Add this to squid.conf
#Port Lists
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
or
# Port Lists
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
If users in your network access remote servers on non-standard HTTP/S ports that are not listed in squid.conf, the browser will show an error page:
ERROR
The requested URL could not be retrieved
_____
While trying to retrieve the URL: http://xxx.xxx.xxx.xxx:1000 (this is an example)
The following error was encountered:
* Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
This port restriction helps limit unauthorized requests.
If, after a reboot, squid -k again says it cannot send the stop signal, that means squid.pid is missing.
Check for squid.pid on the system and, if it is missing, here is what I can suggest:
Look at a previous post on this website, then shut down Squid:
squid -k shutdown
Create squid.pid (squid.pid is usually located in the same directory as the log files):
touch squid.pid
Set the permissions of squid.pid to -rw-r--r--:
chmod 644 squid.pid
Set the owner and group of squid.pid to root:squid:
chown root:squid squid.pid
Since the file is empty, we must make Squid rewrite the squid.pid file.
Create the Squid swap directories:
squid -z
Run Squid:
squid
then try rebooting.
When squid.pid is missing or unreadable, the squid -k command does not work (it says it cannot send the stop signal). In that case, kill Squid manually after finding the process ID with ps:
ps ax | grep squid
If there is more than one Squid process, be sure to kill the one that shows up as (squid).
Example:
500 ?? Is 0:00.01 squid -sD
505 ?? S 0:00.27 (squid) -sD (squid)
then kill it:
kill -TERM 505
How to fix this? I learned it with help from the Squid FAQ.
Run Squid again:
squid
then run ps again:
ps ax | grep squid
Find the Squid process that shows up as (squid).
Example: suppose the process ID is 82675 (remember, this is an example).
Create the PID file and put the process ID number in it:
echo 82675 > /usr/local/squid/logs/squid.pid
Note: /usr/local/squid/logs/squid.pid is the location of squid.pid; it is probably different on your machine.
Then take the Squid process ID and send the process a HUP signal, which is the same as squid -k reconfigure:
kill -HUP 82675
The reconfigure creates a new PID file automatically.
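As an added Python example (not from the original post or the Squid FAQ), here are the squid.pid checks above as a script: it picks the PID of the process that ps shows as (squid), refuses to guess when there is not exactly one, classifies an existing squid.pid as missing, unreadable, empty, invalid, stale or ok, and recreates it with the -rw-r--r-- mode from above. The ps output is constructed to match the page's example, and a temporary directory stands in for /usr/local/squid/logs.

```python
import os
import tempfile

# Constructed ps output in the shape shown on the page: the parent
# "squid -sD" and the worker that shows up as "(squid)".
PS_OUTPUT = """\
  500  ??  Is   0:00.01 squid -sD
  505  ??  S    0:00.27 (squid) -sD (squid)
"""

def squid_worker_pid(ps_text):
    """PID of the one process whose command shows as "(squid)"; refuses to
    guess when there is not exactly one, so no signal goes to the wrong process."""
    rows = (line.split(None, 4) for line in ps_text.splitlines())
    pids = [int(r[0]) for r in rows if len(r) == 5 and r[4].startswith("(squid)")]
    if len(pids) != 1:
        raise RuntimeError("expected exactly one (squid) process, found %d" % len(pids))
    return pids[0]

def check_pidfile(path, ps_text):
    """Classify squid.pid: missing, unreadable, empty, invalid, stale or ok."""
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path) as f:
            content = f.read().strip()
    except OSError:
        return "unreadable"
    if not content.isdigit():
        return "empty" if not content else "invalid"
    return "ok" if int(content) == squid_worker_pid(ps_text) else "stale"

def write_pidfile(path, pid):
    """Recreate squid.pid (the page's "echo <pid> > squid.pid") as -rw-r--r--."""
    with open(path, "w") as f:
        f.write("%d\n" % pid)
    os.chmod(path, 0o644)

def demo():
    """Round trip in a temporary directory instead of /usr/local/squid/logs:
    missing, then stale (parent PID written by mistake), then ok."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "squid.pid")
        states = [check_pidfile(path, PS_OUTPUT)]
        write_pidfile(path, 500)                    # the parent, not the worker
        states.append(check_pidfile(path, PS_OUTPUT))
        write_pidfile(path, squid_worker_pid(PS_OUTPUT))
        states.append(check_pidfile(path, PS_OUTPUT))
        return states
```

The script deliberately sends no signal; the HUP (squid -k reconfigure) step from above is still run by hand once the file holds the right PID.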
A few things you need to know about Squid swap directories:
1. Do not erase or delete the swap directories with the Linux delete command. It can leave the swap directories DIRTY.
2. You do not need to erase or delete the Squid swap directories if you have no_cache deny (the squid.conf instruction that makes Squid a no-cache proxy). Squid still needs those swap directories.
3. Shut down Squid before recreating the swap directories.
4. If you recreate the swap directories, disconnect any requests to Squid first. Otherwise it can cause you a problem; in my experience, I could not shut down Squid properly the next time.
Add/modify squid.conf:
#no local caching
maximum_object_size 0 KB
minimum_object_size 0 KB
# specify uncachable requests
acl all src 0.0.0.0/0.0.0.0
no_cache deny all
or
# caches nothing based on time
acl Working time 08:00-16:00
no_cache deny Working
# avoid having a cache directory
cache_dir null /tmp
or
cache_dir null /null
UPDATED
We can't see the latest Yahoo pages if 'header_replace User-Agent' is set to 'unknown' or to an anonymous User-Agent. To avoid this, change it to:
header_replace User-Agent Mozilla/5.0 (en) Gecko/20070515 Firefox/2.0.0.4
or
header_access User-Agent allow all
placed before the final deny-all rule:
header_access All deny all
UPDATED
I managed to make Squid 2.5 a highly anonymous proxy.
# cd /usr/local/etc/squid
# vi squid.conf
Change this in the #Miscellaneous section:
forwarded_for off
[the client IP will not be recognized]
Add this to the #Miscellaneous section:
header_access Allow allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Cookie allow all
header_access Set-Cookie allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access All deny all
header_replace User-Agent anonymous
[the browser will be identified as anonymous]
Save and reboot the server:
# reboot
or re-read squid.conf without restarting:
# squid -k reconfigure
To restore the proxy to its previous setting, add a # in front of the header_replace line to turn it off.
Visit Proxy Blind to check the proxy results.
The proxy will be identified as no proxy or highly anonymous.
Proxy types according to Proxy Blind (description from their site):
No proxy : In this case (the majority of internet users), http requests are sent directly from your machine to the server. There is no privacy or caching benefits. A non-proxied system will display the following information:
REMOTE_ADDR = Your IP
HTTP_VIA = blank
HTTP_X_FORWARDED_FOR = blank
Transparent Proxy: A transparent proxy announces to the world that it's a proxy, and passes on your information. It provides no privacy improvements (except against poorly coded sites that only look at REMOTE_ADDR and not HTTP_X_FORWARDED_FOR). It can provide a benefit by caching frequently accessed pages; many companies also use this system for filtering purposes. A transparent proxy will display the following information:
REMOTE_ADDR = Proxy’s IP
HTTP_VIA = Proxy’s IP
HTTP_X_FORWARDED_FOR = Your IP
Anonymous Proxy: An anonymous proxy offers the caching benefits of a transparent proxy, while hiding your IP address (by replacing it with either the proxy's IP, or a random address). The downside to this approach is that sites that use address detection to establish unique users (online games, voting, some logins) will not be able to distinguish you from others in your domain. Of course, that might be a bonus sometimes. An anonymous proxy will display the following information:
REMOTE_ADDR = Proxy’s IP
HTTP_VIA = Proxy’s IP
HTTP_X_FORWARDED_FOR = Proxy’s IP, or random
Highly Anonymous: A highly anonymous proxy (often known as an elite proxy) makes your system look the same as a non-proxied system (with the proxy server's IP address). This provides the best security; however, all the caveats of an anonymous proxy are still present. In addition, an anonymous proxy's existence can be detected, and the server can suggest workarounds, but there's no way to detect an elite proxy. Again, that may be your goal. A highly anonymous proxy will display the following information:
REMOTE_ADDR = Proxy’s IP
HTTP_VIA = blank
HTTP_X_FORWARDED_FOR = blank