Reputation: 11
So I'm trying to set up a squid proxy that doesn't show up as a proxy on websites. I've tried different settings on my squid.conf but it's not working. I'm getting confused with the terms transparent proxy and anonymous proxy so I'm not really sure what settings I'm looking for. The settings I currently have on my conf, apart from me allowing myself to use the proxy and what port I want to use, are:
via off
forwarded_for off
header_access From deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
I'm not sure what all of these do, but after adding these it did affect the http://www.whatsmyip.org/more-info-about-you/ page, displaying less information, so I guess it's a start. More specifically, I would like the proxy to appear like a normal user on the web.
Any help would be appreciated, Thanks.
Upvotes: 0
Views: 3318
Reputation: 126
First, I think it would help to understand the difference between HTTP request headers and reply headers. Request headers are built mostly by your browser, and identify the type of browser, its capabilities, the object being requested, the responses it is prepared to request, and sometimes supply things like authentication credentials and cookies. Response headers are returned by the web server to the client, and can also be added/changed by intermediate systems along the way, usually load balancers and proxies. To get an idea, use the Inspect Element tool in Firefox or Chrome, switch to the network tab, then surf your favourite site. Click on an object that's been requested and have a look at the Response & Request headers to get an idea of the typical information found in there. A good guide is here.
To clear up another point of confusion, the difference between a transparent proxy and anonymizing proxy:
A transparent proxy is one which is connected inline, usually to avoid needing any specific configuration on the client. One common approach is to run Squid on a Linux box which is also performing NAT, and redirect outbound web requests into the Squid process using iptables. An alternative approach is to set up a Cisco router to deliver traffic to Squid using WCCP. In both cases, a client will only know it has been routed through a proxy by examining the HTTP response headers, usually by looking at the Via: line. Each proxy which serves a request will append its hostname to this header field as it passes the request back to the client. It's possible to configure Squid to not append itself to this header, or to avoid passing specific header data back to the client entirely, thus "hiding" itself from view, of the client at least. See Squid's documentation for reply_header_access for more information.
In contrast to the focus on the responses above (ie, what gets returned to the client), an anonymising proxy is just a proxy which has been configured with the aim of not passing any information about clients upstream to foreign websites. In a similar way to the Via: HTTP reply header described above, by default a proxy will include an "X-Forwarded-For" HTTP request header to identify the local IP of the client which initiated the request. Often, this will send private IP addressing to remote websites, which some network administrators consider to be a security risk. For this reason, Squid includes an option to turn it off (forwarded_for), which your configuration snippet takes advantage of.
The rest of your config snippet just identifies a bunch of HTTP headers and prevents Squid from sending them upstream. If the aim is to prevent leakage of information from your local network up to external websites, then preventing some of these from being sent makes sense (Forwarded-For, X-Forwarded-For). Omission of other headers would likely interfere with effective co-ordination between the browser & webserver, eg Link, Pragma and Keep-Alive, and should be avoided. And I'm not sure why Via: is in there, as it's a reply (not a request) header.
Let's flip it around. Start with the basics: prevent Squid sending the X-Forwarded-For header by specifying forwarded_for off (which you have already done). Then identify the websites you don't trust, along with the headers you don't want to send to them, and limit that behaviour to just those domains, eg:
acl untrusted-domains dstdomain .baddomain.com .anotherbaddomain.net
header_access X-Cache-Lookup deny untrusted-domains
If there are some websites you didn't trust, I could understand preventing their transmission to specific destinations, but as it stands your configuration would strip all those headers from every request travelling through your proxy, and likely cause a lot of compatibility problems, without providing any appreciable benefit in terms of privacy or security.
Upvotes: 1
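An added example, not part of the answer above or of Squid itself: a small Python audit of a squid.conf that sorts each header-stripping rule into the groups the answer describes and reports whether it applies to all traffic or only to a named ACL. The sample configuration is constructed from the lines quoted in the question and the answer; the function names and group labels are assumptions made for illustration.

```python
import re

# Header groups as the answer above sorts them; any other header is "other".
CLIENT_INFO = {"x-forwarded-for", "forwarded-for"}  # reveal the client behind the proxy
COORDINATION = {"link", "pragma", "keep-alive"}     # browser/server coordination
RULE = re.compile(
    r"^(header_access|request_header_access|reply_header_access)"
    r"\s+(\S+)\s+(allow|deny)\s+(.+)$")

def audit(conf_text):
    """Return one finding per 'deny' header rule found in a squid.conf text."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())  # ignore comments
        if not m or m.group(3) != "deny":
            continue
        header, acls = m.group(2), m.group(4).split()
        name = header.lower()
        kind = ("client-info" if name in CLIENT_INFO
                else "coordination" if name in COORDINATION else "other")
        # A rule whose only ACL is the built-in "all" hits every request.
        scope = "global" if acls == ["all"] else "scoped"
        findings.append({"line": lineno, "header": header,
                         "kind": kind, "scope": scope})
    return findings

def risky(findings):
    """Headers the answer says to keep that are stripped from all traffic."""
    return [f["header"] for f in findings
            if f["kind"] == "coordination" and f["scope"] == "global"]

# Constructed sample: the question's rules followed by the answer's scoped rule.
QUESTION_HEADERS = ("From Server WWW-Authenticate Link Cache-Control "
                    "Proxy-Connection X-Cache X-Cache-Lookup Via Forwarded-For "
                    "X-Forwarded-For Pragma Keep-Alive").split()
SAMPLE = ("via off\nforwarded_for off\n"
          + "".join(f"header_access {h} deny all\n" for h in QUESTION_HEADERS)
          + "acl untrusted-domains dstdomain .baddomain.com .anotherbaddomain.net\n"
          + "header_access X-Cache-Lookup deny untrusted-domains\n")

if __name__ == "__main__":
    results = audit(SAMPLE)
    for f in results:
        print(f"line {f['line']:>2}: {f['header']:<18} {f['kind']:<13} {f['scope']}")
    print("stripped globally, likely to break sites:", risky(results))
```
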