# Squid "public" proxy server



## babovand (Apr 7, 2013)

Hi,

As you may or may not know, Iranians have a censored Internet and it is heavily monitored by their government. This makes accessing sites like Facebook and YouTube impossible since the user will be blocked by their filters.

About a month ago they started to block VPN access due to the upcoming election in the country. OpenVPN is and has been blocked for a time.

So I've read about Squid proxy server, and I've been able to run it with basic NCSA auth, since I only want relatives in Iran to be able to access the proxy server. The problem is that I can't seem to make Squid work so I can access it globally, i.e. external access.

I've forwarded a port on my router, and the firewall is not turned on on the machine which is hosting Squid.

Help me fight the censorship! Thank you.

My configuration:

```
#
# Recommended minimum configuration:
#
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 5
auth_param basic realm please sug min den
auth_param basic credentialsttl 2 hours
visible_hostname "freebsd.local"
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 192.168.2.0/24

acl ncsa_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
#acl ncsa_users proxy_auth REQUIRED

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

#http_access allow localnet
#http_access allow localhost
http_access allow ncsa_users

# And finally deny all other access to this proxy
# (posted as "allow all", which lets unauthenticated clients through and
#  defeats the proxy_auth requirement; it must be "deny all")
http_access deny all

# Squid normally listens to port 3128
http_port 5841
#https_port 3129 cert=/usr/local/etc/squid/ssl/squid.crt key=/usr/local/etc/squid/ssl/squid.key

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

dns_nameservers 192.168.2.1 8.8.8.8
cache_effective_user squid
cache_effective_group squid
```


----------



## throAU (Apr 8, 2013)

First thing:  Are any entries logged in the Squid access log file(s) when your relatives attempt to connect?  If you do not see any connection attempts, they are being blocked upstream (probably in Iran).  If you do see connection attempts, then they may help you discover the reason they are not working.

Do they get any error messages displayed in their browser?

If Iran is blocking VPNs, you can be pretty sure they're probably blocking HTTP proxies as well.

If they have spent any real time and effort on blocking, changing the port won't necessarily help, as their firewall will be doing deep packet inspection, and/or random non-commonly-used ports will be blocked.


----------



## SirDice (Apr 8, 2013)

Watch out that you don't accidentally open up the proxy to the rest of the world. Your ideals may be good but there are people out there whose morals aren't. And your proxy is very likely to end up on some spammer's list getting abused to send spam and malware. That's probably something you don't want to happen.


----------



## kpa (Apr 8, 2013)

I would try to set up OpenVPN with static keys on a non-standard listening port; it is practically impossible to detect that the encrypted traffic is in fact OpenVPN traffic when using a static key setup.


----------



## babovand (Apr 8, 2013)

throAU said:

> First thing:  Are any entries logged in the Squid access log file(s) when your relatives attempt to connect?  If you do not see any connection attempts, they are being blocked upstream (probably in Iran).  If you do see connection attempts, then they may help you discover the reason they are not working.
> 
> Do they get any error messages displayed in their browser?

I've not yet given the server address to my relatives since I myself have not gotten it to work, which is why I've posted here. The server is located in Sweden, and I myself live in Sweden; I could not connect to my Squid proxy from my friend's house.



			
				throAU said:
			
		

> If Iran is blocking VPNs, you can be pretty sure they're probably blocking HTTP proxies as well.


Public proxy servers is working fine, thats mainly how I communicate with them now, but as you may know they are very, very slow.



			
				SirDice said:
			
		

> Watch out that you don't accidentally open up the proxy to the rest of the world. Your ideals my be good but there are people out there whose morals aren't. And your proxy is very likely to end up on some spammer's list getting abused to send spam and malware. That's probably something you don't want to happen.



This is why I've 
	
	



```
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
```
. I want to make all users have to auth when using the proxy.



			
				kpa said:
			
		

> I would try to set up OpenVPN with static keys on a non standard listening port, it is practicly impossible to detect that the encrypted traffic is in fact OpenVPN traffic when using a static key set up.



I was not clear, *ALL* OpenVPN traffic is blocked. The Iranian Deep inspection firewall Prevents any form of OpenVPN traffic, the static keys handshake gets blocked.

*To the problem, again.*
I cannot access my proxy server from outside the local network. Dosent matter if i try to access from Iran or another country or a neighboring house, The logs dosent show anything, and Firefox cannot establish a connection to the proxy server, changing the address to the computers LAN IP, 192.168.x.x works.
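A defender-side check for SirDice's open-proxy warning and the "all users have to auth" requirement above, added here as example code (not from the thread or from Squid): it parses native-format Squid access.log lines for requests from outside the posted localnet ranges that were served without a proxy_auth user, and reports the last effective `http_access` rule of a squid.conf. The log lines and config snippet are constructed samples using documentation IP ranges.

```python
import ipaddress
import re

# Native Squid access.log format, one request per line:
# timestamp elapsed client code/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$")

# Mirrors the localnet ACL in the posted squid.conf, plus loopback.
LOCALNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a native Squid access.log line: %r" % line)
    return m.groupdict()

def is_local(client):
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in LOCALNET)

def unauthenticated_external_hits(lines):
    # Served (2xx/3xx) requests from outside localnet with no proxy_auth user
    # ("-" in the user field): what "allow all" after "allow ncsa_users" yields.
    return [rec for rec in map(parse_line, lines)
            if not is_local(rec["client"]) and rec["user"] == "-"
            and 200 <= int(rec["status"]) < 400]

def final_http_access_rule(conf_text):
    # Last effective http_access line; for a closed proxy it should read "deny all".
    rules = [l.split("#", 1)[0].split() for l in conf_text.splitlines()]
    rules = [r for r in rules if r and r[0] == "http_access"]
    return " ".join(rules[-1][1:]) if rules else ""

# Constructed sample data (documentation IP ranges), not real logs or config.
SAMPLE_LOG = [
    "1365379200.101    12 192.168.2.10 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/203.0.113.80 text/html",
    "1365379201.202     0 203.0.113.7 TCP_DENIED/407 3500 GET http://example.com/ - HIER_NONE/- text/html",
    "1365379202.303    40 203.0.113.7 TCP_MISS/200 2048 GET http://example.com/ alice HIER_DIRECT/203.0.113.80 text/html",
    "1365379203.404    55 198.51.100.9 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/203.0.113.80 text/html",
]
SAMPLE_CONF = "http_access allow ncsa_users\n# deny all other access\nhttp_access allow all\n"

if __name__ == "__main__":
    for rec in unauthenticated_external_hits(SAMPLE_LOG):
        print("served without auth from outside localnet:", rec["client"], rec["url"])
    print("final http_access rule:", final_http_access_rule(SAMPLE_CONF))
```

Run it against a real access.log with `unauthenticated_external_hits(open("/var/log/squid/access.log"))` once the proxy is reachable; any hits mean the auth requirement is not being enforced.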


----------



## kpa (Apr 8, 2013)

babovand said:

> I was not clear, *ALL* OpenVPN traffic is blocked. The Iranian deep inspection firewall prevents any form of OpenVPN traffic; the static keys handshake gets blocked.



They must be blocking all unknown traffic in that case, it's simply not possible to detect that the traffic is OpenVPN traffic if static keys are used. The traffic will be just incomprehensible random data to any inspector, human or machine.


----------



## cpm@ (Apr 8, 2013)

Some Iranians use VPN accounts provided by StrongVPN. Consider it like a _secure_ option that works. Also read StrongVPN Setup Instruction Pages - PPTP, L2TP, SSTP and OpenVPN Accounts.


----------

