Squid and Dante on Linux

From JonDonym Wiki
Revision as of 13:16, 4 April 2014 by Kn (Talk | contribs)



HowTo install Squid proxy (only exit mixes)

The squid proxy can be installed with the package manager of your operating system. Do NOT install the package squid; use the latest stable version of squid3 instead. Only for testing purposes, lynx may be installed as well. If you are using the Debian packages from the JonDos repository, you can skip this section: everything is done by the install routine of the mix packages.

RedHat:  yum install squid3 lynx

Stop the squid proxy if it was running after installation and make a backup of the original configuration.

invoke-rc.d squid3 stop
cd /etc/squid3
mv squid.conf squid.conf.orig

Replace the configuration file with the optimized configuration and add the block list squid-block.acl. You will find the squid configuration files provided by JonDos GmbH in the mix source code, subdirectory misc/Linux. Choose the squid config suitable for your cascade (premium or free) and put the file into /etc/squid. The example uses the config for free exit mixes.

cd /home/mix/stable/misc/Linux
cp -f squid3.conf.free /etc/squid3/squid.conf
cp -f squid3-block.acl /etc/squid3/squid3-block.acl
touch /etc/squid3/squid-block.acl.local

Use a fixed IP address for exit traffic: If your server uses more than one external IP address, you have to set a fixed IP address for exit traffic in the squid configuration file. Otherwise users may run into trouble on websites that check the client IP address. Remove the comment character from the following lines in the squid configuration and use one of your own IP addresses. Replace the IPv4 address in the first line with your IPv4 address and 2000::1 with your IPv6 address:

tcp_outgoing_address !to_ipv6
tcp_outgoing_address 2000::1 to_ipv6

Local extensions of the blocklist: If you extend the squid-blocklist.acl for your mix, please use the file /etc/squid/squid-blocklist.acl.local. It will not be overwritten by updates of the JonDonym blocklist. At the very least you have to create an empty file, because it is included by squid.conf. For locally blocked websites a special error message is displayed to the user. It tells the user that the website may be reachable via other cascades.

Error messages: The Squid configuration provided by JonDos GmbH replaces the default error messages of Squid with special pages for JonDonym. The HTML pages are part of the mix source; you will find them in the subdirectory misc/squid-messages. Because some error pages have been added, you have to use these messages. If you did not check out the mix sources to the directory /home/mix/stable, you have to edit your squid.conf so that the value of error_directory points to the error message directory.

error_directory /home/mix/stable/misc/squid-messages

Afterwards start the squid proxy.

invoke-rc.d squid3 start

... and check if squid is working.

http_proxy=; lynx http://www.anonymous-proxy-servers.net

Updating the JonDonym blocklist

From time to time the JonDonym blocklist is updated. You will receive a notice via the mix operator mailing list.

cd /home/mix/stable
svn update
cp -f misc/Linux/squid3-block.acl /etc/squid3/squid3-block.acl
invoke-rc.d squid3 reload

HowTo install bind9 (only exit mixes)

For exit mixes it is recommended to use a local bind9 DNS resolver. First install the package resolvconf and afterwards the package bind9. It is recommended to do this in two steps: you may run into trouble if resolvconf and bind9 are installed together in one step.

# aptitude install resolvconf
# aptitude install bind9

We have prepared a configuration for bind9 version >= 9.7. The configuration contains DNSSEC support for secure resolving of DNS names. For Linux servers you will find the prepared configuration files in the mix source code in the subdirectory misc/linux. Download and copy the two configuration files named.conf.options and named.conf.keys to /etc/bind, include these configuration files in the main configuration /etc/bind/named.conf and restart bind9.

To include both configuration files in the main config file /etc/bind/named.conf please add:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.keys";

Finally, you can verify the DNSSEC validation with dig. This program is part of the package dnsutils. You can use the signed domains isc.org or wikileaks.de for testing.

# dig +dnssec isc.org
; <<>> DiG 9.7.2-P3 <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22729
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 17 msec

The flag ad has to be set; it indicates successful DNSSEC validation. Additionally, the server has to be SERVER:
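A small check for this step, written as an added example that is not part of the wiki page or the mix sources: it parses captured dig output for status NOERROR and the ad flag, so an exit mix operator can script the resolver check instead of reading the output by eye. The sample outputs are constructed; check_resolver is a hypothetical wrapper that runs dig for real.

```shell
#!/bin/sh
# Added example (not from the JonDonym wiki): decide from dig output whether
# the local bind9 resolver validated the answer with DNSSEC.

# dnssec_validated DIG_OUTPUT
# Returns 0 if the header shows status NOERROR and the flags line carries
# "ad" (authenticated data); returns 1 otherwise.
dnssec_validated() {
    out="$1"
    # header line looks like:
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22729"
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    # flags line looks like: ";; flags: qr rd ra ad; QUERY: 1, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    [ "$status" = "NOERROR" ] || return 1
    for f in $flags; do
        [ "$f" = "ad" ] && return 0
    done
    return 1
}

# check_resolver NAME: hypothetical wrapper that queries the configured
# resolver for real (needs network; not used by the offline samples below).
check_resolver() {
    dnssec_validated "$(dig +dnssec "$1" 2>/dev/null)"
}

# Constructed sample: validating resolver, ad flag present.
VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22729
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: resolver without DNSSEC validation, no ad flag.
UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22730
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample: validation failed (bogus signatures give SERVFAIL).
BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22731
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Run check_resolver isc.org on the mix host after bind9 is configured; a non-zero exit means the answer was not validated.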

HowTo install Dante SOCKS proxy (only premium exit mixes)

The Dante SOCKS proxy can be installed with the package manager of your operating system.

RedHat:  yum install dante-server

Install the configuration files provided by JonDos GmbH. The template for the configuration is part of the stable mix source. You will find it in misc/Linux/danted.conf.template or download it here: danted.conf.template. Replace the template string [% extIP %] in line 9 with your external IP address (you may use the editor pico), copy the file to /etc/danted.conf and restart dante. The configuration contains the block list for JonDonym mix servers and blocks port 25 to prevent spam.

cd /home/mix/stable/misc/Linux
pico danted.conf.template
cp -f danted.conf.template /etc/danted.conf
invoke-rc.d danted restart

Updating the JonDonym blocklist

From time to time the JonDonym blocklist is updated. You will receive a notice via the mix operator mailing list. Check out the latest stable mix source and update your danted.conf. Please note: you have to replace the template string [% extIP %] again with your external IP address.

cd /home/mix/stable
svn update
cd misc/Linux
pico danted.conf.template
cp -f danted.conf.template /etc/danted.conf
invoke-rc.d danted restart