Privoxy, add a new friend to the battle.
So, we've got now three browsers using three differents socks port to access the Tor network, and the last of ours browsers building a special doble circuit in the tor network combining different countries (this is not bad at all). Remember, we were here .
But...the situation is so difficult...we've to protect us with more layers.
Let's introduce the layer 7 firewall Privoxy.
What is a layer 7 firewall? It's a firewall that work at the last layer of the ISO/OSI network stack, that in no technical user speaking is the URI, www.facebook.com, steemit.com/@npna ...
Matryoshka are sexis
.
We like Russia, and we like матрёшка.
In this case we're doing the exact thing, encapsulate layer after layer our information to protect it from the privacy cannibals.
Our dolls start from the navigator, go through privoxy and the will be routed to the Tor network.
Let install privoxy from the OpenBSD precompiled packages with a simple command:
$ doas pkg_add -U privoxy
It will install those files and binaries:
$ pkg_info -L privoxy
Information for inst:privoxy-3.0.26
Files:
/usr/local/bin/privoxy-log-parser.pl
/usr/local/bin/privoxy-regression-test.pl
/usr/local/bin/uagen.pl
/usr/local/bin/url-pattern-translator.pl
/usr/local/man/man1/privoxy.1
/usr/local/sbin/privoxy
/usr/local/share/doc/privoxy/AUTHORS
/usr/local/share/doc/privoxy/ChangeLog
/usr/local/share/doc/privoxy/LICENSE
/usr/local/share/doc/privoxy/README
/usr/local/share/examples/privoxy/config
/usr/local/share/examples/privoxy/default.action
/usr/local/share/examples/privoxy/default.filter
/usr/local/share/examples/privoxy/match-all.action
/usr/local/share/examples/privoxy/regression-tests.action
/usr/local/share/examples/privoxy/templates/blocked
/usr/local/share/examples/privoxy/templates/cgi-error-404
/usr/local/share/examples/privoxy/templates/cgi-error-bad-param
/usr/local/share/examples/privoxy/templates/cgi-error-disabled
/usr/local/share/examples/privoxy/templates/cgi-error-file
/usr/local/share/examples/privoxy/templates/cgi-error-file-read-only
/usr/local/share/examples/privoxy/templates/cgi-error-modified
/usr/local/share/examples/privoxy/templates/cgi-error-parse
/usr/local/share/examples/privoxy/templates/cgi-style.css
/usr/local/share/examples/privoxy/templates/client-tags
/usr/local/share/examples/privoxy/templates/connect-failed
/usr/local/share/examples/privoxy/templates/connection-timeout
/usr/local/share/examples/privoxy/templates/default
/usr/local/share/examples/privoxy/templates/edit-actions-add-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-for-url
/usr/local/share/examples/privoxy/templates/edit-actions-for-url-filter
/usr/local/share/examples/privoxy/templates/edit-actions-list
/usr/local/share/examples/privoxy/templates/edit-actions-list-button
/usr/local/share/examples/privoxy/templates/edit-actions-list-section
/usr/local/share/examples/privoxy/templates/edit-actions-list-url
/usr/local/share/examples/privoxy/templates/edit-actions-remove-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-url-form
/usr/local/share/examples/privoxy/templates/forwarding-failed
/usr/local/share/examples/privoxy/templates/mod-local-help
/usr/local/share/examples/privoxy/templates/mod-support-and-service
/usr/local/share/examples/privoxy/templates/mod-title
/usr/local/share/examples/privoxy/templates/mod-unstable-warning
/usr/local/share/examples/privoxy/templates/no-server-data
/usr/local/share/examples/privoxy/templates/no-such-domain
/usr/local/share/examples/privoxy/templates/show-request
/usr/local/share/examples/privoxy/templates/show-status
/usr/local/share/examples/privoxy/templates/show-status-file
/usr/local/share/examples/privoxy/templates/show-url-info
/usr/local/share/examples/privoxy/templates/show-version
/usr/local/share/examples/privoxy/templates/toggle
/usr/local/share/examples/privoxy/templates/toggle-mini
/usr/local/share/examples/privoxy/templates/untrusted
/usr/local/share/examples/privoxy/templates/url-info-osd.xml
/usr/local/share/examples/privoxy/user.action
/usr/local/share/examples/privoxy/user.filter
/etc/rc.d/privoxy
We've only a little problem respect to Tor with privoxy. To concatenate three privoxy ports to three Tor ports we've to launch three differents privoxy instances. But with OpenBSD and to his clearness this is very simple.
Let's go deep in the configuration:
- cd to the privoxy configuration directory:
$ cd /etc/privoxy
- copy default config file into three diferentes:
$ doas cp config firefox && doas cp config chrome && doas cp config torbrowser
- go to the OpenBSD rc.d directory:
$ cd /etc/rc.d
- copy the default privoxy init script in three diffents:
$ doas cp privoxy privoxyfirefox && doas cp privoxy privoxychrome && doas cp privoxy privoxytorbrowser
Ok all it's simple and without complications. Good, i love OpenBSD.
