Mix Installation (FreeBSD Jail)

From JonDonym Wiki
(Difference between revisions)
''The following two sections belong to the earlier revision only; the latest revision below no longer contains them.''

== HowTo install squid proxy (only exit mixes) ==

The squid proxy can be installed by the package manager of your operating system. Do NOT install ''squid3'', please use the latest stable version of squid v.2.7. Only for testing purposes ''lynx'' may be installed too. Perl-Template-Toolkit is needed to process the config template file. Alternatively you can do this job by hand.

<code>cd /usr/ports/www/lynx && make install clean
cd /usr/ports/www/p5-Template-Toolkit && make install clean
cd /usr/ports/www/squid && make install clean
options for Squid are: SQUID_AUFS / SQUID_COSS / SQUID_LARGEFILE</code>

Add a line to ''/etc/rc.conf''

<code>squid_enable="YES"</code>

Make a backup of the original squid.conf.

<code>cd /usr/local/etc/squid/
mv squid.conf squid.conf.orig</code>

Replace the configuration file with an optimized configuration and add the block list ''squid-block.acl''. You will find the squid configuration files provided by JonDos in the subdirectory ''misc/FreeBSD/'' of the mix source code. There are two squid.conf templates: one for free services and one for premium services. Choose the suitable template and replace all occurrences of [% extIP %] by the external IP address of your server. You may use ''tpage'' from the Perl Template Toolkit for this job. In the example the template for free services is used and the external IP address is 123.123.123.123.

<code>cd /home/mix/stable/misc/FreeBSD
tpage --define extIP=123.123.123.123 squid.conf.free.template > /usr/local/etc/squid/squid.conf
cp squid-block.acl /usr/local/etc/squid/</code>

Afterwards create the cache directories and wait until the cache is created....

<code>squid -z -d -3</code>

... and start the squid proxy.

<code>/usr/local/etc/rc.d/squid start</code>

... and check whether ''squid'' is working. The proxy variable has to be set in the environment of ''lynx'' (same command line, no semicolon in between), otherwise ''lynx'' does not see it.

<code>http_proxy=http://127.0.0.1:3128 lynx http://www.anonymous-proxy-servers.net</code>

==== Update the squid blocklist ====

From time to time the JonDonym blocklist will be updated. You will receive a notice via the mix operator mailing list.

<code>cd /home/mix/stable
svn update
cp -f misc/FreeBSD/squid-block.acl /usr/local/etc/squid/squid-block.acl
/usr/local/etc/rc.d/squid restart</code>

== HowTo install Dante SOCKS proxy (only premium exit mixes) ==

The Dante SOCKS proxy can be installed by the package manager of your operating system. For FreeBSD it is recommended to install dante from the ports tree.

<code>cd /usr/ports/net/dante && make install clean</code>

Add a line to ''/etc/rc.conf''

<code>sockd_enable="YES"</code>

Keep a copy of the original ''sockd.conf''.

<code>cd /usr/local/etc/
mv sockd.conf sockd.conf.orig</code>

Install the configuration file ''sockd.conf'' provided by JonDos GmbH. It contains the JonDonym blocklist for mix servers and blocks port 25. You will find the sample configuration file in the subdirectory ''misc/FreeBSD/'' of the mix source code. Replace all occurrences of [% extIP %] by the external IP address of your server. You may use ''tpage'' from the Perl Template Toolkit for this job. In the example the external IP address is 123.123.123.123.

<code>cd /home/mix/stable/misc/FreeBSD
tpage --define extIP=123.123.123.123 sockd.conf.template > /usr/local/etc/sockd.conf</code>

And start the Dante SOCKS proxy.

<code>/usr/local/etc/rc.d/sockd start</code>
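Both the squid section and the Dante section above fill in [% extIP %] with ''tpage''; the squid section also says the job can be done by hand. The following POSIX sh script is an added example, not code from JonDos or from the secure-internet.org article: it renders a template by replacing every [% extIP %] with the address given, refuses anything that is not a dotted-quad IPv4 address (so a typo or a stray shell fragment can never be spliced into squid.conf or sockd.conf), and refuses to emit a config in which any other [% ... %] placeholder survives unnoticed. The template fragment it writes is a constructed sample in the style of the JonDos templates, not the real squid.conf.free.template; its squid directives are assumed.

```shell
#!/bin/sh
# Added example (not JonDos code): render a [% extIP %] template without tpage.
# Usage: render_template 123.123.123.123 squid.conf.free.template > squid.conf

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Replace every [% extIP %] in template $2 with the address $1 and print the
# result. Fails (exit 1, nothing printed) on a bad address, an unreadable
# template, or if any other [% ... %] placeholder would survive into the config.
render_template() {
    ext_ip=$1
    template=$2
    if ! valid_ipv4 "$ext_ip"; then
        echo "render_template: '$ext_ip' is not an IPv4 address" >&2
        return 1
    fi
    if [ ! -r "$template" ]; then
        echo "render_template: cannot read $template" >&2
        return 1
    fi
    # The address is validated above, so it contains only digits and dots and
    # cannot break the sed expression.
    rendered=$(sed "s/\[% extIP %]/$ext_ip/g" "$template")
    if printf '%s\n' "$rendered" | grep -q '\[%.*%]'; then
        echo "render_template: unresolved placeholder in $template" >&2
        return 1
    fi
    printf '%s\n' "$rendered"
}

# Write a constructed sample template to $1 (a stand-in for the real
# squid.conf.free.template; the directives are assumed, not copied from it).
write_sample_template() {
    cat > "$1" <<'EOF'
http_port [% extIP %]:3128
tcp_outgoing_address [% extIP %]
acl blocked dstdomain "/usr/local/etc/squid/squid-block.acl"
http_access deny blocked
EOF
}

# Demo: sh render.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmpl=$(mktemp) || exit 1
    write_sample_template "$tmpl"
    render_template 123.123.123.123 "$tmpl"
    rm -f "$tmpl"
fi
```

Because a rejected input produces no output at all, redirecting `render_template ... > /usr/local/etc/squid/squid.conf` on a bad address leaves an empty file rather than a half-substituted one, so check the exit status (or render into a temporary file first) before restarting the proxy.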
 
 
==== Update the blocklist ====

From time to time the JonDonym blocklist will be updated. You will receive a notice via the mix operator mailing list. In this case you have to regenerate your ''sockd.conf''.

<code>cd /home/mix/stable
svn update
cd misc/FreeBSD
tpage --define extIP=123.123.123.123 sockd.conf.template > /usr/local/etc/sockd.conf
/usr/local/etc/rc.d/sockd restart</code>
 

Latest revision as of 08:47, 28 October 2011

JonDos GmbH thanks www.secure-internet.org for the right to publish the following article. We made some changes in it, but the original text was provided by www.secure-internet.org.


HowTo install the mix server software for FreeBSD/Jail

This HowTo describes the installation of the mix server and related software for FreeBSD using Jails. We prefer the installation of related software from ports (not packages), because compilation does not take much time and ports are sometimes more up to date than packages. The software for mix servers for FreeBSD is distributed as source code.

Requirements

To compile the mix sources the libraries OpenSSL (at least v.0.9.7) and Xerces-C++ are required. Additionally a C++ compiler, automake and subversion are required, too. It may be useful to install subversion from ports, to disable BDB.

cd /usr/ports/security/openssl && make install clean
cd /usr/ports/textproc/xerces-c2-devel && make install clean
cd /usr/ports/devel/automake19 && make install clean
cd /usr/ports/devel/subversion && make install WITHOUT_BDB=YES && make clean

For premium mixes PostgreSQL database server, client and C-libraries for PostgreSQL clients are required, too.

cd /usr/ports/databases/postgresql84-client && make install clean
cd /usr/ports/databases/postgresql84-server && make install clean
cd /usr/ports/databases/postgresql-libpq++ && make install clean  

Compile the source code

Checkout the latest stable version from our subversion repository. We recommend the use of the directory /home/mix for sources.

mkdir /home/mix
cd /home/mix
svn checkout https://svn.jondos.de/svn/proxytest/proxytest/branches/stable

Afterwards compile and install the mix software:

cd /home/mix/stable
./configure --enable-new-channel-encryption --enable-new-flow-control
make
make install

Enable additional features

Depending on the features needed by your mix, you can enable some more features for your mix:

 ./configure --enable-payment .... ....


Mandatory feature for premium services:

  • --enable-payment Specifies to build with payment support.


Monitoring your mix:

  • --enable-server_monitoring Specifies to build with state tracking for server monitoring. You can specify a monitor port in the mix configuration (usually port 8080) and fetch an XML file from this IP:port from time to time to check your mix. A plug-in for Nagios, which uses the monitoring port, can be found in the mix source tree under misc/nagios.


Additional Logging features:

  • --enable-crime-detection Enable crime detection mode. Crime detection parameters can be specified in the mix configuration file. Do ONLY use it if you are under constraint by authorities and law. To work properly, all mixes of a cascade have to enable this feature.
  • --enable-dataretentionlog Enable log messages according to data retention law.


Other features:

  • --enable-bandwidth-limitation Specifies to build with last mix bandwidth limitation. The limitation parameters can be specified in the mix configuration file. (only exit mixes)

Create a system user account

It is not a good solution to run the mix server with root privileges. Create a new system user account (recommended name: mix) and specify this user account in the mix configuration file. After startup, the mix server will switch to this UID.

Create a system user account with useradd:

adduser --quiet --system --disabled-password --shell=/bin/false --group mix

Create a log directory

The directory and file for log messages will be specified in the mix configuration file. You have to create the directory and set safe permissions:

mkdir /var/log/mix
chown mix:adm /var/log/mix
chmod 0750 /var/log/mix

No logrotate configuration is necessary. The mix server creates a new file when the log file size exceeds the configured limit.

Start the mix server

You have to create a mix configuration, become root, raise the number of max. open descriptors to the value specified in the mix configuration file, and then you can start the mix.

For Csh (FreeBSD default) use:

limit descriptors 32768
mix -c /path/to/config.xml

If Bash is installed and preferred, use:

ulimit -HSn 32768
mix -c /path/to/config.xml

After startup the mix server will switch to the system UID specified in the mix configuration file.
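The three steps above (a dedicated non-root account, a log directory with safe permissions, and a descriptor limit raised to the configured value) are easy to get half right, and the mix only switches to the unprivileged UID after it has been started as root. The following POSIX sh script is an added example, not code from JonDos or from the secure-internet.org article: run as root just before `mix -c /path/to/config.xml`, it verifies each of the three conditions and reports which ones fail. It assumes the account name mix and the log directory /var/log/mix from this page; the required descriptor count is passed in by the operator, since the script does not parse config.xml.

```shell
#!/bin/sh
# Added example (not JonDos code): pre-start checks for a mix server.
# Usage (as root): sh preflight.sh --run mix /var/log/mix 32768

# Return 0 if the passwd entry $1 (name:pw:uid:gid:gecos:home:shell) ends in a
# shell that refuses interactive logins (nologin or false).
shell_is_nologin() {
    case ${1##*:} in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if account $1 exists and has a non-login shell. Uses getent where
# available and falls back to /etc/passwd otherwise.
check_mix_user() {
    entry=$(getent passwd "$1" 2>/dev/null || grep "^$1:" /etc/passwd 2>/dev/null) || return 1
    shell_is_nologin "$entry"
}

# Return 0 if $1 is a directory whose permission bits grant nothing to "other"
# (the page sets /var/log/mix to 0750). Ownership is not checked here because
# it cannot be compared portably across FreeBSD and Linux ls/stat output.
check_log_dir() {
    [ -d "$1" ] || return 1
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = '---' ]
}

# Return 0 if the shell's current open-file limit is at least $1; the mix
# inherits this limit, so it must be raised before the mix is started.
check_fd_limit() {
    required=$1
    current=$(ulimit -n)
    [ "$current" = unlimited ] && return 0
    [ "$current" -ge "$required" ]
}

# Run all checks for user $1, log dir $2 and descriptor count $3; print one
# line per check and return the number of failed checks (0 means go).
preflight() {
    failed=0
    for check in "check_mix_user $1" "check_log_dir $2" "check_fd_limit $3"; do
        if $check; then
            echo "ok   $check"
        else
            echo "FAIL $check"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

if [ "${1:-}" = "--run" ]; then
    shift
    preflight "$@"
fi
```

Run it in the same shell in which you raised the limit (`limit descriptors 32768` in csh, `ulimit -HSn 32768` in bash), because the check reads the limit of the shell it runs in, which is exactly what the mix process will inherit.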

Update the mix software

Like other software, the mix is updated from time to time. New features will be added, bugs will be fixed ... and so on. Join the operator mailing list to stay up-to-date about software updates. If an update is announced, run the following steps.

cd /home/mix/stable
make distclean
svn update
./configure --enable-server_monitoring --enable-payment .... ....
make
make install

After successful update restart the mix.
