To set up your own proxy server, you typically install and configure a dedicated proxy software like Squid for HTTP/HTTPS caching, 3proxy for lightweight HTTP/SOCKS, or Dante for robust SOCKS5, by defining listening ports, access controls, and authentication mechanisms on a Linux server.
Setting up a self-hosted proxy server provides control over network traffic, privacy, access to geo-restricted content, or enhanced security for internal networks. The choice of software depends on specific requirements, such as protocol support (HTTP, HTTPS, SOCKS), caching needs, and desired complexity.
General Prerequisites
Before configuring any proxy, ensure your server meets these basic requirements:
* Operating System: A Linux distribution (e.g., Ubuntu, Debian, CentOS) is commonly used.
* Network Access: The server must have appropriate network connectivity and a public IP address if external access is required.
* Firewall Configuration: Open the necessary ports (e.g., 3128 for HTTP, 1080 for SOCKS) on your server's firewall (e.g., ufw, firewalld).
Squid Proxy Server
Squid is a powerful, full-featured caching proxy for web clients, supporting HTTP, HTTPS, FTP, and other protocols. It excels at caching frequently accessed content, reducing bandwidth usage, and improving response times.
Installation (Debian/Ubuntu)
sudo apt update
sudo apt install squid
On CentOS/RHEL: sudo yum install squid or sudo dnf install squid.
Basic Configuration
The primary configuration file is typically located at /etc/squid/squid.conf.
1. Define Listening Port:
Locate or add the http_port directive.
http_port 3128
2. Access Control Lists (ACLs):
Squid uses ACLs to define network segments, users, or other criteria, and http_access rules to apply actions.
```
# Define a local network ACL (replace with your server's local subnet or client's IP)
acl localnet src 192.168.1.0/24 # Example: Allow clients from this subnet
acl localhost src 127.0.0.1/32
# Allow access for defined ACLs
http_access allow localhost
http_access allow localnet
# Deny all other access
http_access deny all
```
To allow access from any IP address (less secure, use with caution and authentication):
```
acl all src 0.0.0.0/0
http_access allow all
```
- Restart Squid:
bash sudo systemctl restart squid sudo systemctl enable squid sudo systemctl status squid
User Authentication (Basic Auth)
Implement basic username/password authentication for enhanced security.
1. Install Apache Utilities (for htpasswd):
bash
sudo apt install apache2-utils
2. Create Password File:
bash
sudo htpasswd -c /etc/squid/passwd yourusername
# Enter and confirm password. To add more users, omit -c:
# sudo htpasswd /etc/squid/passwd anotheruser
3. Configure Squid for Authentication:
Add these lines to squid.conf (e.g., at the top or in the AUTH section):
```
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5 startup=5 idle=1
auth_param basic realm "Squid Proxy Authentication"
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```
Ensure `http_access allow authenticated` appears *before* any `http_access deny all` rules that would block authenticated users.
- Restart Squid.
HTTPS Interception (Transparent Proxy)
Squid can intercept and decrypt HTTPS traffic, which requires generating and trusting a custom SSL certificate on client machines. This is a complex configuration primarily used for corporate environments for content filtering and monitoring, and is generally not recommended for personal use due to security and privacy implications.
3proxy Proxy Server
3proxy is a lightweight, versatile proxy server supporting HTTP, HTTPS (CONNECT), SOCKS4/5, FTP, and other protocols. It is known for its small footprint and flexible configuration.
Installation (Compile from Source)
3proxy is often compiled from source for the latest version and maximum control.
1. Install Build Tools:
bash
sudo apt update
sudo apt install build-essential git
2. Download and Compile:
bash
git clone https://github.com/z3APA3A/3proxy.git
cd 3proxy
make -f Makefile.Linux
sudo make -f Makefile.Linux install
The binaries will typically be installed to /usr/local/bin/3proxy.
Basic Configuration
Create a configuration file, e.g., /etc/3proxy/3proxy.cfg.
1. DNS Resolver:
nserver 8.8.8.8 # Google DNS
nserver 1.1.1.1 # Cloudflare DNS
2. Authentication (if desired):
auth strong
users yourusername:CL:yourpassword # CL for plain text, use hash for production
3. Define Proxies:
* HTTP Proxy:
proxy -p3128
* SOCKS5 Proxy:
socks -p1080
* Combined HTTP and SOCKS:
proxy -p3128
socks -p1080
4. Access Control:
After users and before proxy/socks lines:
allow yourusername # Allow only specified user
# Or to allow all authenticated users:
# allow *
# Or to allow from specific IP:
# allow 192.168.1.0/24
A basic, less secure configuration allowing anyone from anywhere:
allow * *
proxy -p3128
socks -p1080
5. Start 3proxy:
bash
/usr/local/bin/3proxy /etc/3proxy/3proxy.cfg
For background operation, use start 3proxy /etc/3proxy/3proxy.cfg within the config file, or use systemd for proper service management.
