Docs... » Installation » Anonymous proxy » Access rules » User Authentication » Compiling » Changing Home Anon Proxy » Misc » Adding to your computer's startup » Extra statistics » Browser to proxy encryption » Unsupported » Multiple IPs

Title text Browser to proxy encryption Encryption Normally, the proxy is accessed on the same computer as the browser. But when the proxy is on a different computer to the browser you may want to encrypt it. Browsers don't support encrypted connections to proxys so we need to do this with other methods. stunnel Download stunnel from www.stunnel.org On the browser's computer run... stunnel -c -d 8443 -r proxyhostname.com:8443 Then setup the browser to use localhost:8443 as the proxy. Note: Change "proxyhostname" to whatever your proxy's host name/ip address is. On the proxy's computer... stunnel -p /etc/stunnel/stunnel.pem -d 8443 -r 127.0.0.1:8080 ...and open up port 8443 in the proxy's firewall Note: You may have to change stunnel.pem to your own custom certifcate file. VPN You can also setup a vpn from the proxy to the browser to encrypt the information. Unsupported SOCKS misc. Only TCP connects are supported so far. Seems to be enough to run most Instand Messaging programs. User authentication is not supported in socks. You can disable access to socks by adding a "block" rule with "url" "is" "socks://" Multiple IPs on one computer You can find some cheap VPSs here if you want extra IPs from other places in the world... lowendbox.com By default the software can be accessed on all IPs available on the one computer. But if you want to use the different IPs as outgoing IPs(the IP that people see you as), you need to run mutliple copies of this software. To run multiple copies on one computer, copy the anon_proxy_server folder in htdocs and rename it. Then access it like http://localhost:8081/xxxx Where xxxx is the new folder name. Then set a different "Proxy port" in each of the new folders. Then start the proxy with the command line(see below) instead of the normal start/stop button. Linux Taken from... http://blog.sebastien.raveau.name/2009/04/per-process-routing.html If 10.0.0.1 was your gateway and 10.1.2.3 was the IP address you want to use... Create a "aps2" user adduser aps2 Mark packets coming from the aps2 user iptables -t mangle -A OUTPUT -m owner --uid-owner aps2 -j MARK --set-mark 42 Apply the Wi-Fi IP address on them iptables -t nat -A POSTROUTING -o ath0 -m mark --mark 42 -j SNAT --to-source 10.1.2.3 Route marked packets via Wi-Fi ip rule add fwmark 42 table 42 ip route add default via 10.0.0.1 dev ath0 table 42 Launch programs as the aps2 user sudo -u aps2 ./pserver -run 8082 Windows Use ForceBindIP, and start pserver from cmd.exe with "ForceBindIP -i 1.2.3.4 ./pserver.exe -run 8082" To install from tar file... Requirements: PHP, a web server The packages have precompiled linux/windows binaries, if you have anything other than linux or windows you'll have to compile the C program. Unzip into your web server's folder and then visit... http://localhost/anon_proxy_server/index.php (or whereever you've unzipped it) (If you get a permission/server error, then edit or delete .htaccess, by default it only lets the localhost access) Then follow the instructions until you get a "tick" on all the required options and then click "save". It's a good idea to clear your browser's cache before using or else the server's cache won't ever get a copy of what you're browsing. tell me if you have problems installing/running it, or just have general comments. Setup your own home proxy By changing the home proxy you can create your own group of proxys, you can gather a group of people you trust and only use their proxys. So the web site won't know which location you're coming from. This feature has some problems that can be temporarily fixed by reloading web pages that fail or restarting the server. Setup a home proxy... On the non-home proxys: Put the url of the home proxy's installation into the "home proxy" box. The url is the same as the "url of this configuration" on the home proxy, except "localhost" should be changed to your public host name(you may need dyndns or something similiar). On the home proxy: I recommend listening on another port other than port 80 because some isps force you into their transparent cache. If you're using the windows binary version you'll need to edit the httpd.conf and remove the the "Listen" line and add "Listen 80", "Listen 443". You'll