How to Enable Squid Anonymous Stealth Mode
There are some times when you don’t want your proxy server announcing that it’s a proxy server to the world. Getting Squid to anonymise the requests coming from behind it isn’t done out of the box.
Squid is RFC compliant in that it adds the appropriate headers into the HTTP conversation which is being a good internet neighbour and good for system admins. Putting Squid in stealth mode will therefore make Squid not RFC compliant. It is however very useful when you need to check geo services in other parts of the world, or when you need to make sure your users are secure.
What we are wanting to do is to make sure we don’t break websites we may wish to visit,but make sure our details are secure.
Log on to your Proxy box as per usual.
Edit the Squid configuration:
nano /etc/squid3/squid.conf
Add the following lines to the top of your config file:
follow_x_forwarded_for deny all
forwarded_for delete
via off
header_access From deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
[ctrl]+o to save, and [ctrl]+x to exit.
These lines are in the config file already, so you can either find them, change them accordingly or just paste the code above.
Now lets restart Squid, on Ubuntu we could use:
service squid3 restart
Any questions or problems comment below. Or if you use any other controls I’d be very interested in learning!
4 Comments
My five cents worth and experience
You will almost certainly run across auth/script errors if you use:
header_access Link deny all
If not others in the above list.
But Link deny certainly causes issues.
Also, better off using:
forwarded_for off
Than
forwarded_for delete
Also follow_x_forwarded_for deny all is the default setting so its not necessary to specify in squid.conf
Thanks for the tips! I’ve never had a problem with the header_access (I don’t think), but will change it on my proxy and see how I get on 🙂
Hi,
Why I need to set follow_x_forwarded_for deny all and header_access Via deny all?
thanks
Hi Petertc,
If you don’t set the x forwarded for and header access then Squid will tell the websites it’s accessing on your behalf your real IP address, which isn’t Squid in stealth mode 🙂
Gyp