How to enable SOCKS5 for Squid proxy? – Server Fault
Squid’d default is to operate as an HTTP proxy; however, this FAQ says “No changes are necessary to use Squid with socks5. Simply add the usual -Dbind=SOCKSbind etc., to the compile line and -lsocks to the link line. ”
That sounds great and all except that I don’t code c/c++ beyond knowing the basic syntax so typically when I compile something, it’s. /configure and. /make. Occasionally I have to modify a makefile’s compile line but I’m not sure about linking here (Though I get the concept of linking).
It’s also a bit confusing to interpret exactly what to do by “add the usual X etc., ” so if someone could point out the exact steps here it would be a great help since they don’t seem to be detailed anywhere. It doesn’t sound hard.
I already have squid compiled and running properly for HTTP connections but SOCKS support is a must.
asked Dec 14 ’16 at 4:09
xendixendi3445 gold badges6 silver badges21 bronze badges
Have a look at this page. It talks about squid socks support and how you can build it to support SOCKS connections. The status is “testing”. So, you may need to think about using it for production.
When building squid, you need to define these variables:
export CFLAGS=” -Dbind=SOCKSbind ”
export CXXFLAGS=” -Dbind=SOCKSbind ”
export LDADD=” -lsocks ”
to modify build and link options.
Also, you can pass these variables to configure script. If you have already built squid, you can find out the current values using squid -v. This will show you squid version along with configure and build options.
answered Dec 14 ’16 at 8:17
KhaledKhaled34. 8k7 gold badges64 silver badges97 bronze badges
Not the answer you’re looking for? Browse other questions tagged proxy squid socks or ask your own question.
Squid (software) – Wikipedia
SquidDeveloper(s)Duane Wessels, Henrik Nordström, Amos Jeffries, Alex Rousskov, Francesco Chemolli, Robert Collins, Guido Serassio and volunteers[1]Initial releaseJuly 1996Stable release4. 15[2]
/ 10 May 2021; 4 months agoRepository inC++Operating systemBSD, Linux, Unix, Windows[3]TypeProxy serverLicenseGNU GPLv2[4]Website
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, [6] TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.
Squid was originally designed to run as a daemon on Unix-like systems. A Windows port was maintained up to version 2. 7. New versions available on Windows use the Cygwin environment. [7] Squid is free software released under the GNU General Public License.
History[edit]
Squid was originally developed as the Harvest object cache, [8] part of the Harvest project at the University of Colorado Boulder. [9][10] Further work on the program was completed at the University of California, San Diego and funded via two grants from the National Science Foundation. [11] Duane Wessels forked the “last pre-commercial version of Harvest” and renamed it to Squid to avoid confusion with the commercial fork called Cached 2. 0, which became NetCache. [12][13] Squid version 1. 0. 0 was released in July 1996. [12]
Squid is now developed almost exclusively through volunteer efforts.
Basic functionality[edit]
After a Squid proxy server is installed, web browsers can be configured to use it as a proxy HTTP server, allowing Squid to retain copies of the documents returned, which, on repeated requests for the same documents, can reduce access time as well as bandwidth consumption. This is often useful for Internet service providers to increase speed to their customers, and LANs that share an Internet connection. Because the caching servers are controlled by the web service operator, caching proxies do not anonymize the user and should not be confused with anonymizing proxies.
A client program (e. g. browser) either has to specify explicitly the proxy server it wants to use (typical for ISP customers), or it could be using a proxy without any extra configuration: “transparent caching”, in which case all outgoing HTTP requests are intercepted by Squid and all responses are cached. The latter is typically a corporate set-up (all clients are on the same LAN) and often introduces the privacy concerns mentioned above.
