Set Up Squid as an HTTP and HTTPS Proxy Server with Multiple IPs on Ubuntu 16.04

Recently I have had the need to set up 4 different proxy servers using Squid. My requirements were rather simple: each machine had 8 IPv4 addresses which needed to be able to route requests, the login needed to be a simple username and password, and the proxy's incoming IP was to be used as the outgoing IP. This is for a standard HTTP and HTTPS proxy; if you need a SOCKS5 proxy, please see this post (How to install Dante Server 1.4.1 on Ubuntu 16.04).

Getting ready

This is actually going to be super simple: really just a matter of installing a couple of utilities and Squid, and then configuring it. To start, log into your server and make sure your account has sudo privileges.

Install utils and squid

user@localhost:~$ sudo apt-get update
user@localhost:~$ sudo apt-get install squid
user@localhost:~$ sudo apt-get install apache2-utils

Really, apache2-utils is only needed for the htpasswd program, which we use later.

Create a password file

I assume you want to password protect your proxy addresses. If not, go ahead and skip to the Configure Squid section, leaving out the configuration lines for user authentication.

user@localhost:~$ cd /etc
user@localhost:~$ sudo mkdir squid3
user@localhost:~$ sudo htpasswd -c /etc/squid3/passwords proxy_username

You will then be prompted to enter a password, and then to re-enter it. Once you have done this, the password file is ready to be used by Squid.

Configure Squid

It is already time to configure Squid to be a really simple proxy for whatever you want to use it for. Maybe watching the BBC from the US? Or just to hide your location from websites and applications that track that data; with this proxy they will only see your location as wherever your server is. But back to configuring our little proxy server:

Open up the squid.conf configuration file using your preferred editor (I like nano, it is really simple)

user@localhost:~$ sudo nano /etc/squid/squid.conf

Then proceed to enter the following configuration. Remember to replace each *.*.*.N placeholder with your own IP addresses.

# Authentication
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Choose the port you want. Below we set it to default 3128.
http_port 3128

# Configure and Name the available addresses
acl ip1 myip *.*.*.1
acl ip2 myip *.*.*.2
acl ip3 myip *.*.*.3
acl ip4 myip *.*.*.4
acl ip5 myip *.*.*.5
acl ip6 myip *.*.*.6
acl ip7 myip *.*.*.7
acl ip8 myip *.*.*.8

# Configure the incoming address -> outgoing address, map
tcp_outgoing_address *.*.*.1 ip1
tcp_outgoing_address *.*.*.2 ip2
tcp_outgoing_address *.*.*.3 ip3
tcp_outgoing_address *.*.*.4 ip4
tcp_outgoing_address *.*.*.5 ip5
tcp_outgoing_address *.*.*.6 ip6
tcp_outgoing_address *.*.*.7 ip7
tcp_outgoing_address *.*.*.8 ip8

# Make this proxy anonymous, it will make all services think 
# it is the originating IP of the requests
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Note here that I have 8 inbound IPs and 8 outbound IPs. I have not tried any other configuration, as this is the behavior that I needed. Each inbound IP sends all of its packets out as well, in a sort of passthrough mechanism. It is possible to have one inbound IP send out from a different outbound IP and vice versa.
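With eight near-identical acl and tcp_outgoing_address lines, a copy-paste slip makes a client leave from an address other than the one it connected to. The check below is an added example, not part of the original post; check_ip_map, sample_conf and the 192.0.2.x addresses are constructed for illustration.

```shell
# Lint the incoming -> outgoing address map in a squid.conf.
# Reads the file named in $1, or stdin when no file is given.
# Prints one line per problem; exit status is 1 if any problem was found.
check_ip_map() {
  awk '
    # "acl NAME myip ADDR" (localip is the newer name for the same ACL type)
    $1 == "acl" && ($3 == "myip" || $3 == "localip") {
      if ($4 in owner) { print "DUPLICATE " $4 " in acl " owner[$4] " and " $2; bad = 1 }
      owner[$4] = $2; listen[$2] = $4
    }
    # "tcp_outgoing_address ADDR NAME"; a line without NAME is a catch-all
    $1 == "tcp_outgoing_address" && NF >= 3 { send[$3] = $2 }
    END {
      for (n in listen) {
        if (!(n in send)) { print "UNMAPPED " n " has no tcp_outgoing_address"; bad = 1 }
        else if (send[n] != listen[n]) {
          print "MISMATCH " n " accepts on " listen[n] " but sends from " send[n]; bad = 1
        }
      }
      for (n in send) if (!(n in listen)) { print "UNDEFINED acl " n; bad = 1 }
      exit bad + 0
    }' "$@"
}

# Constructed sample: three addresses from the 192.0.2.0/24 documentation
# range, with a typo on the ip2 line and no outgoing line for ip3.
sample_conf() {
  cat <<'EOF'
acl ip1 myip 192.0.2.1
acl ip2 myip 192.0.2.2
acl ip3 myip 192.0.2.3
tcp_outgoing_address 192.0.2.1 ip1
tcp_outgoing_address 192.0.2.1 ip2
EOF
}

sample_conf | check_ip_map || echo "fix the map before reloading squid"
```

On the server, run it as check_ip_map /etc/squid/squid.conf after each edit to the address list.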

I cannot say this is secure by any means, but I do know that with some other precautions on the server, such as fail2ban (I will write a little article on this soon), I am running this in a production environment with no serious issues as of yet.