Most corporates route all web traffic through a proxy for logging and auditing, and in some cases they also block certain ports to disable applications such as instant messengers. This tutorial shows how to host a minimal Squid server on Amazon's cloud to secure your traffic: the Squid server acts as the front end for all of your traffic, which will appear to your company's proxy as ordinary HTTP requests.
This also has the added advantage of masking your IP, since the sites you visit will see Amazon's gateway address instead. (A micro instance such as the one used here costs $0.02 per hour.)
1. Log into EC2, click on Launch Instance, then click on AMIs (in the left menu).
2. To keep it simple we'll use one of the recommended instances, an Ubuntu server, ami-056e3e40 (this AMI seems to be no longer active; any Ubuntu machine will do). From the drop-down menus pick All Images and search for that AMI; once it appears, highlight it and click on Launch Instance.
3. Since it's going to be a proxy and doesn't need a lot of processing power, we'll go for one micro instance; additionally, since the proxy will be on all the time, we need to make sure the operational costs are minimal.
4. Click Continue until you reach the Create Key Pair step. If you don't already have a key pair set up, choose the Create New Key Pair radio button (any name will do), then click Create and Download Key Pair.
5. You'll be asked to download a .pem file; download it.
6. For the security group, click on default (we'll configure it later).
7. Finally, click on Launch to have your machine started.
8. Connecting to the VM depends on whether you are using Windows or Linux; I'll assume you are on Windows with PuTTY installed. First you'll need to convert the .pem file to a .ppk file, as follows:
- Open PuTTYgen (it is installed with PuTTY, so if you have PuTTY you have this).
- Click on Load and point it at the .pem file you downloaded.
- Click on Save private key.
- You now have a .ppk file that can be used to connect to your machine.
9. Now you need to configure the security group so that your machine accepts SSH connections, and to open the port Squid will be using later on.
10. Go to the EC2 console, click on Security Groups, and click on the security group you used while setting up the machine (default).
11. Enable SSH connections by adding the following rule (basically it states that anyone can connect on port 22), then click on Save.
12. Check for a port that's allowed out of your company and enable it on the machine as well. Most corporates block the ports typically used by proxies, so to get around that you need to configure your Squid server to accept connections on a "friendly" port; personally I'd recommend port 443 (the HTTPS port). Repeat the same step, but pick HTTPS from the left drop-down menu.
13. Go back to EC2 and click on Instances in the left menu.
16. Expand SSH on the left, then click on Auth to import the key.
18. Click Open to connect to the machine.
19. At the login prompt type ubuntu, and you'll be logged in as ubuntu.
20. Type sudo bash to switch to root.
21. To install Squid, type apt-get install squid.
22. You'll be asked to confirm the download and install; hit Y to do so.
23. Now that Squid is installed, all that's left is to configure it. First take a backup of /etc/squid/squid.conf by typing cp /etc/squid/squid.conf ~
24. Now you need to configure it to do the following:
25. http_port 3128: you have to change this to something more friendly, since most corporate proxies block traffic going out on this port; change it to the friendlier 80. Open the file with vi /etc/squid/squid.conf, search for the port and replace it with 80.
26. The next step is allowing machines from all IPs to connect to this Squid server. By default Squid is configured to accept connections only from the local subnet, so you need to make sure that it accepts connections from elsewhere.
27. Squid uses access lists (acl) to do that. If you want to configure your Squid to accept connections only from a fixed IP you can read further about Squid configuration, but that's out of scope for this tutorial.
28. Basically you define a list of IPs (an acl) and give it a name, then use that name later on to set the permissions for that list. We are going to use one of the built-in acls that includes all possible IPs, which means anyone can connect, so just verify that this acl exists and move to the next step.
29. Now the rules themselves. Every need is different, but we want an unrestrictive proxy, since we are using it merely to secure our traffic rather than filter it. Search for and comment out http_access deny CONNECT !SSL_ports.
30. Allow the all acl to connect. Please note that you may end up with conflicting rules, so you need to be really careful: by default the config file is designed to deny the acl all from everything and allow other acls to certain services. What we are going to do here is comment out the directives that include deny all and modify all the allow directives to allow all.
31. The most important thing is to have the allow-all directive (http_access allow all), which basically means anyone can use your Squid.
32. Once you change the settings you need to force Squid to reload; do this by typing the following as root: squid -k shutdown, followed by squid.
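The squid.conf edits from steps 23 to 32, applied with awk instead of by hand, as an added example that is not part of the original tutorial. It goes one step further than the text: instead of allowing the all acl, it takes a client CIDR (a placeholder here) so that only your office's public IP can use the proxy, which avoids running an open proxy on the internet; passing "all" reproduces the tutorial's open setup. The sample squid.conf is a constructed excerpt of a Squid 3.x default file, not the real one.

```shell
#!/bin/sh
# Added example (not from the original tutorial): automates steps 23-32.
# The sample config below is a constructed excerpt, not a real squid.conf.
# CLIENT_CIDR is a placeholder; "all" gives the tutorial's open-to-everyone
# setup, a /32 of your office's public IP keeps the proxy private.
set -eu

# Write a constructed squid.conf excerpt to $1 (lets the script run offline).
make_sample_conf() {
  cat > "$1" <<'EOF'
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
EOF
}

# configure_squid CONF PORT CLIENT_CIDR
#  - backs up CONF to CONF.bak (step 23)
#  - moves the listener from 3128 to PORT, the "friendly" port (step 25)
#  - comments out "http_access deny CONNECT !SSL_ports" (step 29)
#  - inserts "acl client src CLIENT_CIDR" and "http_access allow client"
#    just before the final "http_access deny all", so rule order is kept
#    and the deny-all line stays as the catch-all (steps 30-31)
configure_squid() {
  conf=$1; port=$2; client=$3
  cp "$conf" "$conf.bak"
  awk -v port="$port" -v client="$client" '
    /^http_port 3128/ { print "http_port " port; next }
    /^http_access deny CONNECT !SSL_ports/ { print "#" $0; next }
    /^http_access deny all/ {
      print "acl client src " client
      print "http_access allow client"
    }
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# On the EC2 box as root, e.g. (203.0.113.10 is a placeholder address):
#   configure_squid /etc/squid/squid.conf 443 203.0.113.10/32
#   squid -k parse && squid -k shutdown && squid
```

squid -k parse only checks the file for syntax errors before the restart from step 32; a mistake in the acl or http_access lines shows up there rather than in cache.log after Squid refuses to start.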
33. Now your Squid server is ready to be used. All you need to do now is open your web browser and set it as your proxy; don't forget to use the custom port you configured earlier.
If you weren't able to connect, troubleshoot the connectivity first, as the custom port you are using may be blocked by your corporation's proxy: try to telnet to the address:port of the proxy, and if you can reach it you can start debugging.
Squid's logs can help with debugging in case you face any problems. They can be found under /var/log/squid/, and there are two main logs to use: cache.log, which records everything related to the server's start/stop, and access.log, which records everything to do with connections. Additionally, you can change the logging level and location by modifying squid.conf and reloading it.