need at least 2 proxies pointed to the same home proxy url for anything to happen. The home proxy doesn't have to be started for other proxys to use it as their home, they just need to be able to access the anon.php file. Anonymous Proxy What it does... It protects you from being tracked by the web server at the other side, you probably should clear your cookies and change your browser's config to not accept cookies before you start using it, as some sites maybe able to match up your previous ip address with a cookie. The "proxy to proxy" communications is encrypted via SSL but it is unencrypted from "proxy to web server" and "browser to proxy" So the best protection from people listening inbetween you and the server is by using https: How to use... If you tick "anonymous proxy" in the configuration section, you'll enable the anonymous P2P proxy. This will allow other people to use your proxy for web browsing, and you can use other peoples' proxys for your browsing. The result is that the web server won't know where you're coming from, but the browsing will be slower. How it works... When you tick "anon proxy" mode, the proxy will register itself into the home proxy(which is a url to any other anonproxyserver installation). The home proxy will then check whether your proxy can be reached (if you have a firewall, you have to setup your firewall to forward port 8082 to the computer that's running your proxy). If everything went ok, your proxy server will receive a list of proxys it can use, and the keys to use them. You can check if the registration went ok by clicking on info -> general. If you only want to send certain urls via the anonymous proxy network, you can set this up in the access section by selecting "Anon" as the action. The proxy will then register itself again check every few minutes with a new key so that only people who let you use their proxy server can use your proxy server and vice versa. Comparison... The pros/cons of p2p proxy over tor, jap, paid services(anonimizer.com, etc.)... Pros... Infinite number of ip addresses are available. Privacy is protected by fellow users. Cons... Other people can use your proxy and you may not know what they're doing or if you can trust them. Access rules Samples... Basic "or" access   Basic "and" access   Order of the access What order the access rules are in is important. Simple Block Block access to things with a customizable message. Redirect Instead of blocking you can redirect people to another site. Labelling rules An access rule can be labelled for re-use in multiple rules later on. No proxy Avoid the proxy, useful for intranets, etc. Use other proxies Use a different proxy sometimes, if you want to avoid anon proxy server for certain things. Sample router configuration This will vary depending on your model of router. The samples here are usually of "url" type, you can also restrict things by time, day, ip address, port. Note that "no proxy" + "other proxy" are implemented on the browser instead of the server and somethings will not work, like port, label, user auth. Compiling The installation comes with windows + linux(uclibc) pre-compiled, but if you have any other OS or have a better compiler, here's how to do it... Windows To compile in Visual Studio, use the project files in pserver_w32 Get openssl for windows. You can get a precompiled one here... http://www.slproweb.com/products/Win32OpenSSL.html Go to project > properties > C/C++ > General > "Additional include Directories" > change paths to where the "src" folder is and where openssl's include folder is. Go to project > properties > Linker > General > "Additional library Directories" > change to the openssl's lib/VC folder To compile in MSYS, you'll need to compile and install... GNU Regex (copy the regex.o to the anonproxyserver folder) openssl, then edit src/Makefile and change the OPENSSL variables to where you've installed openssl Then run... make pserver.exe Linux make pserver When you start the server, it looks for a "pserver" executable first if it is not found, "pserver.uclibc" will be used. Linux with uclibc A static linked uclibc version is distributed because in the past I've found that it is compatible across most kernel/glibc/libc versions, it's the closest thing linux has to windows style binary compatibility. Plus it is small. You'll need to compile openssl using uclibc and install it into a separate directory, here's how... * tar -xzf openssl-.... * mkdir /usr/i386-uclibc-linux/local * edit config and change "CC=gcc" to "CC=i386-uclibc-linux-gcc" * ./config --prefix=/usr/i386-uclibc-linux/local no-dso * edit the Makefile and change "gcc" to "i386-uclibc-linux-gcc" (in Ubuntu 6 I also had to add "-fno-stack-protector" to CFLAGS or else it'll complain about not linking some stack related thing. * make install * Go back to the anonproxyserver folder and run "make pserver.uclibc" Edit the first few lines of src/Makefile to change the settings to the directories on your computer. Debugging To compile and run the debug version... make pserver.debug (or make pserver.debug.exe in windows) touch cache/startWanted.txt ./pserver.debug You can adjust the debug level by running "pserver -debug ??" Where ?? is... 5 only major stuff. 10 medium level of details. 20 lots of details. 25 Almost Everything. To run valgrind with openssl it needs to be rebuilt with -DPURIFY or else it'll print alot of errors. The openssl directory can be changed in src/Makefile. Adding to Startup Linux Add to /etc/rc.d/ rc.local or boot.local or whatever... cd /usr/local/apache2/htdocs/anon_proxy_server; su -c ./pserver.uclibc apache Change "apache" to whatever user your web server is in, change "/usr/local/apache2/htdocs/anon_proxy_server" to where ever you've unzipped the installation to. User Auth examples User authentication can be added by selecting "User auth" in the access section. User auth is set to "is not" and "block" by default, it won't work with any other setting. The external authentication program is checked every 5 mins if the user is still using the proxy. You can put in any program, if the program returns 0 the authentication is considered ok, anything else it'll fail. If your command doesn't work, errors outputted from them can be found in the error log. Here're some examples... In windows... You'll need the web server's user(system) to have permission to use "LogonUser" for these to work... windows:xxxx where xxx is the domain name. Or... net use \\XXX\YYY "/user:%s" "%s" Where XXX is the computer. and YYY is the share folder. If the user can open the share folder they'll have access. Via samba... Via another windows or samba machine... /usr/local/samba/bin/smbclient //XXXX/YYYY -U '%s' '%s' -c quit XXXX is the computer with windows or samba. YYYY is the share folder. Via winbindd(must be running on the computer with the proxy server)... /usr/local/samba/bin/ntlm_auth '--username=%s' '--password=%s' '--domain=xxx'" Via plain text file... grep -F '%s %s' /etc/plain_passwords Password format would be... username password joeblow joeblowspassword Via apache's htpasswd... cat /etc/apache2/htpasswd | perl -ne '{ if(m#%s:((..).*$)# && crypt("%s",$2) eq $1) { print "ok"; } }' | grep . Use the normal apache htpasswd commands to add/remove users. Add: htpasswd /etc/apache2/htpasswd username Remove: htpasswd -D /etc/apache2/htpasswd username Via mysql... /usr/local/mysql/bin/mysql -u xxx '--password=yyy' phpbb -e "select username from phpbb_users where username = '%s' and user_password = MD5('%s')" | grep . xxx/yyy is the mysql user login/password And change "phpbb" and "phpbb_users" the sql statement if you're using anything other than phpbb. Misc... A diagnoses link will show up when you can't access a web page, it works best with tcptraceroute installed. It will use normal traceroute if no tcptraceoute is found, but the trace won't go through firewalls. Default Ports... Item Port Where to change HTTP/Socks Proxy 8080 Can be changed in the web configuration Web configuration 8081 Can be changed in conf/httpd.conf in the installation directory.(usually c:\program files\anon proxy server\). Need to be opened on the firewall for anon proxy mode. SSL anon proxy port 8082 Can be changed in the web configuration. Need to be opened on the firewall for anon proxy mode. Unused if the proxy is not setup for Anon proxy. AWSTATS To use awstats, you need to apply this patch and change these 2 lines in the awstats.???.conf file... LogFormat = "%time4 %extra1 %host %extra4 %bytesd %extra2 %code %method %extra3 %url" LogSeparator="\t" and point the "LogFile" line to the htdocs/anon_proxy_server/cache/access.log file in the installation dir. Download logs Visit the SVN here and click "download" to get the log.php file to save over the existing one(in the htdocs/anon_proxy_server folder), so you can enable the "download" links in the "usage log" section. This will be released in the next version.