Configure Squid Proxy for Multiple Outgoing IP Addresses

Setup Your Own Multiple-IP, Private Group of Proxies on a Single VPS Installation

After much online research in forum discussions and some hair-pulling troubleshooting (and a nudge in the right direction from Ralf at Tradebit), we’ve assembled a fairly reliable set of instructions for configuring Squid Proxy to use multiple outgoing IP addresses from a single Squid installation. The key is that you can connect through any of the outbound IP addresses, depending on the IP address by which you connect to the Squid Cache server.

There are a few incomplete ways to do this. Some of the existing tutorials like this one go only part of the way: they let client A from one IP address connect through one outgoing IP address, and client B from a second IP address connect through another outgoing IP address. This is limiting: client A can only use one outgoing IP. With our setup, we can use any of our many outgoing IP addresses.

Our Setup & Plan

We run Squid Cache on a basic VPS service running Linux. We are using Squid-3.2.1. Our VPS has six IP addresses, so we want to receive clients on any of those six IP addresses and direct Squid to use the same IP address for the corresponding outgoing connections. Because our VPS listens on all six IP addresses, we will designate a separate port for each inbound address. It’s probably worth mentioning that we aren’t caching anything; we are simply using Squid as a proxy.

Configuration

Obviously, we’ll be modifying the squid.conf file. We’ll be using the following configuration directives:

  • http_port
  • name=
  • myportname
  • acl
  • http_access
  • tcp_outgoing_address

First, we want to tell Squid what IPs and ports to listen on, and we want to use the “name=” option with http_port:

# Squid normally listens to port 3128
http_port 67.xxx.108.128:3128 name=3128
http_port 67.xxx.108.79:3129 name=3129
http_port 67.xxx.108.80:3130 name=3130
http_port 67.xxx.108.221:3131 name=3131
http_port 208.xxx.34.154:3132 name=3132
http_port 208.xxx.34.32:3133 name=3133

We just asked Squid to listen on sequential ports and to designate a name for each inbound connection. Now that we’ve named the inbound connections, we can designate an ACL based on each inbound connection name and assign an outgoing IP to each:

# An acl line has exactly one type: every token after "myportname" is read as
# another port name, so the client network needs its own src ACL.
acl tastyclients src 24.xxx.210.0/24

# Keep these rules above the final "http_access deny all".
acl tasty3128 myportname 3128
http_access allow tasty3128 tastyclients
tcp_outgoing_address 67.xxx.108.128 tasty3128

acl tasty3129 myportname 3129
http_access allow tasty3129 tastyclients
tcp_outgoing_address 67.xxx.108.79 tasty3129

acl tasty3130 myportname 3130
http_access allow tasty3130 tastyclients
tcp_outgoing_address 67.xxx.108.80 tasty3130

acl tasty3131 myportname 3131
http_access allow tasty3131 tastyclients
tcp_outgoing_address 67.xxx.108.221 tasty3131

acl tasty3132 myportname 3132
http_access allow tasty3132 tastyclients
tcp_outgoing_address 208.xxx.34.154 tasty3132

acl tasty3133 myportname 3133
http_access allow tasty3133 tastyclients
tcp_outgoing_address 208.xxx.34.32 tasty3133

That’s it. You should now be able to connect to any of your six IP addresses through Squid.
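
A lint for this layout, added here as an example (not code from the original post): Squid treats every token after the ACL type as a value of that type, so a `src` network written on a `myportname` line never restricts clients, and a copy-pasted egress address can silently send one port out through another listener's IP. The sample config, ACL names and finding labels are constructed for illustration.

```python
# Added example: lint a squid.conf for the per-port egress layout.
# SAMPLE is constructed; its addresses come from documentation ranges.
SAMPLE = """\
http_port 203.0.113.10:3128 name=3128
http_port 203.0.113.11:3129 name=3129
acl clients src 198.51.100.0/24
acl p3128 myportname 3128
http_access allow p3128 clients
tcp_outgoing_address 203.0.113.10 p3128
acl p3129 myportname 3129 src 198.51.100.0/24
http_access allow p3129
tcp_outgoing_address 203.0.113.10 p3129
"""

# ACL type keywords that should never show up as a myportname value.
ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "port", "localip", "localport", "myip"}

def lint(conf):
    """Return sorted (finding, acl_name) tuples for a squid.conf text."""
    listeners, acls, egress, allows, findings = {}, {}, {}, [], set()
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "http_port":
            names = [t[5:] for t in tok[2:] if t.startswith("name=")]
            if names:  # port name -> listening IP
                listeners[names[0]] = tok[1].rsplit(":", 1)[0].strip("[]")
        elif tok[0] == "acl" and len(tok) >= 4:
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))
        elif tok[0] == "http_access" and tok[1] == "allow":
            allows.append(tok[2:])
        elif tok[0] == "tcp_outgoing_address" and len(tok) == 3:
            egress[tok[2]] = tok[1]  # acl name -> egress IP
    for name, defs in acls.items():
        for acl_type, values in defs:
            if acl_type != "myportname":
                continue
            # Squid reads every token after the type as another port name.
            if ACL_TYPES & set(values):
                findings.add(("mixed-types", name))
            for v in values:
                if v in listeners and egress.get(name) != listeners[v]:
                    findings.add(("egress-mismatch", name))
    for rule in allows:
        # An allow rule with no src ACL ANDed in admits any client on that port.
        if rule and not any(t == "src" for n in rule for t, _ in acls.get(n, [])):
            findings.add(("no-src", rule[0]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```
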

 

18 replies
  1. Jon Coulter says:

    This was exactly what I needed, but once I found your post I did some research and you can do the same thing by using “myip” to determine the incoming IP address. No need for multiple ports.

    Example:


    acl ip1 myip 1.2.3.4 # where 1.2.3.4 is a server ip
    acl ip2 myip 1.2.3.5 # where 1.2.3.5 is a server ip

    tcp_outgoing_address 1.2.3.4 ip1
    tcp_outgoing_address 1.2.3.5 ip2
    tcp_outgoing_address 1.2.3.6 # default if coming in on another IP

    Am I missing something here? This seems to be the more generic and flexible method.

  2. annon says:

    Does this work for multiple https connections?

    NAT incoming connections (443 to 3100) on single network ip (64.x.x.x). I’m having trouble using multiple certs for each domain with squid. Also, can they use different outgoing ports?

  3. Jason says:

    I’ve been trying to modify this script to work with one ipv4:port in and out to a unique IPv6.

    I’ve pasted an example of what I did here at pastebin: pastebin.com/bpLYuY2D

    The problem I’ve encountered is that squid always uses the same IPv6 to connect out, in my example it uses the IPv6 associated with user5 even if user5 is commented out.

    Do you have any idea how to get squid to assign a unique IPv6 per user for the outbound connection?

  4. vinod says:

    I have set 200 IPs on my squid server as per your way “http_port 67.xxx.108.128:3128 name=3128”, but only 128 are working; the rest of them are not able to make a connection. Any idea how we increase this 128 limit?

  5. abey says:

    I have powermta and interspire running on our servers with 16 IPs. Will it affect them if I install squid on them? Any interference between these services? Or should I get fresh servers just for this?

  6. Andreas says:

    Hi David,

    Works well since 6 months, but now I have the problem that some https connections didn’t work!

    Do you have any idea? Can I find out if it is an IP block from the website?

    Regards, Andreas

  7. Deepak Chakravarti says:

    Dear All,

    I am new to proxy server configuration.

    We are using one application which allows login from a single IP, so we took two public IPs with the same ISP.

    We want to configure rules for LAN users & remote users who can use my public IP to log in to the application. Can we use Squid proxy for this scenario? Please help.

  8. hosein says:

    I’ve been trying to modify this script to work with one ipv4:port in and out to a unique IPv6.
    Add the line below to your config:
    dns_v4_first on