Squid has some features that can help anonymize connections, such as disabling or changing specific header fields in a client’s HTTP requests. Whether these are set, and what they are set to do, is up to the person who controls the computer running Squid. People requesting pages through a network which transparently uses Squid may not know whether this information is being logged. [14] Within UK organisations at least, users should be informed if computers or internet connections are being monitored. [15]
Reverse proxy[edit]
The above setup—caching the contents of an unlimited number of webservers for a limited number of clients—is the classical one. Another setup is “reverse proxy” or “webserver acceleration” (using _port 80 accel vhost). In this mode, the cache serves an unlimited number of clients for a limited number of—or just one—web servers.
As an example, if is a “real” web server, and is the Squid cache server that “accelerates” it, the first time any page is requested from, the cache server would get the actual page from, but later requests would get the stored copy directly from the accelerator (for a configurable period, after which the stored copy would be discarded). The end result, without any action by the clients, is less traffic to the source server, meaning less CPU and memory usage, and less need for bandwidth. This does, however, mean that the source server cannot accurately report on its traffic numbers without additional configuration, as all requests would seem to have come from the reverse proxy. A way to adapt the reporting on the source server is to use the X-Forwarded-For HTTP header reported by the reverse proxy, to get the real client’s IP address.
It is possible for a single Squid server to serve both as a normal and a reverse proxy simultaneously. For example, a business might host its own website on a web server, with a Squid server acting as a reverse proxy between clients (customers accessing the website from outside the business) and the web server. The same Squid server could act as a classical web cache, caching HTTP requests from clients within the business (i. e., employees accessing the internet from their workstations), so accelerating web access and reducing bandwidth demands.
Media-range limitations[edit]
For example, a feature of the HTTP protocol is to limit a request to the range of data in the resource being referenced. This feature is used extensively by video streaming websites such as YouTube, so that if a user clicks to the middle of the video progress bar, the server can begin to send data from the middle of the file, rather than sending the entire file from the beginning and the user waiting for the preceding data to finish loading.
Partial downloads are also extensively used by Microsoft Windows Update so that extremely large update packages can download in the background and pause halfway through the download, if the user turns off their computer or disconnects from the Internet.
The Metalink download format enables clients to do segmented downloads by issuing partial requests and spreading these over a number of mirrors.
Squid can relay partial requests to the origin web server. In order for a partial request to be satisfied at a fast speed from cache, Squid requires a full copy of the same object to already exist in its storage.
If a proxy video user is watching a video stream and browses to a different page before the video completely downloads, Squid cannot keep the partial download for reuse and simply discards the data. Special configuration is required to force such downloads to continue and be cached. [16]
Supported operating systems[edit]
Squid can run on the following operating systems:
AIX
BSDI
Digital Unix
FreeBSD
HP-UX
IRIX
Linux
macOS
NetBSD
NeXTStep
OpenBSD
OS/2 (including ArcaOS and eComStation)[17]
SCO OpenServer
Solaris
UnixWare
Windows[18]
See also[edit]
Web accelerator which discusses host-based HTTP acceleration
Proxy server which discusses client-side proxies
Reverse proxy which discusses origin-side proxies
Comparison of web servers
References[edit]
^ “Who looks after the Squid project? “.
^ “Squid version 4”. Retrieved 5 June 2021.
^ “What is the Best OS for Squid? “.
^ “Squid License”.
^ “Squid Project Logo”. Retrieved 6 July 2014.
^ “Squid FAQ: About Squid”. 13 February 2007. Archived from the original on 29 December 2007. Retrieved 13 February 2007.
