Server Preparation

Update Packages

Get all your existing software up to date.

apt-get update
apt-get upgrade
apt autoremove

Implement Firewall

Whitelist your own ISP (11.22.00.00/16 in the example that follows) for access to port 22 (the SSH or PuTTY port):

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 11.22.00.00/16 -j ACCEPT
iptables -P INPUT DROP
apt-get install iptables-persistent

Set Up Editor

apt-get install vim
vi ~/.vimrc

Insert contents:

Write the file to disk, and quit the editor.

Change Root Password

Change the root password:

Reboot

Not strictly necessary, but:

Install Squid

Open Firewall

Whitelist your own ISP (11.22.00.00/16 in the example that follows) for access to port 3128, the port on which Squid receives input:

iptables -A INPUT -p tcp --dport 3128 -s 11.22.00.00/16 -j ACCEPT
dpkg-reconfigure iptables-persistent

Install

We will install Squid.

On Ubuntu 18.04, this installs Squid 3.5.

Configure

Edit the Squid configuration file:

At approximately line 980, add a line to define an access control list (acl) that will be used later to specify who has access to the Internet. For example, if your ISP is 11.22.00.00/16:

acl myisp src 11.22.00.00/16

At approximately line 1176, add a line to give yourself access out from Squid to the Internet:

At approximately line 5118, turn the Via HTTP headers off:

At approximately line 5229, add lines to deny access to revealing headers:

request_header_access Forwarded-For deny all
request_header_access From deny all
request_header_access Referer deny all
request_header_access User-Agent deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Authorization allow all
request_header_access Cache-Control allow all
request_header_access Connection allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Pragma allow all
request_header_access Proxy-Authorization allow all
request_header_access All deny all

At approximately line 6819, disable caching for domains you want to access directly rather than from an old, cached copy on your Squid server. For example:

acl headercheck1 dstdomain manytools.org
always_direct allow headercheck1
acl headercheck2 dstdomain xhaus.com
always_direct allow headercheck2
acl headercheck3 dstdomain www.piliapp.com
always_direct allow headercheck3
acl headercheck4 dstdomain myhttpheader.com
always_direct allow headercheck4

At approximately line 7737, delete the X-Forwarded-For headers:

At the very bottom of the Squid configuration file, specify your server’s public IP address as the outgoing IP address. For example, if your server is 55.66.77.88:

acl ip1 myip 55.66.77.88
tcp_outgoing_address 55.66.77.88 ip1

Write the file to disk, and quit the editor.
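
To see which headers the request_header_access rules above let through before you restart Squid, here is an added example (not part of the original guide and not Squid's own code) that parses those rules and applies them to a constructed browser request. It assumes Squid judges a header by the rules that name it and falls back to the All rules only for headers with no rule of their own; the names GUIDE_RULES, SAMPLE, parse_rules and filter_request are hypothetical.

```python
# Added example (not from the original guide). Assumed model of Squid's lookup:
# a header is judged by the rules naming it; only headers with no rule of
# their own fall through to the "All" rules. Only the built-in "all" ACL,
# which matches every request, is handled.

# The guide's rules, rebuilt in the same order to keep the listing short.
DENY = "Forwarded-For From Referer User-Agent Via X-Forwarded-For"
ALLOW = ("Accept Accept-Charset Accept-Encoding Accept-Language Authorization "
         "Cache-Control Connection Content-Length Content-Type Date Host "
         "If-Modified-Since Pragma Proxy-Authorization")
GUIDE_RULES = "\n".join(
    [f"request_header_access {h} deny all" for h in DENY.split()]
    + [f"request_header_access {h} allow all" for h in ALLOW.split()]
    + ["request_header_access All deny all"])

# Constructed browser request (sample values, not captured traffic).
SAMPLE = {"Host": "example.org", "User-Agent": "Mozilla/5.0 (constructed)",
          "Accept": "text/html", "Accept-Language": "en-US",
          "Referer": "http://example.com/", "Cookie": "sid=constructed",
          "DNT": "1", "Upgrade-Insecure-Requests": "1"}


def parse_rules(conf):
    """Map lowercased header name -> list of actions, in file order."""
    rules = {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words or words[0] != "request_header_access":
            continue
        if len(words) != 4 or words[2] not in ("allow", "deny") or words[3] != "all":
            raise ValueError(f"unsupported rule: {line.strip()}")
        rules.setdefault(words[1].lower(), []).append(words[2])
    return rules


def filter_request(conf, headers):
    """Return (forwarded, stripped) header-name lists for one request."""
    rules = parse_rules(conf)
    forwarded, stripped = [], []
    for name in headers:
        chain = rules.get(name.lower()) or rules.get("all") or ["allow"]
        # Every rule uses ACL "all", so the first rule in the chain decides.
        (forwarded if chain[0] == "allow" else stripped).append(name)
    return forwarded, stripped


if __name__ == "__main__":
    kept, dropped = filter_request(GUIDE_RULES, SAMPLE)
    print("forwarded:", ", ".join(kept))
    print("stripped: ", ", ".join(dropped))
```

Cookie is stripped because it has no rule of its own, so cookie-based logins will not survive this proxy unless a rule allowing that header is added. The rules act only on plain HTTP requests; for HTTPS sites the browser tunnels through Squid with CONNECT and the headers inside the tunnel are not modified.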

Restart

Restart Squid to pick up these changes:

The command to restart Squid takes a while to run.

Check

When the restart has completed, check that Squid is active (running) and listening:

systemctl status squid
q
ss -tulpn | grep 3128

Browser

Turn Off WebRTC

The method of doing this varies from browser to browser.

In Firefox, type in the address bar about:config. If necessary, click on I accept the risk! Search for peerconnect and turn media.peerconnection.enabled to false.

If you are not using Firefox, consult the support website for your browser.

Turn On System Proxy

In Windows 10, open the Settings app. Go to Network & Internet. On the left-hand side, click on Proxy.

Under Manual proxy setup, turn on Use a proxy server.

Fill in the address of your server. For port, put the Squid port, 3128.

Make sure you click Save!

Now open your browser and check the HTTP request headers you are sending out to sites like these:

https://manytools.org/http-html-text/http-request-headers/

http://xhaus.com/headers

https://www.piliapp.com/what-is-my/http-request-headers/

http://myhttpheader.com/