Systemd Service (Optional)
Create /etc/systemd/system/3proxy.service:
[Unit]
Description=3proxy Proxy Server
After=network.target
[Service]
ExecStart=/usr/local/bin/3proxy /etc/3proxy/3proxy.cfg
Restart=always
User=nobody # Run as a non-privileged user
[Install]
WantedBy=multi-user.target
Then:
sudo systemctl daemon-reload
sudo systemctl enable 3proxy
sudo systemctl start 3proxy
sudo systemctl status 3proxy
Dante SOCKS Server
Dante is a robust SOCKS proxy server primarily supporting SOCKS4 and SOCKS5. It is known for its stability and performance, making it suitable for high-traffic SOCKS tunneling.
Installation (Debian/Ubuntu)
sudo apt update
sudo apt install dante-server
On CentOS/RHEL: sudo yum install dante-server or sudo dnf install dante-server.
Basic Configuration
The main configuration file is /etc/danted.conf.
1. Define Network Interfaces and Ports:
logoutput: stderr
internal: eth0 port = 1080 # Replace eth0 with your server's internal interface name
external: eth0 # Replace eth0 with your server's external interface name
If you only have one interface, use it for both internal and external.
2. User Privileges:
user.privileged: root
user.notprivileged: nobody
3. Authentication Methods:
For username/password authentication, Dante uses system users.
socksmethod: username none
username requires client authentication, none allows unauthenticated access.
4. Access Rules:
Define client rules (who can connect to the proxy) and socks rules (what traffic the proxy will forward).
```
# Client rule: Allow anyone to connect to the proxy
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
socksmethod: username none # Apply authentication methods defined above
}
# SOCKS rule: Allow proxy to forward traffic anywhere
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
socksmethod: username none
}
```
To restrict client access to a specific IP range:
```
client pass {
from: 192.168.1.0/24 to: 0.0.0.0/0
socksmethod: username none
}
```
- Create System User for Authentication:
Ifsocksmethod: usernameis used, create a system user (without home directory or shell access for security).
bash sudo adduser --no-create-home --shell /usr/sbin/nologin proxyuser # Set a strong password for proxyuser - Restart Dante:
bash sudo systemctl restart danted sudo systemctl enable danted sudo systemctl status danted
Comparison Table: Squid vs. 3proxy vs. Dante
| Feature | Squid | 3proxy | Dante SOCKS Server |
|---|---|---|---|
| Type | HTTP/HTTPS, Caching, Forward/Reverse | HTTP, HTTPS (CONNECT), SOCKS4/5, FTP | SOCKS4/5 |
| Complexity | Medium to High (due to extensive features) | Low to Medium (compact configuration) | Medium (robust SOCKS implementation) |
| Primary Use | Web caching, content filtering, access control | Lightweight proxy, SOCKS gateway, versatile | High-performance SOCKS proxy, tunneling |
| Performance | High (especially with caching) | Very lightweight, efficient | High, optimized for SOCKS traffic |
| Authentication | Basic, Digest, NTLM, external helpers | Basic, NTLM, IP-based, external helpers | Username/password (system users), IP-based |
| OS Support | Linux, FreeBSD, Windows (via Cygwin) | Linux, Windows, BSD, macOS | Linux, FreeBSD, Solaris, macOS |
| Configuration | Extensive, granular, text-based | Compact, script-like, text-based | Text-based, clear sections |
General Security and Performance Considerations
- Firewall: Always configure your server's firewall (e.g.,
ufw,firewalld) to only allow incoming connections to the proxy port(s) from trusted IPs or IP ranges. - Authentication: Use strong, unique passwords for proxy authentication. For public-facing proxies, always enable authentication.
- Least Privilege: Run proxy services under a dedicated, non-privileged user (e.g.,
nobodyor a custom user) to limit potential damage in case of a compromise. - Monitoring: Regularly review proxy logs for unusual activity and monitor server resources (CPU, RAM, network I/O) to identify performance bottlenecks or potential attacks.
- Updates: Keep your proxy software and operating system up to date to patch security vulnerabilities.
- Hardware: Ensure the server has adequate CPU, RAM, and network bandwidth for the expected load. For Squid with heavy caching, SSD storage is beneficial.