Comments on Ultimate Security Proxy With Tor

Ultimate Security Proxy With Tor

Nowadays, in the growing web 2.0 environment, you may want some anonymity and to appear from IP addresses other than your own, or, for some special purposes, from several IPs that change frequently, so that you are much harder to track. A solution exists, and it is called the Tor Project, or simply tor. There are plenty of articles and howtos explaining how it works; I'm not going to describe onion routing and its principles here, but rather how to practically get the most out of it.

Comments

By: Bohdan Turkynewych

Sorry about that, I forgot to add the /etc/hosts file to the article...

That is how I fooled squid.

 

Here is the file:

 

# every alias resolves to loopback; squid only sees eight distinct host names
127.0.0.1  localhost
127.0.0.1  localhost2
127.0.0.1  localhost3
127.0.0.1  localhost4
127.0.0.1  localhost5
127.0.0.1  localhost6
127.0.0.1  localhost7
127.0.0.1  localhost8

By: Pete Ashdown

Yes, but you can run HAProxy off of Privoxy and SOCKS quite well.  I've cut out squid entirely for a client server.  Here is a config:

global
    maxconn 4096
    ulimit-n 65536
    quiet
    daemon
    nbproc 2
    user haproxy
    group haproxy

defaults
    retries    3
    redispatch
    maxconn    2000
    # pre-1.5 timeout spellings; newer HAProxy uses "timeout connect/client/server"
    contimeout    5000
    clitimeout    50000
    srvtimeout    50000

# Browser-facing side: clients point their HTTP proxy at 8118 (or 443) and
# each new TCP connection is handed to the next Privoxy instance in turn.
listen privoxytor :8118,:443
    mode tcp
    balance roundrobin

    server privoxy 127.0.0.1:8119
    server privoxy1 127.0.0.1:8129
    server privoxy2 127.0.0.1:8230
    server privoxy3 127.0.0.1:8321
    server privoxy4 127.0.0.1:8421
    server privoxy5 127.0.0.1:8522
    server privoxy6 127.0.0.1:8623
    server privoxy7 127.0.0.1:8724
    server privoxy8 127.0.0.1:8825

# SOCKS-facing side: one well-known port (9050) spread round-robin over
# nine Tor instances, each listening on its own SocksPort.
listen socks :9050
    mode tcp
    balance roundrobin

    server tor 127.0.0.1:9052
    server tor1 127.0.0.1:9150
    server tor2 127.0.0.1:9250
    server tor3 127.0.0.1:9350
    server tor4 127.0.0.1:9450
    server tor5 127.0.0.1:9550
    server tor6 127.0.0.1:9650
    server tor7 127.0.0.1:9750
    server tor8 127.0.0.1:9850

By:

Interesting idea. Thanks for the good read!

By: Woods

Very interesting indeed. A good privacy service is a MUST have on today's internet.

Jiff

www.online-anonymity.kr.tc 

By:

let me thank you for that interesting and intriguing idea.

By: syniack

Nice tutorial, thanks dude for sharing such a nice tutorial.

By: Anonymous

Damn, forgot the picture to make it somewhat clearer:

 http://img300.imageshack.us/img300/636/torprivoxysquid.png

By: Anonymous

Well I have some questions for my setup.

Internet -> Router -> FreeBSD -> Local machines

FreeBSD currently contains only Squid, but I would love to include tor as shown in the tutorial above. Currently I have all local users set up with the HTTP proxy in their browsers pointing to squid on the FreeBSD box, port 3128 (squid's default).

If I add tor to it, how do the users connect to this server? What port and configuration are required for the browser/client? How is the load of a single client handled by the Tor network, given that you mentioned disabling squid?

Thanks

 

By: Anonymous

First, let me thank you for that interesting and intriguing idea. I tried it in a VM and came across some problems, so I thought I'd share the solutions and improvements with the rest of you. I'm sorry for any grammar-related fuck-ups, as I'm a non-native English speaker.

Software used: Arch i686 2.6.29-3, Tor v0.2.0.34 r18423, Privoxy 3.0.12, Squid 2.7 STABLE6

I only used Squid-IN as a caching proxy collecting from the 8 Privoxy instances. The next step will be including havp in the chain.

1. Tor config

- The "Group" option is deprecated and no longer needed.
- What exactly is the ControlPort for? I didn't see it used anywhere, just Tor throwing a warning about the ControlPort used without authorization. I simply deleted the line, everything still works fine.
- Once everything runs smoothly, logging isn't really needed any longer, is it? Same goes for the other log files.

2. Privoxy config

- The "standard.action" is now called "match-all.action". Privoxy won't start with "standard.action"

3. Privoxy startup script

- The "$PRIVOXY_ARGS" when starting the Privoxy instances needs to be removed. Privoxy won't start, but without them they work as expected.
- For testing purposes, and as I'm only using one squid, I deleted the havp and squid lines and used the existing /etc/rc.d/squid, so every chain link can be started/stopped separately.

4. Squid config

I had a problem getting your config up and running, haven't found out exactly where it hangs. I edited the squid.conf.default to mainly do the same.

- "cache_peer localhost2 parent 8129 0 round-robin no-query" won't work, as squid understandably can't resolve "localhost2".

Instead use:

"cache_peer localhost parent 8129 0 round-robin no-query name=localhost2" and corresponding, which will work just fine.

Problem with the first line: it works, but only the first entry (which correctly reads "localhost" as host), so it doesn't really improve anonymity with only one Tor-session effectively used.

Using this config I got the whole chain up and running quite stably. Btw, I'm using encryption for the VM disk; one never knows when it may come in handy. Hope this helps someone who tried it and ran into the same problems.

By: Anonymous

Or nginx.

By: Anonymous

Tor is fine as far as security, but it's so slow, you'll give up really fast. I know 'cause I've tried it. There's also a Firefox addon for Tor.

By: HeroicLife

It would be great if someone provided this setup as a virtual machine.  I'd like to be able to fire it up in VMware and just set up a proxy in Firefox.

By: Anonymous

Yes, someone, please do this! Also, add that the DNS requests go to OpenDNS (suggested by the poster below).

By: Anonymous

Hear, hear! That would be great, or if you could make a Windows installer instead!!!!! PIMPIN! I would totally settle for a VM! If anybody can make one and megaupload it or something I'd be so grateful!

By: crazyfag

It's really great to have a Megaupload automatic filler, thanks!

By: Anonymous

Don't forget, your ISP can record your DNS lookups, so be sure to route your DNS to keep it private.

By: David Nielsen

This seems like the perfect use case for appliances.

You should easily be able to make one or several of the required components along with configuration using one of the many appliance tools Linux now offers.

http://www.rpath.com/rbuilder/

http://studio.suse.com

http://fedoraproject.org/wiki/CustomSpins

This would allow you to post a working set of images to go along with the tutorial which have all the required packages and configuration. SuSE Studio here is especially smart since it lets you boot the appliance and customize the configuration before making the final images. This would also add the additional security of encapsulating everything so no unneeded components were installed, and it would allow you to run everything virtualized.

By: baby

Maybe you could also give tips for n00bs..

Your idea sounds great.

By: Anonymous

Why not just give torvm to every user for their browsing safety? The malware_domains.txt contains what? And, that's an old version of tor, it appears 0.2.0.31 is current.

By: Yaminashi

This is great for noobs that need to get on websites at work or at school; everybody is looking for proxies and this is a great way to get on websites.

By: Anonymous

Set one up in a virtual machine using Debian, but surfing is still quite slow. Any way to speed things up? The problem appears to be latency, not bandwidth.

By: Nick

Hi There,

Seems like a bit of a resource waste running a privoxy process for each tor listener; I would suggest load balancing tor with haproxy would be a less intensive approach :)

An example haproxy config would be something like.....

listen tor :9100
        mode tcp
        option tcplog
        balance roundrobin

        # "check" takes an instance out of rotation while its SocksPort refuses
        # TCP connections (a plain connect check, no SOCKS handshake)
        server tor1 127.0.0.1:9150 check
        server tor2 127.0.0.1:9250 check
        server tor3 127.0.0.1:9350 check
        server tor4 127.0.0.1:9450 check
        server tor5 127.0.0.1:9550 check

By: Aries

Because tor is not a http proxy.

By: Bill

It's a lot easier to just use web proxies. Here are a few working ones:

Proxy Bypass
Web Anonymous
Hidden Proxy
Web Proxies
IP Hide
Internet Bypass
How to Bypass

By: Anonymous

I am kind of surprised this hasn't been built into an image.  Back in High School I was pretty into linux and looking at this I imagine that one day I would have been able to understand it and implement it fairly easily.  However, those days have passed, and now I am sitting here scratching my head, praying that someone would be kind enough to blow this into an image and post it somewhere...

 Alas...

By: tb0hdan

Hello, All

I'm happy to announce that this article was finally used to create a loosely based LiveCD with most of the features described here.

 Source code (GPLv3) is available here: http://github.com/tb0hdan/4n0n

And there's an ISO, too: http://4n0n.org.ua/4n0n-6.1.2.iso

This can be interesting for linux developers, bash scripters, and security professionals.

Have phun!

By: Anonymous

Hi I am using ubuntu 11.04

The domain list updater script would not work. It spits out errors about the decode function; it appears there are syntax errors in the script.

 Thank You.

By: us&

Problem with squid3; I'm on Linux Mint & I have /etc/rc0d rc1d etc...

Please, a tutorial for Mint :)

By: chris neumaier

Is there a tutorial to make this work on Ubuntu?

Maybe only the scripts and configs need adaptation. Does anybody know about this?

 

By: renne

Since TOR 2.4.0 you can just use multiple SOCKSPort directives in torrc to get multiple SOCKS-ports with separate virtual circuits. ;)
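
Two points from this thread are worth seeing in working code: Tor speaks SOCKS rather than HTTP (which is why Privoxy sits in front of it), and the destination name has to be resolved inside Tor, not by the local resolver, or the ISP sees every lookup. The script below is an added example and is not code from the article or from any commenter. It talks SOCKS5 to a Tor SocksPort directly, always passes the destination as a host name so the exit resolves it, and uses the SOCKS username/password as a circuit-isolation key, which with Tor's default IsolateSOCKSAuth gives the separate-circuits effect renne describes for multiple SocksPort lines, but from a single port. Assumed rather than taken from the page: a Tor client listening on 127.0.0.1:9050, and the hand-constructed reply bytes used when checking the parser.

```python
"""SOCKS5 CONNECT straight into a Tor SocksPort (added example, see lead-in)."""
import socket
import struct

SOCKS_VERSION = 0x05
AUTH_NONE, AUTH_USERPASS, AUTH_NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
               0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
               0x04: "host unreachable", 0x05: "connection refused",
               0x06: "TTL expired", 0x07: "command not supported",
               0x08: "address type not supported"}

def build_greeting(offer_userpass: bool) -> bytes:
    # Offering username/password lets Tor key circuit isolation on the
    # credentials (IsolateSOCKSAuth, which is on by default).
    methods = [AUTH_NONE] + ([AUTH_USERPASS] if offer_userpass else [])
    return bytes([SOCKS_VERSION, len(methods), *methods])

def build_userpass(username: str, password: str) -> bytes:
    # RFC 1929 sub-negotiation. Tor accepts any values and uses the pair
    # only as an isolation key: distinct pairs get distinct circuits.
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def build_connect(host: str, port: int) -> bytes:
    # Send the host *name* (ATYP 0x03). Resolving it locally first would hand
    # the DNS query to the ISP's resolver, the leak the thread warns about;
    # with the name in the request, the Tor exit resolves it instead.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("host name too long for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_reply(data: bytes):
    # -> (code, meaning, bound address, bound port). Tor answers a successful
    # CONNECT with 0.0.0.0:0 as the bound address.
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return code, REPLY_CODES.get(code, "unknown"), addr, struct.unpack("!H", rest[:2])[0]

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf

def _recv_reply(sock: socket.socket) -> bytes:
    head = _recv_exact(sock, 4)
    if head[3] == ATYP_DOMAIN:
        n = _recv_exact(sock, 1)
        return head + n + _recv_exact(sock, n[0] + 2)
    alen = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(head[3])
    if alen is None:
        raise ValueError(f"unknown address type {head[3]:#x}")
    return head + _recv_exact(sock, alen + 2)

def tor_connect(host, port, tor_host="127.0.0.1", tor_port=9050,
                isolation_key=None, timeout=60):
    # Returns a TCP socket to host:port tunnelled through Tor. Different
    # isolation_key values land on different circuits, so one SocksPort can
    # spread requests over several exits, much as the article does with
    # eight Tor instances behind a round-robin proxy.
    s = socket.create_connection((tor_host, tor_port), timeout=timeout)
    try:
        s.sendall(build_greeting(isolation_key is not None))
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method == AUTH_NO_ACCEPTABLE:
            raise ConnectionError("no acceptable SOCKS authentication method")
        if method == AUTH_USERPASS:
            s.sendall(build_userpass(isolation_key, isolation_key))
            if _recv_exact(s, 2)[1] != 0x00:
                raise ConnectionError("SOCKS authentication rejected")
        s.sendall(build_connect(host, port))
        code, meaning, _, _ = parse_reply(_recv_reply(s))
        if code != 0x00:
            raise ConnectionError(f"Tor CONNECT failed: {meaning}")
        return s
    except Exception:
        s.close()
        raise
```

To see the isolation at work, call tor_connect("check.torproject.org", 80, isolation_key=k) for two different values of k, send a plain HTTP GET on each socket, and compare which exit answers each request; the two streams will not share a circuit.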

By: Anonymous

Very impressive stuff, I'm gonna try that sometime soon, very interesting read..