^ “Squid 3. 5 for Windows”. February 2019. Current build is based on Squid 3. 5. 1 build for Cygwin Windows 64 bit
^ Bowman, Peter B. Danzig, Darren R. Hardy, Udi Manper, Michael F. Schwartz, The Harvest information discovery and access system, Computer Networks and ISDN Systems, Volume 28, Issues 1–2, December 1995, Pages 119–125. doi:10. 1016/0169-7552(95)00098-5
^ Squid intro, on the Squid website
^ Harvest cache now available as an “d accelerator”, by Mike Schwartz on the -wg mailing list, Tue, 4 April 1995, as forwarded by Brian Behlendorf to the Apache HTTP Server developers’ mailing list
^ “Squid Sponsors”. Archived from the original on 11 May 2007. Retrieved 13 February 2007. The NSF was the primary funding source for Squid development from 1996–2000. Two grants (#NCR-9616602, #NCR-9521745) received through the Advanced Networking Infrastructure and Research (ANIR) Division were administered by the University of California San Diego
^ a b Duane Wessels Squid and ICP: Past, Present, and Future, Proceedings of the Australian Unix Users Group. September 1997, Brisbane, Australia
^ “”. Archived from the original on 12 November 1996. Retrieved 7 August 2012.
^ See the documentation for header_access and header_replace for further details.
^ See, for example, Computer Monitoring In The Workplace and Your Privacy
^ “Squid Configuration Reference”. Retrieved 26 November 2012.
^ OS/2 Ports by Paul Smedley, OS/2 Ports
^
Further reading[edit]
Wessels, Duane (2004). Squid: The Definitive Guide. O’Reilly Media. ISBN 978-0-596-00162-9.
Saini, Kulbir (2011). Squid Proxy Server 3. 1: Beginner’s Guide. Packt Publishing. ISBN 978-1-849-51390-6.
External links[edit]
Official website
Squid Blog
Squid User’s Guide
Squid Transparent Proxy For DD-WRT
Squid reverse proxy — Create a reverse proxy with Squid
Configuration Manual — ViSolve Squid Configuration Manual Guide
Configuration Manual — Authoritative Squid Configuration Options
“Solaris Setup”. Archived from the original on 15 January 2008. — Setup squid on solaris
SQUID – Installation on CentOS, Fedora and Red Hat
SOCKS – Wikipedia
SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.
SOCKS performs at Layer 5 of the OSI model (the session layer, an intermediate layer between the presentation layer and the transport layer). A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928. [1]
History[edit]
The protocol was originally developed/designed by David Koblas, a system administrator of MIPS Computer Systems. After MIPS was taken over by Silicon Graphics in 1992, Koblas presented a paper on SOCKS at that year’s Usenix Security Symposium, [2] making SOCKS publicly available. [3] The protocol was extended to version 4 by Ying-Da Lee of NEC.
The SOCKS reference architecture and client are owned by Permeo Technologies, [4] a spin-off from NEC. (Blue Coat Systems bought out Permeo Technologies. )
The SOCKS5 protocol was originally a security protocol that made firewalls and other security products easier to administer. It was approved by the IETF in 1996 as RFC 1928 (authored by: M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, and L. Jones). The protocol was developed in collaboration with Aventail Corporation, which markets the technology outside of Asia. [5]
Usage[edit]
SOCKS is a de facto standard for circuit-level gateways (level 5 gateways). [6]
The circuit/session level nature of SOCKS make it a versatile tool in forwarding any TCP (or UDP since SOCKS5) traffic, creating a good interface for all types of routing tools. It can be used as:
A circumvention tool, allowing traffic to bypass Internet filtering to access content otherwise blocked, e. g., by governments, workplaces, schools, and country-specific web services. [7] Since SOCKS is very detectable, a common approach is to present a SOCKS interface for more sophisticated protocols:
The Tor onion proxy software presents a SOCKS interface to its clients. [8]
Providing similar functionality to a virtual private network, allowing connections to be forwarded to a server’s “local” network:
Some SSH suites, such as OpenSSH, support dynamic port forwarding that allows the user to create a local SOCKS proxy. [9] This can free the user from the limitations of connecting only to a predefined remote port and server.
