Untitled paste
uid HTTP/HTTPS Proxy — Step by Step
Step 0 — What you need
- Your host's public IP (from your provider's dashboard).
- SSH login (user + password or key).
- If host is behind a cloud firewall / security group (AWS, GCP, Oracle, etc.), you'll also open the port there, not just on the OS.
---
Step 1 — SSH into the host
From your own computer's terminal:
ssh youruser@YOUR_SERVER_IP
If you only have root:
ssh root@YOUR_SERVER_IP
▎ Tip: in this Claude session you can run it inline by typing ! ssh youruser@YOUR_SERVER_IP.
---
Step 2 — Update the system
sudo apt update && sudo apt upgrade -y
---
Step 3 — Install Squid + auth tool
sudo apt install -y squid apache2-utils
- squid = the proxy.
- apache2-utils = gives htpasswd for username/password auth.
---
Step 4 — Back up the default config
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
---
Step 5 — Create a proxy user + password
sudo htpasswd -c /etc/squid/passwd proxyuser
- Type a password when prompted.
- Add more users later (drop the -c, which means "create new file"):
sudo htpasswd /etc/squid/passwd seconduser
Lock the file down:
sudo chown proxy:proxy /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd
---
Step 6 — Confirm the auth helper path
ls /usr/lib/squid/basic_ncsa_auth
- If found → use that path below.
- If not found, check the alternate location:
ls /usr/lib64/squid/basic_ncsa_auth
Use whichever path exists in the next step.
---
Step 7 — Write the Squid config
Open it:
sudo nano /etc/squid/squid.conf
Easiest: replace the whole file with this minimal config (delete existing contents, paste this). Change the port and auth path if needed.
# ---- Auth ----
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
# ---- Access rules ----
http_access allow authenticated
http_access deny all
# ---- Listen port ----
http_port 3128
# ---- Privacy: hide that you're a proxy / hide client IP ----
via off
forwarded_for delete
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
# ---- DNS (optional, prevents some leaks) ----
dns_v4_first on
# ---- Logs ----
access_log /var/log/squid/access.log squid
Save in nano: Ctrl+O, Enter, then Ctrl+X.
▎ Security note: http_access deny all AFTER the allow line is required. Without it, an open allow rule = anyone on the internet uses your proxy. Keep the order exactly as shown.
---
Step 8 — Test the config syntax
sudo squid -k parse
No errors = good. Fix typos if it complains.
---
Step 9 — Restart + enable Squid
sudo systemctl restart squid
sudo systemctl enable squid
sudo systemctl status squid --no-pager
Want active (running).
---
Step 10 — Open the firewall
OS firewall (ufw):
sudo ufw allow 3128/tcp
sudo ufw reload
(If ufw is inactive and you want it on: sudo ufw allow OpenSSH first, then sudo ufw enable — do SSH first or you lock yourself out.)
Cloud firewall / security group: in your provider dashboard, add an inbound rule:
- Protocol: TCP
- Port: 3128
- Source: your home IP (best) or 0.0.0.0/0 (any — less safe)
---
Step 11 — Test from your own computer
On your local machine (not the server):
curl -x http://proxyuser:YOURPASSWORD@YOUR_SERVER_IP:3128 https://api.ipify.org
- Returns the server's IP = working.
- 407 Proxy Authentication Required = wrong user/pass.
- Hang/timeout = firewall (Step 10) not open.
---
Step 12 — Use it in a browser/app
Point app HTTP + HTTPS proxy at:
Host: YOUR_SERVER_IP
Port: 3128
User: proxyuser
Pass: YOURPASSWORD
Firefox: Settings → Network Settings → Manual proxy. Chrome: uses system proxy.
---
Hardening (do these — proxy is exposed to internet)
1. Lock source IP. In Step 10 cloud rule, set Source = your IP only. Open proxies get found by scanners in hours and abused.
2. Change the port. 3128 is scanned constantly. Pick a high random port (e.g. 28931), update http_port + firewall + curl test.
3. Watch logs:
sudo tail -f /var/log/squid/access.log
3. Strangers' IPs hitting it = your allow rule or firewall is too open.
4. Strong password. Auth is the only wall between your IP and abuse.
---
Common fails — quick map
┌──────────────────────────┬───────────────────────────────┬─────────────────────────────────┐
│ Symptom │ Cause │ Fix │
├──────────────────────────┼───────────────────────────────┼─────────────────────────────────┤
│ curl times out │ Firewall closed │ Step 10 — OS and cloud rule │
├──────────────────────────┼───────────────────────────────┼─────────────────────────────────┤
│ 407 error │ Bad creds / wrong helper path │ Re-check Step 5 + Step 6 path │
├──────────────────────────┼───────────────────────────────┼─────────────────────────────────┤
│ Squid won't start │ Config typo │ sudo squid -k parse, read error │
├──────────────────────────┼───────────────────────────────┼─────────────────────────────────┤
│ Works local, not remote │ Cloud security group │ Add port in provider dashboard │
├──────────────────────────┼───────────────────────────────┼─────────────────────────────────┤
│ Slow / random IPs in log │ Proxy open to world │ Lock source IP, change port │
└──────────────────────────┴───────────────────────────────┴─────────────────────────────────┘
---
Tell me your provider name ("tube host" = which one?) and I give the exact dashboard firewall steps. Also can add: HTTPS-encrypted proxy (stunnel), caching tuning, or whitelist-only sites.