Blog karp0tt

Tor, Privoxy, Squid – a little HowTo

Why did I take this step? There are several reasons for using the Tor network.
The most important one for me is that I want to use the World Wide Web as an information source and get every bit of information when I'm searching for something. I don't need someone like the German BKA to tell me which information I'm allowed to see and which not.
So, following the guide at howtoforge.com, I created my own local Tor client for my home network (a client only, not a relay; I had configured a separate server to act as a relay a little while earlier).

This HowTo used the following software versions:
net-proxy/privoxy-3.0.10 (with USE flag threads)
net-misc/tor-0.2.0.34
squid-2.7.STABLE6 (built from source with these configure options (alternative link))

Before there are any questions:
Right now I know how to use squid-2, and I haven't yet found the time to get to know squid-3.

Having built all of the above, let's have a look at the configuration. I'll start with my torrcs.
Here we have eight nearly identical configuration files:

/etc/tor/torrc-1 to /etc/tor/torrc-8

These are the options they all have in common:

SocksBindAddress 127.0.0.1 # accept connections only from localhost
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User tor
Group tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15

Two remarks on these. SocksBindAddress and AllowUnverifiedNodes are the old spellings; Tor of this vintage still accepts them as deprecated aliases for SocksListenAddress and AllowInvalidNodes. The line that matters most for the whole setup is the first one: the SOCKS port must only be reachable from this machine, because Privoxy and Squid, not the LAN, are meant to talk to it. Raising NumEntryGuards from the default of 3 to 6 means each client trusts twice as many guard nodes, so the chance that one of them belongs to an adversary is correspondingly higher; Tor's defaults here are deliberate, change them only if you know why.

And these are the options that differ from file to file:

  • torrc-1
    SocksPort 9050 # what port to open for local application connections
    DataDirectory /var/lib/tor1
  • torrc-2
    SocksPort 9150
    ControlPort 9151
    DataDirectory /var/lib/tor2
  • torrc-3
    SocksPort 9250
    ControlPort 9251
    DataDirectory /var/lib/tor3
  • torrc-4
    SocksPort 9350
    ControlPort 9351
    DataDirectory /var/lib/tor4
  • torrc-5
    SocksPort 9450
    ControlPort 9451
    DataDirectory /var/lib/tor5
  • torrc-6
    SocksPort 9550
    ControlPort 9551
    DataDirectory /var/lib/tor6
  • torrc-7
    SocksPort 9650
    ControlPort 9651
    DataDirectory /var/lib/tor7
  • torrc-8
    SocksPort 9750
    ControlPort 9751
    DataDirectory /var/lib/tor8
Note that torrc-2 to torrc-8 open a ControlPort but none of them sets HashedControlPassword or CookieAuthentication. Tor warns about this at start-up, because any process running on the machine can then connect to that port and reconfigure the instance. Add CookieAuthentication 1 (or a HashedControlPassword) to each of them, or drop the ControlPort lines if nothing uses them.

As for the Privoxy configuration, which comes next, there are again some options that differ from file to file, spread over

/etc/privoxy/config-1 to /etc/privoxy/config-8

If you need logging for Privoxy, keep the logdir lines given below; otherwise leave them out. I personally don't need any logging from Privoxy, since it's running fine.

But first, the options every config file has:

    confdir /etc/privoxy
    actionsfile standard.action # Internal purpose, recommended
    actionsfile default.action # Main actions file
    actionsfile user.action # User customizations
    actionsfile neilvandyke.action # http://neilvandyke.org/privoxy-rules/
    filterfile default.filter
    logfile logfile
    toggle 1
    enable-remote-toggle 0
    enable-remote-http-toggle 0
    enable-edit-actions 1
    enforce-blocks 0
    buffer-limit 4096
    forwarded-connect-retries 0
    accept-intercepted-requests 0
    allow-cgi-request-crunching 0
    split-large-forms 0

One of these deserves a second look. enable-edit-actions 1 switches on Privoxy's web-based actions editor (reachable via http://config.privoxy.org/), and since every browser on the home network reaches Privoxy through Squid, every one of them can rewrite the filtering rules; Privoxy's own documentation warns that malicious client-side code can abuse this too. Set it to 0 once the rules are in place. The other security-relevant line in each file is forward-socks4a: with SOCKS4a the hostname is passed to Tor and resolved there, so DNS queries don't leak out of this machine, whereas forward-socks4 would resolve locally first. The trailing dot is required and means "no further HTTP parent".

And the options that differ from file to file:

  • config-1
    logdir /var/log/privoxy1
    listen-address 127.0.0.1:8118
    forward-socks4a / 127.0.0.1:9050 .
  • config-2
    logdir /var/log/privoxy2
    listen-address 127.0.0.1:8129
    forward-socks4a / 127.0.0.1:9150 .
  • config-3
    logdir /var/log/privoxy3
    listen-address 127.0.0.1:8230
    forward-socks4a / 127.0.0.1:9250 .
  • config-4
    logdir /var/log/privoxy4
    listen-address 127.0.0.1:8321
    forward-socks4a / 127.0.0.1:9350 .
  • config-5
    logdir /var/log/privoxy5
    listen-address 127.0.0.1:8421
    forward-socks4a / 127.0.0.1:9450 .
  • config-6
    logdir /var/log/privoxy6
    listen-address 127.0.0.1:8522
    forward-socks4a / 127.0.0.1:9550 .
  • config-7
    logdir /var/log/privoxy7
    listen-address 127.0.0.1:8623
    forward-socks4a / 127.0.0.1:9650 .
  • config-8
    logdir /var/log/privoxy8
    listen-address 127.0.0.1:8724
    forward-socks4a / 127.0.0.1:9750 .
Back then, while I was setting things up, I took a break at this point:

1. Getting new coffee (very, very, very important!)
2. Taking a look over the files just created; there could be some mistyping, who knows?
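Hand-editing sixteen near-identical files is exactly how the mistyping just mentioned creeps in. What follows is an added example of my own, not the post's init scripts, that generates torrc-1..8, config-1..8 and the matching Squid cache_peer lines from the port scheme used above. It makes three choices the post does not: every instance gets a ControlPort one above its SocksPort with CookieAuthentication switched on (the post's torrc-1 has no ControlPort at all), enable-edit-actions is set to 0, and the cache_peer lines use Squid's name= option so all eight can point at 127.0.0.1 without /etc/hosts aliases. The actionsfile list is copied from the post; drop neilvandyke.action if you don't have that file.

```shell
#!/bin/sh
# Added example: generate the eight torrc / Privoxy config pairs plus the
# matching Squid cache_peer lines from one template, so the per-instance
# ports cannot drift the way hand-edited copies do. Not the post's own
# scripts; it only reproduces the post's port scheme.
#
# My additions to the post's settings: ControlPort = SocksPort + 1 on every
# instance, CookieAuthentication 1 so an open ControlPort cannot be driven
# by any local process, enable-edit-actions 0, and cache_peer ... name=.

# Privoxy listen ports exactly as in the post; SocksPort is 9050+100*(i-1).
PRIVOXY_PORTS="8118 8129 8230 8321 8421 8522 8623 8724"

# gen_torrc <n> <socksport>  -> torrc-<n> on stdout
gen_torrc() {
    n=$1; socks=$2; ctrl=$((socks + 1))
    cat <<EOF
# torrc-$n (generated)
SocksBindAddress 127.0.0.1
SocksPort $socks
ControlPort $ctrl
CookieAuthentication 1
DataDirectory /var/lib/tor$n
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User tor
Group tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
EOF
}

# gen_privoxy <n> <listenport> <socksport>  -> config-<n> on stdout
gen_privoxy() {
    n=$1; listen=$2; socks=$3
    cat <<EOF
# config-$n (generated)
confdir /etc/privoxy
logdir /var/log/privoxy$n
actionsfile standard.action
actionsfile default.action
actionsfile user.action
actionsfile neilvandyke.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
listen-address 127.0.0.1:$listen
forward-socks4a / 127.0.0.1:$socks .
EOF
}

# gen_all <outdir>: writes torrc-1..8, config-1..8 and squid-peers.conf
gen_all() {
    out=$1
    mkdir -p "$out"
    : > "$out/squid-peers.conf"
    n=0
    for listen in $PRIVOXY_PORTS; do
        n=$((n + 1))
        socks=$((9050 + 100 * (n - 1)))
        gen_torrc "$n" "$socks" > "$out/torrc-$n"
        gen_privoxy "$n" "$listen" "$socks" > "$out/config-$n"
        # name= keeps the eight localhost peers distinct; no /etc/hosts aliases needed
        printf 'cache_peer 127.0.0.1 parent %s 0 round-robin no-query name=privoxy%s\n' \
            "$listen" "$n" >> "$out/squid-peers.conf"
    done
}

# Stand-alone: OUT=/tmp/proxychain sh gen.sh, then diff against the live files
OUT=${OUT:-$(mktemp -d)}
gen_all "$OUT"
echo "wrote torrc-1..8, config-1..8 and squid-peers.conf to $OUT"
```

Diff the generated files against /etc/tor, /etc/privoxy and the cache_peer block of /etc/squid/squid.conf before copying them into place; a mismatch in one port between two layers is exactly the kind of error that is hard to see by eye.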
Now that we have the Privoxy and Tor configurations, let's have a look at the Squid configuration file:
/etc/squid/squid.conf

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl home_network src 192.168.2.0/24
acl to_localhost dst 127.0.0.0/8 # defined but not used below; Squid's default config has "http_access deny to_localhost"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl malware_domains url_regex "/etc/squid/Malware-domains.txt" # double quotes: only then does Squid read the path as a file
http_access deny malware_domains
# the LAN allow comes after the deny rules: Squid stops at the first matching
# http_access line, so an "allow home_network" above them would let LAN clients
# bypass the Safe_ports, CONNECT and malware checks
http_access allow home_network
http_access allow localhost
http_access deny all
icp_access deny all
http_port 3400
icp_port 0
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer localhost parent 8118 0 round-robin no-query
cache_peer localhost2 parent 8129 0 round-robin no-query
cache_peer localhost3 parent 8230 0 round-robin no-query
cache_peer localhost4 parent 8321 0 round-robin no-query
cache_peer localhost5 parent 8421 0 round-robin no-query
cache_peer localhost6 parent 8522 0 round-robin no-query
cache_peer localhost7 parent 8623 0 round-robin no-query
cache_peer localhost8 parent 8724 0 round-robin no-query
never_direct allow all # every request goes through a parent (Privoxy, hence Tor), never straight to the site
always_direct deny all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
forwarded_for off
coredump_dir /home/squid-cache # where Squid writes core dumps; the cache location is cache_dir below
cache_dir ufs /home/squid-cache 20000 16 256 # 20000 MB cache, 16 first-level and 256 second-level directories
pid_filename /var/run/squid-in.pid
access_log /var/log/squid/access.squid-in.log
cache_store_log /var/log/squid/store.squid-in.log
cache_log /var/log/squid/cache.squid-in.log

A few things worth knowing about this file. Squid evaluates http_access rules top to bottom and stops at the first match, so the order matters: with the allow for home_network placed above the deny rules, every LAN client would skip the Safe_ports, CONNECT and malware checks (squid -k parse catches syntax errors, not rule order). The malware list is matched as url_regex, i.e. each line of the file is an unanchored regular expression against the whole URL; if the file holds plain domain names, a dstdomain acl is the more precise choice, and the file name must be in double quotes for Squid to treat it as a file at all. Squid also adds a Via header naming this host to every request it forwards (via off disables it) and, with forwarded_for off, still sends "X-Forwarded-For: unknown"; both are visible to the Tor exit and the destination. Finally, the 20 GB disk cache and the access log together are a complete record of everything fetched through the proxy; if that is not what you want, shrink the cache or set access_log none.

Now we need to add some lines to /etc/hosts, so that Squid, which wants a distinct hostname per cache_peer, can be fooled into seeing eight Privoxy instances (Squid 2.6 and later alternatively accept a name= option on cache_peer, which lets all eight peers use 127.0.0.1 without touching /etc/hosts):
    127.0.0.1 localhost
    127.0.0.1 localhost2
    127.0.0.1 localhost3
    127.0.0.1 localhost4
    127.0.0.1 localhost5
    127.0.0.1 localhost6
    127.0.0.1 localhost7
    127.0.0.1 localhost8
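With all three layers configured, a cheap consistency check catches the mistakes that otherwise only show up as "Cannot connect" pages or, worse, as traffic that quietly takes a different path than intended. This added example (mine, not from the post) audits the three layers against each other: every Privoxy forward-socks4a target must be a SocksPort some torrc opens, every Squid cache_peer port must be a Privoxy listen-address, and no torrc may open a ControlPort without authentication. It assumes the post's file names (torrc-N, config-N, squid.conf) and, when run stand-alone, exercises itself on a constructed two-instance fixture with one deliberate port typo.

```shell
#!/bin/sh
# Added example, not part of the post: audit an installed Squid -> Privoxy -> Tor
# chain for mistakes that hand-editing eight near-identical files invites.
# Real use:  check_chain /etc/tor /etc/privoxy /etc/squid/squid.conf

# has <word> <list>: true if <word> is one of the whitespace-separated <list>
has() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# check_chain <tordir> <privoxydir> <squid.conf>: prints one line per problem,
# returns 1 if anything is wrong, 0 if the chain is consistent
check_chain() {
    tordir=$1; privdir=$2; squidconf=$3; rc=0
    socks_ports=$(awk '/^SocksPort/ {print $2}' "$tordir"/torrc-*)
    listen_ports=$(awk '/^listen-address/ {sub(/.*:/, "", $2); print $2}' "$privdir"/config-*)

    # "forward-socks4a / 127.0.0.1:9050 ." -> 9050 must be a Tor SocksPort
    for f in "$privdir"/config-*; do
        target=$(awk '/^forward-socks4a/ {sub(/.*:/, "", $3); print $3}' "$f")
        has "$target" "$socks_ports" ||
            { echo "$(basename "$f") forwards to $target, but no torrc has SocksPort $target"; rc=1; }
    done
    # "cache_peer localhost2 parent 8129 ..." -> 8129 must be a Privoxy listen port
    for p in $(awk '/^cache_peer/ {print $4}' "$squidconf"); do
        has "$p" "$listen_ports" ||
            { echo "squid.conf peer port $p has no Privoxy listen-address"; rc=1; }
    done
    # an open ControlPort needs cookie or password authentication
    for f in "$tordir"/torrc-*; do
        ctrl=$(awk '/^ControlPort/ {print $2}' "$f")
        if [ -n "$ctrl" ] && ! grep -Eq '^(CookieAuthentication 1|HashedControlPassword )' "$f"; then
            echo "$(basename "$f"): ControlPort $ctrl without CookieAuthentication/HashedControlPassword"
            rc=1
        fi
    done
    return $rc
}

# write_fixture <dir> <ok|broken>: constructed two-instance miniature of the
# post's layout; "broken" points config-2 at a mistyped SOCKS port and leaves
# torrc-2's ControlPort unauthenticated
write_fixture() {
    d=$1; mkdir -p "$d"
    printf 'SocksBindAddress 127.0.0.1\nSocksPort 9050\nDataDirectory /var/lib/tor1\n' > "$d/torrc-1"
    if [ "$2" = broken ]; then
        printf 'SocksPort 9150\nControlPort 9151\nDataDirectory /var/lib/tor2\n' > "$d/torrc-2"
        fwd=9151
    else
        printf 'SocksPort 9150\nControlPort 9151\nCookieAuthentication 1\n' > "$d/torrc-2"
        fwd=9150
    fi
    printf 'listen-address 127.0.0.1:8118\nforward-socks4a / 127.0.0.1:9050 .\n' > "$d/config-1"
    printf 'listen-address 127.0.0.1:8129\nforward-socks4a / 127.0.0.1:%s .\n' "$fwd" > "$d/config-2"
    printf 'cache_peer localhost parent 8118 0 round-robin no-query\n' > "$d/squid.conf"
    printf 'cache_peer localhost2 parent 8129 0 round-robin no-query\n' >> "$d/squid.conf"
}

# Stand-alone demo on the constructed, deliberately broken fixture
D=$(mktemp -d)
write_fixture "$D" broken
check_chain "$D" "$D" "$D/squid.conf" || echo "problems found in $D (expected for the broken fixture)"
```

On the broken fixture it reports two lines, the mistyped forward target in config-2 and the unauthenticated ControlPort in torrc-2, and exits non-zero; on a consistent set of files it prints nothing. Run it against the real paths after every edit, and before restarting the daemons.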

The needed directories and the init scripts still have to be created; let's start with the init scripts.
I'm going to link these, since they're rather big:
/etc/init.d/thor (alternative link)
/etc/init.d/privo (alternative link)

I know, stopping those processes could and should be handled more carefully, but why use something else when the one you wrote in five minutes works?

Now let's get to the interesting part, creating the needed directories, and there are a bunch of them.
As pointed out earlier, my Squid cache directory is in /home, so I created it right there:
# mkdir /home/squid-cache

Since this directory needs to be writable by the user nobody (Squid's default cache_effective_user), I changed the ownership and group from root:root to nobody:nobody:
# chown -R nobody:nobody /home/squid-cache

Before the first start, run squid -z once so that Squid creates the 16x256 directory structure declared in cache_dir; it won't start without it.

The Squid log directory should also be writable by the user nobody, but after creating it I only changed its group to nobody and made it group-writable:
# mkdir /var/log/squid
# chown -R root:nobody /var/log/squid
# chmod g+w /var/log/squid

If there is someone out there who decides he/she needs logging with Privoxy, here's a quick and dirty solution:
# for i in 1 2 3 4 5 6 7 8; do mkdir /var/log/privoxy$i; done
# chown -R privoxy:privoxy /var/log/privoxy*

I personally used logging with Privoxy for the first day; after that, those logdir lines in the Privoxy configuration files somehow went "missing".

The attentive reader will now say: "Wait! I saw something like Malware-domains.txt a bit further up. What's going on with that?"

This one's almost too short to mention, but Malware-domains.txt is just another security measure that has been taken:
# touch /etc/squid/Malware-domains.txt

Yeah, I know: "Now we've got an empty file, what's with you?"
# cd /usr/local/bin
# wget 1 or 2
# tar xfvj update-domains.tar.bz2
# chmod +x update-domains.sh
# ./update-domains.sh

And that's it; have a look at /etc/squid/Malware-domains.txt now and see how it's been filled with malware domains. If you want to know how the script works, just take a look under the hood and see that it's another quick and dirty thing. Squid reads acl files only at start-up or on squid -k reconfigure, so if you run the script from cron, reconfigure Squid afterwards, or the list silently stays stale.
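The post doesn't show what update-domains.sh writes into the file, and as mentioned above a url_regex acl treats every line as a loose regular expression. Here is an added example of my own, not the post's script, that does the part that matters for Squid: normalising whatever the download looks like into a dstdomain list, which matches a domain and its subdomains exactly. The input formats it handles (bare domains, hosts-file lines, comments, mixed case, trailing dots) are assumptions about the list, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not the post's update-domains.sh: normalise a downloaded
# block list into a dstdomain file for Squid. Assumed input (the post does
# not show the real list's format): bare domains, hosts-file lines such as
# "127.0.0.1 evil.example" or "0.0.0.0 evil.example", "#" comments, blank
# lines, mixed case, trailing dots and duplicates.

# to_dstdomain: stdin -> stdout, one ".domain" per line, sorted, unique.
# The leading dot makes Squid's dstdomain match the domain and all subdomains.
to_dstdomain() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | awk 'NF == 2 && ($1 == "127.0.0.1" || $1 == "0.0.0.0") { print $2; next }
           NF == 1 { print $1 }' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/\.*$//' -e 's/^\.*//' \
    | grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' \
    | grep -Ev '^localhost\.localdomain$' \
    | sed 's/^/./' \
    | LC_ALL=C sort -u
}

# build_list <source> <dest>: writes <dest> atomically, so a half-written
# file is never picked up by "squid -k reconfigure"
build_list() {
    src=$1; dst=$2
    to_dstdomain < "$src" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Constructed sample input, not a real block list
SAMPLE='# constructed sample
127.0.0.1 localhost
127.0.0.1  Evil.Example
0.0.0.0 malware.example.net.   # trailing dot and comment
tracker.example.org
not a domain line
Evil.Example
'

# Stand-alone demo: prints .evil.example, .malware.example.net, .tracker.example.org
printf '%s' "$SAMPLE" | to_dstdomain
# In squid.conf, instead of the url_regex line:
#   acl malware_domains dstdomain "/etc/squid/Malware-domains.txt"
#   http_access deny malware_domains
```

The single-label hosts-file entries (localhost and friends) fall out because the pattern insists on at least one dot; everything that survives is a plain lower-case domain name with a leading dot, which is what dstdomain expects. Use build_list from cron with the downloaded file as source and /etc/squid/Malware-domains.txt as destination, then squid -k reconfigure.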

Well, all that's left is to start those things, add them to your default runlevel at boot, and configure your browser to use the Squid port 3400 on the configured machine (IP). A quick check that the chain really works end to end: open https://check.torproject.org/ through the proxy; it should tell you that you are using Tor.
But those are things I won't explain; they are basic Linux skills everyone should know.
I'm also not covering anything needed for iptables; if you're using it, you should know how to configure it.

    Written by body0r

    June 24, 2009 at 8:00 pm

    Posted in GNU/Linux