Protocol[edit]
SOCKS4[edit]
A typical SOCKS4 connection request looks like this:
First packet to server
VER
CMD
DSTPORT
DSTIP
ID
Byte Count
1
2
4
Variable
SOCKS version number, 0x04 for this version
command code:
0x01 = establish a TCP/IP stream connection
0x02 = establish a TCP/IP port binding
2-byte port number (in network byte order)
DESTIP
IPv4 Address, 4 bytes (in network byte order)
the user ID string, variable length, null-terminated.
Response packet from server
VN
REP
reply version, null byte
reply code
Byte
Meaning
0x5A
Request granted
0x5B
Request rejected or failed
0x5C
Request failed because client is not running identd (or not reachable from server)
0x5D
Request failed because client’s identd could not confirm the user ID in the request
destination port, meaningful if granted in BIND, otherwise ignore
destination IP, as above – the ip:port the client should bind to
For example, this a SOCKS4 request to connect Fred to 66. 102. 7. 99:80, the server replies with an “OK”:
Client: 0x04 | 0x01 | 0x00 0x50 | 0x42 0x66 0x07 0x63 | 0x46 0x72 0x65 0x64 0x00
The last field is “Fred” in ASCII, followed by a null byte.
Server: 0x00 | 0x5A | 0xXX 0xXX | 0xXX 0xXX 0xXX 0xXX
0xXX can be any byte value. The SOCKS4 protocol specifies that the values of these bytes should be ignored.
From this point onwards, any data sent from the SOCKS client to the SOCKS server is relayed to 66. 99, and vice versa.
The command field may be 0x01 for “connect” or 0x02 for “bind”; the “bind” command allows incoming connections for protocols such as active FTP.
SOCKS4a[edit]
SOCKS4a extends the SOCKS4 protocol to allow a client to specify a destination domain name rather than an IP address; this is useful when the client itself cannot resolve the destination host’s domain name to an IP address. It was proposed by Ying-Da Lee, the author of SOCKS4. [10]
The client should set the first three bytes of DSTIP to NULL and the last byte to a non-zero value. (This corresponds to IP address 0. 0. x, with x nonzero, an inadmissible destination address and thus should never occur if the client can resolve the domain name. ) Following the NULL byte terminating USERID, the client must send the destination domain name and terminate it with another NULL byte. This is used for both “connect” and “bind” requests.
Client to SOCKS server:
SOCKS4_C
DOMAIN
8+variable
variable
SOCKS4 client handshake packet (above)
the domain name of the host to contact, variable length, null (0x00) terminated
Server to SOCKS client: (Same as SOCKS4)
A server using protocol SOCKS4a must check the DSTIP in the request packet. If it represents address 0. x with nonzero x, the server must read in the domain name that the client sends in the packet. The server should resolve the domain name and make connection to the destination host if it can.
SOCKS5[edit]
The SOCKS5 protocol is defined in RFC 1928. It is an incompatible extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The initial handshake consists of the following:
Client connects and sends a greeting, which includes a list of authentication methods supported.
Server chooses one of the methods (or sends a failure response if none of them are acceptable).
Several messages may now pass between the client and the server, depending on the authentication method chosen.
Client sends a connection request similar to SOCKS4.
Server responds similar to SOCKS4.
