eXtended InterNET Daemon, is an open-source daemon which runs on many UNIX systems and manages internet-based connectivity. It offers a more secure extension to, or version of, inetd, the Internet Daemon. xinetd performs the same function as inetd: it starts programs that provide internet services. Instead of having such servers started at system initialization time and sit dormant until a connection request arrives, xinetd is the only daemon process started; it listens on all service ports for the services listed in its configuration file. When an incoming request arrives, xinetd starts the appropriate server.

xinetd is freely available from its website here; download the latest version here.

Installation

Now extract the package. You should get four files: Makefile, micro_proxy.8, micro_proxy.c, and README file.

Reading the README file gives us some information: if we use a System V-like machine (this includes old Linux systems), edit the Makefile and uncomment the SYSV_LIBS line. Our server is not System V, so we ignore this.

Now just invoke make and make install to install the tool.

Next install xinetd. We can accomplish this by extracting, compiling, and installing xinetd. Once finished, we have two packages installed: xinetd and micro_proxy.

Configuration

Set Micro Proxy to run via xinetd. Below is the sample configuration I use for micro_proxy:

service microproxy
{
   disable = no
   bind = 127.0.0.1
   socket_type = stream
   protocol = tcp
   user = root
   wait = no
   server = /usr/sbin/micro_proxy
}
service microproxyssl
{
   disable = no
   bind = 127.0.0.1
   socket_type = stream
   protocol = tcp
   user = root
   wait = no
   server = /usr/sbin/micro_proxy
}

Now edit /etc/services file and add following entries:

microproxy 2280/tcp
microproxyssl 2243/tcp

Both ports are bound to microproxy, and whenever a connection arrives on either port, micro_proxy is executed.

Notice that in this article I use port 2280 for HTTP and 2243 for HTTPS. There is no restriction on which ports you can choose, but for simplicity I will use these two ports for the rest of this article.

Now restart xinetd so that the micro_proxy service (if it was already loaded) is reloaded. For the change to take effect, make sure /etc/services is readable by xinetd.

Make sure micro_proxy is running. You can use any method to do so; these three can be used to check (use one or all, but make sure you have the appropriate tools installed):

lsof -i -n -P | grep 2280
netstat -vatn
nmap localhost
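As an added check (example code, not from the article or from xinetd), the script below parses the service block and the /etc/services lines above and flags what the rest of the article depends on: a port xinetd can resolve, and a loopback bind so the proxy is reachable only through the SSH tunnel instead of being an open proxy. The config text embedded in it is a constructed copy of the block above; the root-user finding is a least-privilege note on that same block.

```python
"""Audit the xinetd service block and /etc/services lines from this article.
Added example, not part of the article, xinetd or micro_proxy. XINETD_CONF
and SERVICES are constructed copies of the text above; the findings encode
what the article relies on: a resolvable port and a loopback-only bind."""
import ipaddress
import re

XINETD_CONF = """\
service microproxy
{
   disable = no
   bind = 127.0.0.1
   socket_type = stream
   protocol = tcp
   user = root
   wait = no
   server = /usr/sbin/micro_proxy
}
"""
SERVICES = "microproxy 2280/tcp\nmicroproxyssl 2243/tcp\n"
BLOCK_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_xinetd(text):
    """Map service name -> {attribute: value} for every service block."""
    services = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        services[name] = attrs
    return services

def parse_services(text):
    """Map (name, protocol) -> port from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            ports[(fields[0], proto)] = int(port)
    return ports

def audit(xinetd_text, services_text):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    ports = parse_services(services_text)
    for name, attrs in parse_xinetd(xinetd_text).items():
        if attrs.get("disable", "no").lower() != "no":
            continue  # a disabled service never listens
        proto = attrs.get("protocol", "tcp")
        if (name, proto) not in ports:
            findings.append(f"{name}: no {proto} entry in /etc/services, so xinetd cannot resolve its port")
        bind = attrs.get("bind")
        if bind is None or not ipaddress.ip_address(bind).is_loopback:
            findings.append(f"{name}: bind = {bind} is not loopback; the proxy is reachable from the network")
        if attrs.get("user") == "root":
            findings.append(f"{name}: runs as root; xinetd owns the socket, so an unprivileged user is enough")
    return findings
```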

Micro Proxy uses SSL for its operation. Therefore we need to establish a tunnel and direct all connections through it. Now invoke the following in a terminal. This command works for Linux and UNIX. If you use Windows, you should look for an SSH tunnel program; PuTTY or KiTTY can accomplish this. A link to download KiTTY can be found here.

ssh -L 5000:127.0.0.1:2280 -L 5043:127.0.0.1:2243 user@server.name

In the snippet above, user is your login on the proxy host and server.name refers to our actual server's hostname. If you use different ports than those used in this article, adjust them in the ssh command.

To use it, point your proxy settings at our machine: use 127.0.0.1 as the proxy address, port 5000 for HTTP connections and port 5043 for HTTPS connections. This works because we have created an SSH tunnel to our proxy out there.

Firewall

If you have iptables installed on your machine, you will need to instruct your firewall to allow traffic through the ports we have configured. This assumes you have enough privileges to do so. Now let's open the firewall barricade by adding the following rule to iptables:

iptables -A INPUT -p tcp -i eth0 --dport 2280 -j ACCEPT

Now, we should be able to go through network.

Building Anonymous Proxy with Squid

December 9, 2015 | Article | 2 Comments

An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user’s behalf, protecting personal information by hiding the client computer’s identifying information.

In this article we will discuss how to use Squid proxy as an anonymous proxy. In this article I use:

  1. FreeBSD 8.3
  2. Squid Proxy

Although I use FreeBSD, the method covered in this article is written as generically as possible and should be applicable to FreeBSD, Linux, or other operating systems.

Make sure Squid proxy is installed on your machine. You can either do a fresh install of Squid, or use an established, running Squid. Both are usable.

How it Works

Every machine connected to the internet has a unique Internet Protocol address (IP address), and of course our machine does too. The IP might be statically allocated or change dynamically each time we go surfing. In both cases we are tagged with an IP address; it is necessary for communication within a network. Literally, it can be called our identity or address in the internet world.

IP addresses do not contain any personally identifiable information about the assigned machine, nor about the user. However, if we are signed up with an Internet Service Provider (ISP), then our ISP can easily link our IP address with our name, home address, phone number, e-mail address and even credit card information. ISPs have strict privacy policies, so they won't give out your personal information to random people, nor will they give your information to the police unless you have done something.

A proxy can act as a bridge, connecting a client to the internet. It facilitates our use of the internet, either for browsing or at the operating system level. Thus when you get in touch with a server or another client on the internet, they won't get your IP address; they get the proxy's information instead. An anonymous proxy will completely hide our identity.

Figure: A Proxy in Action

Configuration

Edit /usr/local/etc/squid/squid.conf (default FreeBSD installation using ports) or /usr/local/squid/etc/squid.conf (generic path for a source installation; this may vary according to your installation). In the rest of this article we will refer to it as squid.conf, unless told otherwise.

Disable Forwarded Client IP

In the default configuration, Squid forwards the client IP address to the respective website. This, of course, is unsuitable and must be disabled if we want to build an anonymous proxy server. Hiding the IP address forces Squid to send only the IPs configured on the server. Now alter this line to the following (or create it if it doesn't exist):

forwarded_for off

Configuring IPs

Next we will generate rules for outgoing IPs. If a client connects to any of the IP addresses listed here, the request goes out to the destination server from that same IP. In this way, we can connect several clients on different IPs, and all IPs act as anonymous proxies.

acl ip1 myip 192.168.0.1
tcp_outgoing_address 192.168.0.1 ip1
acl ip2 myip 192.168.0.2
tcp_outgoing_address 192.168.0.2 ip2
acl ip3 myip 192.168.0.3
tcp_outgoing_address 192.168.0.3 ip3
acl ip4 myip 192.168.0.4
tcp_outgoing_address 192.168.0.4 ip4
acl ip5 myip 192.168.0.5
tcp_outgoing_address 192.168.0.5 ip5

There is no limit to this list. We can add as many IP addresses as we like, but keep the same pattern as above.

Enable Anonymizer

Now, this is the core part of our article. Add this at the bottom of squid.conf:

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Configuration is finished. You can restart / reconfigure Squid. If you see an error message about visible_hostname after starting the service, edit squid.conf and add the visible_hostname directive with your machine's hostname. For example:

visible_hostname veda.celestial-being.net

Testing the Proxy

Our server is ready now. Use any web browser you like and point its proxy settings at the machine we have built. Make sure to enter the correct IP and the correct port used by Squid in the browser's proxy configuration. If you activated the account system on Squid, you will be asked for a username and password before you can browse. Now check the anonymity by opening http://www.whatsmyipaddress.com/.

Beware: if something is wrong in request_header_access, our proxy can be detected. Otherwise all is fine; the site will just show the IP and assume it is a direct connection without a proxy.
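To see what the list in Enable Anonymizer actually forwards, and why a mistake in it makes the proxy detectable, here is an added example (not Squid's code and not from the article) that replays Squid's first-match request_header_access logic over a constructed request. The rule text is the article's list shortened to a few headers, and the request is as Squid sees it after appending its own Via and X-Forwarded-For headers.

```python
"""Replay Squid's request_header_access filtering over a captured request.
Added example, not Squid code. RULES is the article's list shortened to a few
headers; REQUEST is constructed, with the Via and X-Forwarded-For headers a
proxy adds on the way out, which are what a detection page looks for."""

RULES = """
request_header_access Host allow all
request_header_access Accept allow all
request_header_access Cache-Control allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
"""

REQUEST = {  # constructed; not a real capture
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Accept": "text/html",
    "Cache-Control": "max-age=0",
    "Cookie": "session=abc123",
    "Via": "1.1 veda.celestial-being.net (squid/3.3.3)",
    "X-Forwarded-For": "192.168.0.55",
}

def parse_rules(text):
    """Return [(header_name_lowercase, allowed)] in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "request_header_access":
            rules.append((parts[1].lower(), parts[2] == "allow"))
    return rules

def header_allowed(rules, header):
    """First matching line wins; the special name All matches any header.
    A header no line mentions is allowed by Squid, which is why the list
    must end with 'All deny all' to strip everything not named above it."""
    name = header.lower()
    for rule_name, allowed in rules:
        if rule_name in (name, "all"):
            return allowed
    return True

def filter_request(rules_text, headers):
    """Split a request into the headers sent upstream and the headers dropped."""
    rules = parse_rules(rules_text)
    kept = {h: v for h, v in headers.items() if header_allowed(rules, h)}
    dropped = sorted(h for h in headers if h not in kept)
    return kept, dropped
```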

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems and is licensed under the GNU GPL.

Squid is used by hundreds of Internet Providers world-wide to provide their users with the best possible web access. Squid optimises the data flow between client and server to improve performance and caches frequently-used content to save bandwidth. Squid can also route content requests to servers in a wide variety of ways to build cache server hierarchies which optimise network throughput.

Thousands of web-sites around the Internet use Squid to drastically increase their content delivery. Squid can reduce server load and improve delivery speeds to clients. Squid can also be used to deliver content from around the world – copying only the content being used, rather than inefficiently copying everything. Finally, Squid’s advanced content routing configuration allows you to build content clusters to route and load balance requests via a variety of web servers.

In this article we will discuss how to install Squid, give it a simple configuration, and then use it as a local cache server. Our goal is to improve response times and minimize bandwidth on a Slackware64 machine.

I use the following:

  1. Slackware64 14.0 with multilib support.
  2. Squid Cache 3.3.3 source code

Obtain the Materials

The only material we need is Squid's source code, which can be downloaded from the official site. At the time of writing, the latest stable version available is 3.3.3. The direct download can be made here.

As stated on the site, we need Perl installed on our system. On Slackware64 it is already installed by default, unless you have uninstalled it. Make sure Perl is available.

Installation

Create a working directory. You can use any directory you want, but in this case I will use my home directory /home/xathrya/squid. The archive we got is squid-3.3.3.tar.xz.

Now extract and configure the makefile. In this article I use the /usr/local/squid directory as the root of the installation, which is the default path for installing Squid. If you want to install Squid in another directory, pass --prefix=/path/to/new/squid to ./configure, where /path/to/new/squid is a path like /usr. After compilation finishes, install Squid with root privileges. The complete commands are given below:

tar -Jxf squid-3.3.3.tar.xz
cd squid-3.3.3
./configure
make
make install clean

The compilation may take some time, depending on your machine.

Setup

Squid is officially installed at this stage, but we need to do some setup to make it work properly.

Before we proceed we need to specify what resources are allocated to Squid and what configuration we must set to meet our needs. In my case: Squid can be activated on demand; the cache directory is a dedicated partition mounted on /cache (you can use another directory, and a dedicated partition is not a must) with 48.0 GiB allocated; and Squid can use peers that are configured dynamically without my having to change the main configuration file directly.

Your needs might differ from mine, so adjust accordingly.

Create Basic Configuration File

In this example the configuration file is located at /usr/local/squid/etc/squid.conf, but this may vary if you install Squid in a directory other than /usr/local/squid. In general, the Squid configuration file is located at <root directory>/etc/squid.conf.

Now adjust your configuration file. Below is the configuration I use:

###############################################################
##
## BlueWyvern Proxy Service
## XGN-Z30A : SquidProxy
##
###############################################################

##
#      Proxy Manager Information
##
cache_mgr [email protected]
visible_hostname proxy.bluewyvern.celestial-being.net

###############################################################

##
#    Basic Configuration
##
cache_effective_user squid
cache_effective_group squid

# DNS server (not required)
# Use this if you want to specify a list of DNS servers to use instead
# of those given in /etc/resolv.conf
#dns_nameservers 127.0.0.1 8.8.8.8

# Set Squid to listen on port 1351 (normally it listens on port 3128)
http_port 1351

# Timeouts
dead_peer_timeout 30 seconds
peer_connect_timeout 30 seconds

# Load the peer
include /usr/local/squid/peers.conf

###############################################################

##
#    Access Control List
#
#    My machine allow client from self, so IP other than self will be rejected
#    Also define some safe ports
##
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

###############################################################

##
#    Directory & Logs
#
#    We use /cache for directory
#    I have 48.0 GiB = 51 GB available
#        64 directories, 256 subdirectories for each directory
#
##

# Cache directory 48GiB = 51500MB
cache_dir ufs /cache 51500 64 256

# Coredumps is specified on /cache too
coredump_dir /cache

# Squid logs
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

# Defines an access log format
logformat custom %{%Y-%m-%d %H:%M:%S}tl %03tu %>a %tr %ul %ui %Hs %mt %rm %ru %rv %st %Sh %Ss

###############################################################

##
#    Other
##
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
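To check how the http_access lines above are evaluated before relying on them, here is an added example (not Squid's code and not part of the article) that reproduces Squid's matching order for the ACL types that file uses. The configuration inside it is an abridged copy of the ACL section above and the requests in the test are constructed.

```python
"""Reproduce Squid's http_access evaluation for the ACL types used above.
Added example, not Squid code: acl lines sharing a name are OR-ed, and the
first http_access line whose terms all match decides. CONF is an abridged
copy of the configuration above; the requests in the test are constructed."""
import ipaddress

CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

BUILTIN = {  # built into Squid 3.2+; manager is modelled as a request flag
    "all": lambda req: True,
    "localhost": lambda req: ipaddress.ip_address(req["src"]).is_loopback,
    "manager": lambda req: req.get("manager", False),
}

def parse_conf(text):
    acls, rules = {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["acl"]:
            acls.setdefault(fields[1], []).append((fields[2], fields[3:]))
        elif fields[:1] == ["http_access"]:
            rules.append((fields[1] == "allow", fields[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    if name in BUILTIN:
        return BUILTIN[name](req)
    for kind, values in acls[name]:
        if kind == "src" and any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values):
            return True
        if kind == "port":
            for v in values:  # a value is a single port or a lo-hi range
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
        if kind == "method" and req["method"] in values:
            return True
    return False

def http_access(conf, req):
    """True if Squid would allow req (keys: src, port, method, manager)."""
    acls, rules = parse_conf(conf)
    for allow, terms in rules:
        # a "!name" term matches exactly when the named ACL does not
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]  # nothing matched: opposite of the last line
```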

Make user squid and group squid if you don't have them yet. Then create the cache directory if you don't have one and change its ownership to user squid and group squid (or whichever user and group you assign to Squid; see squid.conf). I also use the /var/log/squid directory for Squid's logs. After all the preparations are ready, we need to do the initial setup. Below is the snippet I use:

ln -s /usr/local/squid/sbin/squid /usr/bin/squid

# Create the squid group if it does not exist yet
if ! /bin/egrep -i "^squid:" /etc/group > /dev/null; then
    groupadd squid
fi

# Create the squid user: no home directory, no login shell
if ! /bin/egrep -i "^squid:" /etc/passwd > /dev/null; then
    useradd -g squid -s /bin/false -M squid
fi

# Cache directory, owned by the user Squid runs as (cache_effective_user)
if [ ! -d /cache ]; then
    mkdir /cache
fi
chown squid:squid /cache

# Log directory referenced by the log settings in squid.conf
if [ ! -d /var/log/squid ]; then
    mkdir /var/log/squid
fi
chown squid:squid /var/log/squid

# Create the cache swap directories; run this after squid.conf is in place
/usr/local/squid/sbin/squid -z

Now create the file /usr/local/squid/etc/peers.conf and write in it all the peers you want to use.

Creating Scripts

All the systems are ready. Now we need to create a control-panel script to operate Squid. Using this script, I can start and stop Squid, and also purge content from the cache. The script I use is:

#! /bin/bash
ROOTFOLDER=/usr/local/squid
SQUID=${ROOTFOLDER}/sbin/squid
SQUIDCLIENT=${ROOTFOLDER}/bin/squidclient
PORT=1351   # must match http_port in squid.conf

case "$1" in
"start")
    # squid with no arguments starts the daemon
    $SQUID
    ifconfig | grep inet
    ;;
"purge")
    # Evict one URL from the cache; squid.conf must allow the PURGE method
    # from localhost (acl PURGE method PURGE / http_access allow PURGE localhost)
    $SQUIDCLIENT -h 127.0.0.1 -p $PORT -m PURGE "$2"
    ;;
"stop")
    # squid has no "stop" argument; -k shutdown asks the running daemon to exit
    $SQUID -k shutdown
    ;;
*)
    echo "Usage: $0 {start|stop|purge URL}"
    exit 1
    ;;
esac

Known Issues

Compile & Installation

  • Squid 3.5 onward uses GnuTLS instead of OpenSSL. If you get an error message such as “error: ‘gnutls_transport_set_int’ was not declared in this scope”, then chances are that you have an old GnuTLS installed. Make sure you install a newer version; the safe assumption is to use the latest. I tested GnuTLS v3.3 with Nettle 2.7.1.

Runtime
