Using squid hosted on EC2 to bypass corporate proxy

Most corporates lock all web traffic behind a proxy for logging and auditing, and in some situations they also block certain ports to disable applications such as IMs. This tutorial shows how to host a minimal Squid server on Amazon's cloud to secure your traffic: the Squid server acts as the front end for all your traffic, which will appear to your company's proxy as plain HTTP requests.

This also has the added advantage of masking your IP, since to the sites you visit you will appear to come from Amazon's gateway. (A micro instance such as the one used here costs $0.02 per hour.)

1. Log into EC2, click on Launch Instance, then click on AMIs (on the left menu).

EC2 dashboard

2. Keeping it simple, we'll use one of the recommended instances, an Ubuntu server, ami-056e3e40 (this AMI seems to be no longer active; any Ubuntu machine would do). From the drop-down menus pick All Images and search for the mentioned AMI; once it appears, highlight it and click on Launch Instance.

click on AMIs from left menu

3. Since it's going to be a proxy and doesn't need a lot of processing power, we'll go for one micro instance; additionally, since the proxy will be on all the time, we need to make sure the operating costs are minimal.

Choose Micro Instance from the drop down menu

4. Click Continue until you reach the Create Key Pair step. If you don't already have a key pair set up, choose the Create New Key Pair radio button (any name will do), then click Create and Download Key Pair.

create a new keypair and name it

5. You'll be asked to download a .pem file; download it.

6. For the security group, click on default (we'll configure it later).

7. Finally click on launch to have your machine started.

8. How you connect to the VM depends on whether you are using Windows or Linux; I'll assume you are using Windows with PuTTY installed. First you need to convert the .pem file to .ppk, which is done as follows:

  • Open PuTTYgen (it gets installed with PuTTY, so if you have PuTTY you have this).
  • Click on Load and point it to the .pem file you downloaded.
  • Click on Save private key.
  • Now you have a .ppk file saved that can be used to connect to your machine.

9. Now you have to configure the security policy so that your machine accepts SSH connections, and to open the port Squid will be using later on.

10. Go to the EC2 console and click on Security Groups, then click on the security policy you used while setting up the machine (default).

11. Enable SSH connections by adding the following rule (basically it states that anyone can connect on port 22), then click on save.

Enable SSH and your custom squid proxy for all src ips

12. Check for a port that's allowed out of your company and enable it on the machine as well. Most corporates block the ports typically used by proxies, so to get around that you need to configure your Squid server to accept connections on a "friendly" port; personally I'd recommend port 443 (the HTTPS port). Repeat the same step, but pick HTTPS from the left drop-down menu.

13. Go back to EC2 and click on Instances on the left menu.

14. Click on your machine to display its details; the details found there can be used to connect.

Copy the machine's public address from the EC2 console

15. Set the IP of the machine in PuTTY.

connect using putty

16. Expand SSH on the left and then click on Auth to import the key.

Use the ppk certificate to authenticate while connecting

17. Browse and point to the .ppk file you created.

18. Click open to be connected to the machine.

19. At the prompt type ubuntu, and you'll be logged in as ubuntu.

20. Type sudo bash to switch to root.

21. To install Squid type apt-get install squid.

22. You'll be asked to confirm the download and install; hit Y to do so.

23. Now Squid is installed, all you need to do is configure it. Take a backup of /etc/squid/squid.conf by typing cp /etc/squid/squid.conf ~

24. Now you need to configure it to do the following:

25. Change http_port 3128 to something friendlier, since most corporate proxies block traffic going out on this port; change it to the friendlier 80. This can be done with vi /etc/squid/squid.conf: search the file for the port and replace it with 80.

26. The next step is allowing machines from all IPs to connect to this Squid server. By default Squid is configured to accept connections only from the local subnet, so you need to make sure it accepts them.

27. Squid uses access lists (acl) to do that. If you want to configure your Squid to accept connections only from a fixed IP you can read further about Squid configuration; however, that is out of scope for this tutorial.

28. Basically you define a list of IPs (an acl) and give it a name, and later use that name to set the permissions for that list. We are going to use one of the built-in acls that includes all possible IPs, which basically means that anyone can connect, so just verify that this acl exists and move to the next step.

29. Now the rules themselves. Every need is different, but we want an unrestrictive proxy since we are using it merely to secure our traffic rather than filter it. Search for and hash out http_access deny CONNECT !SSL_ports.

enable ssl access by hashing out the directive

30. Allow the all acl to connect. Please note that you may end up with conflicting rules, so you need to be really careful: by default the config file is designed to deny the acl all from everything and allow other acls to certain services. What we are going to do here is hash out the directives that include deny all and modify the allow directives to allow all.

31. The most important thing is to have this, which basically means anyone can use your Squid.

Modify directive to enable http access to all

32. Once you change the settings you need to force Squid to reload; you can do this by typing the following as root: squid -k shutdown, followed by squid.
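To make the acl and http_access behaviour of steps 26 to 31 concrete, here is an added example that is not part of the original post: a small Python evaluator of Squid's http_access logic (first matching line wins, every acl on a line must match, and if nothing matches the opposite of the last line applies). It models only the src, port and method acl types, and both config strings are constructed for the demo: OPEN_CONF is what the post's edits leave behind, RESTRICTED_CONF is the "fixed IP" variant step 27 mentions, using the documentation range 203.0.113.0/24 as a stand-in for your own office address.

```python
"""Added example (not from the post): a small evaluator for Squid's http_access
logic.  It shows why "http_access allow all" opens the proxy to anyone and how
a src acl narrows it.  Only the src, port and method acl types are modelled,
and the two config strings are constructed for the demo."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    client: str          # source IP of the client talking to Squid
    port: int            # destination port of the requested URL
    method: str = "GET"  # CONNECT for HTTPS tunnels


@dataclass
class SquidPolicy:
    acls: dict = field(default_factory=dict)   # name -> (type, [values])
    rules: list = field(default_factory=list)  # [(action, [(negated, acl_name), ...])]

    @classmethod
    def parse(cls, text):
        pol = cls()
        pol.acls["all"] = ("src", ["0.0.0.0/0"])  # Squid's built-in 'all' acl (IPv4 demo)
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()   # a hashed-out directive is simply gone
            if not parts:
                continue
            if parts[0] == "acl" and len(parts) >= 4:
                name, kind, values = parts[1], parts[2], parts[3:]
                pol.acls.setdefault(name, (kind, []))[1].extend(values)
            elif parts[0] == "http_access" and len(parts) >= 3:
                terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
                pol.rules.append((parts[1], terms))
        return pol

    def acl_matches(self, name, req):
        kind, values = self.acls[name]
        if kind == "src":
            ip = ipaddress.ip_address(req.client)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if kind == "port":
            for v in values:                        # "443" or a range "1025-65535"
                lo, _, hi = v.partition("-")
                if int(lo) <= req.port <= int(hi or lo):
                    return True
            return False
        if kind == "method":
            return req.method.upper() in {v.upper() for v in values}
        raise ValueError(f"acl type {kind!r} not modelled here")

    def decide(self, req):
        """First matching http_access line wins; every acl on a line must match."""
        if not self.rules:
            return "deny"  # no http_access lines at all: Squid denies everything
        for action, terms in self.rules:
            if all(self.acl_matches(name, req) != negated for negated, name in terms):
                return action
        # Nothing matched: Squid applies the opposite of the last rule's action.
        return "deny" if self.rules[-1][0] == "allow" else "allow"


def world_can_use(conf_text):
    """True if a client from an address you never listed can fetch a plain page."""
    return SquidPolicy.parse(conf_text).decide(Request("198.51.100.7", 80)) == "allow"


# Constructed: what the post's edits leave behind (deny CONNECT hashed out, allow all)
OPEN_CONF = """
http_port 80
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT method CONNECT
#http_access deny CONNECT !SSL_ports
http_access allow all
"""

# Constructed: the same proxy, usable only from your own egress range
# (203.0.113.0/24 is a documentation range standing in for your office address)
RESTRICTED_CONF = """
http_port 80
acl SSL_ports port 443
acl CONNECT method CONNECT
acl myclient src 203.0.113.0/24
http_access deny CONNECT !SSL_ports
http_access allow myclient
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        pol = SquidPolicy.parse(conf)
        print(label, "stranger GET :80 ->", pol.decide(Request("198.51.100.7", 80)))
        print(label, "office CONNECT :443 ->", pol.decide(Request("203.0.113.10", 443, "CONNECT")))
```

The "opposite of the last line" rule is why RESTRICTED_CONF ends with an explicit http_access deny all: without it, a config whose last line is http_access allow myclient still denies strangers, but only implicitly, and the next allow line someone appends silently flips that default.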

33. Now your Squid server is ready to be used. All you need to do is open your web browser and set it as your proxy; don't forget to use the custom port you configured earlier.

If you weren't able to connect, troubleshoot the connectivity, as the custom port you are using may be blocked by your corporation's proxy: try to telnet to the address:port of the proxy, and if you can reach it you can start debugging.

Squid logs can help with debugging in case you face any problems. The logs can be found in /var/log/squid/, and you have two main logs to use: cache.log, which logs everything related to the server's start/stop, and access.log, which logs everything to do with the connections. Additionally you can change the logging level and location by modifying squid.conf and reloading it.
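Since the proxy is reachable by anyone once the allow all rule is in place, access.log is also how you notice that someone other than you is using it. The following is an added example, not code from the post: a Python parser for Squid's default native access.log format (time, elapsed, client, code/status, bytes, method, URL, ident, peer/host, type) that summarises usage per client, lists clients outside the networks you expect (the known_networks argument is the assumption you supply), and flags CONNECT tunnels to ports other than 443, which is exactly the traffic the rule hashed out in step 29 used to block. The log lines are constructed for the demo.

```python
"""Added example (not from the post): parse Squid's native access.log and
summarise who used the proxy.  The sample lines are constructed; the field
order is Squid's default native format:
  time elapsed client code/status bytes method URL ident peer/host type"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

FIELDS = ("time", "elapsed", "client", "result", "bytes", "method",
          "url", "ident", "peer", "type")


def parse_line(line):
    """Turn one native-format access.log line into a dict of typed fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["when"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
    rec["elapsed"] = int(rec["elapsed"])          # milliseconds
    rec["bytes"] = int(rec["bytes"])
    rec["code"], status = rec["result"].split("/", 1)
    rec["status"] = int(status)
    # For CONNECT the "URL" is host:port, which tells you where the tunnel went
    if rec["method"] == "CONNECT":
        _host, _, port = rec["url"].rpartition(":")
        rec["dest_port"] = int(port)
    else:
        rec["dest_port"] = None
    return rec


def summarize(lines, known_networks, ssl_ports=(443,)):
    """Per-client counters, plus clients outside known_networks and odd tunnels."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "connect": 0, "denied": 0})
    odd_tunnels = []   # CONNECT to a non-SSL port: what "deny CONNECT !SSL_ports" stopped
    for line in lines:
        rec = parse_line(line)
        stats = per_client[rec["client"]]
        stats["requests"] += 1
        stats["bytes"] += rec["bytes"]
        if rec["method"] == "CONNECT":
            stats["connect"] += 1
            if rec["dest_port"] not in ssl_ports:
                odd_tunnels.append((rec["client"], rec["url"]))
        if rec["code"] == "TCP_DENIED":
            stats["denied"] += 1
    strangers = sorted(c for c in per_client
                       if not any(ipaddress.ip_address(c) in n for n in nets))
    return {"clients": dict(per_client), "strangers": strangers, "odd_tunnels": odd_tunnels}


# Constructed sample: 203.0.113.10 is "you"; 198.51.100.x are strangers who found the proxy
SAMPLE_LOG = [
    "1325376000.123    245 203.0.113.10 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/93.184.216.34 text/html",
    "1325376001.456   1780 203.0.113.10 TCP_MISS/200 5120 CONNECT mail.example.net:443 - DIRECT/198.51.100.20 -",
    "1325376002.789     15 198.51.100.7 TCP_MISS/200 980 GET http://example.org/ - DIRECT/93.184.216.34 text/html",
    "1325376003.000   3000 198.51.100.7 TCP_MISS/200 70000 CONNECT irc.example.net:6667 - DIRECT/198.51.100.21 -",
    "1325376004.000      2 198.51.100.8 TCP_DENIED/403 3000 GET http://example.com/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, known_networks=["203.0.113.0/24"])
    for client, stats in sorted(report["clients"].items()):
        print(client, stats)
    print("unexpected clients:", report["strangers"])
    print("tunnels to non-SSL ports:", report["odd_tunnels"])
```

On a real instance you would feed it the lines of /var/log/squid/access.log and your own public address as known_networks; a non-empty strangers list means the allow all rule is doing what step 31 says it does.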


15 thoughts on “Using squid hosted on EC2 to bypass corporate proxy”

  1. This is a great guide. One other change you can make is to use Basic Authentication to avoid having your EC2 instance acting as a proxy to the entire world. The extra additions to squid.conf are relatively easy to make.

    • Thanks a lot, my concept here is a one shot disposable proxy that gets terminated after usage thus destroying any traceable logs. there is no intention of keeping it operational for more than few hours at one time, and every time a new Amazon instance name is used so there is no pressing need for authentication. I can however enrich this entry with information about authentication if any one is interested in using it as a full fledged proxy.

  2. Hey, I’ve tried this tutorial, and squid is running ok, but after I try to connect to my proxy I get no response from any server… seems like it’s not working :\ can u help me plz? thanks!

    • Is the proxy service on? /etc/init.d/squid status
      Did you open the port from EC2?
      Did you use a standard proxy port? Perhaps your company is blocking it; try something such as the seemingly innocent port 52/53.
      Did you try telnetting to it?
      I’d have tried to use a wget command from the server with the proxy, placing 127.0.0.1:53 as my proxy, and see what happens.
