Squid and Dante on Linux

From JonDonym Wiki
Revision as of 12:44, 22 March 2013 by Kn


HowTo install Squid proxy (only exit mixes)

The squid proxy can be installed with the package manager of your operating system. Do NOT install squid3; please use the latest stable version of squid 2.7. For testing purposes only, lynx may be installed as well. If you are using the Debian packages from the JonDos repository, you can skip this section: everything is done by the install routine of the mix packages.

RedHat:  yum install squid lynx

Stop the squid proxy if it is running after the installation and make a backup of the original configuration.

invoke-rc.d squid stop
cd /etc/squid
mv squid.conf squid.conf.orig

Replace the configuration file with an optimized configuration and add the block list squid-block.acl. You will find the squid configuration files provided by JonDos GmbH in the mix source code, subdirectory misc/Linux. Choose the squid config suitable for your cascade (premium or free) and put the file into /etc/squid. The example uses the config for free exit mixes.

cd /home/mix/stable/misc/Linux
cp -f squid.conf.free /etc/squid/squid.conf
cp -f squid-block.acl /etc/squid/squid-block.acl
touch /etc/squid/squid-block.acl.local

Local extensions of the blocklist: If you extend squid-block.acl for your mix, please put your additions into the file /etc/squid/squid-block.acl.local. It will not be overwritten by updates of the JonDonym blocklist. At minimum you have to create an empty file, because it is included by squid.conf. For locally blocked websites a special error message is displayed to the user; it informs the user that the website may be accessible via other cascades.

Error messages: The squid configuration provided by JonDos GmbH replaces the default error messages of squid with special pages for JonDonym. The HTML pages are part of the mix source; you will find them in the subdirectory misc/squid-messages. Because some error pages are added, you have to use these messages. If you did not check out the mix sources to the directory /home/mix/stable, you have to edit your squid.conf: the value of error_directory has to point to the error message directory.

error_directory /home/mix/stable/misc/squid-messages

For high traffic exit mixes it is recommended to increase the maximum number of open file descriptors for squid. Please edit the file /etc/default/squid and set a more suitable limit:

SQUID_MAXFD=1024

Afterwards create the cache directories and wait until the cache has been created...

squid -z -d -3

... and start the squid proxy.

invoke-rc.d squid start

... and check if squid is working.

http_proxy=http://127.0.0.1:3128 lynx http://www.anonymous-proxy-servers.net

Updating the JonDonym blocklist

From time to time the JonDonym blocklist is updated. You will receive a notice via the mix operator mailing list.

cd /home/mix/stable
svn update
cp -f misc/Linux/squid-block.acl /etc/squid/squid-block.acl
invoke-rc.d squid reload
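A small preflight check that catches the two mistakes described above before squid is reloaded (a missing squid-block.acl.local, or an error_directory that does not exist). This is an added example in POSIX sh, not part of the mix packages or of the JonDos squid.conf. It assumes that squid.conf references the two ACL files as double-quoted paths on acl lines; the squid.conf fragment in the demo is constructed and much shorter than the real one.

```shell
#!/bin/sh
# Preflight check for the JonDonym squid setup, meant to run before
# "invoke-rc.d squid reload". Added example, not part of the mix packages.
# It verifies what the HowTo warns about: both blocklist files exist (the
# .local one may be empty but must exist), squid.conf actually references
# them, and error_directory points at an existing directory.
# Assumption: squid.conf references the ACL files as double-quoted paths.

check_squid_setup() {
    confdir=$1
    conf="$confdir/squid.conf"
    rc=0

    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    for acl in squid-block.acl squid-block.acl.local; do
        if [ ! -f "$confdir/$acl" ]; then
            echo "missing $confdir/$acl (create it, even if empty)" >&2
            rc=1
        elif ! grep -qF "\"$confdir/$acl\"" "$conf"; then
            echo "$conf does not reference \"$confdir/$acl\"" >&2
            rc=1
        fi
    done

    # error_directory must point at the squid-messages directory of the mix source
    errdir=$(awk '$1 == "error_directory" { print $2; exit }' "$conf")
    if [ -z "$errdir" ]; then
        echo "no error_directory set in $conf" >&2
        rc=1
    elif [ ! -d "$errdir" ]; then
        echo "error_directory $errdir does not exist" >&2
        rc=1
    fi
    return $rc
}

# Optional second stage: let squid parse the file itself (squid 2.6 and later
# understand -k parse). Not called in the demo below, which must also run on a
# machine without squid.
squid_parse_ok() {
    command -v squid >/dev/null 2>&1 || { echo "squid not installed" >&2; return 1; }
    squid -k parse -f "$1"
}

# Demo on a constructed, minimal squid.conf (not the JonDos file)
demo=$(mktemp -d)
mkdir -p "$demo/squid-messages"
cat > "$demo/squid.conf" <<EOF
acl blocklist dstdomain "$demo/squid-block.acl"
acl blocklist_local dstdomain "$demo/squid-block.acl.local"
http_access deny blocklist
http_access deny blocklist_local
error_directory $demo/squid-messages
EOF
printf '.example.invalid\n' > "$demo/squid-block.acl"   # constructed entry

# Forgetting the empty .local file is the mistake the HowTo warns about:
if check_squid_setup "$demo"; then
    echo "unexpected: check passed without squid-block.acl.local"
else
    echo "check fails without squid-block.acl.local, as expected"
fi
touch "$demo/squid-block.acl.local"
check_squid_setup "$demo" && echo "setup OK, safe to run: invoke-rc.d squid reload"
rm -r "$demo"
```

On a real exit mix you would call `check_squid_setup /etc/squid && squid_parse_ok /etc/squid/squid.conf` between the `cp` and the `invoke-rc.d squid reload` of the update procedure, so that a bad copy never reaches the running proxy.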


HowTo install bind9 (only exit mixes)

For exit mixes it is recommended to use a local bind9 DNS resolver. First install the package resolvconf and afterwards the package bind9. It is recommended to do this in two steps; you may run into trouble if resolvconf and bind9 are installed together in one step.

# aptitude install resolvconf
# aptitude install bind9

We have prepared a configuration for bind9 version >= 9.7. The configuration contains DNSSEC support for highly secure resolving of DNS names. For Linux servers you will find the prepared configuration files in the mix source code in the subdirectory misc/Linux. Download and copy the two configuration files named.conf.options and named.conf.keys to /etc/bind, include these configuration files in the main configuration file /etc/bind/named.conf and restart bind9.

To include both configuration files in the main config file /etc/bind/named.conf please add:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.keys";

Finally you can verify the DNSSEC validation with dig. This program is part of the package dnsutils. You can use the domains isc.org or wikileaks.de for testing.

# dig +dnssec isc.org
; <<>> DiG 9.7.2-P3 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22729
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

The flag ad has to be set; it indicates that the answer was DNSSEC validated. Additionally, the server has to be SERVER: 127.0.0.1#53.
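The two conditions above can be checked by a script, so the test is not forgotten after a bind9 upgrade or a resolvconf change. The following POSIX sh example is added here and is not part of the mix packages; the first sample answer is the dig output shown above, the second is constructed from it by removing the ad flag to show the failure case.

```shell
#!/bin/sh
# Check the output of "dig +dnssec <name>" for the two things the HowTo says
# to look for: the ad (Authenticated Data) flag and the local resolver as
# SERVER. Added example, not part of the mix packages.

ad_flag_set() {
    # Extract the flag list between "flags:" and the next ';', then look for
    # an exact "ad" token so that "ad" inside another word cannot match.
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' "$1")
    for f in $flags; do
        [ "$f" = "ad" ] && return 0
    done
    return 1
}

answered_by_local_resolver() {
    grep -q '^;; SERVER: 127\.0\.0\.1#53' "$1"
}

verify_dnssec_answer() {
    # $1: file containing the output of "dig +dnssec <name>"
    if ! answered_by_local_resolver "$1"; then
        echo "FAIL: answer did not come from 127.0.0.1#53 (is bind9 the system resolver?)" >&2
        return 1
    fi
    if ! ad_flag_set "$1"; then
        echo "FAIL: ad flag missing, answer was not DNSSEC validated" >&2
        return 2
    fi
    echo "OK: DNSSEC validated answer from the local resolver"
}

# Sample 1: the dig output from the HowTo
good=$(mktemp)
cat > "$good" <<'EOF'
; <<>> DiG 9.7.2-P3 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22729
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
verify_dnssec_answer "$good"

# Sample 2 (constructed): the same answer without the ad flag, as you would
# see it from a resolver that does not validate
bad=$(mktemp)
sed 's/ ad;/;/' "$good" > "$bad"
if verify_dnssec_answer "$bad"; then
    echo "unexpected: unvalidated answer accepted"
fi
rm -f "$good" "$bad"

# Live use on the mix:
#   dig +dnssec isc.org > /tmp/dig.out && verify_dnssec_answer /tmp/dig.out
```

The SERVER check matters as much as the flag: if resolvconf still points /etc/resolv.conf at the provider's resolver, dig may report an ad flag that was set by a remote server, and the exit mix would be trusting that server instead of its own validating bind9.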

Update bind9 for Debian 5.0 lenny

Debian 5.0 lenny contains bind9 version 9.6.x, which is not compatible with our configuration. We recommend an upgrade to version 9.7.2 provided by debian-backports. To use the Debian backports repository, you have to add the following line to your /etc/apt/sources.list:

deb http://backports.debian.org/debian-backports lenny-backports main

Afterwards you can install the new packages for bind9 and its dependencies:

apt-get update
aptitude -t lenny-backports install bind9 dnsutils

To get future security updates for bind9 from the backports repository, it is strongly recommended to edit /etc/apt/preferences and add the following lines:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

HowTo install Dante SOCKS proxy (only premium exit mixes)

The Dante SOCKS proxy can be installed with the package manager of your operating system.

RedHat:  yum install dante-server

Install the configuration files provided by JonDos GmbH. The template for the configuration is part of the stable mix source. You will find it in misc/Linux/danted.conf.template or download it here: danted.conf.template. Replace the template string [% extIP %] in line 9 with your external IP address (you may use the editor pico), copy the file to /etc/danted.conf and restart Dante. The configuration contains the block list for JonDonym mix servers and blocks port 25 for spam reasons.

cd /home/mix/stable/misc/Linux
pico danted.conf.template
cp -f danted.conf.template /etc/danted.conf
invoke-rc.d danted restart

Updating the JonDonym blocklist

From time to time the JonDonym blocklist is updated. You will receive a notice via the mix operator mailing list. Check out the latest stable mix source and update your danted.conf. Please note: you have to replace the template string [% extIP %] again with your external IP address.

cd /home/mix/stable
svn update
cd misc/Linux
pico danted.conf.template
cp -f danted.conf.template /etc/danted.conf
invoke-rc.d danted restart
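Both procedures above (initial install and blocklist update) depend on replacing [% extIP %] by hand in pico, and a forgotten or mistyped replacement leaves Dante with an unusable external address. The following POSIX sh example, added here and not part of the mix packages, does the substitution with sed, validates the address, and refuses to write a file in which any [% ... %] template string survives. The template fragment and the address 198.51.100.7 used in the demo are constructed; the real danted.conf.template has many more lines.

```shell
#!/bin/sh
# Render danted.conf from the JonDonym template without an interactive editor.
# Added example, not part of the mix packages.

valid_ipv4() {
    # dotted quad with four octets, each 0..255
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

render_danted_conf() {
    # $1: template file, $2: external IP address, $3: output file
    template=$1
    ext_ip=$2
    out=$3
    if ! valid_ipv4 "$ext_ip"; then
        echo "not a valid IPv4 address: $ext_ip" >&2
        return 1
    fi
    if ! grep -q '\[% extIP %]' "$template"; then
        echo "$template has no [% extIP %] placeholder; wrong file?" >&2
        return 1
    fi
    sed "s/\[% extIP %]/$ext_ip/g" "$template" > "$out"
    # Any other [% ... %] string left over means the file is not ready to install.
    if grep -q '\[%.*%]' "$out"; then
        echo "unreplaced template strings remain in $out" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed fragment in danted.conf syntax (not the JonDos template)
tmp=$(mktemp -d)
cat > "$tmp/danted.conf.template" <<'EOF'
logoutput: syslog
internal: 127.0.0.1 port = 1080
external: [% extIP %]
EOF

# A typo in the address is rejected before anything is written
if render_danted_conf "$tmp/danted.conf.template" "198.51.100" "$tmp/danted.conf"; then
    echo "unexpected: incomplete address accepted"
fi

# Correct address (constructed, from the documentation range 198.51.100.0/24)
render_danted_conf "$tmp/danted.conf.template" "198.51.100.7" "$tmp/danted.conf" \
    && grep '^external:' "$tmp/danted.conf"
rm -r "$tmp"

# Real use on the mix (as root), replacing the pico step of the HowTo:
#   render_danted_conf /home/mix/stable/misc/Linux/danted.conf.template YOUR.EXTERNAL.IP /etc/danted.conf \
#       && invoke-rc.d danted restart
```

Because the function writes the output file only after the address passed validation and never restarts Dante on its own, a failed run leaves the previous /etc/danted.conf and the running proxy untouched.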