**********************************************************************
WARNING: recent testing has shown that using Squid in conjunction with Tor and Privoxy is a critical compromise of your privacy: the DNS lookups Squid performs leave by your normal resolver path rather than through Tor. Please read this update for more details. Thank you.
- Squid 2 can be compiled with "--disable-internal-dns" and use an external DNS client of your choice to prevent DNS leaks. You could even disable DNS lookups from Squid entirely if you'd like. See the Squid documentation for more info. Whichever route you take, verify it rather than assume it: watch your uplink for port 53 traffic while browsing through the proxy.
**********************************************************************
A Squid HTTP cache in front of Tor can significantly reduce the latency of web browsing over the onion router network, since repeat requests are answered from the local cache instead of crossing a Tor circuit again. The following instructions describe how to configure either a transparent proxy gateway or a personal workstation in that manner.
Prerequisites
This example requires the following software and configuration settings:
Gateway Mode:
- A dedicated gateway host which can perform transparent HTTP proxy service on all outgoing web (TCP destination port 80) traffic.
- Privoxy on localhost:8118 configured per the Tor installation instructions.
- Linux 2.4 or 2.6 kernel with the iptables interface to the netfilter system.
Client Mode:
- A workstation with the caching proxy in stand-alone mode.
- Privoxy on localhost:8118.
Unpacking and Compilation
You may need to customize directory paths and build targets to suit your system. The following example assumes a Linux 2.4/2.6 system with iptables. Additional information on using Squid as a transparent proxy can be found in the Transparent Proxy HOWTO. The tarball is fetched over plain HTTP, so check it against the checksum or signature published by the Squid project before building it.
wget http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE6.tar.gz
tar zxvf squid-2.5.STABLE6.tar.gz
cd squid-2.5.STABLE6
./configure --enable-linux-netfilter --enable-ssl --prefix=/home/squid
make
make install
NOTE: For the duration of this example it is assumed that '~' will refer to the home directory which was used as the --prefix when configuring the Squid sources.
Configuration Files
Squid requires some configuration values to be modified in order to function as a caching proxy. Use $EDITOR to make the following changes.
vi ~/etc/squid.conf

# Search for the following key values and set them accordingly:
#
http_port 8888
http_access allow localhost
cache_peer localhost parent 8118 7 no-query default
# force the use of privoxy/tor in all cases (without this, a Privoxy
# outage lets Squid fall back to fetching DIRECT from your own address):
never_direct allow all
visible_hostname localhost
# see also 'forwarded_for off' under More on HTTP Header Filtering below.

# If transparent gateway mode is used, the following must also be set
# (insert your subnets as required). The http_access allow line has to
# come before the 'http_access deny all' that closes the default access
# list, because Squid applies the first matching rule:
#
acl home_network src 192.168.1.0/24
http_access allow home_network
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
# In this mode Squid chooses the origin server from the client's Host
# header alone, so keep the ACL above limited to hosts you trust.
httpd_accel_uses_host_header on

# The following settings are helpful in removing some sensitive
# HTTP headers which could divulge unwanted information:
#
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
#
# NOTE: some sites may require a User-Agent or Referer to
# function correctly.
Be sure to run '~/sbin/squid -z' to create the cache directories before starting the Squid proxy with '~/bin/RunCache'.
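Before starting Squid it is worth checking that the settings this page depends on are actually active, since a commented-out never_direct or a forgotten forwarded_for quietly reopens a path around Tor. The script below is an added example, not part of the original page or of Squid: it audits a squid.conf for those settings using the Squid 2.5 directive names shown above. The function names (audit_squid_conf, sample_weak_conf, sample_hardened_conf) are my own, and the two sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a squid.conf for the
# settings the procedure above relies on to keep every request inside the
# Privoxy/Tor chain. Directive names are the Squid 2.5 ones used on the page;
# the sample configurations written below are constructed for the demo.

# Print a config with comments and blank lines removed, so that a
# commented-out "never_direct allow all" is not mistaken for an active one.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# audit_squid_conf FILE
# Prints one "FAIL: ..." line per problem found; returns 1 if any, else 0.
audit_squid_conf() {
    _conf="$1"
    _fails=0
    _active=$(active_lines "$_conf")

    # Without never_direct, a parent failure lets Squid fall back to DIRECT
    # and fetch the page from your own address.
    printf '%s\n' "$_active" | grep -Eq '^[[:space:]]*never_direct[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' \
        || { echo "FAIL: 'never_direct allow all' not set (Squid may go DIRECT)"; _fails=1; }

    # The only acceptable parent is Privoxy on localhost:8118; any other
    # peer is a route around Tor.
    _peers=$(printf '%s\n' "$_active" | grep -E '^[[:space:]]*cache_peer[[:space:]]' || true)
    if [ -z "$_peers" ]; then
        echo "FAIL: no cache_peer (with never_direct, Squid has nowhere to send requests)"; _fails=1
    elif printf '%s\n' "$_peers" | grep -Evq '^[[:space:]]*cache_peer[[:space:]]+(localhost|127\.0\.0\.1)[[:space:]]+parent[[:space:]]+8118([[:space:]]|$)'; then
        echo "FAIL: cache_peer other than localhost parent 8118 present"; _fails=1
    fi

    # X-Forwarded-For carries the original client address to the exit.
    printf '%s\n' "$_active" | grep -Eq '^[[:space:]]*forwarded_for[[:space:]]+off([[:space:]]|$)' \
        || { echo "FAIL: 'forwarded_for off' not set (X-Forwarded-For leaks client IP)"; _fails=1; }

    # The access list must end in a deny; otherwise the LAN allow rule plus a
    # reachable listening port makes this an open proxy.
    printf '%s\n' "$_active" | grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all([[:space:]]|$)' \
        || { echo "FAIL: no 'http_access deny all' (open proxy risk)"; _fails=1; }

    return "$_fails"
}

# Constructed sample: the page's key values, but with never_direct left
# commented out and forwarded_for at its default (on).
sample_weak_conf() {
    cat >"$1" <<'EOF'
http_port 8888
http_access allow localhost
cache_peer localhost parent 8118 7 no-query default
# never_direct allow all
visible_hostname localhost
http_access deny all
EOF
}

# Constructed sample: the same values with the leaks closed and the
# listener bound to loopback only.
sample_hardened_conf() {
    cat >"$1" <<'EOF'
http_port 127.0.0.1:8888
http_access allow localhost
cache_peer localhost parent 8118 7 no-query default
never_direct allow all
forwarded_for off
visible_hostname localhost
http_access deny all
EOF
}

# Stand-alone demonstration on the two constructed samples.
_d=$(mktemp -d)
sample_weak_conf "$_d/weak.conf"
sample_hardened_conf "$_d/hardened.conf"
echo "== weak.conf";     audit_squid_conf "$_d/weak.conf"     || echo "audit failed (expected)"
echo "== hardened.conf"; audit_squid_conf "$_d/hardened.conf" && echo "audit passed"
rm -rf "$_d"
```

Run it as 'sh audit.sh' for the demo, or call audit_squid_conf ~/etc/squid.conf on the real file; a non-zero exit means at least one of the four settings is missing. The checks are deliberately literal matches on active lines, so they will not understand every Squid syntax variant, but they catch the common mistake of editing the commented example instead of the live directive.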
Client Configuration
Using your browser configuration utility, update the HTTP/HTTPS proxy settings to point to localhost at port 8888. At this point all of your web traffic will be going through the Squid proxy, into Privoxy for protocol cleaning, and finally into Tor for delivery of requests and responses. Because the browser hands complete URLs to the proxy, it does no name resolution itself; the lookups happen in Squid, which is exactly why the DNS warning at the top of this page matters in client mode too.
The reduced latency of Squid serving cached pages should be readily visible as you browse various sites.
Gateway Configuration
The final step in the transparent proxy gateway configuration is the port redirection via iptables to intercept all outgoing HTTP request traffic from the local network and divert it into Squid. Using this method all clients on the local network can browse the web as usual while their traffic goes through the Squid caching proxy, into Privoxy, and out to Tor.
NOTE: All clients will still be making DNS requests outside of the Tor network, because a client resolves the hostname itself before it ever opens the port 80 connection that the gateway intercepts. This means that .onion and .exit URLs will not work with a transparent proxy configuration, and other web requests may leak client information via DNS queries. For this reason it is strongly suggested that all clients use Squid as an explicitly configured HTTP proxy and not via the transparent proxy.
The following command adds the iptables NAT rule that redirects traffic. It is assumed that IP forwarding is already enabled.
Note that the port-based method of identifying web traffic will miss any HTTP requests going to destinations other than port 80. Because forwarding is enabled, everything else the clients send, HTTPS on port 443 included, is routed out normally and never touches Tor; if you want the gateway to fail closed, reject other forwarded traffic from the local network in the FORWARD chain.
# Redirect by port
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8888
Once this rule is in place, all port 80 traffic from the local network routed by this host will be transparently proxied and sent through the Tor network. You can verify that traffic is being redirected via the packet counters associated with the rule:
iptables -t nat -L -v
...
Chain PREROUTING (policy ACCEPT 563K packets, 32M bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   780 REDIRECT   tcp  --  eth0   any     anywhere             anywhere             tcp dpt:http redir ports 8888
More on HTTP Header Filtering
As noted in the above section, Configuration Files, you can use Squid to filter out revealing and potentially dangerous HTTP headers from your WWW client requests. If you wish to do this, you must first decide what kind of filtering policy you want: default-deny or default-allow. Default-deny is the most secure, as it will ONLY allow the headers you specify in your squid.conf file. The downside to this setup is that some web services require headers that are not on your list to function properly; session cookies are the obvious case, and neither default-deny list below passes Cookie or Set-Cookie. In that case you might want to use a default-allow setup that blocks only the headers you specify and lets all others through.
Below are the config entries you will need to add for either of the two basic header policies:
Default Allow Configuration
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Via deny all
header_access Warning deny all
header_access ETag deny all
header_access Allow allow all
Default-Deny Configuration
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access All deny all
Andrew's Custom Default-Deny Configuration
This set-up is described as the standard default-deny set-up plus a few extra headers that are commonly required by reputable and safe e-commerce sites. Note, however, that as reproduced here the list is actually a subset of the one above (Allow and WWW-Authenticate are absent), so compare the two line by line before adopting it.
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access All deny all
Finally, enable the forwarded_for off option. Otherwise Squid adds an X-Forwarded-For header carrying the address of the client it is requesting on behalf of (the loopback address in client mode, the client's LAN address in gateway mode), and the entire purpose of chaining Squid and Tor is defeated.
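The safest way to choose between the policies above is to see what each one actually forwards for a realistic request before putting it in front of your browser. The script below is an added example, not part of the original page or of Squid: it simulates the header_access semantics this page relies on (rules are per header name and case-insensitive, the first rule for a name wins, "All" is the catch-all, and a header with no rule is allowed) and applies the page's default-allow and default-deny lists to a constructed shopping-cart request. The function names (apply_header_policy, forwarded_header_names, policy_default_allow, policy_default_deny, sample_request) and the sample request are my own; only "allow all" / "deny all" rules are understood, and Squid's own additions such as Via are not modelled.

```shell
#!/bin/sh
# Added example, not from the original page: simulate Squid 2.5 header_access
# on a constructed request so the page's policies can be compared before use.
# Handles only "header_access NAME allow|deny all" rules; first rule per name
# wins, "All" is the catch-all, unmatched headers pass (Squid's default).

# apply_header_policy POLICY_FILE < request  > request as it would be forwarded
apply_header_policy() {
    awk -v policy="$1" '
    BEGIN {
        while ((getline line < policy) > 0) {
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 4 || f[1] != "header_access" || f[4] != "all") continue
            name = tolower(f[2])
            if (!(name in rule)) rule[name] = f[3]      # first rule for a name wins
        }
        close(policy)
    }
    NR == 1 || /^[ \t]*$/ { print; next }               # request line, end of headers
    {
        name = tolower(substr($0, 1, index($0, ":") - 1))
        verdict = (name in rule) ? rule[name] : (("all" in rule) ? rule["all"] : "allow")
        if (verdict == "allow") print
    }'
}

# forwarded_header_names POLICY_FILE REQUEST_FILE: names of the headers kept
forwarded_header_names() {
    apply_header_policy "$1" < "$2" | sed -n '2,$s/:.*//p'
}

# The page's default-allow list: strip known identifying headers, pass the rest.
policy_default_allow() {
    for h in From Referer Server User-Agent WWW-Authenticate Link Via Warning ETag; do
        echo "header_access $h deny all"
    done >"$1"
}

# The page's default-deny list: pass only the listed headers, deny everything else.
policy_default_deny() {
    for h in Allow Authorization WWW-Authenticate Cache-Control Content-Encoding \
             Content-Length Content-Type Date Expires Host If-Modified-Since \
             Last-Modified Location Pragma Accept Accept-Charset Accept-Encoding \
             Accept-Language Content-Language Mime-Version Retry-After Title \
             Connection Proxy-Connection; do
        echo "header_access $h allow all"
    done >"$1"
    echo "header_access All deny all" >>"$1"
}

# Constructed request: what a browser sends to an HTTP proxy for a cart page
# with a session cookie.
sample_request() {
    cat >"$1" <<'EOF'
GET http://shop.example.com/cart HTTP/1.0
Host: shop.example.com
User-Agent: Mozilla/5.0 (X11; Linux i686)
Referer: http://shop.example.com/
Accept: text/html
Accept-Language: en
Cookie: session=0123abcd
Connection: close

EOF
}

# Stand-alone demonstration: which headers survive each policy.
_d=$(mktemp -d)
policy_default_allow "$_d/allow.conf"
policy_default_deny "$_d/deny.conf"
sample_request "$_d/req.txt"
for p in allow deny; do
    echo "== default-$p forwards:"
    forwarded_header_names "$_d/$p.conf" "$_d/req.txt"
done
rm -rf "$_d"
```

Under the default-allow list the request loses User-Agent and Referer but keeps Cookie, so the session survives; under the default-deny list Cookie is dropped as well, which is what breaks logins on sites that need it. To test a policy of your own, write it to a file and run apply_header_policy that_file < some_request.txt.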
Further Reading
If you would like to learn how to do some of these same functions with the almighty Privoxy web scrubber, please check out this Privoxy manual entry.