Прозрачное проксирование в I2P и TOR.

Александр Чернышев — Thu, 24 Nov 2016 14:47:40 +0300

Заметка написана по мотивам статьи «Прозрачное проксирование в I2P и TOR».

_LANNET_ — локальная подсеть
_WANETH_ — внешний интерфейс
_LANETH_ — внутренний интерфейс

DNSMasq

vi /etc/dnsmasq.conf

log-queries
log-facility=/var/log/dnsmasq.log
listen-address= 0.0.0.0
interface=_LANETH_
except-interface=_WANETH_
domain-needed 
bogus-priv  
strict-order 
no-resolv
server=77.88.8.88
server=8.8.8.8
address=/.onion/10.10.99.99
address=/.i2p/10.10.99.99

systemctl enable dnsmasq.service
systemctl start dnsmasq.service

Tor

vi /etc/tor/torrc

SocksPort 9050
SocksListenAddress 127.0.0.1
ExcludeNodes {ru}, {ua}, {by}
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1

systemctl enable tor.service
systemctl start tor.service

i2pd

vi /etc/i2pd/subscriptions.txt

http://inr.i2p/export/alive-hosts.txt
http://stats.i2p/cgi-bin/newhosts.txt
http://i2p-projekt.i2p/hosts.txt
http://i2host.i2p/cgi-bin/i2hostetag
http://no.i2p/export/alive-hosts.txt
http://rus.i2p/hosts.txt
http://udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p/hosts.tx

vi /etc/i2pd/

[IRC]
type = client
address = 127.0.0.1
port = 6668
destination = irc.postman.i2p
destinationport = 6667
keys = irc-keys.dat

systemctl enable i2pd.service
systemctl start i2pd.service

TinyProxy

vim /etc/tinyproxy.conf

User nobody
Group nogroup
Port 8888
Listen _LANNET_
Timeout 200
ErrorFile 404 "/usr/share/tinyproxy/404.html"
ErrorFile 400 "/usr/share/tinyproxy/400.html"
ErrorFile 503 "/usr/share/tinyproxy/503.html"
ErrorFile 403 "/usr/share/tinyproxy/403.html"
ErrorFile 408 "/usr/share/tinyproxy/408.html"
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
upstream 127.0.0.1:8123
upstream 127.0.0.1:4444 ".i2p"
upstream 127.0.0.1:8124 ".onion"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
Allow 192.168.0.0/16
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

systemctl enable tinyproxy.service
systemctl start tinyproxy.service

Polipo

vim /etc/polipo/wan.conf

##################
# https://www.irif.fr/~jch/software/polipo/polipo.html#
##################

displayName = WAN
proxyPort = 8123
allowedClients = 127.0.0.1, _LANNET_
dnsQueryIPv6 = false
pidFile = /var/run/polipo/polipo_wan.pid
#######
censoredHeaders = from, accept-language
censorReferer = maybe
disableVia = true
####### Cache #######
diskCacheRoot = "/var/cache/polipo/wan_cache/"
maxDiskCacheEntrySize = 524288
diskCacheDirectoryPermissions = 0700
diskCacheFilePermissions = 0600
relaxTransparency = maybe
dontCacheCookies = true
dontCacheRedirects = true
diskCacheUnlinkTime = 7d
diskCacheTruncateTime = 3d
diskCacheTruncateSize = 1MB
######## Memory ########
chunkHighMark = 50331648
objectHighMark = 16384
######## WEB Interface ########
disableLocalInterface = true
#disableConfiguration = false
#disableIndexing = false
#disableServersList = false
######## Log ########
logSyslog = true
logFile = "/var/log/polipo/wan.log"

vim /etc/polipo/tor.conf

##################
# https://www.irif.fr/~jch/software/polipo/polipo.html#
##################

displayName = TOR
proxyPort = 8124
allowedClients = 127.0.0.1, _LANNET_
dnsQueryIPv6 = false
pidFile = /var/run/polipo/polipo_tor.pid
####### SOCKS #######
socksParentProxy = "127.0.0.1:9050"
socksProxyType=socks5
#######
censoredHeaders = from, accept-language
censorReferer = maybe
disableVia = true
####### Cache #######
diskCacheRoot = "/var/cache/polipo/tor_cache/"
diskCacheDirectoryPermissions = 0700
diskCacheFilePermissions = 0600
relaxTransparency = maybe
dontCacheCookies = true
dontCacheRedirects = true
diskCacheUnlinkTime = 7d
diskCacheTruncateTime = 3d
diskCacheTruncateSize = 1MB
######## Memory ########
chunkHighMark = 50331648
objectHighMark = 16384
######## WEB Interface ########
disableLocalInterface = true
#disableConfiguration = false
#disableIndexing = false
#disableServersList = false
######## Log ########
logSyslog = true
logFile = "/var/log/polipo/tor.log"

