Saturday, June 20, 2009

Squid configuration notes for Iran proxies

According to a twitter post by Austin Heap, there are now more than 2000 HTTP proxies set up outside of Iran to help people in Iran evade various forms of censorship. In various blog posts, he's provided instructions for setting up a proxy, along with links to installation instructions for various operating systems.

In this post, I'll comment and elaborate on some of the Squid proxy configuration details. Keep in mind that using an HTTP proxy is only one of the ways to help keep people in Iran anonymously connected. Two other tools of note are Tor and FreeGate. I hope to write about Tor in a later post; I do not know enough about FreeGate to really comment on it.

Once you have your proxy up and running, send email or a twitter Direct Message to Austin Heap or Helpful American with the IP address and ports your system is listening on. Do not post the details of your proxy publicly. For those new to Twitter, as I am, a "reply" is listed publicly while a Direct Message is not, so only use the latter to tell them the IP addresses and ports of your proxy. Posting them publicly will just get your proxy blocked. I committed that blunder with my own, and so now my proxy is useless.

What I say here is supplementary material. These aren't complete instructions; you must first look at the material I've linked to above.

A Caveat and Caution

For the most part, I elaborate on some aspects of squid configuration, but in a few places my advice goes against that of Austin Heap and of @ProsterHelp (AKA Helpful American). Keep in mind that those individuals are much more connected to people in Iran and most certainly have a better sense of what they need than I do. What I offer is technical experience with squid. Although I haven't used it recently, I used it and its predecessor (Harvest) extensively in the 1990s. In the few places where I disagree with those who've been coordinating things, I will try to explain my reasons.

In terms of helping people in Iran you should certainly consider Austin Heap and Helpful American more trustworthy than I am. I am perfectly trustworthy, but you have no way to know that. They have established reputations at the center of efforts to help Iranians evade censorship. I merely disagree with some of the security and technical advice they offer.

Proxy background

HTTP proxy systems like Squid were designed for purposes other than enabling anonymous web browsing. Ironically enough, these tools are often used as part of web filtering systems for households and businesses. However, web proxies can easily be configured for this purpose. Squid is big and does lots of things, so you will see that it has a very large configuration file with many complicated options and settings. Fortunately, you only need to set a few of them to make squid work as an anonymizing proxy.

Squid originated as a Unix program, intended to run on servers. I did not know until a few days ago that there was a Windows version. As is typical for a Unix service, its configuration is a text file which needs to be edited with a plain text editor.

Alternative ports

Under its default configuration, Squid listens for requests from the network on port 3128. For days now, the Iranian government has been blocking outbound traffic to that port, so you will need to configure squid to listen on alternative ports. This is done with the http_port configuration item. You list this item multiple times, once for each port you want your system to listen on. Here is an excerpt from my configuration, which sets my system to listen on ports 70, 2831, and 3128:

# Iran is blocking 3128.  Use gopher port instead (70)
http_port 3128
http_port 2831
http_port 70

You can use as many ports as you like, and don't just pick the same ones I did. We want to mix things up so that it will be harder for the Iranian government to block them all. Also, you don't want to conflict with the ports that other services on your system are already listening on. For example, if you are already running a web server on port 80, don't use that for squid. To find out what ports things on your Unix-like machine are already listening on, run the command

$ netstat -na -f inet | grep LISTEN

and look at the 4th column (the local address); the number after its final dot is the port. For those of you on BSD Unix, you will probably find that the sockstat command provides nicer output; look at its manual page for details. If someone knows a useful incantation for Windows systems, please let me know. The Unix instructions apply to OS X.
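The port check above, as an added example that is not from the original post: a small POSIX shell script that parses netstat output (the -f inet flag is BSD/OS X syntax; Linux netstat takes -na alone and prints the same columns) and emits http_port lines only for candidate ports that nothing on the machine is already listening on. The netstat listing embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): pick http_port values for squid.conf
# that do not collide with services already listening on this machine.
# Feed it the output of `netstat -na` (BSD/OS X: `netstat -na -f inet`; Linux: `netstat -na`).
# In both formats the 4th column is the local address and the port follows its
# last '.' (BSD/OS X, e.g. *.3128) or ':' (Linux, e.g. 0.0.0.0:3128).

# listening_ports: read netstat output on stdin, print TCP ports in LISTEN state, one per line.
listening_ports() {
  grep LISTEN | awk '{ print $4 }' | sed 's/.*[.:]//' | grep -E '^[0-9]+$' | sort -n -u
}

# squid_port_lines LISTING PORT...: print an "http_port N" line for every candidate
# port that is free according to LISTING (netstat output passed as one string);
# busy candidates are reported on stderr and skipped.
# Returns 1 if any candidate was skipped, so a caller can notice the collision.
squid_port_lines() {
  listing=$1; shift
  busy=$(printf '%s\n' "$listing" | listening_ports)
  rc=0
  for p in "$@"; do
    if printf '%s\n' "$busy" | grep -qx "$p"; then
      echo "# skipping $p: something on this machine is already listening on it" >&2
      rc=1
    else
      echo "http_port $p"
    fi
  done
  return $rc
}

# Constructed sample in BSD/OS X netstat format: a web server on 80, a printing
# service on 631 (loopback only), an existing squid on 3128, plus one established
# client connection to 3128, which is not a listener and must be ignored.
SAMPLE_LISTING='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.3128                 *.*                    LISTEN
tcp4       0      0  192.0.2.10.3128        198.51.100.7.51022     ESTABLISHED'

# Demo on the sample; on a real box use: squid_port_lines "$(netstat -na)" 70 2831 3128
squid_port_lines "$SAMPLE_LISTING" 70 2831 3128 80 || echo "# at least one port was skipped" >&2
```

The lines it prints can be pasted straight into squid.conf; the skipped ports (here 3128 and 80) are the ones you would want to replace with other unused values.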

If you wish to use a privileged port (one numbered below 1024), then squid will need to start as root. From what I've seen, that is the default situation on most Unix installations. But if you are using FreeBSD and squid version 3, you will need to set

squid_user=root

in /etc/rc.conf.

Keeping connected

If you run an HTTP proxy, it is important to keep your machine running all the time. If you have a dynamic IP address, it is particularly important to stay connected, as your IP address may change the next time you connect to your ISP. Note that this isn't an issue when running a Tor service.

More to come ...

I will write a second part of this later, which will include notes about blocking IRI government sites and logging. That is where I disagree with what's been advised, but so far this has taken more time to write than I'd anticipated.