The privoxy main configuration file is full of options and you have to dedicate a couple of ours to understand all the voices, or to simply read it. For now we use this basic configuration (in ours next chapters probably we will do some changes to it). Let's see together the one that will be used in the firefox environment:
$ cat /etc/privoxy/firefox
#
# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
#
# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
#
user-manual https://www.privoxy.org/user-manual/
trust-info-url https://learn.canva.com/wp-content/uploads/2015/06/50-Of-The-Most-Creative-404-Pages-On-The-Web-01.png
admin-address [email protected]
#config guide
#proxy-info-url http://www.example.com/proxy-service.html
confdir /etc/privoxy
templdir /etc/privoxy/templates
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
filterfile user.filter # User customizations
logfile privoxyfirefox.log
#if set all deny but the ones listed on [use ~ like *]
#trustfile trust
#
# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024
# debug 2 # show each connection status
# debug 4 # show I/O status
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# debug 64 # debug regular expression filters
# debug 128 # debug redirects
# debug 256 # debug GIF de-animation
# debug 512 # Common Log Format
# debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
# debug 2048 # CGI user interface
# debug 4096 # Startup banner and warnings.
# debug 8192 # Non-fatal errors
# debug 32768 # log all data read from the network
# debug 65536 # Log the applying actions
debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
#debug 1024 # Actions that are applied to all sites and maybe overruled later on.
#debug 4096 # Startup banner and warnings
#debug 8192 # Non-fatal errors
single-threaded 0
hostname Lutetia.unknown_domain
listen-address 127.0.0.1:8800
#filter mode
toggle 1
enable-remote-toggle 0
#filter by X-filter http header
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 1
# src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
permit-access 127.0.0.1
buffer-limit 8192
#enable if there's a parent proxy
enable-proxy-authentication-forwarding 0
forward-socks5 / 127.0.0.1:9900 .
forwarded-connect-retries 0
#transparent proxy
accept-intercepted-requests 0
#
allow-cgi-request-crunching 0
split-large-forms 0
# grow up to 300 (if browser hang stop)
keep-alive-timeout 5
# disable if problems
tolerate-pipelining 1
#default-server-timeout 60
connection-sharing 0
# try to reduce to 5 sec
socket-timeout 300
#max-client-connections 256
handle-as-empty-doc-returns-ok 0
#enable-compression 1
#compression-level 3
#client-header-order Host \
# Accept \
# Accept-Language \
# Accept-Encoding \
# Proxy-Connection \
# Referer \
# Cookie \
# DNT \
# If-Modified-Since \
# Cache-Control \
# Content-Length \
# Content-Type
#
#client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
# disable-content-filters Disable content-filters but do not affect other actions
#
#
# client-tag-lifetime 180
# # IP address with a X-Forwarded-For header.
# trust-x-forwarded-for 1
Ok simply change admin-address
and hostname
with the yours.
Privoxy send in every configuration file the http proxy port
to a distinct socks port
.
To create the others two execute this command:
# sed s/privoxyfirefox/privoxychrome/g privoxyfirefox | sed s/9900/9901/g > privoxychrome
# sed s/privoxychrome/privoxytorbrowser/g privoxychrome | sed s/9901/9902/g > privoxytorbrowser
Now create the missing logs files with:
$ doas touch /var/log/privoxy/privoxyfirefox.log
$ doas touch /var/log/privoxy/privoxychrome.log
$ doas touch /var/log/privoxy/privoxytorbrowser.log
And enable all the three at boot:
$ doas rcctl enable privoxyfirefox
$ doas rcctl set privoxyfirefox user _privoxy
$ doas rcctl set privoxyfirefox flags /etc/privoxy/firefox
$ doas rcctl enable privoxychrome
$ doas rcctl set privoxychrome user _privoxy
$ doas rcctl set privoxychrome flags /etc/privoxy/chrome
$ doas rcctl enable privoxytorbrowser
$ doas rcctl set privoxytorbrowser user _privoxy
$ doas rcctl set privoxytorbrowser flags /etc/privoxy/torbrowser
At last start the three daemons:
$ doas rcctl start privoxyfirefox
$ doas rcctl start privoxychrome
$ doas rcctl start privoxytorbrowser
Browsers configurations
Now we've got the correct setup of privoxy, but remember without any rule of layer 7 firewalling, that we will see in our next chapter.
We've to change the configuration of the three browsers to use privoxy and not directly the tor socks.
- Firefox:
- Chrome: simply change
--proxy-server="socks5://127.0.0.1:9901"
with-proxy-server="http://127.0.0.1:8801"
- Torbrowser:
Preparing the chicken soup
Ok, the cooking is started, but one last little hack
to disturb our favorites cannibals. Let's eliminate the HTTP header
Refer:
# cat >> /etc/privoxy/user.filter << EOF
{ +crunch-client-header{Referer:} }
/
EOF
And yes...for today is EOF
thank you and #changeNOW . please.
@originalwork
@originalworks