Ultimate Security Proxy With Tor
Nowadays, in the growing web 2.0 environment, you may want some anonymity and to browse from IP addresses other than your own, or, for some special purposes, from several IPs that change frequently, so that tracking you becomes much harder. A solution exists, and it is called the Tor Project, or simply Tor. There are plenty of articles and howtos explaining how it works; I am not going to describe onion routing and its principles here, but rather how to get the most out of it in practice.
Squid Proxy
Squid is an open source proxy that can be configured in many ways; it is the de facto standard among open source proxies because it is widely developed and used. Here we will configure it as a caching proxy: a request is served from the cache when a cached copy is available, which saves bandwidth and speeds up page rendering. Not everything is cacheable, for many reasons, but it still improves the perceived speed of the page. Keep in mind that the cache is written to disk, so copies of what was browsed through the chain stay on the server. The proxy will also enforce basic access control: it allows or denies networks and devices on your LAN, allows or denies destination ports and methods, and defines the cache storage. It will listen on port 8080.
It is recommended to visit the Squid site and read the documentation, because Squid is very flexible and can be difficult to configure.
Privoxy
Privoxy is a non-caching proxy with advanced filtering capabilities, HTTP header modification and access control. Once requests have passed Squid's access control they are handed to Privoxy, which filters them and rewrites HTTP headers to improve privacy. Reading its documentation is also recommended: it is very flexible, and a configuration error, or simply a privacy level set too high, will stop pages rendering properly in your browser.
Tor (The Onion Router)
Tor is a network of relay nodes that routes your traffic through a chain of encrypted links. With this kind of routing a packet is hard to trace, because the party the destination sees is not your computer but the exit node of the Tor network. The link between your computer and the entry (guard) node is encrypted, as are the links between relays; the only hop Tor does not encrypt is the last one, between the exit node and the destination, so anything sent over plain HTTP is readable by the exit node unless the application itself uses TLS. This gives a certain level of anonymity while browsing, and it can also be used to get around basic geolocation checks on web pages or servers, because relays can be anywhere in the world and, to the destination, the source location is that of the Tor exit node. You can learn more about Tor on the Tor Project website (torproject.org).
Installation
For the installation we need a CentOS server up and running with OpenSSH configured; I am using CentOS 6.8. Squid comes from the base repositories, while privoxy and tor come from EPEL, which is why the EPEL repository is enabled first.
Installing squid, privoxy and tor
```
yum update
yum install epel-release
yum install squid privoxy tor
```
Configuration
Squid
Squid keeps all of its configuration files in /etc/squid/, the cache directory is /var/spool/squid, and the logs are in /var/log/squid.
First we need to configure Squid. To do this, edit the configuration file /etc/squid/squid.conf with your preferred text editor (nano, vim, etc.).
That file is very verbose, so it is better to keep a backup of the original and start a new one with the following commands:
```
mv /etc/squid/squid.conf /etc/squid/squid.bkp
vi /etc/squid/squid.conf
```
Then use the following configuration:
```
# Access lists defining networks, ports and methods
acl home_network src 192.168.1.0/24 # Adapt it to your home network
# Squid 3.1 (CentOS 6) needs localhost defined here; from Squid 3.2 on it is built in and this line can be removed
acl localhost src 127.0.0.1/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE          # Matches the PURGE method, which removes objects from the cache
acl CONNECT method CONNECT      # Matches the CONNECT tunnel method

# ACL permits and denies. Squid stops at the first matching line, so the
# deny lines for unsafe ports and non-TLS tunnels must come BEFORE the
# allow for the home network; otherwise LAN clients bypass those checks.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow purge localhost
http_access deny purge
http_access allow home_network
http_access allow localhost
http_access deny all
icp_access deny all

# Listen on port 8080; ICP is not used
http_port 8080
icp_port 0
# URLs containing these words would normally be fetched directly instead of via a peer;
# never_direct below overrides this, so they still go through Privoxy
hierarchy_stoplist cgi-bin ?

# How often content matching each regex is refreshed by the cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Use Privoxy on port 8118 as parent and do not send ICP queries to it
cache_peer 127.0.0.1 parent 8118 0 no-query
# Nothing is sent directly to the origin server; everything must go through the parent
never_direct allow all
always_direct deny all

# Disable the Via header so the use of a proxy is not revealed
via off
# Disable the X-Forwarded-For header so the client IP address is not leaked
forwarded_for off
follow_x_forwarded_for deny all

# Directories for core dumps and the cache
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 10000 16 256 # Cache size of 10 GB (10000 MB); change it to your needs

# PID file location
pid_filename /var/run/squid.pid

# Log file locations
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
```
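Why the order of the http_access lines matters is easy to miss in a config listing, so here is an added example (not code from the article or from the Squid project) that models Squid's first-match evaluation over the ACLs above. It compares the common mistake of listing `allow home_network` before the port and method checks with the recommended order. Only the src, port and method ACL types are modelled, which is all this configuration uses; the `localhost` and `all` ACLs are filled in with the values Squid defines for them.

```python
"""Squid http_access order, modelled in Python (added example, not Squid code).

Squid walks the http_access lines top to bottom and the first line whose ACLs
all match decides.  Listing `allow home_network` before `deny !Safe_ports` and
`deny CONNECT !SSL_ports` therefore lets any LAN client CONNECT to any port
(an SMTP relay, for instance) through the proxy.
"""
import ipaddress

# ACLs from the article's squid.conf: name -> (type, values).
ACLS = {
    "home_network": ("src", ["192.168.1.0/24"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777), (901, 901)]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
}

# The mistaken order: LAN clients are accepted before any port/method check runs.
PERMISSIVE_RULES = [
    ("allow", ["home_network"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# The order Squid's own documentation recommends: reject the dangerous cases first.
HARDENED_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("allow", ["home_network"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def acl_matches(name, request):
    """True if ACL `name` (optionally prefixed with '!') matches the request."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        # `in` is False when address and network families differ, so v4/v6 mix is safe
        hit = any(ip in ipaddress.ip_network(net) for net in values)
    elif kind == "port":
        hit = any(lo <= request["port"] <= hi for lo, hi in values)
    else:  # method
        hit = request["method"].upper() in values
    return hit != negate


def http_access(rules, request):
    """Emulate Squid: the first line whose ACLs all match decides.

    If no line matches, Squid applies the opposite of the last line's action;
    both rule sets above end with `deny all`, so that fallback never triggers.
    """
    for action, acl_names in rules:
        if all(acl_matches(n, request) for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(request):
    """Decision of both rule sets for one request dict with src, port and method."""
    return {"permissive": http_access(PERMISSIVE_RULES, request),
            "hardened": http_access(HARDENED_RULES, request)}


if __name__ == "__main__":
    # A LAN client tunnelling to an SMTP port: allowed by the permissive order, denied by the hardened one.
    print("CONNECT :25 from LAN  ->", compare({"src": "192.168.1.20", "port": 25, "method": "CONNECT"}))
    # An ordinary HTTPS tunnel works under both orders.
    print("CONNECT :443 from LAN ->", compare({"src": "192.168.1.20", "port": 443, "method": "CONNECT"}))
    # A host outside the LAN is refused either way.
    print("GET :80 from outside  ->", compare({"src": "10.0.0.5", "port": 80, "method": "GET"}))
```

Run it with `python3 squid_order.py`: the first line of output is the one to look at, since a `CONNECT` to port 25 from the LAN is accepted by the permissive order and refused by the hardened one, while normal browsing is unaffected by the change.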
Privoxy
Once Squid is configured we need to configure Privoxy. Its main configuration file is /etc/privoxy/config;
let's make a backup of the original and create a new one with these commands:
```
mv /etc/privoxy/config /etc/privoxy/config.bkp
vi /etc/privoxy/config
```
Then copy the following configuration:
```
# Location of the Privoxy User Manual.
user-manual /usr/share/doc/privoxy/user-manual
# The directory where the other configuration files are located.
confdir /etc/privoxy
# The directory where all logging takes place.
logdir /var/log/privoxy
# The actions file(s) to use.
actionsfile match-all.action # Actions that are applied to all sites and may be overruled later on.
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
# The filter file(s) to use.
filterfile default.filter
filterfile user.filter       # User customizations
# The log file to use.
logfile logfile
# The address and TCP port on which Privoxy listens for client requests.
# Loopback only: Squid is the only client, so nothing on the LAN can reach Privoxy directly.
listen-address 127.0.0.1:8118
# Initial state of the "toggle" status.
toggle 1
# Whether or not the web-based toggle feature may be used.
enable-remote-toggle 0
# Whether or not Privoxy recognizes special HTTP headers to change its behaviour.
enable-remote-http-toggle 0
# Whether or not the web-based actions file editor may be used.
# Anyone who can send requests through Squid can use the editor while this is 1; set it to 0 when done.
enable-edit-actions 1
# Whether the user is allowed to ignore blocks and can "go there anyway".
enforce-blocks 0
# Maximum size of the buffer for content filtering.
buffer-limit 4096
# Through which SOCKS proxy (and optionally to which parent HTTP proxy) requests should be routed.
# forward-socks5 hands the hostname to the SOCKS server, so DNS is resolved by Tor, not locally.
forward-socks5 / 127.0.0.1:9050 . # Tor proxy configuration
# How often Privoxy retries if a forwarded connection request fails.
forwarded-connect-retries 0
# Whether intercepted requests should be treated as valid.
accept-intercepted-requests 0
# Whether requests to Privoxy's CGI pages can be blocked or redirected.
allow-cgi-request-crunching 0
# Whether the CGI interface should stay compatible with broken HTTP clients.
split-large-forms 0
# Number of seconds after which an open connection will no longer be reused.
keep-alive-timeout 5
# Number of seconds after which a socket times out if no data is received.
socket-timeout 300
# The status code Privoxy returns for pages blocked with +handle-as-empty-document.
handle-as-empty-doc-returns-ok 1
```
The most important part of the configuration is the action and filter files, located in the same directory as the main configuration. In these files you set how restrictive the privacy measures are. You can edit them by hand or through the web interface at http://config.privoxy.org/show-status, which only works when your browser is set to use the Squid proxy (see the Client Configuration section). Bear in mind that while enable-edit-actions is 1, anyone who can send requests through Squid can also rewrite the action files through that interface, so set it to 0 once you are done.
There are three action files on your system:
- match-all.action: contains the actions applied to every site requested
- default.action: contains the actions applied by default to certain kinds of traffic or domains, for example ad blocking or deanimating GIFs
- user.action: contains the actions defined by the user
We are going to edit match-all.action to enable a feature that is off by default. The User-Agent request header reveals the browser and operating system you are using (see http://en.wikipedia.org/wiki/User_agent and http://www.user-agents.org/ to learn about user agents). Privoxy can replace it with a fixed value. Pick a common, current string for the replacement: a rare one, such as the old Netscape example used below, makes the proxy's traffic easier to single out rather than harder, so in practice the User-Agent of the current Tor Browser is a better choice. To change it, open the file:
```
vi /etc/privoxy/match-all.action
```
and add the following line
```
+hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)} \
```
before the closing curly bracket. The final match-all.action file should look like this:
```
# Pick a common, current User-Agent string for hide-user-agent; a rare one makes the traffic stand out
{ \
+change-x-forwarded-for{block} \
+client-header-tagger{css-requests} \
+client-header-tagger{image-requests} \
+deanimate-gifs{last} \
+filter{refresh-tags} \
+filter{img-reorder} \
+filter{banners-by-size} \
+filter{webbugs} \
+filter{jumping-windows} \
+filter{ie-exploits} \
+hide-from-header{block} \
+hide-referrer{conditional-block} \
+session-cookies-only \
+set-image-blocker{pattern} \
+hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)} \
}
/ # Match all URLs
```
The Onion Router (Tor)
Now that Privoxy is configured we need to set up Tor. Tor will run as a SOCKS5 proxy listening locally on port 9050, which means it does not only carry HTTP but any TCP connection handed to it. To do that, edit the configuration file /etc/tor/torrc
with the command:
```
vi /etc/tor/torrc
```
and add the following configuration at the end of the file:
```
# Country of the exit node(s): ISO 3166-1 alpha-2 codes in braces, comma separated,
# e.g. {US},{GB} (the United Kingdom is GB, not UK; see https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2)
ExitNodes {US}
# Address and port on which Tor accepts SOCKS connections. Bind to loopback so only local
# processes (Privoxy) can use it. The old SocksBindAddress option is obsolete and ignored by
# current Tor; the address goes on the SocksPort line instead. AllowUnverifiedNodes, seen in
# older howtos, is obsolete as well and has been left out.
SocksPort 127.0.0.1:9050
# Tor logging
Log notice syslog
# Run Tor as a daemon
RunAsDaemon 1
# Unprivileged user Tor switches to after start-up: toranon on CentOS/EPEL, debian-tor on Debian/Ubuntu.
# Tor refuses to start if this user does not exist.
User toranon
# How long to wait before giving up on building a circuit
CircuitBuildTimeout 30
# How many long-term entry guards to keep
NumEntryGuards 6
# Send a keepalive cell this often on open connections so stateful firewalls do not drop them
KeepalivePeriod 60
# Every 15 seconds consider whether to build a new circuit (default 30)
NewCircuitPeriod 15
# Where all Tor data is saved
DataDirectory /var/lib/tor
```
With this configuration every exit node used is located in the US, which lets us get around basic IP geolocation checks. The last step is to restart all the services with the following commands:
```
service squid restart
service privoxy restart
service tor restart
```
To check that everything is listening, run:
```
netstat --listen -np
```
You should see the system listening on ports 8080 (Squid, all interfaces), 8118 (Privoxy, loopback only) and 9050 (Tor, loopback only). Then confirm from a LAN client that traffic really leaves through Tor, for example with `curl -x http://<proxy-ip>:8080 https://check.torproject.org/api/ip`, which should report "IsTor": true and an exit-node address rather than your own; if Tor cannot build a circuit, look at /var/log/messages, where the syslog logging configured above ends up.
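Besides checking that the ports are open, it is worth seeing which request headers actually reach a destination after Squid (via off, forwarded_for off) and Privoxy (+hide-from-header, +change-x-forwarded-for, +hide-user-agent) have done their work. The script below is an added example written for this page, not code from the article or from any of the three projects: run it on a host outside the proxy (a VPS you control, on an assumed port 8000), fetch http://<that host>:8000/ from a LAN client configured to use the Squid proxy, and it answers with the headers it received plus a list of findings. The sample headers at the bottom are constructed, not captured traffic, and the expected User-Agent is the value set in match-all.action above.

```python
"""Header-leak check for the Squid -> Privoxy -> Tor chain (added example).

Serves a JSON report of the request headers that arrived and flags the ones
that identify the client or the proxy chain.  audit_headers() can also be run
offline on a header dict, which is how the constructed samples below are used.
"""
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers that must never reach the destination once Squid's `via off` and
# `forwarded_for off` and Privoxy's +hide-from-header / +change-x-forwarded-for
# are in effect.
FORBIDDEN = {"via", "x-forwarded-for", "forwarded", "from", "x-real-ip", "proxy-connection"}

# The value Privoxy's +hide-user-agent substitutes in the article's match-all.action.
EXPECTED_UA = "Netscape 6.1 (X11; I; Linux 2.4.18 i686)"


def _carries_private_ip(value):
    """True if any whitespace/comma separated token in the value is a private IP."""
    for token in value.replace(",", " ").split():
        try:
            if ipaddress.ip_address(token).is_private:
                return True
        except ValueError:
            continue
    return False


def audit_headers(headers, expected_user_agent=None):
    """Return a list of (header, reason) findings for a dict of request headers.

    If expected_user_agent is given, any other User-Agent value is reported,
    since it means the real browser identity was not replaced.
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in sorted(FORBIDDEN.intersection(lower)):
        findings.append((name, "proxy-identifying header reached the server"))
    for name, value in lower.items():
        if name not in FORBIDDEN and _carries_private_ip(value):
            findings.append((name, "carries a private (LAN) IP address"))
    if expected_user_agent is not None and lower.get("user-agent") != expected_user_agent:
        findings.append(("user-agent", "real browser identity not replaced"))
    return findings


class LeakCheckHandler(BaseHTTPRequestHandler):
    """Echoes the received headers and the audit result as JSON."""

    def do_GET(self):
        headers = dict(self.headers.items())
        report = {
            # Should be a Tor exit address, never the LAN client or the Squid host.
            "remote_addr": self.client_address[0],
            "headers": headers,
            "findings": audit_headers(headers, EXPECTED_UA),
        }
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed samples: what a misconfigured chain would deliver, and the intended result.
LEAKY_SAMPLE = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0",
    "Via": "1.1 proxy.home.lan (squid/3.1.23)",
    "X-Forwarded-For": "192.168.1.20",
}
CLEAN_SAMPLE = {"Host": "example.test", "User-Agent": EXPECTED_UA, "Accept": "*/*"}


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", audit_headers(sample, EXPECTED_UA))
    # Listen on all interfaces on the assumed port 8000 until interrupted.
    HTTPServer(("0.0.0.0", 8000), LeakCheckHandler).serve_forever()
```

An empty findings list together with a remote_addr that belongs to a Tor exit is the result you want; a Via or X-Forwarded-For finding points at the Squid side, a User-Agent finding at the Privoxy action file, and a LAN address in remote_addr means the request never went through the chain at all.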
DONE
Source:
…