Thursday, April 4, 2013

Set up your own proxy with squid+privoxy+tor on Debian-like distros

We use 8 tor processes, each with its own spool directory (DataDirectory), and 8 privoxy processes, each configured to talk to a separate tor instance, so working out the route your requests take is much more difficult.

A few notes before you start:
All configuration parts in [] need to be replaced with your own information, for example:
[YOURIPADDRESS] = 192.168.10.254
On Ubuntu you need to use sudo for most of the commands (or run sudo -s at the start).

1. After you have installed your distribution, do an update
Code: [Select]
apt-get update
apt-get upgrade && apt-get dist-upgrade

2. Install the needed software (Squid, Privoxy, Tor, Haproxy)

Code: [Select]
apt-get install tor privoxy squid haproxy

3. Stop all processes before you start editing configuration files

Code: [Select]
service squid3 stop
service privoxy stop
service tor stop

4. Now create the different Tor configuration files (/etc/tor/torrc-1 to /etc/tor/torrc-8). These are very basic and can be adjusted as you need.

torrc-1
Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9050 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9050 # what port to open for local application connections
DataDirectory /var/lib/tor1
PidFile /var/run/tor/tor-1.pid

torrc-2
Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9150 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9150
ControlPort 9151
DataDirectory /var/lib/tor2
PidFile /var/run/tor/tor-2.pid

torrc-3

Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9250 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9250
ControlPort 9251
DataDirectory /var/lib/tor3
PidFile /var/run/tor/tor-3.pid

torrc-4
Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9350 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9350
ControlPort 9351
DataDirectory /var/lib/tor4
PidFile /var/run/tor/tor-4.pid

torrc-5
Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9450 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9450
ControlPort 9451
DataDirectory /var/lib/tor5
PidFile /var/run/tor/tor-5.pid

torrc-6

Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9550 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9550
ControlPort 9551
DataDirectory /var/lib/tor6
PidFile /var/run/tor/tor-6.pid

torrc-7
Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9650 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9650
ControlPort 9651
DataDirectory /var/lib/tor7
PidFile /var/run/tor/tor-7.pid

torrc-8
Code: [Select]
SocksBindAddress 127.0.0.1 # loopback, for the local privoxy instance
SocksBindAddress [YOURIPADDRESS]:9750 # LAN address as well, needed for proxychains
SocksPolicy accept * # better: accept only [YOURNETWORK/CIDRSUBNETNOTATION], then reject *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
SocksPort 9750
ControlPort 9751
DataDirectory /var/lib/tor8
PidFile /var/run/tor/tor-8.pid

5. Create the tor lib directories /var/lib/tor1 to /var/lib/tor8 (owned by debian-tor, mode 700, like the default /var/lib/tor)

Code: [Select]
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor1
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor2
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor3
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor4
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor5
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor6
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor7
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor8

6. Replace /etc/init.d/tor with the script below (keep a copy of the original)

Code: [Select]
cp /etc/init.d/tor /etc/init.d/tor.orig
rm /etc/init.d/tor
nano /etc/init.d/tor
chmod +x /etc/init.d/tor

Code: [Select]
#! /bin/bash
 
### BEGIN INIT INFO
# Provides:          tor
# Required-Start:    $local_fs $remote_fs $network $named $time
# Required-Stop:     $local_fs $remote_fs $network $named $time
# Should-Start:      $syslog
# Should-Stop:       $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts The Onion Router daemon processes
# Description:       Start The Onion Router, a TCP overlay
#                    network client that provides anonymous
#                    transport.
### END INIT INFO
 
set -e
 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/tor
NAME=tor
DESC="tor daemon"
CONFDIR=/etc/tor
TORPIDDIR=/var/run/tor
TORPID=$TORPIDDIR/tor
DEFAULTSFILE=/etc/default/$NAME
WAITFORDAEMON=60
ARGS="--quiet -f $CONFDIR/torrc"   # the instance number is appended below: torrc-1 .. torrc-8
# Let's try to figure our some sane defaults:
if [ -r /proc/sys/fs/file-max ]; then
    system_max=`cat /proc/sys/fs/file-max`
    if [ "$system_max" -gt "80000" ] ; then
        MAX_FILEDESCRIPTORS=32768
    elif [ "$system_max" -gt "40000" ] ; then
        MAX_FILEDESCRIPTORS=16384
    elif [ "$system_max" -gt "10000" ] ; then
        MAX_FILEDESCRIPTORS=8192
    else
        MAX_FILEDESCRIPTORS=1024
        cat << EOF
 
Warning: Your system has very few filedescriptors available in total.
 
Maybe you should try raising that by adding 'fs.file-max=100000' to your
/etc/sysctl.conf file.  Feel free to pick any number that you deem appropriate.
Then run 'sysctl -p'.  See /proc/sys/fs/file-max for the current value, and
file-nr in the same directory for how many of those are used at the moment.
 
EOF
    fi
else
    MAX_FILEDESCRIPTORS=8192
fi
 
NICE=""
 
test -x $DAEMON || exit 0
 
# Include tor defaults if available
if [ -f $DEFAULTSFILE ] ; then
    . $DEFAULTSFILE
fi
 
wait_for_deaddaemon () {
    pid=$1
    sleep 1
    if test -n "$pid"
    then
        if kill -0 $pid 2>/dev/null
        then
            echo -n "."
            cnt=0
            while kill -0 $pid 2>/dev/null
            do
                cnt=`expr $cnt + 1`
                if [ $cnt -gt $WAITFORDAEMON ]
                then
                    echo " FAILED."
                    return 1
                fi
                sleep 1
                echo -n "."
            done
        fi
    fi
    return 0
}
 
 
check_torpiddir () {
    if test ! -d $TORPIDDIR; then
        #echo "There is no $TORPIDDIR directory.  Creating one for you."
        mkdir -m 02750 "$TORPIDDIR"
        chown debian-tor:debian-tor "$TORPIDDIR"
    fi
 
    if test ! -x $TORPIDDIR; then
        echo "Cannot access $TORPIDDIR directory, are you root?" >&2
        exit 1
    fi
}
 
check_config () {
    # Verify the given torrc (defaults to $CONFDIR/torrc). The instances use
    # torrc-1 .. torrc-8, so callers pass the file they are about to start with.
    cfg=${1:-$CONFDIR/torrc}
    if ! $DAEMON --verify-config -f "$cfg" > /dev/null; then
        echo "ABORTED: Tor configuration $cfg invalid:" >&2
        $DAEMON --verify-config -f "$cfg" >&2
        exit 1
    fi
}
 
 
case "$1" in
  start)
    if [ "$RUN_DAEMON" != "yes" ]; then
        echo "Not starting $DESC (Disabled in $DEFAULTSFILE)."
        exit 0
    fi
 
    if [ -n "$MAX_FILEDESCRIPTORS" ]; then
        echo -n "Raising maximum number of filedescriptors (ulimit -n) to $MAX_FILEDESCRIPTORS"
        if ulimit -n "$MAX_FILEDESCRIPTORS" ; then
            echo "."
        else
            echo ": FAILED."
        fi
    fi
 
    check_torpiddir
 
    echo "Starting $DESC: $NAME..."
    for c in {1..8}
    do
        check_config $CONFDIR/torrc-$c
        start-stop-daemon --start --quiet --oknodo \
            --pidfile $TORPID-$c.pid \
            $NICE \
            --exec $DAEMON -- $ARGS-$c
        echo "$NAME $c done."
    done
    ;;
  stop)
    echo -n "Stopping $DESC: "
    for c in {1..8}
    do
        pid=`cat $TORPID-$c.pid 2>/dev/null` || true

        if test ! -f $TORPID-$c.pid -o -z "$pid"; then
            # 'continue', not 'exit': one missing instance must not skip the others
            echo "$NAME $c not running (there is no $TORPID-$c.pid)."
            continue
        fi

        if start-stop-daemon --stop --signal INT --quiet --pidfile $TORPID-$c.pid --exec $DAEMON; then
            wait_for_deaddaemon $pid
            echo "$NAME $c stopped."
        elif kill -0 $pid 2>/dev/null
        then
            echo "FAILED (Is $pid not $NAME?  Is $DAEMON a different binary now?)."
        else
            echo "FAILED ($DAEMON died: process $pid not running; or permission denied)."
        fi
    done
    ;;
  reload|force-reload)
    echo -n "Reloading $DESC configuration: "
    for c in {1..8}
    do
        pid=`cat $TORPID-$c.pid 2>/dev/null` || true

        if test ! -f $TORPID-$c.pid -o -z "$pid"; then
            echo "$NAME $c not running (there is no $TORPID-$c.pid)."
            continue
        fi

        check_config $CONFDIR/torrc-$c

        if start-stop-daemon --stop --signal 1 --quiet --pidfile $TORPID-$c.pid --exec $DAEMON
        then
            echo "$NAME $c."
        elif kill -0 $pid 2>/dev/null
        then
            echo "FAILED (Is $pid not $NAME?  Is $DAEMON a different binary now?)."
        else
            echo "FAILED ($DAEMON died: process $pid not running; or permission denied)."
        fi
    done
    ;;
  restart)
    for c in {1..8}
    do
        check_config $CONFDIR/torrc-$c
    done

    $0 stop
    sleep 1
    $0 start
    ;;
  status)
    if test ! -r $TORPIDDIR; then
        echo "cannot read tor PID files in $TORPIDDIR"
        exit 4
    fi
    rc=0
    for c in {1..8}
    do
        pid=`cat $TORPID-$c.pid 2>/dev/null` || true
        if test ! -f $TORPID-$c.pid -o -z "$pid"; then
            echo "tor $c is not running"
            rc=3
        elif ps "$pid" >/dev/null 2>&1; then
            echo "tor $c is running"
        else
            echo "tor $c is not running (stale $TORPID-$c.pid)"
            rc=1
        fi
    done
    exit $rc
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|force-reload|status}" >&2
    exit 1
    ;;
esac
 
exit 0

Now you can start tor with service tor start and see whether all 8 tor instances come up
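As an added check (example code, not from the original post): this script sends the SOCKS5 method-negotiation greeting to each instance's SocksPort and reports which of the 8 are answering. It assumes the ports from torrc-1 to torrc-8 above (9050, 9150, ..., 9750) on 127.0.0.1.

```python
"""Probe each tor instance's SOCKS port with a SOCKS5 method-negotiation handshake.

Added example, not part of the original post. A tor instance that is up answers
the client greeting 05 01 00 (version 5, one method offered, no-auth) with
05 00; a refused connection, a timeout or a non-SOCKS listener reports as down.
Only the greeting is sent, so no circuit is built and nothing is relayed.
"""
import socket

HOST = "127.0.0.1"  # where torrc-1 .. torrc-8 bind their SocksPort


def socks_ports(instances=8, first=9050, step=100):
    """SocksPort values used by torrc-1 .. torrc-8: 9050, 9150, ..., 9750."""
    return [first + step * i for i in range(instances)]


def build_greeting():
    """SOCKS5 client greeting offering only the 'no authentication' method."""
    return bytes([0x05, 0x01, 0x00])


def parse_greeting_reply(data):
    """True if the server chose no-auth (05 00); 05 ff means no acceptable method."""
    return len(data) == 2 and data[0] == 0x05 and data[1] == 0x00


def probe(host, port, timeout=3.0):
    """Return (port, 'up' or 'down', detail) for one SOCKS listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_greeting())
            reply = sock.recv(2)
    except OSError as exc:  # connection refused, timeout, unreachable, ...
        return port, "down", str(exc)
    if parse_greeting_reply(reply):
        return port, "up", "SOCKS5 no-auth accepted"
    return port, "down", "unexpected reply " + (reply.hex() or "<empty>")


def probe_all(host=HOST, ports=None):
    """Probe every instance; returns the list of (port, state, detail) tuples."""
    return [probe(host, port) for port in (ports or socks_ports())]


if __name__ == "__main__":
    results = probe_all()
    for port, state, detail in results:
        print(f"{HOST}:{port} {state:4s} {detail}")
    # non-zero exit if any instance is missing, handy in a cron or monitoring job
    raise SystemExit(1 if any(state != "up" for _, state, _ in results) else 0)
```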

7. Create the privoxy configuration files /etc/privoxy/config-1 through /etc/privoxy/config-8 (each one listens on its own port and forwards to its own tor instance)

config-1
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy1
listen-address localhost:8118
forward-socks5 / 127.0.0.1:9050 .

config-2
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy2
listen-address localhost:8129
forward-socks5 / 127.0.0.1:9150 .

config-3
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy3
listen-address localhost:8230
forward-socks5 / 127.0.0.1:9250 .

config-4
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy4
listen-address localhost:8321
forward-socks5 / 127.0.0.1:9350 .

config-5

Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy5
listen-address localhost:8421
forward-socks5 / 127.0.0.1:9450 .

config-6
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy6
listen-address localhost:8522
forward-socks5 / 127.0.0.1:9550 .

config-7
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy7
listen-address localhost:8623
forward-socks5 / 127.0.0.1:9650 .

config-8
Code: [Select]
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy8
listen-address localhost:8724
forward-socks5 / 127.0.0.1:9750 .

8. Create privoxy log directories /var/log/privoxy1 to /var/log/privoxy8

Code: [Select]
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy1
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy2
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy3
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy4
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy5
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy6
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy7
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy8

9. Replace /etc/init.d/privoxy with the script below (keep a copy of the original)

Code: [Select]
cp /etc/init.d/privoxy /etc/init.d/privoxy.orig
rm /etc/init.d/privoxy
nano /etc/init.d/privoxy
chmod +x /etc/init.d/privoxy

Code: [Select]
#! /bin/bash
### BEGIN INIT INFO
# Provides:          privoxy
# Required-Start:    $local_fs $remote_fs $network $time
# Required-Stop:     $local_fs $remote_fs $network $time
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Privacy enhancing HTTP Proxy
# Description:       Privoxy is a web proxy with advanced filtering
#                    capabilities for protecting privacy, filtering
#                    web page content, managing cookies, controlling
#                    access, and removing ads, banners, pop-ups and
#                    other obnoxious Internet junk.
### END INIT INFO
 
# Author: Roland Rosenfeld <roland@debian.org>
 
# Do NOT "set -e"
 
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="filtering proxy server"
NAME=privoxy
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME
OWNER=privoxy
CONFIGFILE=/etc/privoxy/config
SCRIPTNAME=/etc/init.d/$NAME
LOGDIR=/var/log/privoxy
DEFAULTSFILE=/etc/default/$NAME
 
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
 
# Read configuration variable file if it is present
[ -r $DEFAULTSFILE ] && . $DEFAULTSFILE
 
# Create log directory if it does not exist
if [ ! -d "$LOGDIR" ]; then
    mkdir -m 750 $LOGDIR
    chown $OWNER:adm $LOGDIR
fi
 
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
 
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
 
#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if all daemons have been started
    #   1 if at least one daemon was already running
    #   2 if at least one daemon could not be started

    stats=0
    for c in {1..8}
    do
        # --user drops root after start-up; config-$c carries this instance's ports
        DAEMON_ARGS="--pidfile $PIDFILE-$c.pid --user $OWNER $CONFIGFILE-$c"
        if start-stop-daemon --start --quiet --pidfile $PIDFILE-$c.pid --exec $DAEMON --test > /dev/null
        then
            start-stop-daemon --start --quiet --pidfile $PIDFILE-$c.pid --exec $DAEMON -- \
                $DAEMON_ARGS \
                || stats=2
        else
            # already running; only report 1 if nothing has failed outright
            [ "$stats" = 0 ] && stats=1
        fi
    done
    return "$stats"
}
 
#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if at least one daemon has been stopped
    #   1 if all daemons were already stopped
    #   2 if a daemon could not be stopped
    RETVAL=1
    for c in {1..8}
    do
        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE-$c.pid --name $NAME
        rc="$?"
        [ "$rc" = 2 ] && return 2
        [ "$rc" = 0 ] && RETVAL=0
        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE-$c.pid
    done
    # Catch any leftover privoxy process. Done once, after the loop: inside the
    # loop this --exec match would have killed instances 2-8 on the first pass.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    return "$RETVAL"
}
 
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    # One privoxy per pidfile, so every instance has to be signalled.
    for c in {1..8}
    do
        start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE-$c.pid --name $NAME
    done
    return 0
}
 
 
case "$1" in
  start)
    if [ "$RUN_DAEMON" = "no" ]; then
            [ "$VERBOSE" != no ] && log_warning_msg "Not starting $DESC (disabled in $DEFAULTSFILE)."
            exit 0
    fi
 
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  #reload|force-reload)
    #
    # If do_reload() is not implemented then leave this commented out
    # and leave 'force-reload' as an alias for 'restart'.
    #
    #log_daemon_msg "Reloading $DESC" "$NAME"
    #do_reload
    #log_end_msg $?
    #;;
  restart|force-reload)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    if [ "$RUN_DAEMON" = "no" ]; then
            [ "$VERBOSE" != no ] && log_warning_msg "Not restarting $DESC (disabled in $DEFAULTSFILE)."
            exit 0
    fi
 
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
          # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  status)
    rc=0
    for c in {1..8}
    do
        status_of_proc -p $PIDFILE-$c.pid "$DAEMON" "$NAME-$c" || rc=$?
    done
    exit $rc
    ;;
 
  *)
    #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
    exit 3
    ;;
esac
 
:

Now you can start privoxy with service privoxy start and check the listening ports with netstat --listening

10. Edit your squid configuration file /etc/squid/squid.conf

Code: [Select]
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl home_network src [YOURNETWORK/CIDRSUBNETNOTATION]
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# the deny rules have to come before the home_network allow, otherwise they never match
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow home_network
http_access allow localhost
http_access deny all
icp_access deny all
http_port 3400
icp_port 0
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# one parent per privoxy instance; the localhostN names are the /etc/hosts aliases from step 11
cache_peer localhost parent 8118 0 round-robin no-query
cache_peer localhost2 parent 8129 0 round-robin no-query
cache_peer localhost3 parent 8230 0 round-robin no-query
cache_peer localhost4 parent 8321 0 round-robin no-query
cache_peer localhost5 parent 8421 0 round-robin no-query
cache_peer localhost6 parent 8522 0 round-robin no-query
cache_peer localhost7 parent 8623 0 round-robin no-query
cache_peer localhost8 parent 8724 0 round-robin no-query
# everything goes through a parent (privoxy -> tor), never directly
never_direct allow all
always_direct deny all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
forwarded_for off
coredump_dir /home/squid-cache # where squid writes core dumps (the cache itself is set with cache_dir)
pid_filename /var/run/squid-in.pid
access_log /var/log/squid3/access.squid-in.log
cache_store_log /var/log/squid3/store.squid-in.log
cache_log /var/log/squid3/cache.squid-in.log

To start squid for the first time, run squid3 -z (this creates the cache directories)

11. Edit your hosts file /etc/hosts. Squid wants a distinct name for each cache_peer, so add aliases that all resolve to 127.0.0.1:
Code: [Select]
127.0.0.1 localhost
127.0.0.1 localhost2
127.0.0.1 localhost3
127.0.0.1 localhost4
127.0.0.1 localhost5
127.0.0.1 localhost6
127.0.0.1 localhost7
127.0.0.1 localhost8

12. Edit the haproxy configuration file /etc/haproxy/haproxy.cfg

Code: [Select]
# this config needs haproxy-1.1.28 or haproxy-1.2.1

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        maxconn 4096
        #chroot /usr/share/haproxy
        user haproxy
        group haproxy
        daemon
        #debug
        #quiet

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        maxconn 2000
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

listen socks [YOURIPADDRESS]:9058
        mode tcp
        balance roundrobin

        # one backend per tor instance; the ports are the SocksPort values from torrc-1 to torrc-8
        server tor0 127.0.0.1:9050
        server tor1 127.0.0.1:9150
        server tor2 127.0.0.1:9250
        server tor3 127.0.0.1:9350
        server tor4 127.0.0.1:9450
        server tor5 127.0.0.1:9550
        server tor6 127.0.0.1:9650
        server tor7 127.0.0.1:9750

13. Allow the init script to start haproxy (in /etc/default/haproxy)

Code: [Select]
# Set ENABLED to 1 if you want the init script to start haproxy.
ENABLED=1

Now you can start haproxy with service haproxy start
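A consistency check for the chain configured in steps 4 to 13, added here as example code (not from the original post): it parses the torrc-N, privoxy config-N, squid.conf, /etc/hosts and haproxy.cfg contents and reports every privoxy that does not forward to a tor SocksPort (or shares one with another privoxy), every squid cache_peer without a matching privoxy port or hosts alias, every haproxy server that is not a tor SocksPort, and any port, DataDirectory or PidFile used by two tor instances. The SAMPLE_* strings are constructed two-instance excerpts of the files above.

```python
"""Cross-check the tor -> privoxy -> squid / haproxy chain from steps 4-13.

Added example, not part of the original post. The SAMPLE_* strings are
constructed two-instance stand-ins for /etc/tor/torrc-N, /etc/privoxy/config-N,
/etc/squid/squid.conf, /etc/hosts and /etc/haproxy/haproxy.cfg; read the real
files into the same shapes to check a live box.
"""


def directives(text, name):
    """Yield the fields of every line starting with `name`, '#' comments stripped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields[:1] == [name]:
            yield fields


def hostport(value):
    """'127.0.0.1:9050' -> ('127.0.0.1', 9050)."""
    host, port = value.rsplit(":", 1)
    return host, int(port)


def torrc_values(text, option):
    """All values given for a torrc option (options like SocksPort may repeat)."""
    return [" ".join(fields[1:]) for fields in directives(text, option)]


def check_chain(torrcs, privoxies, squid_conf, hosts, haproxy_conf):
    """Return a list of readable problems; an empty list means the chain is consistent."""
    problems, tor_ports, seen = [], set(), {}
    for name, text in torrcs.items():
        tor_ports.update(int(p) for p in torrc_values(text, "SocksPort"))
        # every instance needs its own ports, spool directory and pid file
        for option in ("SocksPort", "ControlPort", "DataDirectory", "PidFile"):
            for value in torrc_values(text, option):
                if value in seen:
                    problems.append(f"{name}: {option} {value} already used by {seen[value]}")
                seen[value] = name
    privoxy_ports, forwards = set(), {}
    for name, text in privoxies.items():
        privoxy_ports.update(hostport(f[1])[1] for f in directives(text, "listen-address"))
        # forward-socks5 <url-pattern> <socks host:port> <http parent or '.'>
        for fields in directives(text, "forward-socks5"):
            host, port = hostport(fields[2])
            if port not in tor_ports:
                problems.append(f"{name}: forwards to {host}:{port}, not a tor SocksPort")
            if port in forwards:  # the design wants one tor per privoxy
                problems.append(f"{name}: shares tor port {port} with {forwards[port]}")
            forwards[port] = name
    aliases = {n for f in directives(hosts, "127.0.0.1") for n in f[1:]}
    # cache_peer <hostname> <type> <http_port> <icp_port> [options]
    for fields in directives(squid_conf, "cache_peer"):
        host, port = fields[1], int(fields[3])
        if host not in aliases:
            problems.append(f"squid: cache_peer {host} has no 127.0.0.1 entry in /etc/hosts")
        if port not in privoxy_ports:
            problems.append(f"squid: cache_peer port {port} is not a privoxy listen-address")
    for fields in directives(haproxy_conf, "server"):  # server <name> <host:port>
        host, port = hostport(fields[2])
        if port not in tor_ports:
            problems.append(f"haproxy: server {fields[1]} {host}:{port} is not a tor SocksPort")
    return problems


# Constructed samples: torrc-1/torrc-2 and config-1/config-2 cut down to the relevant lines.
SAMPLE_TORRCS = {
    "torrc-1": "SocksPort 9050 # what port to open\nDataDirectory /var/lib/tor1\n"
               "PidFile /var/run/tor/tor-1.pid\n",
    "torrc-2": "SocksPort 9150\nControlPort 9151\nDataDirectory /var/lib/tor2\n"
               "PidFile /var/run/tor/tor-2.pid\n",
}
SAMPLE_PRIVOXIES = {
    "config-1": "listen-address localhost:8118\nforward-socks5 / 127.0.0.1:9050 .\n",
    "config-2": "listen-address localhost:8129\nforward-socks5 / 127.0.0.1:9150 .\n",
}
SAMPLE_SQUID = ("cache_peer localhost parent 8118 0 round-robin no-query\n"
                "cache_peer localhost2 parent 8129 0 round-robin no-query\n")
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 localhost2\n"
SAMPLE_HAPROXY = "    server tor0 127.0.0.1:9050\n    server tor1 127.0.0.1:9150\n"

if __name__ == "__main__":
    found = check_chain(SAMPLE_TORRCS, SAMPLE_PRIVOXIES, SAMPLE_SQUID, SAMPLE_HOSTS, SAMPLE_HAPROXY)
    print("\n".join(found) or "chain is consistent")
```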

14. Using haproxy/tor with proxychains

On your client computer, install proxychains and edit /etc/proxychains.conf

Code: [Select]
apt-get install proxychains
nano /etc/proxychains.conf

Add the following entry at the bottom

Code: [Select]
socks4 [PROXYIPADDRESS] 9058

Now you can run something like
Code: [Select]
proxychains nmap -P0 -sS -sV -v  [TARGETADDRESS]

15. Using your proxy in a browser

In your browser, set the proxy server to the following values

IP: [PROXYIPADDRESS] Port: 3400



1 comment:

  1. Good howto.

    I have a couple of questions:
    1. Why so many tor processes?
    2. Why proxychains?
    I understand the need for haproxy (that's quite clever, and haproxy is such a sweet piece of software).
    I want a similar configuration, however I want to have a server that just listens on say port 9999 for connections and then forwards the data to the tor nodes. In other words I want all my hosts on my network to be able to proxy to this host when I want to use tor.

    I am thinking:
    squid --> privoxy --> tor

    That's why I wanted to know why so many tor processes were needed.