vi /etc/systemd/system/polipo@.service

[Unit]
Description=Polipo Proxy Server
After=network.target

[Service]
User=proxy
Group=proxy
Type=simple
Restart=always
PIDFile=/var/run/polipo/polipo_%i.pid
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /var/cache/polipo/%i_cache
ExecStartPre=/bin/chown proxy:proxy /var/cache/polipo/%i_cache -R
ExecStartPre=/bin/chmod 700 /var/cache/polipo/%i_cache -R
ExecStart=/usr/bin/polipo -c /etc/polipo/%i.conf
ExecReload=/bin/kill -USR1 $MAINPID


[Install]
WantedBy=multi-user.target

vi /etc/tmpfiles.d/polipo.conf

d /run/polipo 0755 proxy proxy -

Скрипт для очистки кеша

vi /usr/local/polipo/polipo_trimcache.sh

#!/bin/bash

export PATH="$PATH:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"
SN="$(basename "$0")"

function print_help() {
    printf "\n"
    printf "Использование: %s options...\n" "$SN"
    printf "Параметры:\n"
    printf "  -n         Имя копии Polipo.\n"
    printf "  -h         Справка.\n"
    printf "\n"
}

# Если скрипт запущен без аргументов, открываем справку.
if [[ $# = 0 ]]; then
    print_help && exit 1
fi
while getopts ":n:h" opt ;
do
    case $opt in
        n) NAME=$OPTARG;
            ;;
        h) print_help
            exit 1
            ;;
        *) printf "Неправильный параметр\n";
           printf "Для вызова справки запустите %s -h\n" "$SN";
            exit 1
            ;;
        esac
done

if [[ "$NAME" == "" ]] ;  then
 printf "\n"
 printf "Параметры запуска не указаны.\n"
 printf "Для справки наберите: %s -h\n" "$SN"
 printf "\n"
 exit 1
fi

CONFIG_FILE=/etc/polipo/$NAME.conf
FORBIDDEN_FILE=/etc/polipo/forbidden
PIDFILE=/var/run/polipo/polipo_$NAME.pid
RUNAS=proxy

if [ ! -x /usr/bin/polipo ]; then
  exit 0
fi

if [ ! -f "$FORBIDDEN_FILE" ]; then
  FORBIDDEN_FILE=/dev/null
fi

if [ -f "$PIDFILE" ]; then
  # Instruct polipo to to flush its in-memory cache to disk (signal USR1)
  kill -USR1 "$(cat "$PIDFILE")"
  # Allow some time for polipo to perform the requested flush
  sleep 2
  # Since f17, the following su command prints "...killed." to stdout ???
  runuser -s /bin/sh -c \
    "nice polipo -x -c $CONFIG_FILE forbiddenFile=$FORBIDDEN_FILE > /dev/null" \
    $RUNAS 2> /dev/null
  # Instruct polipo to to discard its in-memory cache (signal USR2)
  kill -USR2 "$(cat "$PIDFILE")"
fi

exit 0

vi /etc/systemd/system/polipo_trimcache@.service

Создаем сервис для очистки кеша

[Unit]
Description=Polipo trim cache on %I
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/lib/polipo/polipo_trimcache.sh -n %i

Создаем таймер

vi /etc/systemd/system/polipo_trimcache@.timer

[Unit]
Description=Polipo trim cache timer on %I

[Timer]
OnCalendar=*-*-* 00:00:00
Persistent=true

[Install]
WantedBy=timers.target

Активируем и запускаем сервисы

systemctl enable polipo@wan
systemctl enable polipo_trimcache@wan.timer
systemctl start polipo@wan
systemctl sart polipo_trimcache@wan.timer
systemctl enable polipo@tor
systemctl enable polipo_trimcache@tor.timer
systemctl start polipo@tor
systemctl sart polipo_trimcache@tor.timer

Firefox не открывает сайты .onion

Александр Чернышев — Fri, 19 Aug 2016 10:24:59 +0300

Начиная с версии Firefox 45 в настройках about:config появилась новая опция network.dns.blockDotOnion для блокировки на уровне DNS узлов в скрытой сети .onion. По умолчанию указано значение true. Для отключения этой опции необходимо изменить значение на false и перезапустите браузер.