Mix Installation (FreeBSD Jail)
HowTo install the mix server software for FreeBSD/Jail
This HowTo describes the installtion of the mix server and related software for FreeBSD using Jails. We prefer the installation of releated software from ports (not packages), because compilation does not take not much time and ports are sometimes more up to date than packages. The software for mix servers for FreeBSD is distributed as source code.
To compile the mix sources the libraries OpenSSL (at least v.0.9.7) and Xerces-C++ are required. Additional a C++ compiler, automake and subversion are required too. It may be usefull to install subversion from ports, to disable BDB.
cd /usr/ports/security/openssl && make install clean cd /usr/ports/textproc/xerces-c2-devel && make install clean cd /usr/ports/devel/automake19 && make install clean cd /usr/ports/devel/subversion && make install WITHOUT_BDB=YES && make clean
For premium mixes PostgreSQL database server, client and C-libraries for PostgreSQL clients are requiered too.
cd /usr/ports/databases/postgresql84-client && make install clean cd /usr/ports/databases/postgresql84-server && make install clean cd /usr/ports/databases/postgresql-libpq++ && make install clean
Compile the source code
Checkout the latest stable version from our subversion repository. We recommend the use of the directory /home/mix for sources.
mkdir /home/mix cd /home/mix svn checkout https://svn.jondos.de/svn/proxytest/proxytest/branches/stable
Afterwards compile and install the mix software:
cd /home/mix/stable ./configure --enable-new-channel-encryption --enable-new-flow-control make make install
Enable additional features
Depending of the features needed by your mix, you can enable some more features for your mix:
./configure --enable-new-channel-encryption --enable-new-flow-control --enable-payment .... ....
Mandatory features for some cases:
- --enable-payment (Mandatory for premium mixes.) Specify if to build with payment support.
- --enable-user-bandwidth-limitation(Mandatory for free enty mixes.) Specify if to build with bandwith limitation for users (first mix). The limitation parameters can be specified in the mix configuration file.
Monitoring your mix:
- --enable-server_monitoring Specify if to build with state tracking for server monitoring. You can specify a monitor port in the mix configuration and fetch a XML file from this IP:port time by time to check your mix. A plug-in for Nagios, which is using the monitoring port, you will find in the mix source tree misc.
Additional Logging features:
- --enable-crime-detection Enable crime detection mode. Crime detection parameters can be specified in the mix configuration file. Do ONLY use it, if you are under constraint by authorities and law. For working well, all mixes of a cascade have to enable this feature.
- --enable-dataretentionlog Enable log messages according to German data retention law.
- --enable-bandwidth-limitation Specify if to build with last mix bandwidth limitation. The limitation parameters can be specified in the mix configuration file. (only exit mixes)
Create a system user account
It is not a good solution to run the mix server with root privileges. Create a new system user account (recommended name: mix) and specify this user account in the mix configuration file. After start up, the mix server will switch to this UID.
Create a system user account with useradd:
adduser --quiet --system --disabled-password --shell=/bin/false --group mix
Create a log directory
The directory and file for log messages will be specified in the mix configuration file. You have to create the directory and set safe permissions:
mkdir /var/log/mix chown mix:adm /var/log/mix chmod 0750 /var/log/mix
No logrotate configuration is necessary. The mix server creates a new file, if the log file size exceeded the configured limit.
Start the mix server
You have to create a mix configuration, became root, raise the number of max. open descriptors to the value specified in the mix configuration file and you can start the mix:
limit descriptors 32768 mix -c /path/to/config.xml
After startup the mix server will switch to the sytem UID specified in the mix configuration file.
Update the mix software
Like other software the mix is updated time by time. New features will be added, bugs will be fixed ... and so on. Join the operator mailing list to stay up-to-date about software updates. If an update is announced, run the following steps.
cd /home/mix/stable make distclean svn update ./configure --enable-new-channel-encryption --enable-new-flow-control --enable-server_monitoring --enable-payment .... .... make make install
After successful update restart the mix.
HowTo install squid proxy (only exit mixes)
The squid proxy can be installed by the package manager of your your operating system. Do NOT install squid3, please use the latest stable version of squid v.2.7. Only for testing purposes lynx may be installed too. Perl-Template-Toolkit is need to process the config template file. Alternativly you con do this job by hand.
cd /usr/ports/www/lynx && make install clean cd /ports/www/p5-Template-Toolkit && make install clean cd /usr/ports/www/squid && make install clean options for Squid are: SQUID_AUFS / SQUID_COSS / SQUID_LARGEFILE
Add a line to /etc/rc.conf
Make a backup of the original squid.conf.
cd /usr/local/etc/squid/ mv squid.conf squid.conf.orig
Replace the configuration file with an optimized configuration and add the block list squid-block.acl. You may find the squid configuration files provided by Jondos in the mix source code, subdirectory misc/FreeBSD/ of the mix source code. There are two squid.conf templates: one template for free services and one for premium services. Choose the suitable template and replace all occurrence of [% extIP %] by the extern IP address of your server. You may use tpage from the Perl Template Toolkit for this job. In the example the template for free services is used and the extern IP address is 22.214.171.124. Alternativly you may do this job by hand.
cd /home/mix/stable/misc/FreeBSD tpage --define extIP=126.96.36.199 squid.conf.free.template > /usr/local/etc/squid/squid.conf cp squid-block.acl /usr/local/etc/squid/
Afterward create the cache directories and wait, until the cache is created....
squid -z -d -3
... and start the squid proxy.
... and check if squid was working.
http_proxy=http://127.0.0.1:3128; lynx http://www.anonymous-proxy-servers.net
Update the squid blocklist
Von Zeit zu Zeit wird die Block-Liste aktualisiert. Betreiber von Webdiensten bitten JonDonym bei mehrfachem Missbrauch des Dienstes, den Zugriff uaf ihre Webseite zu unterbinden. Sie werden über die mix operator mailingliste über Aktualisierungen informiert.
cd /home/mix/stable svn update cp -f misc/FreeBSD/squid-block.acl /usr/local/etc/squid/squid-block.acl /usr/local/etc/rc.d/squid restart
HowTo install Dante SOCKS proxy (only premium exit mixes)
The Dante SOCKS proxy can be installed by the package manager of your your operating system. For FreeBSD it is recommeded to install dante from the ports tree.
cd /usr/ports/net/dante && make install clean
Add a line to /etc/rc.conf
Keep a copy of the original sockd.conf.
cd /usr/local/etc/ mv sockd.conf sockd.conf.orig
Install the configuration file sockd.conf provided by JonDos GmbH. It contains the JonDonym blocklist mix servers and blocks port 25. You will find the sample configuration file in the subdirectory misc/FreeBSD/ of the mix source code. Replace all occurrence of [% extIP %] by the extern IP address of your server. You may use tpage from the Perl Template Toolkit for this job. In the example the extern IP address is 188.8.131.52. Alternativly you may do this job by hand.
cd /home/mix/stable/misc/FreeBSD tpage --define extIP=184.108.40.206 sockd.conf.template > /usr/local/etc/sockd.conf
And start the Dante SOCKS proxy.
Update the blocklist
Time by time the JonDonym blocklist will be updated. You will receive a notice by the mix operator mailing list. In this case, you have to regenerate your sockd.conf.
cd /home/mix/stable svn update cd misc/FreeBSD tpage --define extIP=220.127.116.11 sockd.conf.template > /usr/local/etc/sockd.conf /usr/local/etc/rc.d/sockd restart