OpenBSD, Tor, Privoxy and the browsers.

in #openbsd, 7 years ago

Privoxy, add a new friend to the battle.

So now we have three browsers using three different SOCKS ports to access the Tor network, and the last of our browsers builds a special double circuit in the Tor network combining different countries (this is not bad at all). Remember, we were here.
But the situation is so difficult that we have to protect ourselves with more layers.

Let's introduce the layer 7 firewall Privoxy.

What is a layer 7 firewall? It's a firewall that works at the last layer of the ISO/OSI network stack, the application layer, which in non-technical terms means the URI: www.facebook.com, steemit.com/@npna ...

Matryoshkas are sexy

Russian matryoshka.

We like Russia, and we like матрёшка.

In this case we're doing exactly the same thing: encapsulating our information layer after layer to protect it from the privacy cannibals.
Our dolls start from the browser, go through Privoxy, and are then routed to the Tor network.
Let's install Privoxy from the OpenBSD precompiled packages with a single command:

$ doas pkg_add -U privoxy

It installs the following files and binaries:

$ pkg_info -L privoxy
Information for inst:privoxy-3.0.26
Files:
/usr/local/bin/privoxy-log-parser.pl
/usr/local/bin/privoxy-regression-test.pl
/usr/local/bin/uagen.pl
/usr/local/bin/url-pattern-translator.pl
/usr/local/man/man1/privoxy.1
/usr/local/sbin/privoxy
/usr/local/share/doc/privoxy/AUTHORS
/usr/local/share/doc/privoxy/ChangeLog
/usr/local/share/doc/privoxy/LICENSE
/usr/local/share/doc/privoxy/README
/usr/local/share/examples/privoxy/config
/usr/local/share/examples/privoxy/default.action
/usr/local/share/examples/privoxy/default.filter
/usr/local/share/examples/privoxy/match-all.action
/usr/local/share/examples/privoxy/regression-tests.action
/usr/local/share/examples/privoxy/templates/blocked
/usr/local/share/examples/privoxy/templates/cgi-error-404
/usr/local/share/examples/privoxy/templates/cgi-error-bad-param
/usr/local/share/examples/privoxy/templates/cgi-error-disabled
/usr/local/share/examples/privoxy/templates/cgi-error-file
/usr/local/share/examples/privoxy/templates/cgi-error-file-read-only
/usr/local/share/examples/privoxy/templates/cgi-error-modified
/usr/local/share/examples/privoxy/templates/cgi-error-parse
/usr/local/share/examples/privoxy/templates/cgi-style.css
/usr/local/share/examples/privoxy/templates/client-tags
/usr/local/share/examples/privoxy/templates/connect-failed
/usr/local/share/examples/privoxy/templates/connection-timeout
/usr/local/share/examples/privoxy/templates/default
/usr/local/share/examples/privoxy/templates/edit-actions-add-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-for-url
/usr/local/share/examples/privoxy/templates/edit-actions-for-url-filter
/usr/local/share/examples/privoxy/templates/edit-actions-list
/usr/local/share/examples/privoxy/templates/edit-actions-list-button
/usr/local/share/examples/privoxy/templates/edit-actions-list-section
/usr/local/share/examples/privoxy/templates/edit-actions-list-url
/usr/local/share/examples/privoxy/templates/edit-actions-remove-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-url-form
/usr/local/share/examples/privoxy/templates/forwarding-failed
/usr/local/share/examples/privoxy/templates/mod-local-help
/usr/local/share/examples/privoxy/templates/mod-support-and-service
/usr/local/share/examples/privoxy/templates/mod-title
/usr/local/share/examples/privoxy/templates/mod-unstable-warning
/usr/local/share/examples/privoxy/templates/no-server-data
/usr/local/share/examples/privoxy/templates/no-such-domain
/usr/local/share/examples/privoxy/templates/show-request
/usr/local/share/examples/privoxy/templates/show-status
/usr/local/share/examples/privoxy/templates/show-status-file
/usr/local/share/examples/privoxy/templates/show-url-info
/usr/local/share/examples/privoxy/templates/show-version
/usr/local/share/examples/privoxy/templates/toggle
/usr/local/share/examples/privoxy/templates/toggle-mini
/usr/local/share/examples/privoxy/templates/untrusted
/usr/local/share/examples/privoxy/templates/url-info-osd.xml
/usr/local/share/examples/privoxy/user.action
/usr/local/share/examples/privoxy/user.filter
/etc/rc.d/privoxy

There is only one small problem when combining Privoxy with Tor: to chain three Privoxy ports to three Tor ports we have to launch three different Privoxy instances. But thanks to OpenBSD's clarity this is very simple.
Let's dig into the configuration:

  • cd to the privoxy configuration directory:
    • $ cd /etc/privoxy
  • copy the default config file into three different files:
    • $ doas cp config firefox && doas cp config chrome && doas cp config torbrowser
  • go to the OpenBSD rc.d directory:
    • $ cd /etc/rc.d
  • copy the default privoxy init script into three different scripts:
    • $ doas cp privoxy privoxyfirefox && doas cp privoxy privoxychrome && doas cp privoxy privoxytorbrowser

OK, it's all simple and without complications. Good, I love OpenBSD.
The main Privoxy configuration file is full of options, and you have to dedicate a couple of hours to understanding all the entries, or simply to reading it. For now we use this basic configuration (in our next chapters we will probably make some changes to it). Let's look together at the one that will be used in the Firefox environment:

$ cat /etc/privoxy/firefox
#
# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
#
# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
#



user-manual https://www.privoxy.org/user-manual/
trust-info-url https://learn.canva.com/wp-content/uploads/2015/06/50-Of-The-Most-Creative-404-Pages-On-The-Web-01.png
admin-address [email protected]
#config guide
#proxy-info-url http://www.example.com/proxy-service.html
confdir /etc/privoxy
templdir /etc/privoxy/templates
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
filterfile default.filter
filterfile user.filter      # User customizations
logfile privoxyfirefox.log
#if set all deny but the ones listed on [use ~ like *]
#trustfile trust
#
#        debug     1 # Log the destination for each request Privoxy let through. See also debug 1024
#        debug     2 # show each connection status
#        debug     4 # show I/O status
#        debug     8 # show header parsing
#        debug    16 # log all data written to the network
#        debug    32 # debug force feature
#        debug    64 # debug regular expression filters
#        debug   128 # debug redirects
#        debug   256 # debug GIF de-animation
#        debug   512 # Common Log Format
#        debug  1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#        debug  2048 # CGI user interface
#        debug  4096 # Startup banner and warnings.
#        debug  8192 # Non-fatal errors
#        debug 32768 # log all data read from the network
#        debug 65536 # Log the applying actions
debug     1 # Log the destination for each request Privoxy let through. See also debug 1024.
#debug  1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#debug  4096 # Startup banner and warnings
#debug  8192 # Non-fatal errors
single-threaded 0
hostname Lutetia.unknown_domain
listen-address  127.0.0.1:8800
#filter mode
toggle  1
enable-remote-toggle  0
#filter by X-filter http header
enable-remote-http-toggle  0
enable-edit-actions 0
enforce-blocks 1
#      src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
permit-access  127.0.0.1
buffer-limit 8192
#enable if there's a parent proxy
enable-proxy-authentication-forwarding 0
forward-socks5 / 127.0.0.1:9900 .
forwarded-connect-retries  0
#transparent proxy
accept-intercepted-requests 0
#
allow-cgi-request-crunching 0
split-large-forms 0
# grow up to 300 (if browser hang stop)
keep-alive-timeout 5
# disable if problems
tolerate-pipelining 1
#default-server-timeout 60
connection-sharing 0
# try to reduce to 5 sec
socket-timeout 300
#max-client-connections 256
handle-as-empty-doc-returns-ok 0
#enable-compression 1
#compression-level 3
#client-header-order Host \
#   Accept \
#   Accept-Language \
#   Accept-Encoding \
#   Proxy-Connection \
#   Referer \
#   Cookie \
#   DNT \
#   If-Modified-Since \
#   Cache-Control \
#   Content-Length \
#   Content-Type
#
#client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
#          disable-content-filters Disable content-filters but do not affect other actions
#
#
#            client-tag-lifetime 180
#            # IP address with a X-Forwarded-For header.
#            trust-x-forwarded-for 1

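OK, simply change admin-address and hostname to your own values.
Each configuration file forwards its own HTTP proxy port to a distinct Tor SOCKS port, so every instance also needs its own listen-address port: 8800 for Firefox, 8801 for Chrome and, following the same pattern, 8802 for Tor Browser.
To create the other two files from the Firefox one, execute these commands in /etc/privoxy:

# sed -e 's/privoxyfirefox/privoxychrome/g' -e 's/8800/8801/g' -e 's/9900/9901/g' firefox > chrome
# sed -e 's/privoxychrome/privoxytorbrowser/g' -e 's/8801/8802/g' -e 's/9901/9902/g' chrome > torbrowser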

Now create the missing log files with:

$ doas touch /var/log/privoxy/privoxyfirefox.log
$ doas touch /var/log/privoxy/privoxychrome.log
$ doas touch /var/log/privoxy/privoxytorbrowser.log

And enable all three at boot:

$ doas rcctl enable privoxyfirefox
$ doas rcctl set privoxyfirefox user _privoxy
$ doas rcctl set privoxyfirefox flags /etc/privoxy/firefox
$ doas rcctl enable privoxychrome
$ doas rcctl set privoxychrome user _privoxy
$ doas rcctl set privoxychrome flags /etc/privoxy/chrome
$ doas rcctl enable privoxytorbrowser
$ doas rcctl set privoxytorbrowser user _privoxy
$ doas rcctl set privoxytorbrowser flags /etc/privoxy/torbrowser

Finally, start the three daemons:

$ doas rcctl start privoxyfirefox
$ doas rcctl start privoxychrome
$ doas rcctl start privoxytorbrowser
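
With three near-identical files it is easy to leave two instances on the same port or to lose the Tor forwarding rule. The following script is an added example (not part of the original post or of Privoxy) that reads each config and checks the loopback-only listen-address, the catch-all forward-socks5 rule, the disabled remote controls, and that no address is shared. The `make_sample` helper and its values are constructed so the script can be tried without the real files.

```shell
#!/bin/sh
# Added example (not from the original post): audit per-browser Privoxy configs.

# First value of a directive. Commented-out lines never match: their $1 is "#name".
directive() { awk -v d="$1" '$1 == d { print $2; exit }' "$2"; }

# Target of the catch-all rule "forward-socks5 / <host:port> ."
socks_target() { awk '$1 == "forward-socks5" && $2 == "/" { print $3; exit }' "$1"; }

# Audit one file: prints "<listen-address> <socks-target>", non-zero on a finding.
audit_conf() {
    listen=$(directive listen-address "$1"); socks=$(socks_target "$1"); rc=0
    case "$listen" in
        127.0.0.1:*) ;;
        *) echo "$1: listen-address '$listen' missing or not loopback" >&2; rc=1 ;;
    esac
    case "$socks" in
        127.0.0.1:*) ;;
        *) echo "$1: no catch-all forward-socks5 to a local port" >&2; rc=1 ;;
    esac
    for opt in enable-edit-actions enable-remote-toggle; do
        v=$(directive "$opt" "$1")          # both default to 0 when absent
        [ "${v:-0}" = 0 ] || { echo "$1: $opt should be 0" >&2; rc=1; }
    done
    echo "$listen $socks"
    return $rc
}

# Audit several files; in addition, no address may be used by two instances.
audit_all() {
    pairs=$(st=0; for f in "$@"; do audit_conf "$f" || st=1; done; exit $st) || return 1
    dups=$(printf '%s\n' "$pairs" | tr ' ' '\n' | sort | uniq -d)
    [ -z "$dups" ] || { echo "shared by two instances: $dups" >&2; return 1; }
    printf '%s\n' "$pairs"
}

# Constructed sample config (only the directives checked above).
make_sample() {  # usage: make_sample <dir> <name> <listen-port> <socks-port>
    printf '%s\n' "#listen-address 0.0.0.0:8118" "listen-address  127.0.0.1:$3" \
        "enable-edit-actions 0" "forward-socks5 / 127.0.0.1:$4 ." > "$1/$2"
}

# Real use: sh audit.sh /etc/privoxy/firefox /etc/privoxy/chrome /etc/privoxy/torbrowser
if [ $# -gt 0 ]; then audit_all "$@"; fi
```
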

Browser configuration

Now we have a correct Privoxy setup, but remember that it still has no layer 7 firewalling rules; we will see those in our next chapter.
We have to change the configuration of the three browsers so that they use Privoxy instead of the Tor SOCKS ports directly.

  1. Firefox:
    (screenshot: Firefox privoxy)
  2. Chrome: simply replace --proxy-server="socks5://127.0.0.1:9901" with --proxy-server="http://127.0.0.1:8801"
  3. Torbrowser:
    (screenshot: Tor browser privoxy)

Preparing the chicken soup

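OK, the cooking has started, but here is one last little hack to disturb our favorite cannibals. Let's eliminate the HTTP Referer header. The rule is an action, so it goes into the user actions file (user.action), which all three configurations load:

# cat  >> /etc/privoxy/user.action << EOF
{ +crunch-client-header{Referer:} }
/
EOF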

And yes... for today it's EOF

thank you and #changeNOW . please.