(tested on Debian)

needed packages:

* squid

* privoxy

* tor

* socat

the tor solution

Prevent packet headers from sending a lot of unwanted informations to the internet. Anonymise your connection with a squid-privoxy-tor combination. Bounce your packets through an anonimous and encrypted chain of servers.
Anonimity is never 100% secure, but here we work out a good solution for being anonimous for someone sniffing us from the internet. That means: neither "what we do" nor "where we go" gets anonymised, just "where do we come from"; somebody controlling what we do from the internet cannot see who we are (but it doesn't work if somebody is controlling our internal network, ex. through wireless, or our connection from our network until the first tor router, ex. controlling through our internet provider).
So if somebody in Turkey is sniffing my emails, he/she will not be able to understand where do I write from, but will still be able to intercept what I do write on the mail; if somebody got the authorisation from my internet-provider to sniff all my traffic on the internet, than the anonimisation we use here will be unuseful.

Another very interesting toping using the tor solution is the possibility of setting up HIDDEN SERVICES: we can run an http/https, irc, whatever we want server on the internet, and clients connecting to it DO NOT contact the server itself, but CLIENT AND SERVER MEET IN THE MIDDLE OF AN ONION ROUTER CHAIN - that means that nobody will know where are we comeing from, and also that nobody will understand where the service we are using is hosted from!!!

here a little explanation on how the combination works for html pages:

Browser <> squid host:8888 <> privoxy host:8118 <> tor host:9050 <> tor onion router chains <> webserver

TOR (The Onion Routing, http://tor.eff.org) is a sistem that uses an entry point, than communications are bounced around a distributed network of servers going finally out through an exit point. Each "onion router" nows only the server before and the server after him in the chain, and communicates with an AES128 key to them.

1-) install tor and privoxy

Debian packages have been uploaded to the set of official unstable Debian packages. If you are running stable (woody) or testing (sarge), you must first add these lines to /etc/apt/sources.list:

deb http://mirror.noreply.org/pub/tor stable main
deb-src http://mirror.noreply.org/pub/tor stable main

To install the packages, issue the following commands:

$ apt-get update
$ apt-get install tor privoxy socat

2) configure privoxy for use with tor

After installing and starting Privoxy, privoxy works standard at port 8118. The privoxy configuration can also be managed through a webinterface, at the address http://p.p/ To be able to use privoxy with tor, we have to edit the /etc/privoxy/config

interesting configuration variables:

5.2. forward-socks4 and forward-socks4a / Weiterleitung an einen SOCKS4/SOCKS4a Proxy

forward-socks4a / .

Forwarding all requests to TOR - don't forget the dot (.) at the end!

3) set up the squid cahce

squid is a normal http-caching program, what we really like at squid, is it's configurable feature to remove http headers, that means informations send to the internet by your web browser.

$apt-get install squid

client mode configuration: suitable for a workstation with caching proxy in stand alone mode (Privoxy on localhost:8118).

Squid requires some configuration values to be modified in order to function as a caching proxy.

vi ~/etc/squid.conf

Search for the following key values and set them accordingly: #

http_port 8888

http_access allow localhost

cache_peer localhost parent 8118 7 no-query default

force the use of privoxy/tor in all cases:

never_direct allow all

visible_hostname localhost

If transparent gateway mode is used, the following must also be set: # (actually it is not a good idea to use a transparent gateway!!!) #(insert your subnets as required): #

acl home_network src

http_access allow home_network

httpd_accel_port 80

httpd_accel_host virtual

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

The following settings are helpful in removing some sensitive # HTTP headers which could divulge unwanted information: #

header_access From deny all

header_access Referer deny all

header_access Server deny all

header_access User-Agent deny all

header_access WWW-Authenticate deny all

header_access Link deny all

NOTE: some sites may require a User-Agent or Referer to # function correctly.

Be sure to run '~/sbin/squid -z' to create the cache directories before starting the Squid proxy with '~/bin/RunCache'.

Using your browser configuration utility update the HTTP/HTTPS proxy settings to point to localhost at port 8888. At this point all of your web traffic will be going through the Squid proxy, into Privoxy for protocol cleaning, and finally into Tor for delivery of requests and responses. The reduced latency of Squid serving cached pages should be readily visible as you browse various sites.

squid without caching

You can use the no_cache access list to make Squid never cache any response:

acl all src 0/0

no_cache deny all

With Squid-2.4 and later you can use the ``null'' storage module to avoid having a cache directory:

cache_dir null /tmp

Note: a null cache_dir does not disable caching, but it does save you from creating a cache structure if you have disabled caching with no_cache. Note: the directory (e.g., /tmp) must exist so that squid can chdir to it, unless you also use the coredump_dir option. To configure Squid for the ``null'' storage module, specify it on the configure command line:

./configure --enable-storeio=ufs,null ...

disable log files
To disable access.log:

cache_access_log none

To disable store.log:

cache_store_log none

To disable cache.log:

cache_log /dev/null

Note : It is a bad idea to disable the cache.log because this file contains many important status and debugging messages. However, if you really want to, you can. Warning : If /dev/null is specified to any of the above log files, logfile rotate must also be set to 0 or else risk Squid rotating away /dev/null making it a plain log file.

4) check if everything is working fine: http://leader.ru/secure/who.html

REMEMBER: your DNS request could still leak informations, if they don't go through tor (ex. with SOCKS4a). you can still use tor-resolve to eliminate this problem...

5) torify your software: instructions for various applications (ssh, irc, fetchmail, gaim, ...) in http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO

if you are running tor for your ssh connections, remember to disable the proxy configuration for your internal network, otherwise you will not be able to ssh to your lan machines:

vi /etc/ssh/ssh

Host 192.168.*
Proxycommand none

if you cannot reach your LAN machines/services anymore, just say the programs to use NO PROXY for your internal ip's or domains (ex. in mozilla, proxy settings, you can find a NO PROXY FOR line)

if privoxy cannot contact an hidden service (ex, the hidden wiki: http://6sxoyfb3h2nvok2d.onion/tor/ ), just click on "try it again", and you will be able to connect... Remember: hidden services are reacheable only if you are running a privoxy - tor combination.

-- OtmMto - 01 Jun 2005