Squid proxy server has a directive called forwarded_for. If set, Squid will include your system’s IP address or a name of the HTTP requests it forwards. By default it looks like
this:
X-Forwarded-For: 191.1.2.5If you disable this (set to “off“), it will appear as
X-Forwarded-For: unknownIf set to “transparent“, Squid will not alter the X-Forwarded-For header in any way. If set to “delete“, Squid will delete the entire X-Forwarded-For header. If set to “truncate“, Squid will remove all existing X-Forwarded-For entries, and place the client IP as the sole entry.
Configuration
Open squid.conf file:
# vi squid.conf
Or (for squid version 3)
# vi /etc/squid3/squid.conf
Set forwarded_for to off:
forwarded_for off
OR set it to delete:
forwarded_for delete
Save and close the file.
Reload squid server
You need to restart the squid server, enter:
# /etc/init.d/squid restart
OR
# squid -k reconfigure
For squid version 3, run:
# squid3 -k reconfigure
Here are my options:
# Hide client ip # forwarded_for delete # Turn off via header # via off # Deny request for original source of a request follow_x_forwarded_for deny all # See below request_header_access X-Forwarded-For deny all
Say hello to request_header_access
By default, all headers are allowed (no anonymizing is performed for privacy). You can anonymize outgoing HTTP headers (i.e. headers sent by Squid to the following HTTP hop such as a cache peer or an origin server) to create the standard or paranoid experience. The following option are only tested on squid server version 3.x:
Squid standard anonymizer privacy experience
Set the following options in squid3.conf:
request_header_access From deny all request_header_access Referer deny all request_header_access User-Agent deny all
Save and close the file. Do not forget to restart the squid3 as described above.
Squid standard privacy experience
Set the following options in squid3.conf:
request_header_access Authorization allow all request_header_access Proxy-Authorization allow all request_header_access Cache-Control allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Connection allow all request_header_access All deny all
Save and close the file. Do not forget to restart the squid3 as described above.
🐧 9 comments so far... add one ↓
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
another way of doing this is to just block most of the headers generated by squid , except for a few that are really necessary.
Look for the “paranoid” header_access configuration in squid.conf
hi, friends!
Very good.
Thank you!!!
Its better to use ‘squid -k reconfigure’ rather thant restarting squid as it wont have to stop the cache, so its almost instant.
Agree with Protocol, I prefer to use ‘squid -k reconfigure’, fast and much better than restarting squid
I’m also trying to hide my WAN ip. When I go to whatismyip.com, it still shows my WAN IP no matter what. Any additional ideas to try?
I run squid on the same local machine I use to browse the web. So squid runs on 127.0.0.1:3128
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access All deny all
This ip is not sent in the http header, it comes from the ip-connection direct and cannot be hidden;
so running squid anonymous or hide IP is not possible using an IP-connection?
I have the below mentioned setup:
User Machine>>>>>>Proxy Server>>>>>Firewall>>>>Internet
a.a.a.a b.b.b.b
When i use the Proxy on Agent Machine traffic to Firewall hits from Proxy Public IP. I want the machine Local IP to Hit the Firewall instead of Proxy IP required for Compliance . Can this be achievable if Yes then what needs to be changed in the Squid Configuration
If you do not want header “X-Forwarded-For: unknown” at all to use proxy anonymously use:
forwarded_for delete