The initial greeting from the client is:
Client greeting
NAUTH
AUTH
Byte count
SOCKS version (0x05)
Number of authentication methods supported, uint8
Authentication methods, 1 byte per method supported
The authentication methods supported are numbered as follows:
0x00: No authentication
0x01: GSSAPI (RFC 1961
0x02: Username/password (RFC 1929)
0x03–0x7F: methods assigned by IANA[11]
0x03: Challenge-Handshake Authentication Protocol
0x04: Unassigned
0x05: Challenge-Response Authentication Method
0x06: Secure Sockets Layer
0x07: NDS Authentication
0x08: Multi-Authentication Framework
0x09: JSON Parameter Block
0x0A–0x7F: Unassigned
0x80–0xFE: methods reserved for private use
Server choice
CAUTH
chosen authentication method, or 0xFF if no acceptable methods were offered
The subsequent authentication is method-dependent. Username and password authentication (method 0x02) is described in RFC 1929:
Client authentication request, 0x02
IDLEN
PWLEN
PW
(1-255)
0x01 for current version of username/password authentication
IDLEN, ID
Username length, uint8; username as bytestring
PWLEN, PW
Password length, uint8; password as bytestring
Server response, 0x02
STATUS
0x00 success, otherwise failure, connection must be closed
After authentication the connection can proceed. We first define an address datatype as:
SOCKS5 address
TYPE
ADDR
type of the address. One of:
0x01: IPv4 address
0x03: Domain name
0x04: IPv6 address
the address data that follows. Depending on type:
4 bytes for IPv4 address
1 byte of name length followed by 1–255 bytes for the domain name
16 bytes for IPv6 address
Client connection request
RSV
DSTADDR
0x01: establish a TCP/IP stream connection
0x02: establish a TCP/IP port binding
0x03: associate a UDP port
reserved, must be 0x00
destination address, see the address structure above.
port number in a network byte order
BNDADDR
BNDPORT
status code:
0x00: request granted
0x01: general failure
0x02: connection not allowed by ruleset
0x03: network unreachable
0x04: host unreachable
0x05: connection refused by destination host
0x06: TTL expired
0x07: command not supported / protocol error
0x08: address type not supported
server bound address (defined in RFC 1928) in the “SOCKS5 address” format specified above
server bound port number in a network byte order
Since clients are allowed to use either resolved addresses or domain names, a convention from cURL exists to label the domain name variant of SOCKS5 “socks5h”, and the other simply “socks5”. A similar convention exists between SOCKS4a and SOCKS4. [12]
Software[edit]
Servers[edit]
SOCKS proxy server implementations[edit]
Sun Java System Web Proxy Server is a caching proxy server running on Solaris, Linux and Windows servers that support HTTPS, NSAPI I/O filters, dynamic reconfiguration, SOCKSv5 and reverse proxy.
WinGate is a multi-protocol proxy server and SOCKS server for Microsoft Windows which supports SOCKS4, SOCKS4a and SOCKS5 (including UDP-ASSOCIATE and GSSAPI auth). It also supports handing over SOCKS connections to the HTTP proxy, so can cache and scan HTTP over SOCKS.
Socksgate5 SocksGate5 is an application-SOCKS firewall with inspection feature on Layer 7 of the OSI model, the Application Layer. Because packets are inspected at 7 OSI Level the application-SOCKS firewall may search for protocol non-compliance and blocking specified content.
Dante is a circuit-level SOCKS server that can be used to provide convenient and secure network connectivity, requiring only the host Dante runs on to have external network connectivity. [13]
Other programs providing SOCKS server interface[edit]
OpenSSH allows dynamic creation of tunnels, specified via a subset of the SOCKS protocol, supporting the CONNECT command.
PuTTY is a Win32 SSH client that supports local creation of SOCKS (dynamic) tunnels through remote SSH servers.
ShimmerCat[14] is a web server that uses SOCKS5 to simulate an internal network, allowing web developers to test their local sites without modifying their /etc/hosts file.
Tor is a system intended to enable online anonymity. Tor offers a TCP-only SOCKS server interface to its clients.
Shadowsocks is a circumvent censorship tool. It provides a SOCKS5 interface.
Clients[edit]
Client software must have native SOCKS support in order to connect through SOCKS. There are programs that allow users to circumvent such limitations:
Socksifiers[edit]
Socksifiers allow applications to access the networks to use a proxy without needing to support any proxy protocols. The most common way is to set up a virtual network adapter and appropriate routing tables to send traffic through the adapter.
