Squid and Dante on Linux
HowTo install Squid proxy (only exit mixes)
The Squid proxy can be installed with the package manager of your operating system. Do NOT install the squid3 package; use the latest stable version of Squid 2.7. For testing purposes only, lynx may be installed as well. If you use the Debian packages from the JonDos repository, you can skip this section: everything is done by the install routine of the mix packages.
RedHat: yum install squid lynx
Stop the Squid proxy if it is running after the installation and make a backup of the original configuration.
invoke-rc.d squid stop
cd /etc/squid
mv squid.conf squid.conf.orig
Replace the configuration file with an optimized configuration and add the blocklist squid-block.acl. You will find the Squid configuration files provided by JonDos GmbH in the mix source code, subdirectory misc/Linux. Choose the Squid config suitable for your cascade (premium or free) and copy the file to /etc/squid. The example uses the config for free exit mixes.
cd /home/mix/stable/misc/Linux
cp -f squid.conf.free /etc/squid/squid.conf
cp -f squid-block.acl /etc/squid/squid-block.acl
touch /etc/squid/squid-block.acl.local
Use a fixed IP address for exit traffic: If your server has more than one external IP address, you have to set a fixed IP address for exit traffic in the Squid configuration file. Otherwise consecutive requests of one user could leave from different addresses, and users run into trouble on websites that check the client IP address. Remove the comment character from the following line in the Squid configuration and use one of your IP addresses:
Local extensions of the blocklist: If you want to extend squid-block.acl for your mix, use the file /etc/squid/squid-block.acl.local. It will not be overwritten by updates of the JonDonym blocklist. At a minimum you have to create an empty file, because squid.conf includes it. For locally blocked websites a special error message is displayed to the user. It informs them that the website may be reachable via other cascades.
Error messages: The Squid configuration provided by JonDos GmbH replaces the default Squid error messages with special pages for JonDonym. The HTML pages are part of the mix source; you will find them in the subdirectory misc/squid-messages. Because some error pages have been added, you have to use these messages. If you did not check out the mix sources to the directory /home/mix/stable, you have to edit your squid.conf: the value of error_directory has to point to the error message directory.
For high-traffic exit mixes it is recommended to raise the maximum number of open file descriptors for Squid. Edit the file /etc/default/squid and set a more suitable limit:
Afterwards create the cache directories and wait until the cache has been created...
squid -z -d -3
... and start the squid proxy.
invoke-rc.d squid start
... and check that Squid is working. The proxy address is passed to lynx via the http_proxy environment variable, so it has to be set for the lynx command itself (a semicolon between the two would set a shell variable that lynx never sees):
http_proxy=http://127.0.0.1:3128 lynx http://www.anonymous-proxy-servers.net
Updating the JonDonym blocklist
From time to time the JonDonym blocklist is updated. You will receive a notice via the mix operator mailing list.
cd /home/mix/stable
svn update
cp -f misc/Linux/squid-block.acl /etc/squid/squid-block.acl
invoke-rc.d squid reload
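The steps above leave a few things to check by hand: that squid-block.acl.local exists, that tcp_outgoing_address (Squid's directive for a fixed outgoing address) is active on hosts with several external IPs, that error_directory points at an existing directory, and that a freshly copied blocklist does not break the configuration before squid reload is issued. The following script is an added example, not part of the JonDonym mix sources; it assumes the Squid 2.7 paths used on this page (/etc/squid, /home/mix/stable) and uses squid -k parse to validate the configuration before reloading.

```shell
#!/bin/sh
# Added example, not part of the JonDonym mix sources: pre-flight checks for the
# Squid exit-mix setup and a guarded blocklist update. Assumed paths are the
# Squid 2.7 defaults (/etc/squid) and the mix checkout in /home/mix/stable.

SQUID_CONF=${SQUID_CONF:-/etc/squid/squid.conf}
MIX_SRC=${MIX_SRC:-/home/mix/stable}

# squid.conf references squid-block.acl.local; create it empty if it is missing.
ensure_local_acl() {
    [ -f "$1" ] || : > "$1"
    [ -f "$1" ]
}

# Return 0 if config file $1 carries an active (not commented out)
# tcp_outgoing_address line with an IPv4 address.
has_outgoing_address() {
    grep -Eq '^[[:space:]]*tcp_outgoing_address[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1"
}

# Number of global-scope IPv4 addresses on this host; more than one means a
# fixed tcp_outgoing_address is needed so all exit traffic uses one address.
external_ipv4_count() {
    ip -4 -o addr show scope global 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if the error_directory named in $1 exists on disk, so Squid can
# serve the JonDonym error pages instead of missing its templates.
error_directory_ok() {
    dir=$(sed -n 's/^[[:space:]]*error_directory[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$dir" ] && [ -d "$dir" ]
}

# Install a new upstream blocklist ($1) over $2 only if Squid accepts the
# resulting configuration; otherwise restore the previous list, so a later
# reload cannot take the proxy down because of a bad ACL file.
update_blocklist() {
    new_list=$1
    dst=${2:-/etc/squid/squid-block.acl}
    [ -f "$dst" ] && cp -f "$dst" "$dst.prev"
    cp -f "$new_list" "$dst" || return 1
    if squid -k parse -f "$SQUID_CONF"; then
        invoke-rc.d squid reload
    else
        echo "squid -k parse rejected the new blocklist; restoring $dst.prev" >&2
        [ -f "$dst.prev" ] && mv -f "$dst.prev" "$dst"
        return 1
    fi
}

# Run all checks; print what is wrong and return non-zero if anything is.
preflight() {
    rc=0
    ensure_local_acl /etc/squid/squid-block.acl.local || rc=1
    if [ "$(external_ipv4_count)" -gt 1 ] && ! has_outgoing_address "$SQUID_CONF"; then
        echo "host has several external IPs but tcp_outgoing_address is not set" >&2
        rc=1
    fi
    error_directory_ok "$SQUID_CONF" || { echo "error_directory missing or unset" >&2; rc=1; }
    return $rc
}

# Usage: SQUID_CHECK=preflight sh squid-check.sh
#        SQUID_CHECK=update    sh squid-check.sh   (after 'svn update' in $MIX_SRC)
case "${SQUID_CHECK:-}" in
    preflight) preflight ;;
    update)    update_blocklist "$MIX_SRC/misc/Linux/squid-block.acl" ;;
esac
```

Run the preflight once before the first squid start and the update mode instead of the plain cp/reload sequence after every svn update; the previous blocklist is kept as squid-block.acl.prev until the new one has been parsed successfully.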
HowTo install bind9 (only exit mixes)
For exit mixes it is recommended to use a local bind9 DNS resolver. First install the package resolvconf and afterwards the package bind9. It is recommended to do this in two steps: installing resolvconf and bind9 together in one step sometimes causes trouble.
# aptitude install resolvconf
# aptitude install bind9
We have prepared a configuration for bind9 version >= 9.7. The configuration enables DNSSEC validation, so that DNS answers are checked against the signatures published by the zone owners. For Linux servers you will find the prepared configuration files in the mix source code in the subdirectory misc/Linux. Copy the two configuration files named.conf.options and named.conf.keys to /etc/bind, include these configuration files in the main configuration /etc/bind/named.conf and restart bind9.
To include both configuration files in the main config file /etc/bind/named.conf please add:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.keys";
Finally you can verify DNSSEC validation with dig. This program is part of the package dnsutils. You can use the domains isc.org or wikileaks.de for testing.
# dig +dnssec isc.org

; <<>> DiG 9.7.2-P3 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22729
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
The flag ad has to be set; it indicates that the answer passed DNSSEC validation. In addition, the SERVER line has to show 127.0.0.1#53, i.e. the answer came from the local bind9 and not from another resolver listed in /etc/resolv.conf. If ad is missing, check that named.conf.keys is really included and that bind9 was restarted after the change.
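The dig check above is easy to misread by eye, especially when resolvconf has left another nameserver in /etc/resolv.conf. The script below is an added example, not part of the JonDonym mix sources: it runs dig +dnssec through the system resolver (no explicit @server, so the SERVER line really reflects /etc/resolv.conf) and checks status, the ad flag and the answering server mechanically. It assumes dig from dnsutils is installed; the parsing function can also be fed saved dig output.

```shell
#!/bin/sh
# Added example, not part of the JonDonym mix sources: check that the local
# bind9 resolver validates DNSSEC, automating the dig +dnssec check.
# Assumes dig (dnsutils) is installed and that /etc/resolv.conf, managed by
# resolvconf, points at 127.0.0.1; dig is therefore run without @server.

# Read the text output of 'dig +dnssec <name>' from stdin and return 0 only if
# the status is NOERROR, the answer came from 127.0.0.1#53 and the 'ad'
# (authenticated data) flag is present in the header.
check_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    server=$(printf '%s\n' "$out" | sed -n 's/^;; SERVER: \(.*\)$/\1/p' | head -n 1)

    [ "$status" = NOERROR ] || { echo "status is '$status', not NOERROR" >&2; return 1; }
    case "$server" in
        127.0.0.1#53*) ;;
        *) echo "answer came from '$server', not the local bind9" >&2; return 1 ;;
    esac
    for f in $flags; do
        [ "$f" = ad ] && return 0
    done
    echo "no 'ad' flag: the resolver did not validate this answer" >&2
    return 1
}

# Query one signed name through the system resolver and check the result.
check_resolver() {
    dig +dnssec "$1" | check_dig_output
}

# Usage: DNSSEC_CHECK_NAMES="isc.org wikileaks.de" sh dnssec-check.sh
for name in ${DNSSEC_CHECK_NAMES:-}; do
    if check_resolver "$name"; then
        echo "$name: validated by the local bind9"
    else
        echo "$name: FAILED"
    fi
done
```

A missing ad flag with SERVER 127.0.0.1#53 points at the bind9 configuration (keys not included, validation not enabled); a SERVER line showing another address means resolvconf did not put the local resolver first and Squid would use an unvalidated resolver as well.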
Update bind9 for Debian 5.0 lenny
Debian 5.0 lenny contains bind9 version 9.6.x, which is not compatible with our configuration. We recommend an upgrade to version 9.7.2 provided by debian-backports. To use the Debian backports repository, add the following line to your /etc/apt/sources.list:
deb http://backports.debian.org/debian-backports lenny-backports main
Afterwards you can install the new packages for bind9 and its dependencies:
apt-get update
aptitude -t lenny-backports install bind9 dnsutils
To receive future security updates for bind9 from the backports repository, it is strongly recommended to edit /etc/apt/preferences and add the following lines (priority 200 keeps backports below the stable release, so only packages already installed from lenny-backports are upgraded from there):
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
HowTo install Dante SOCKS proxy (only premium exit mixes)
The Dante SOCKS proxy can be installed by the package manager of your operating system.
RedHat: yum install dante-server
Install the configuration file provided by JonDos GmbH. The template for the configuration is part of the stable mix source; you will find it in misc/Linux/danted.conf.template or download it here: danted.conf.template. Replace the template string [% extIP %] in line 9 with your external IP address (you may use the editor pico), copy the file to /etc/danted.conf and restart Dante. The configuration contains the blocklist of JonDonym mix servers and blocks port 25 to prevent spam relaying.
cd /home/mix/stable/misc/Linux
pico danted.conf.template
cp -f danted.conf.template /etc/danted.conf
invoke-rc.d danted restart
Updating the JonDonym blocklist
From time to time the JonDonym blocklist is updated. You will receive a notice via the mix operator mailing list. Check out the latest stable mix source and update your danted.conf. Please note: you have to replace the template string [% extIP %] again with your external IP address, because the update restores the unmodified template.
cd /home/mix/stable
svn update
cd misc/Linux
pico danted.conf.template
cp -f danted.conf.template /etc/danted.conf
invoke-rc.d danted restart
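Editing danted.conf.template by hand inside the svn checkout, as in the two procedures above, has to be repeated after every update and leaves a locally modified file in the working copy. The script below is an added example, not part of the JonDonym mix sources: it renders danted.conf from the untouched template, refuses malformed addresses and leftover [% extIP %] markers, and lets danted verify the rendered file before it replaces /etc/danted.conf. It assumes the template path from this page and that the installed danted supports -V (verify configuration and exit) together with -f.

```shell
#!/bin/sh
# Added example, not part of the JonDonym mix sources: render danted.conf from
# the JonDos template instead of editing it in the svn checkout, so the
# [% extIP %] substitution is repeatable after every blocklist update.
# Assumes the template path from this page and 'danted -V -f <file>' for
# configuration verification.

TEMPLATE=${TEMPLATE:-/home/mix/stable/misc/Linux/danted.conf.template}
TARGET=${TARGET:-/etc/danted.conf}

# Accept only a plain dotted-quad IPv4 address (each octet 0-255).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Replace every [% extIP %] marker in template $1 with address $2, writing the
# result to $3. Returns 1 if the address is malformed, a marker is left over,
# or the address did not end up in the output.
render_danted_conf() {
    tpl=$1
    ip=$2
    out=$3
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    sed "s/\[% extIP %\]/$ip/g" "$tpl" > "$out" || return 1
    if grep -q '\[%' "$out"; then
        echo "unreplaced template marker in $out" >&2
        return 1
    fi
    grep -qF "$ip" "$out"
}

# Render to a temporary file, let danted verify it, then install and restart.
# The running configuration is only replaced after a successful verification.
install_danted_conf() {
    ip=$1
    tmp=$(mktemp /tmp/danted.conf.XXXXXX) || return 1
    render_danted_conf "$TEMPLATE" "$ip" "$tmp" || { rm -f "$tmp"; return 1; }
    if danted -V -f "$tmp"; then
        cp -f "$tmp" "$TARGET" && rm -f "$tmp"
        invoke-rc.d danted restart
    else
        echo "danted rejected $tmp; keeping current $TARGET" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage: EXT_IP=203.0.113.5 sh deploy-danted.sh   (after 'svn update')
if [ -n "${EXT_IP:-}" ]; then
    install_danted_conf "$EXT_IP"
fi
```

Because the template itself is never modified, svn update applies cleanly and the same command reinstalls the updated blocklist with the correct external address each time.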