Thursday, April 26, 2012

HOW-TO: Highly anonymous proxy with multiple ip support

Today I completed a proxy-related task that seemed unusual to me, so I decided to write a small how-to to record the steps and be able to use it as a reference in the future.

The main difficulty in this task was a deprecated CentOS installation on the server. If you simply try to run

yum search squid

then yum will complain about a missing repodata.xml: the CentOS 4 repos have already been removed from the CentOS mirrors, so I needed to configure the vault.centos.org repo in YUM. I backed up /etc/yum.repos.d/CentOS-Base.repo and edited it:

[base]
name=CentOS-4.8 - Base
baseurl=http://vault.centos.org/4.8/os/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
priority=1
protect=1

#released updates
[update]
name=CentOS-4.8 - Updates
baseurl=http://vault.centos.org/4.8/updates/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
priority=1
protect=1

#packages used/produced in the build but not released
[addons]
name=CentOS-4.8 - Addons
baseurl=http://vault.centos.org/4.8/addons/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
priority=1
protect=1

#additional packages that may be useful
[extras]
name=CentOS-4.8 - Extras
baseurl=http://vault.centos.org/4.8/extras/$basearch/
gpgcheck=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
priority=1
protect=1

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-4.8 - Plus
baseurl=http://vault.centos.org/4.8/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
priority=2
protect=1

#contrib - packages by Centos Users
[contrib]
name=CentOS-4.8 - Contrib
baseurl=http://vault.centos.org/4.8/contrib/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://vault.centos.org/RPM-GPG-KEY-centos4
priority=2
protect=1

Then I clean up the yum cache and run the search again

# yum clean all
# yum search squid

Now squid is available for installation, so I install it

# yum install squid

The next step is to set up authentication. I use only BASIC auth, so I uncomment the related lines in /etc/squid/squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/proxy.auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Then I create the file with the password information:

# htpasswd -c /etc/squid/proxy.auth squid

The next step is to hide the proxy information. After this step, web sites lose the ability to detect whether you are using a proxy.

For this I added the following lines to squid.conf

# Disable client ip forwarding
forwarded_for off

# Header control
header_access Allow allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Accept-Charset allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Cookie allow all
header_access Set-Cookie allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access WWW-Authenticate allow all
header_access User-Agent allow all
header_access All deny all

If you want to hide or spoof the User-Agent, replace the second-to-last line with

header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
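As an added illustration (not code from this post or from Squid), the following Python model applies the header_access / header_replace rules above to a constructed client request and shows which headers leave the proxy. It models only the "allow all" / "deny all" forms used here, not arbitrary Squid ACL lists.

```python
# Constructed squid.conf excerpt, abbreviated from the post, with the
# "User-Agent allow" line already swapped for header_replace.
SQUID_CONF = """\
header_access Host allow all
header_access Cookie allow all
header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
header_access All deny all
"""

def parse_header_policy(conf):
    """Return ({header: action}, default action, {header: replacement});
    names are lower-cased, "All" sets the default (Squid's own is allow)."""
    actions, replacements, default = {}, {}, "allow"
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 3)
        if parts[0] == "header_access" and len(parts) == 4:
            if parts[1].lower() == "all":
                default = parts[2]
            else:
                actions[parts[1].lower()] = parts[2]
        elif parts[0] == "header_replace" and len(parts) >= 3:
            name, value = line.split(None, 2)[1:]  # value may contain spaces
            replacements[name.lower()] = value
    return actions, default, replacements

def apply_policy(request_headers, conf):
    """Return the headers Squid forwards upstream: allowed headers pass as-is,
    denied ones are dropped unless header_replace names them, in which case the
    fixed string is sent. header_replace never touches an allowed header, which
    is why the post removes the "User-Agent allow all" line to spoof it."""
    actions, default, replacements = parse_header_policy(conf)
    forwarded = {}
    for name, value in request_headers.items():
        key = name.lower()
        if actions.get(key, default) == "allow":
            forwarded[name] = value
        elif key in replacements:
            forwarded[name] = replacements[key]
    return forwarded

CLIENT_REQUEST = {  # constructed client request as the proxy receives it
    "Host": "example.com",
    "Cookie": "session=abc123",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "X-Forwarded-For": "10.0.0.5",  # left behind by a client-side proxy
    "Referer": "http://intranet.local/",
}
```

Running apply_policy(CLIENT_REQUEST, SQUID_CONF) keeps Host and Cookie, drops X-Forwarded-For and Referer, and sends the fixed Nutscrape string as User-Agent.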

The next step is to add the ability to use multiple source IP addresses depending on the proxy address currently used. For example, if you use 192.168.17.43:3128 as the proxy address, then sites see your IP address as 192.168.17.43.

For this I use a file with the IP list, one IP per line. Then I run a script to generate the config:

# i=0; while read ip; do i=$((i+1)); echo "acl ip${i} myip ${ip}"; echo "tcp_outgoing_address ${ip} ip${i}"; done < /tmp/squid-ips.txt | tee -a /etc/squid/squid.conf

The last step is to reload the squid config and enable squid startup at system boot

# service squid reload
# chkconfig squid on

To check the proxy info, you can visit this link.
