How to Obfuscate Squid Proxy Detection for Anonymous Browsing from AWS


When routing traffic through a Squid proxy on AWS (especially across geo-restricted boundaries like UK→US), several detection vectors exist:

  • HTTP Headers: Squid adds X-Forwarded-For and Via headers by default
  • TCP Fingerprinting: Squid's connection handling differs from standard browsers
  • Behavioral Patterns: Proxy traffic often shows different request timing/distribution

Edit your /etc/squid/squid.conf with these critical directives:

# Remove identifying headers
forwarded_for delete
via off
# Spoof user-agent to match common browsers
# (request_header_replace only acts on a header that request_header_access
#  has denied, so the deny line is required for the replacement to take effect)
request_header_access User-Agent deny all
request_header_replace User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
# Disable proxy-specific headers
request_header_access X-Forwarded-For deny all
request_header_access Via deny all

Combine Squid with these tools for better stealth:

1. TLS Bridging with stunnel

This encrypts the client-to-proxy hop. The AWS instance needs a matching stunnel server section (client = no, accepting on 443 and connecting to Squid's listening port) for the tunnel to terminate anywhere.

# stunnel config (/etc/stunnel/stunnel.conf) on the client
client = yes
[squid_proxy]
accept = 127.0.0.1:3128
connect = your-aws-instance:443
# Verify the instance's certificate chain. "verifyChain = no" accepts any
# certificate and lets anyone on the path terminate and read the tunnel.
verifyChain = yes
# System CA bundle; adjust the path for your distribution
CAfile = /etc/ssl/certs/ca-certificates.crt

2. Traffic Shape Normalization

Use tc (Linux traffic control) with the netem qdisc to mimic residential patterns. Note that this shapes every packet leaving eth0, not just proxy traffic:

tc qdisc add dev eth0 root netem delay 100ms 20ms 25% duplicate 1% loss 0.3%
# 100ms mean delay, +/-20ms jitter with 25% correlation, 1% duplicated packets, 0.3% loss
# Remove again with: tc qdisc del dev eth0 root

Modify Squid's DNS resolution behavior:

# In squid.conf
dns_nameservers 1.1.1.1 8.8.8.8
positive_dns_ttl 2 hours
negative_dns_ttl 30 seconds

Test your setup with these commands. The first fetches the page body rather than using -I, because the proxy-added headers show up in the echoed request, not in the response headers:

curl -s --proxy http://your-proxy-ip:3128 https://www.whatismyip.com/headers | grep -i 'x-forwarded\|via'
tshark -i eth0 -Y "tcp.port == 3128 && http.request" -V | grep -iE '^\s*(Via|X-Forwarded-For):'

For an https:// URL Squid only relays a CONNECT tunnel and never sees the inner request headers, so the header directives above are exercised only by plain http:// requests; repeat the test against an http:// URL to confirm they apply.

For scenarios requiring maximum stealth:

ssh -N -D 127.0.0.1:1080 -p 22 user@aws-instance
# Then configure browser to use SOCKS5 proxy at 127.0.0.1:1080

When using Squid as a forward proxy on AWS to access geo-restricted content, your proxy server's HTTP headers and network patterns can reveal its identity. Major websites and network monitoring tools often employ proxy detection mechanisms that analyze:

  • X-Forwarded-For headers
  • Via headers
  • TCP fingerprinting
  • Request timing patterns
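
The header-level vectors in this list (and in the list at the top of the page) are what a destination server can check directly, and it is the same check the curl test does by hand. The following is an added example, not code from the original article: a small Python checker that parses a raw HTTP request and reports the proxy-revealing headers it finds. Both sample requests are constructed for illustration (the Via value follows Squid's documented "1.1 hostname (squid/version)" format), and the Forwarded and Proxy-Connection headers are additions beyond the two the article names.

```python
"""Header-based proxy indicator check (added example, not from the original page).

Given a raw HTTP/1.x request as the destination server sees it, report which
header-level proxy markers are present. The sample requests are constructed.
"""
from __future__ import annotations

# Request headers that mark traffic as proxied. Via and X-Forwarded-For are the
# two the article names; Forwarded is the RFC 7239 standard form of the same
# information; Proxy-Connection is a legacy header emitted by proxy-aware hops.
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded", "proxy-connection"}


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw request into (request-line, {lowercased header name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def proxy_indicators(raw: str) -> list[str]:
    """Return the proxy-revealing findings for one request, in a stable order."""
    _, headers = parse_request(raw)
    findings = [f"{name}: {headers[name]}" for name in sorted(headers) if name in PROXY_HEADERS]
    # Squid's default Via value is "1.1 hostname (squid/version)", which names the software outright
    if "squid" in headers.get("via", "").lower():
        findings.append("via names squid")
    return findings


# Constructed sample: a request relayed by a Squid install with default header settings
DEFAULT_SQUID = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.4.0\r\n"
    "Via: 1.1 ip-10-0-0-5 (squid/5.7)\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

# Constructed sample: the same request after "via off" and "forwarded_for delete"
STRIPPED = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.4.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, request in (("default squid", DEFAULT_SQUID), ("stripped", STRIPPED)):
        print(f"{label}: {proxy_indicators(request) or 'no header-level indicators'}")
```

This covers only the first two bullets. TCP fingerprinting and timing patterns are not visible in the request text, and for an HTTPS fetch through a CONNECT tunnel the proxy never touches the inner request at all, so an empty result here does not mean the traffic is indistinguishable from a direct client.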

Modify your squid.conf to strip or neutralise identifying headers:

# Remove Via header
via off

# Hostname Squid uses in Via/X-Cache headers and on its error pages
visible_hostname generic-proxy

# X-Forwarded-For: only the last forwarded_for line in the file takes effect,
# so pick one. "delete" removes the header entirely; "transparent" leaves any
# client-supplied value untouched without adding the proxy's own.
forwarded_for delete
# forwarded_for transparent

Use sysctl to modify your EC2 instance's TCP stack behavior (both settings are lost on reboot unless also written to a file under /etc/sysctl.d/):

# Disable the TCP timestamp option
sysctl -w net.ipv4.tcp_timestamps=0

# Receive-buffer sizing in bytes (min/default/max). This changes the advertised
# receive window, not the initial congestion window; setting max equal to
# default also disables receive-buffer autotuning and will cap throughput on
# high-latency paths.
sysctl -w net.ipv4.tcp_rmem="8192 65535 65535"

Implement request throttling using Squid's delay pools (they rate-limit bandwidth with token buckets rather than inserting random delays, but they do smooth bursty request patterns):

delay_pools 1
# class 3: one aggregate bucket, one bucket per /24 network, one per client host
delay_class 1 3
delay_access 1 allow all
# restore/max bytes per bucket: aggregate 16000/16000, per-network unlimited, per-host 500/500
delay_parameters 1 16000/16000 -1/-1 500/500

For HTTPS traffic, Squid's built-in SSL-Bump feature (available when Squid is built with OpenSSL support, and only active on an http_port configured with the ssl-bump option) can be combined with custom cipher suites:

# splice = relay the TLS session unchanged instead of intercepting it
ssl_bump splice all
# These outgoing-TLS settings only apply to TLS connections Squid initiates
# itself (bumped traffic); spliced sessions pass through with the client's own
# handshake untouched
sslproxy_cipher ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
sslproxy_options NO_SSLv3,NO_TLSv1,NO_TLSv1.1

On Squid 4 and later the last two directives are replaced by tls_outgoing_options with cipher= and options= parameters.

Test your proxy's detectability using online tools:

  • Browserleaks.com
  • IPQS proxy detection
  • Whoer.net

Remember that complete anonymity requires multiple layers of protection and constant adaptation to detection methods.