Configure Squid Proxy for Multiple Outgoing IP Addresses
Setup Your Own Multiple-IP, Private Group of Proxies on a Single VPS Installation
After much online research in forum discussions and some hair-pulling troubleshooting (and a nudge in the right direction from Ralf at Tradebit), we’ve assembled a fairly reliable set of instructions for configuring Squid Proxy to use multiple outgoing IP addresses from a single Squid installation. The key is that you can connect out through any of the outbound IP addresses, chosen by the IP address on which you connect to the Squid Cache server.
There are a few incomplete ways to do this. Some of the existing tutorials like this one go only part of the way: they let client A from one IP address connect through one outgoing IP address, and client B from a second IP address connect through another outgoing IP address. This is limiting: client A can only use one outgoing IP. With our setup, we can use any of our many outgoing IP addresses.
Our Setup & Plan
We run Squid Cache on a basic VPS service running Linux. We are using Squid-3.2.1. Our VPS has six IP addresses, so we want to receive clients on any of those six IP addresses and direct Squid to use the same corresponding IP address for its outgoing connections. Because our VPS listens on all six IP addresses, we will designate a separate port for each inbound connection. It’s probably worth mentioning that we aren’t caching anything; we are simply using Squid as a proxy.
Configuration
Obviously, we’ll be modifying the squid.conf file. We’ll be using the following configuration directives:
- http_port
- name=
- myportname
- acl
- http_access
- tcp_outgoing_address
First, we want to tell Squid what IPs and ports to listen on, and we want to use the “name=” option with http_port:
    # Squid normally listens to port 3128
    http_port 67.xxx.108.128:3128 name=3128
    http_port 67.xxx.108.79:3129 name=3129
    http_port 67.xxx.108.80:3130 name=3130
    http_port 67.xxx.108.221:3131 name=3131
    http_port 208.xxx.34.154:3132 name=3132
    http_port 208.xxx.34.32:3133 name=3133
We just asked Squid to listen on sequential ports and to designate a name for each inbound connection. Now that we’ve named the inbound connections, we can define an ACL for each inbound connection name, allow it only together with an ACL for our client range, and assign an outgoing IP to each. The client range needs its own src ACL: Squid reads every token after the ACL type as a value of that type, so a src range written on a myportname line would be taken as extra port names and would not restrict who can use the proxy.
    # One type per acl line: the client range is its own src ACL.
    acl clients src 24.xxx.210.0/24

    # http_access allows a request only when every ACL on the line matches.
    acl tasty3128 myportname 3128
    http_access allow tasty3128 clients
    tcp_outgoing_address 67.xxx.108.128 tasty3128

    acl tasty3129 myportname 3129
    http_access allow tasty3129 clients
    tcp_outgoing_address 67.xxx.108.79 tasty3129

    acl tasty3130 myportname 3130
    http_access allow tasty3130 clients
    tcp_outgoing_address 67.xxx.108.80 tasty3130

    acl tasty3131 myportname 3131
    http_access allow tasty3131 clients
    tcp_outgoing_address 67.xxx.108.221 tasty3131

    acl tasty3132 myportname 3132
    http_access allow tasty3132 clients
    tcp_outgoing_address 208.xxx.34.154 tasty3132

    acl tasty3133 myportname 3133
    http_access allow tasty3133 clients
    tcp_outgoing_address 208.xxx.34.32 tasty3133
That’s it. You should now be able to connect to any of your six IP addresses through Squid.
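The following is an added example, not part of the original post: a small Python audit for a squid.conf built along these lines. It flags myportname ACLs that have swallowed a type keyword such as src, allow rules with no client-identifying ACL, and named ports whose egress address is not the listen address. The sample config, its addresses and the ACL names are constructed for illustration.

```python
# ACL type keywords; on a myportname line Squid would read them as extra port names.
ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "port", "myip", "myport", "proxy_auth"}
CLIENT_TYPES = {"src", "proxy_auth"}  # ACL types that actually identify the client
# Constructed sample (documentation address ranges): 3128 is correct, 3129 packs
# "src" into a myportname ACL, 3130 has no egress mapping at all.
SAMPLE_CONF = """\
http_port 192.0.2.10:3128 name=3128
http_port 192.0.2.11:3129 name=3129
http_port 192.0.2.12:3130 name=3130
acl clients src 198.51.100.0/24
acl out3128 myportname 3128
http_access allow out3128 clients
tcp_outgoing_address 192.0.2.10 out3128
acl out3129 myportname 3129 src 198.51.100.0/24
http_access allow out3129
tcp_outgoing_address 192.0.2.11 out3129
http_access deny all
"""

def audit(conf_text):
    """Return (check, subject) findings; repeated acl names are not merged here."""
    ports, acls, allows, egress = {}, {}, [], {}
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "http_port" and len(tok) >= 2:
            name = next((t[5:] for t in tok[2:] if t.startswith("name=")), tok[1])
            ports[name] = tok[1].rsplit(":", 1)[0]
        elif tok[0] == "acl" and len(tok) >= 3:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[0] == "http_access" and tok[1:2] == ["allow"]:
            allows.append(tok[2:])
        elif tok[0] == "tcp_outgoing_address" and len(tok) >= 3:
            egress.update({acl_name: tok[1] for acl_name in tok[2:]})
    findings = []
    for name, (kind, values) in acls.items():
        if kind == "myportname" and ACL_TYPES & set(values):
            findings.append(("type-keyword-as-value", name))
    for rule in allows:
        if not any(acls.get(a, ("", []))[0] in CLIENT_TYPES for a in rule):
            findings.append(("allow-without-client-acl", " ".join(rule)))
    for port_name, listen_ip in ports.items():
        bound = [egress.get(a) for a, (k, v) in acls.items() if k == "myportname" and port_name in v]
        if listen_ip not in bound:
            findings.append(("egress-not-listen-ip", port_name))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty result means every named port is reachable only through a client-restricted rule and leaves through its own listen address.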
What’s the primary use case for this? There are probably a lot of possibilities, but might this be useful for rank checking?
DING!
That’s exactly right, we use it for rank checking.
This was exactly what I needed, but once I found your post I did some research and you can do the same thing by using “myip” to determine the incoming IP address. No need for multiple ports.
Example:
act ip1 myip 1.2.3.4 # where 1.2.3.4 is a server ip
act ip2 myip 1.2.3.5 # where 1.2.3.5 is a server ip
tcp_outgoing_address 1.2.3.4 ip1
tcp_outgoing_address 1.2.3.5 ip2
tcp_outgoing_address 1.2.3.6 # default if coming in on another IP
Am I missing something here? This seems to be the more generic and flexible method.
Did you have success with your settings?
I did, and still going strong after several years.
I think it’s acl
Does this work for multiple https connections?
NAT incoming connections (443 to 3100) on a single network IP (64.x.x.x). I’m having trouble using multiple certs for each domain with Squid. Also, can they use different outgoing ports?
I’ve been trying to modify this script to work with one ipv4:port in and out to a unique IPv6.
I’ve pasted an example of what I did here at pastebin: pastebin.com/bpLYuY2D
The problem I’ve encountered is that squid always uses the same IPv6 to connect out, in my example it uses the IPv6 associated with user5 even if user5 is commented out.
Do you have any idea how to get Squid to assign a unique IPv6 per user for the outbound connection?
I have set 200 IPs on my Squid server as per your way “http_port 67.xxx.108.128:3128 name=3128”, but only 128 are working; the rest of them are not able to make a connection. Any idea how we increase this 128 limit?
Did you ever find out how to get more than 128 working?
Vinod, did you get this to work by copying his code exactly, using your IP allocation and usable IPs in place of his?
I have PowerMTA and Interspire running on our servers with 16 IPs. Will it affect them if I install Squid on them? Any interference between these services? Or should I get fresh servers just for this?
Hi David,
It has worked well for 6 months, but now I have the problem that some HTTPS connections didn’t work!
Do you have any idea? Can I find out if it is an IP block from the website?
Regards, Andreas
Useful for craigslist flagging & posting scripts
Thanks for the info. How can I use something like this http_port 67.xxx.108.128 3128 to change the http port to a specific IP?
Dear All,
I am new to proxy server configuration.
We are using an application which allows login from a single IP only, so we took two public IPs with the same ISP.
We want to configure rules for LAN users and remote users who can use my public IP to log in to the application. Can we use Squid proxy for this scenario? Please help.
What does the /etc/network/interfaces file look like?
I’ve been trying to modify this script to work with one ipv4:port in and out to a unique IPv6.
add below line to your config
dns_v4_first on