Win2Socks, which enables applications to access the network through SOCKS5, HTTPS or Shadowsocks.
tun2socks, an open source tool that creates virtual TCP TUN adapters from a SOCKS proxy. Works on Linux and Windows, [15] has a macOS port and a UDP-capable reimplementation in Golang.
proxychains, a Unix program that forces TCP traffic through SOCKS or HTTP proxies on (dynamically-linked) programs it launches. Works on various Unix-like systems. [16]
Translating proxies[edit]
Polipo, a forwarding and caching HTTP/1. 1 proxy server with IPv4 support. Open Source running on Linux, OpenWrt, Windows, Mac OS X, and FreeBSD. Almost any Web browser can use it.
Privoxy, a non-caching SOCKS-to-HTTP proxy.
Docker based[edit]
multsocks, [17] an approach based on Docker which would run on any platform that runs Docker, using client, server, or both to translate proxies.
Security[edit]
Due to lack of request and packets exchange encryption it makes SOCKS practically vulnerable to man-in-the-middle attacks and IP addresses eavesdropping which in consequence clears a way to censorship by governments.
References[edit]
^ “Service Name and Transport Protocol Port Number Registry”. Internet Assigned Numbers Authority. 19 May 2017. Retrieved 23 May 2017.
^ Koblas, David; Koblas, Michelle R. SOCKS (PDF). USENIX UNIX Security Symposium III. Retrieved 16 November 2019.
^ Darmohray, Tina. “Firewalls and fairy tales”. ;LOGIN:. Vol 30, no. 1.
^ Archive index at the Wayback Machine
^ CNET: Cyberspace from outer space
^ Oppliger, Rolf (2003). “Circuit-level gateways”. Security technologies for the World Wide Web (2nd ed. ). Artech House. ISBN 1580533485. Retrieved 21 January 2020.
^ “2010 Circumvention Tool Usage Report” (PDF). The Berkman Center for Internet & Society at Harvard University. October 2010.
^ “Tor FAQ”.
^ “OpenSSH FAQ”. Archived from the original on 2002-02-01.
^ Ying-Da Lee. “SOCKS 4A: A Simple Extension to SOCKS 4 Protocol”. OpenSSH. Retrieved 2013-04-03.
^
^ “CURLOPT_PROXY”. Retrieved 20 January 2020.
^ “Products developed by Inferno Nettverk A/S”.. Retrieved 2021-03-20.
^ “Easy Net with SOCKS5”. ShimmerCat. Archived from the original on 2018-09-13. Retrieved 20 April 2016.
^ Bizjak, Ambroz (20 January 2020). “ambrop72/badvpn: NCD scripting language, tun2socks proxifier, P2P VPN”. GitHub. Retrieved 20 January 2020.
^ Hamsik, Adam (20 January 2020). “proxychains: a tool that forces any TCP connection made by any given application to follow through proxy like TOR or any other SOCKS4, SOCKS5 or HTTP(S) proxy”. Retrieved 20 January 2020.
^ Momm, Gregorio (2020-08-24), gregoriomomm/docker-multsocks, retrieved 2020-08-29
External links[edit]
RFC 1928: SOCKS Protocol Version 5
RFC 1929: Username/Password Authentication for SOCKS V5
RFC 1961: GSS-API Authentication Method for SOCKS Version 5
RFC 3089: A SOCKS-based IPv6/IPv4 Gateway Mechanism
Draft-ietf-aft-socks-chap, Challenge-Handshake Authentication Protocol for SOCKS V5
SOCKS: A protocol for TCP proxy across firewalls, SOCKS Protocol Version 4 (NEC)
Frequently Asked Questions about socks proxy squid
Is Squid a SOCKS proxy?
Squid is a caching and forwarding HTTP web proxy. … Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.
What are SOCKS in scamming?
SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server.
Is SOCKS and proxy the same?
Unlike HTTP proxies, which can only interpret and work with HTTP and HTTPS webpages, SOCKS5 proxies can work with any traffic. HTTP proxies are high-level proxies usually designed for a specific protocol. … SOCKS proxies are low-level proxies that can handle any program or protocol and any traffic without limitations.
