Building a Security Proxy with Tor
A proxy that pushes every client request through Tor lets privacy-conscious users and small organizations route browsing from many devices through one hardened host, with Squid enforcing who may connect and what they may reach. This guide sets up that chain on a Debian or Ubuntu server. Squid accepts connections from your network and forwards everything to Tor; because Squid speaks HTTP to its parents while Tor's SocksPort speaks SOCKS, Privoxy sits between them as the HTTP-to-SOCKS bridge.
Introduction
This setup combines the anonymity of the Tor network with the access control, header hygiene and (for plain HTTP only) caching of Squid. The result is a proxy that:
- Routes all web traffic through the Tor network and fails closed if Tor is unavailable
- Provides filtering and access control through Squid
- Creates a private proxy you can use from various devices on your network
- Caches plain-HTTP objects where appropriate (HTTPS is tunnelled with CONNECT and cannot be cached)
This tutorial walks you through installing and configuring Tor, Privoxy and Squid, connecting them, and verifying that nothing bypasses Tor.
Prerequisites
- A Linux server (this guide uses Ubuntu/Debian)
- Root or sudo access
- Basic knowledge of Linux command line
Step 1: Install and Configure Tor
First, we'll install Tor from the official repositories:
sudo apt update
sudo apt install tor
After installation, we need to configure Tor. Open the Tor configuration file:
sudo nano /etc/tor/torrc
On Debian and Ubuntu the packaged service already sets the data directory, the debian-tor user and daemon mode, so the torrc only needs the client-side settings. Add or modify the following lines (Tor comments go on their own line):
# Local SOCKS listener that Privoxy will forward to; loopback only
SocksPort 127.0.0.1:9050
# Tor's own log (/var/log/tor is owned by the debian-tor user on Debian)
Log notice file /var/log/tor/notices.log
Save the file, check that it parses under the same defaults the service uses, then restart Tor:
sudo -u debian-tor tor --verify-config --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc
sudo systemctl restart tor
sudo systemctl enable tor
Verify that Tor is running and can build circuits. The second command asks the Tor Project's check service which address you appear from; --socks5-hostname makes curl hand the hostname to Tor instead of resolving it locally:
sudo systemctl status tor
curl -s --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip
The response should read {"IsTor":true,"IP":"..."} with an exit relay's address, not yours. Bootstrapping can take a minute after a restart; if the request fails, look for the "Bootstrapped 100%" line in /var/log/tor/notices.log before debugging anything else.
Step 2: Install and Configure Squid (with Privoxy as the bridge to Tor)
Squid talks HTTP to its parent proxies and has no SOCKS client, so it cannot use Tor's SocksPort (9050) as a parent; a cache_peer pointed at 9050 fails for every request. Privoxy accepts HTTP and CONNECT requests and forwards them over SOCKS5 to Tor, which is exactly what Squid needs in front of it. Install both:
sudo apt install privoxy squid
Configure Privoxy to listen on loopback only and send everything to Tor:
sudo nano /etc/privoxy/config
Make sure these two lines are present (the Debian package already ships the listen-address; the forward line must end with a dot, which means "every destination"):
listen-address 127.0.0.1:8118
forward-socks5t / 127.0.0.1:9050 .
forward-socks5t is the Tor-aware variant of Privoxy's SOCKS5 forwarding. Hostnames are handed to Tor unresolved, so name resolution happens at the exit relay and no DNS query for the sites you visit leaves this host in the clear. Restart Privoxy and confirm it reaches Tor:
sudo systemctl restart privoxy
curl -s -x http://127.0.0.1:8118 https://check.torproject.org/api/ip
Now back up Squid's original configuration file:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
Open the Squid configuration file:
sudo nano /etc/squid/squid.conf
Replace the entire content with the following configuration:
# Listener for clients
http_port 3128
# Caching. HTTPS is tunnelled with CONNECT and is never cached, so only
# plain-HTTP objects benefit. The disk cache is also a record of what was
# browsed; keep it modest, or drop cache_dir to cache in memory only.
cache_mem 256 MB
maximum_object_size 64 MB
cache_dir ufs /var/spool/squid 1000 16 256
# Access control ("localhost" and "manager" are built in since Squid 3.2;
# defining localhost again only produces a warning)
acl localnet src 192.168.0.0/16 # Adjust to your local network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Deny requests to ports other than the safe ones
http_access deny !Safe_ports
# Deny CONNECT to anything but the TLS port
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Allow localhost and the local network
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Force every request through Tor and fail closed: never_direct allow all
# forbids Squid from ever contacting an origin server itself, so if Privoxy
# or Tor is down clients get an error page instead of a direct connection.
never_direct allow all
# Bind outgoing connections to loopback so that a direct connection to the
# internet could not even be attempted.
tcp_outgoing_address 127.0.0.1
# Privoxy is the parent. no-query/no-digest: it is not a cache, so there is
# nothing to ask it; "default" makes it the peer of last resort.
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default name=tor
cache_peer_access tor allow all
# Do not reveal the clients or the existence of this proxy to origin servers.
# Leave User-Agent alone: stripping it makes your users stand out rather than
# blend in. Server and WWW-Authenticate are response headers, so a
# request_header_access rule for them never matches anything.
via off
forwarded_for delete
httpd_suppress_version_string on
request_header_access From deny all
# Logging. access.log is a browsing history of your users; decide on
# retention deliberately, or use "access_log none" if you do not need it.
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
# 0: "squid -k rotate" only reopens the files; logrotate does the rotation
logfile_rotate 0
# Hostname shown in error pages (and in Via headers, which are off above)
visible_hostname squid-proxy
# Recommended minimum configuration:
coredump_dir /var/spool/squid
Save the file and restart Squid:
sudo systemctl restart squid
sudo systemctl enable squid
Check if Squid is running properly:
sudo systemctl status squid
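A static check of squid.conf catches the leak-prone mistakes before a restart. The script below is an added example, not part of the original guide or of Squid itself: it strips comments from a squid.conf and fails if any directive that keeps traffic inside the Privoxy/Tor chain (never_direct allow all, the cache_peer on 127.0.0.1:8118, via off, forwarded_for delete, the final deny) is missing, or if a direct-to-origin directive (always_direct allow, never_direct deny, prefer_direct on) is present. The directive list is an assumption matching this guide's configuration; edit REQUIRED and FORBIDDEN if your file differs.

```shell
#!/bin/sh
# Added example (not from the original guide): static audit of a squid.conf
# for the directives that keep traffic inside the Tor chain.
# Assumes the layout used in this guide: Privoxy parent on 127.0.0.1:8118.

# Print the configuration with comments, blank lines and surrounding
# whitespace removed, so that a commented-out directive never counts.
effective_directives() {
    sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Every pattern here must match at least one effective line.
REQUIRED='^never_direct[[:space:]]+allow[[:space:]]+all$
^cache_peer[[:space:]]+127\.0\.0\.1[[:space:]]+parent[[:space:]]+8118([[:space:]]|$)
^via[[:space:]]+off$
^forwarded_for[[:space:]]+(delete|off|transparent)$
^http_access[[:space:]]+deny[[:space:]]+all$'

# Any match here means Squid may connect to an origin server directly,
# which would expose the proxy's real address.
FORBIDDEN='^always_direct[[:space:]]+allow
^never_direct[[:space:]]+deny
^prefer_direct[[:space:]]+on'

# audit_squid_conf FILE: prints each finding, returns 0 only when clean.
audit_squid_conf() {
    conf=$(effective_directives "$1")
    rc=0
    saved_ifs=$IFS
    IFS='
'
    for pat in $REQUIRED; do
        if ! printf '%s\n' "$conf" | grep -Eq -- "$pat"; then
            echo "MISSING   : $pat"
            rc=1
        fi
    done
    for pat in $FORBIDDEN; do
        if printf '%s\n' "$conf" | grep -Eq -- "$pat"; then
            echo "DANGEROUS : $pat"
            rc=1
        fi
    done
    IFS=$saved_ifs
    if [ "$rc" -eq 0 ]; then
        echo "OK: every request is forced through the Tor parent"
    fi
    return "$rc"
}

# Usage: sh audit_squid_conf.sh /etc/squid/squid.conf
if [ "$#" -gt 0 ]; then
    audit_squid_conf "$1"
fi
```

Run it after every edit of squid.conf and before `squid -k parse`; the two checks are complementary, since Squid accepts a syntactically valid file that still allows direct connections.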
Step 3: Configure Firewall
If ufw is enabled, allow only the client network to reach Squid. Do not open 3128 to the whole internet: the Squid ACL would then be the only thing between anonymous strangers and your Tor exit traffic. Privoxy (8118) and Tor (9050) are bound to 127.0.0.1 and need no firewall rule. Adjust the network to match your localnet ACL:
sudo ufw allow from 192.168.0.0/16 to any port 3128 proto tcp
sudo ufw status
Step 4: Testing Your Tor + Squid Proxy
Test from the server itself with curl. Each request travels client -> Squid (3128) -> Privoxy (8118) -> Tor (9050), and the Tor Project's check service reports whether it arrived through a Tor exit:
curl -s -x http://localhost:3128 https://check.torproject.org/api/ip
A response of {"IsTor":true,"IP":"<exit address>"} means the chain works; the HTML page at https://check.torproject.org/ carries the same answer as a "Congratulations" banner. Also confirm that the chain fails closed: stop Privoxy (sudo systemctl stop privoxy), repeat the request, and expect a Squid error page rather than a response from your real address. Start Privoxy again afterwards.
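To make this test repeatable (after every configuration change, or from cron), here is an added example script that is not part of the original guide: it queries the check service directly and through each hop (Tor's SocksPort, Privoxy, Squid), parses the {"IsTor":...,"IP":"..."} reply without jq, and fails if any hop is not exiting through Tor or reports the same address as the direct request. The ports are the ones used in this guide; the sample JSON in the comments is constructed to match the service's reply shape.

```shell
#!/bin/sh
# Added example (not from the original guide): exercise every hop of the
# client -> Squid -> Privoxy -> Tor chain against the Tor Project's check
# service and compare with a direct request. Ports are this guide's.

CHECK_URL="https://check.torproject.org/api/ip"
TOR_SOCKS="127.0.0.1:9050"
PRIVOXY="http://127.0.0.1:8118"
SQUID="http://127.0.0.1:3128"

# classify_check_response JSON -> "tor <ip>" or "clearnet <ip>".
# The service answers with a body like {"IsTor":true,"IP":"203.0.113.7"}
# (constructed sample); parsed with sed/grep so no jq is needed.
classify_check_response() {
    ip=$(printf '%s' "$1" | sed -n 's/.*"IP"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if printf '%s' "$1" | grep -q '"IsTor"[[:space:]]*:[[:space:]]*true'; then
        printf 'tor %s\n' "$ip"
    else
        printf 'clearnet %s\n' "$ip"
    fi
}

# same_exit_ip A B -> true when both classifications carry the same,
# non-empty address. Seeing your direct address behind a hop is a leak.
same_exit_ip() {
    a=${1#* }
    b=${2#* }
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# fetch_via MODE TARGET: socks = Tor's SocksPort, http = an HTTP proxy URL,
# direct = no proxy. --socks5-hostname hands the name to Tor unresolved.
fetch_via() {
    case "$1" in
        socks)  curl -sS --max-time 90 --socks5-hostname "$2" "$CHECK_URL" ;;
        http)   curl -sS --max-time 90 -x "$2" "$CHECK_URL" ;;
        direct) curl -sS --max-time 30 "$CHECK_URL" ;;
    esac
}

# check_chain: returns 0 only if every hop exits through Tor and none of
# them shows the address seen on the direct request.
check_chain() {
    fail=0
    direct=$(classify_check_response "$(fetch_via direct)")
    echo "direct : $direct"
    for hop in "socks $TOR_SOCKS" "http $PRIVOXY" "http $SQUID"; do
        # $hop is split on purpose into MODE and TARGET
        result=$(classify_check_response "$(fetch_via $hop)")
        echo "$hop : $result"
        case "$result" in
            tor\ *) ;;
            *) echo "  FAIL: not exiting through Tor"; fail=1 ;;
        esac
        if same_exit_ip "$result" "$direct"; then
            echo "  FAIL: same address as the direct request (leak)"
            fail=1
        fi
    done
    return "$fail"
}

# Usage: RUN_CHAIN_CHECK=1 sh check_chain.sh   (needs network access)
if [ "${RUN_CHAIN_CHECK:-0}" = "1" ]; then
    check_chain
fi
```

The first hop that prints FAIL is the one to fix. A hop that cannot be reached at all (connection refused) shows up as "clearnet" with an empty address, which is also a failure, so a stopped Privoxy or Tor is reported rather than silently skipped.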
Step 5: Configure Client Devices to Use Your Proxy
For Linux/Mac Terminal:
export http_proxy=http://your_server_ip:3128
export https_proxy=http://your_server_ip:3128
For Web Browsers:
Firefox:
- Open Settings
- Scroll down to Network Settings and click "Settings"
- Select "Manual proxy configuration"
- Set "HTTP Proxy" to your server's IP and port 3128
- Check "Also use this proxy for HTTPS"
- Click "OK"
Chrome:
- Go to Settings
- Click on "System" (under "Advanced" in older versions) and then "Open your computer's proxy settings"; Chrome uses the operating system's proxy configuration
- Set the proxy server and port
Only applications that honour these settings are routed through Tor. Anything with its own network stack (system updates, many command-line tools, some messaging and VoIP clients) connects directly and reveals your real address, and the proxy does nothing to make your browser look like other Tor users. For browsing where that matters, use Tor Browser on the client and keep this proxy for devices and applications that cannot run it.
Step 6: Advanced Configuration
Add User Authentication to Squid
The localnet ACL trusts every address on the LAN. Adding Basic authentication ties use of the proxy to a credential:
sudo apt install apache2-utils
sudo htpasswd -c /etc/squid/passwd user1
sudo chown root:proxy /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd
htpasswd -c creates the file; drop -c when adding further users. The chown lets the helper, which runs as Squid's proxy user on Debian, read the file without making it world-readable. Check that the helper accepts the credential (it reads "user password" lines on stdin and answers OK or ERR):
echo "user1 the-password" | sudo -u proxy /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
Then, in /etc/squid/squid.conf, add the auth_param and acl lines above the http_access section and replace the "http_access allow localnet" line with the combined rule below. Do not simply add "http_access allow authenticated" in front of "http_access allow localnet": the LAN rule would still match and admit unauthenticated clients.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Tor proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow localnet authenticated
Basic authentication sends the password in clear text on every request between client and Squid, so use it only on a network you trust, or terminate TLS on Squid with https_port for remote clients. Restart Squid to apply the changes:
sudo systemctl restart squid
Tune Tor Circuit Rotation
Tor already stops attaching new streams to a circuit after MaxCircuitDirtiness seconds (default 600, ten minutes) and builds fresh circuits preemptively on its own, so setting 600 changes nothing. Lowering it rotates exits more often. Edit the Tor configuration file:
sudo nano /etc/tor/torrc
Add the following lines (comments on their own line):
# Retire a circuit for new streams after five minutes instead of ten
MaxCircuitDirtiness 300
Do this deliberately: every extra circuit is another exit relay that sees part of your traffic, so aggressive rotation enlarges your exposure rather than shrinking it, and it breaks sessions that are tied to the exit's address. NewCircuitPeriod (default 30 seconds) is how often Tor considers building new circuits; raising it to 300, as some guides suggest, makes rotation less frequent, not more. Because every client of this proxy reaches Tor through the same Privoxy connection, Tor cannot tell users apart by source address; if you want separate circuits per destination site instead, add the IsolateDestAddr flag to the SocksPort line (with the same exposure trade-off):
SocksPort 127.0.0.1:9050 IsolateDestAddr
Restart Tor:
sudo systemctl restart tor
Troubleshooting Section
Common Issues and Solutions
1. Squid Won't Start
Problem: The Squid service fails to start.
Solution: Check the configuration syntax first, then the error log:
sudo squid -k parse
sudo tail -n 50 /var/log/squid/cache.log
squid -k parse reports the line of any directive it does not understand (a misspelt cache_peer option, an ACL used before it is defined). The other common cause is a missing or wrongly owned cache directory:
sudo mkdir -p /var/spool/squid
sudo chown -R proxy:proxy /var/spool/squid
sudo squid -z
sudo systemctl restart squid
2. Cannot Connect to Proxy
Problem: Clients cannot connect to the Squid proxy.
Solution: Check that each service is listening where the chain expects it (netstat is deprecated on current Debian; ss ships with iproute2):
sudo ss -tlnp | grep -E 'squid|privoxy|tor'
Squid should be bound on port 3128 on the address clients use; Privoxy (8118) and Tor (9050) should show 127.0.0.1 only. Ensure your firewall allows the client network to reach port 3128:
sudo ufw status
Finally, confirm that the localnet ACL covers the client's address: a client outside it gets an "Access Denied" page from Squid, and the refused request appears in /var/log/squid/access.log as TCP_DENIED.
3. Tor Connection Issues
Problem: Requests through Squid return an error page even though Squid itself is up.
Solution: Work backwards along the chain, one hop at a time, with the same check request:
curl -s --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip
curl -s -x http://127.0.0.1:8118 https://check.torproject.org/api/ip
curl -s -x http://127.0.0.1:3128 https://check.torproject.org/api/ip
The first hop that fails is the one to fix. For Tor, check the service and its log:
sudo systemctl status tor
sudo tail -n 50 /var/log/tor/notices.log
For Privoxy, check sudo systemctl status privoxy and /var/log/privoxy/logfile; a forward-socks5t line without its trailing dot is the usual misconfiguration. Squid reports an unreachable parent in cache.log ("Detected DEAD Parent: tor") and, because of never_direct, answers clients with an error instead of going direct. That is the intended fail-closed behaviour, not a bug.
4. Slow Connection Speeds
Problem: Browsing through the proxy is extremely slow.
Solution: Most of the latency is Tor itself (three relays plus circuit building), and nothing in Squid changes that; connect_timeout does not matter either, because Squid's TCP connection is to Privoxy on loopback. What Squid can do is serve repeat requests for plain-HTTP objects from cache. HTTPS is tunnelled with CONNECT and never cached, so tune caching only if your clients actually fetch plain-HTTP content:
sudo nano /etc/squid/squid.conf
Add or modify these lines (raise cache_mem further if the host has RAM to spare):
cache_mem 512 MB
maximum_object_size_in_memory 10240 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
LFUDA keeps large popular objects on disk for byte hit rate; GDSF favours small popular objects in memory, which is what the Squid documentation recommends for the memory cache. Restart Squid:
sudo systemctl restart squid
Best Practices & Optimization Tips
Security Enhancements
- Regular Updates: Keep both Tor and Squid updated to protect against vulnerabilities
- Limit Access: Configure your Squid ACLs to only allow connections from trusted IPs
- TLS Inspection: Squid can decrypt and re-encrypt HTTPS (ssl_bump), but that means installing your own CA on every client and giving the proxy host the plaintext of everything users send; on a proxy whose purpose is anonymity it is usually the wrong trade, so treat it as a content-filtering option for a managed environment, not a security enhancement by default
- Filter Content: Use Squid's filtering capabilities to block malicious websites
- Monitor Logs: Regularly check Squid and Tor logs for suspicious activities
Performance Optimization
- Optimize Cache: Adjust cache settings based on your server's available memory and storage, remembering that only plain-HTTP objects are cacheable here
- Connection Pooling: Squid keeps persistent connections to clients and to the Privoxy parent by default (client_persistent_connections and server_persistent_connections are both on); leave them that way
- Hardware Considerations: For high-traffic environments, consider dedicating more RAM and using SSDs for cache storage
# Add to squid.conf for performance
# Parse one pipelined request while the previous one is still in flight
pipeline_prefetch 1
# How long Squid waits for a client to send a complete request
request_timeout 60 seconds
Leave connect_timeout at its default: it governs the loopback connection to Privoxy, and Tor's circuit latency shows up as response time, which read_timeout (default 15 minutes) governs.
Monitoring and Maintenance
Set Up Regular Log Rotation
The Debian package installs a logrotate policy; make sure it is in place so logs cannot fill the disk, and make sure squid.conf sets logfile_rotate 0, otherwise "squid -k rotate" keeps its own numbered copies in addition to logrotate's. Open:
sudo nano /etc/logrotate.d/squid
Verify it contains rotation settings along these lines:
/var/log/squid/*.log {
weekly
rotate 5
compress
delaycompress
notifempty
missingok
nocreate
sharedscripts
postrotate
test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate
endscript
}
Monitor Proxy Usage
sarg (Squid Analysis Report Generator) turns access.log into per-user, per-site HTML reports:
sudo apt install sarg
sudo nano /etc/sarg/sarg.conf
Set the basic options (access_log, output_dir) and generate a report for yesterday (see sarg(1) for the -d date syntax):
sudo sarg -d day-1
Be deliberate about this on an anonymity proxy: the report is a browsing history of every user, so either restrict who can read the output directory or skip per-user reporting and keep access.log retention short.
Schedule Regular Cache Maintenance
Squid keeps the disk cache within the size set by cache_dir and evicts objects according to the replacement policy, so it does not need periodic clearing; "squid -k rotate" rotates logs and does not touch the cache at all. If you want the cache wiped on a schedule for privacy (cached objects are a record of what was browsed), stop Squid, remove the cache contents and rebuild the swap directories:
sudo systemctl stop squid
sudo rm -rf /var/spool/squid/*
sudo squid -z
sudo systemctl start squid
To run that weekly, add to root's crontab (sudo crontab -e) a line for 02:00 on Sundays:
0 2 * * 0 systemctl stop squid && rm -rf /var/spool/squid/* && squid -z && systemctl start squid
Conclusion
You now have a chain in which Squid decides who may connect and to which ports, Privoxy bridges HTTP to SOCKS, and Tor carries the traffic to the internet, with never_direct guaranteeing that a failure anywhere in the chain produces an error rather than a direct connection.
Keep the limits in mind. Anonymity covers only the traffic that actually passes through the proxy; the proxy does not change how your browser looks to the sites it visits; and the proxy host sees every hostname (and the full content of plain-HTTP requests), so its access.log, cache and any usage reports are a browsing history that needs the same protection as the browsing itself. For sessions where anonymity matters most, Tor Browser on the client remains the better tool; this proxy is the complement for devices and applications that cannot run it.
Key benefits of your new setup include:
- All web traffic from configured clients leaves through the Tor network, and fails closed when Tor is unavailable
- Access control, and optionally authentication, in front of Tor
- Caching of plain-HTTP objects (HTTPS is tunnelled and not cached)
- Room to extend with Squid's ACLs and helpers
DNS does not leak from clients configured as above: an HTTP proxy receives the hostname rather than an address, Privoxy passes it to Tor over SOCKS5, and resolution happens at the exit relay. What does leak DNS is an application that bypasses the proxy, so the remaining work is on the client side, not in the chain. Stacking a VPN under Tor changes who can see that you use Tor, not what the exit relay sees; weigh it against the Tor Project's own guidance rather than adding it by default.