Это старая версия документа!

, ,

Squid+Privoxy+Tor

squid

Squid

nano /etc/squid/squid.conf 

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl ftp proto FTP
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 3128
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow all

http_port 3128

hierarchy_stoplist cgi-bin ?

cache_peer 127.0.0.1 parent 8118 7 no-query no-digest

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


httpd_suppress_version_string on
forwarded_for off
always_direct allow ftp
never_direct allow all
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl home_network src 192.168.2.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow home_network
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl malware_domains url_regex '/etc/squid/Malware-domains.txt'
http_access deny malware_domains
http_access allow localhost
http_access deny all
icp_access deny all
http_port 3400
icp_port 0
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer localhost parent 8118 0 round-robin no-query
cache_peer localhost2 parent 8129 0 round-robin no-query
cache_peer localhost3 parent 8230 0 round-robin no-query
cache_peer localhost4 parent 8321 0 round-robin no-query
cache_peer localhost5 parent 8421 0 round-robin no-query
cache_peer localhost6 parent 8522 0 round-robin no-query
cache_peer localhost7 parent 8623 0 round-robin no-query
cache_peer localhost8 parent 8724 0 round-robin no-query
never_direct allow all
always_direct deny all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
forwarded_for off
coredump_dir /home/squid-cache # where squid stores the cache
cache_dir ufs /home/squid-cache 20000 16 256 # cache-size in MB, Directory-Structure 1, Directory-Structure below 1
pid_filename /var/run/squid-in.pid
access_log /var/log/squid/access.squid-in.log
cache_store_log /var/log/squid/store.squid-in.log
cache_log /var/log/squid/cache.squid-in.log

Privoxy

nano /etc/privoxy/config

privoxy
#
# https://www.privoxy.org/user-manual/config.html
#
listen-address  192.168.1.131:8118
#ExitNodes {za}
#StrictNodes 1
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
filterfile default.filter
filterfile user.filter      # User customizations
logfile logfile
debug     1 # Log the destination for each request. See also debug 1024.
debug     2 # show each connection status
debug     4 # show tagging-related messages
debug     8 # show header parsing
debug    16 # log all data written to the network
debug    32 # debug force feature
debug    64 # debug regular expression filters
debug   128 # debug redirects
debug   256 # debug GIF de-animation
debug   512 # Common Log Format
debug  1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
debug  2048 # CGI user interface
debug  4096 # Startup banner and warnings.
debug  8192 # Non-fatal errors
debug 32768 # log all data read from the network
debug 65536 # Log the applying actions
toggle  1
enable-remote-toggle  0
enable-remote-http-toggle  0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forward-socks5 / 192.168.1.131:9050 . # перенаправляем траффик на tor socks proxy (на тор)
forward-socks4 / 192.168.1.131:9050 . # перенаправляем траффик на tor socks proxy (на тор)
forward-socks4a / 192.168.1.131:9050 . # перенаправляем траффик на tor socks proxy (на тор)
forward-socks4a .onion 192.168.1.131:9050 . # Если домен .onion - то через tor
#forward .i2p 192.168.1.131:4444 . # если домен .i2p - идем на него через i2p роутер
forward 192.168.*.*/ . # локалку не трогаем forward 10.*.*.*/ . #равно как и VPN
forward 127.*.*.*/   .
forwarded-connect-retries  0
accept-intercepted-requests 1 # это позволит делать прозрачное проксирование через iptables
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300
forward-socks4a / 127.0.0.1:9050 .
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
filterfile default.filter

logfile logfile

debug   4096 # Startup banner and warnings
debug   8192 # Errors - *we highly recommended enabling this*

user-manual /usr/share/doc/privoxy/user-manual
listen-address  127.0.0.1:8118
toggle  1
enable-remote-toggle 0
enable-edit-actions 0
enable-remote-http-toggle 0
buffer-limit 4096
actionsfile standard.action # Internal purpose, recommended
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
actionsfile neilvandyke.action # http://neilvandyke.org/privoxy-rules/
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0

Tor

Tor

nano /etc/tor/torrc

torrc
SocksPort localhost:9050
ControlPort localhost:9051
# 
Log notice file /var/log/tor/notices.log
Log debug file /var/log/tor/debug.log
#
DataDirectory /var/lib/tor
CookieAuthentication 0
User debian-tor
Group debian-tor
RunAsDaemon 1
# Эти настройки немного ускоряют работу - важно для слабых устройств
CircuitBuildTimeout 30 
KeepAlivePeriod 60
NewCircuitPeriod 15 
NumEntryGuards 8
# Это позволяет ограничить количество используемых сокетов - важно при работе на опять-таки "вялых" устройствах и на арендованных серверах
ConstrainedSockets 1
# Мининизировать запись на диск - это важно для устройств, система которых находится на флешке
AvoidDiskWrites 1
SocksPort 9050 # what port to open for local application connections
SocksBindAddress 127.0.0.1 # accept connections only from localhost
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
SocksBindAddress 127.0.0.1 # accept connections only from localhost
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User tor
Group tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15