Set Up a High-Anonymity Elite Proxy with Squid

Hello everyone, in this simple post we will take a look at how to set up an Elite Proxy. There are three common types of web proxy (there are probably more):

  1. Transparent Proxy
  2. Anonymous Proxy
  3. Elite Proxy

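Which type a proxy is comes down to which HTTP headers it sends about who you are. The names used below are the CGI-style variables a web server exposes: REMOTE_ADDR is the source address of the TCP connection, while HTTP_VIA and HTTP_X_FORWARDED_FOR correspond to the Via and X-Forwarded-For request headers. Before we set up the proxy, let us take a closer look at what that means.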

1. Transparent Proxy

A transparent proxy exposes the proxy IP address through REMOTE_ADDR and HTTP_VIA, and your real IP address through HTTP_X_FORWARDED_FOR. This is simply a default proxy installation: no modifications are made to the HTTP headers, and all headers are allowed.

REMOTE_ADDR: Proxy IP address  
HTTP_VIA: Proxy IP address/hostname and details – e.g. 1.1 proxy1.mydomain.net:3128 (squid/2.7.STABLE9)  
HTTP_X_FORWARDED_FOR: Your real IP address

2. Anonymous Proxy

An anonymous proxy hides your IP address from the web server by denying the X-Forwarded-For HTTP header, but it still reveals to websites that you're using a proxy. An anonymous proxy does not hide REMOTE_ADDR or the HTTP_VIA header.

REMOTE_ADDR: Proxy IP address  
HTTP_VIA: Proxy IP address/hostname and details – e.g. 1.1 proxy1.mydomain.net:3128 (squid/2.7.STABLE9)  
HTTP_X_FORWARDED_FOR: blank

3. Elite Proxy

An elite proxy makes you completely anonymous by hiding your real IP address and not telling the web server that you're using a proxy. The web server sees the elite proxy's IP address as your IP (and does not know that you're using a proxy).

REMOTE_ADDR: Proxy IP address  
HTTP_VIA: blank  
HTTP_X_FORWARDED_FOR: blank

Prerequisites

To enable such a highly anonymous proxy, you'll need to build Squid from source and pass --enable-http-violations to configure, because we need to modify the HTTP request and response headers. Please follow the guide I wrote in my previous post.

WARNING: Doing this VIOLATES the HTTP standard. Enabling these features could make you liable for problems they cause. Enabling "paranoid" mode may cause problems when visiting some websites.

Anonymous configs

The request_header_access option only applies to outgoing HTTP request headers (i.e., headers sent by Squid to the next HTTP hop such as a cache peer or an origin server). It has no effect during cache hit detection. The reply_header_access option applies to reply headers, i.e., those sent from the server to the client.

Below is the configuration suggested by Squid to achieve the same behavior as the old 'http_anonymizer standard' option:

    request_header_access From deny all
    request_header_access Referer deny all
    request_header_access User-Agent deny all
    
    reply_header_access Server deny all
    reply_header_access WWW-Authenticate deny all
    reply_header_access Link deny all

After modifying the configuration, restart Squid and test the difference.

Elite configs

Elite configs in simpler form:

    ### Deny request headers
    request_header_access Via deny all
    request_header_access Forwarded-For deny all
    request_header_access X-Forwarded-For deny all
    request_header_access Referer deny all
    request_header_access From deny all
    request_header_access User-Agent deny all

    ### Deny reply headers
    reply_header_access Via deny all
    reply_header_access Server deny all
    reply_header_access WWW-Authenticate deny all
    reply_header_access Link deny all

The configuration below allows some useful headers and denies all others. To reproduce the old 'http_anonymizer paranoid' feature you should use:

    request_header_access Authorization allow all
    request_header_access Proxy-Authorization allow all
    request_header_access Cache-Control allow all
    request_header_access Content-Length allow all
    request_header_access Content-Type allow all
    request_header_access Date allow all
    request_header_access Host allow all
    request_header_access If-Modified-Since allow all
    request_header_access Pragma allow all
    request_header_access Accept allow all
    request_header_access Accept-Charset allow all
    request_header_access Accept-Encoding allow all
    request_header_access Accept-Language allow all
    request_header_access Connection allow all
    request_header_access All deny all

    reply_header_access Allow allow all
    reply_header_access WWW-Authenticate allow all
    reply_header_access Proxy-Authenticate allow all
    reply_header_access Cache-Control allow all
    reply_header_access Content-Encoding allow all
    reply_header_access Content-Length allow all
    reply_header_access Content-Type allow all
    reply_header_access Date allow all
    reply_header_access Expires allow all
    reply_header_access Last-Modified allow all
    reply_header_access Location allow all
    reply_header_access Pragma allow all
    reply_header_access Content-Language allow all
    reply_header_access Retry-After allow all
    reply_header_access Title allow all
    reply_header_access Content-Disposition allow all
    reply_header_access Connection allow all
    reply_header_access All deny all

After modifying the configuration, restart Squid and see the difference.

Custom configs

In the custom configs below, I follow the 'paranoid' configuration above and add custom deny options. Note: if you customize the rules, make sure the deny rules come first, then the allow rules (the 'All' rule must be at the bottom).

    ### Request Headers ###
    ### Deny headers
    request_header_access Via deny all
    request_header_access Forwarded-For deny all
    request_header_access X-Forwarded-For deny all
    request_header_access Referer deny all
    request_header_access From deny all
    request_header_access User-Agent deny all

    ### Allow headers
    request_header_access Cache-Control allow all
    request_header_access Content-Length allow all
    request_header_access Content-Type allow all
    request_header_access Date allow all
    request_header_access Pragma allow all
    request_header_access Authorization allow all
    request_header_access Proxy-Authorization allow all
    request_header_access Host allow all
    request_header_access If-Modified-Since allow all
    request_header_access Accept allow all
    request_header_access Accept-Charset allow all
    request_header_access Accept-Encoding allow all
    request_header_access Accept-Language allow all
    request_header_access Connection allow all
    request_header_access Proxy-Connection allow all

    ### All others are denied
    request_header_access All deny all

    ### Replacement
    request_header_replace User-Agent 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13; ) Gecko/20101203'

    #####################
    ### Reply Headers ###
    ### Deny headers
    reply_header_access Via deny all
    reply_header_access Server deny all
    reply_header_access WWW-Authenticate deny all
    reply_header_access Link deny all

    ### Allow headers
    reply_header_access Allow allow all
    reply_header_access Proxy-Authenticate allow all
    reply_header_access Cache-Control allow all
    reply_header_access Content-Encoding allow all
    reply_header_access Content-Length allow all
    reply_header_access Content-Type allow all
    reply_header_access Date allow all
    reply_header_access Expires allow all
    reply_header_access Last-Modified allow all
    reply_header_access Location allow all
    reply_header_access Pragma allow all
    reply_header_access Content-Language allow all
    reply_header_access Retry-After allow all
    reply_header_access Title allow all
    reply_header_access Content-Disposition allow all
    reply_header_access Connection allow all

    ### All others are denied
    reply_header_access All deny all
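
To see what the request rules above do to a forwarded request, here is an added example (not from the original post and not Squid's code) that models them in Python: a rule naming a header decides its fate, any other header falls to the `All` rule, and a denied header comes back only if a `request_header_replace` exists for it. The rules are an abridged copy of the custom config; the request, addresses and replacement User-Agent are constructed, and `parse`, `mangle` and `classify` are hypothetical helper names.

```python
# Added example (not Squid's code): rules abridged from the custom config above,
# replacement value and request constructed for illustration.
CUSTOM_CONF = """
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access User-Agent deny all
request_header_access Host allow all
request_header_access Accept allow all
request_header_access All deny all
request_header_replace User-Agent Mozilla/5.0 (constructed example)
"""

def parse(conf):
    """Parse rules; assumes every rule uses the ACL 'all', so only allow/deny matters."""
    access, replace = {}, {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "request_header_access":
            access.setdefault(parts[1].lower(), parts[2].split()[0])
        elif len(parts) == 3 and parts[0] == "request_header_replace":
            replace[parts[1].lower()] = parts[2].strip()
    return access, replace

def mangle(headers, access, replace):
    """Headers the next hop receives: a rule naming the header decides, else 'All'."""
    out = {}
    for name, value in headers.items():
        action = access.get(name.lower(), access.get("all", "allow"))
        if action == "allow":
            out[name] = value
        elif name.lower() in replace:  # replacement only applies to denied headers
            out[name] = replace[name.lower()]
    return out

def classify(seen):
    """Map what the origin server sees onto the page's three proxy types."""
    names = {n.lower() for n in seen}
    if "x-forwarded-for" in names:
        return "transparent"
    return "anonymous" if "via" in names else "elite"

# Request as a default install forwards it: client headers plus proxy-added ones.
OUTGOING = {"Host": "example.com", "Accept": "*/*", "User-Agent": "curl/8.0",
            "Cookie": "session=abc123", "X-Forwarded-For": "192.0.2.10",
            "Via": "1.1 proxy1.mydomain.net:3128 (squid/2.7.STABLE9)"}

if __name__ == "__main__":
    seen = mangle(OUTGOING, *parse(CUSTOM_CONF))
    print(classify(OUTGOING), "->", classify(seen), seen)
```

The forwarded request goes from transparent to elite, and the Cookie header is dropped by the `All` rule as well, which is one reason the paranoid-style rules cause problems on websites that rely on sessions.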

Post installation

1. Spoof request and response header

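You might also want to spoof a request header such as User-Agent. You can do that with the request_header_replace directive. To spoof a response header, use the reply_header_replace directive. Note that a replacement only takes effect for a header that the matching request_header_access or reply_header_access rule has denied. You can do this by referring to this post.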

2. Post installation

Post-installation covers how to start the proxy on boot, allow it through the firewall, etc. Refer to the complete post-installation guide here.

3. Complete uninstallation

Again, I've already written a tutorial on how to completely uninstall Squid proxy; please refer here for complete uninstallation.

Thoughts

In my opinion, the only way to 'really' anonymize yourself is by browsing through the Tor network. It is not only safe but completely encrypts your network traffic. Using Tor is the best bet. Still, an anonymous elite proxy can give you quick, simple anonymization. Cheers!

Hazmirul Afiq
