Monday, June 22, 2009

Squid proxies for Iran part 2

This is a followup to my previous posting. And it is worth repeating something that I've said there:

in a few places my advice goes against those of Austin Heap and by Keep in mind that those individuals are much more connected to people in Iran and most certainly have a better sense of what they need than I do ... In terms of helping people in Iran you should certainly consider Austin Heap and Helpful American more trustworthy than I am. I am perfectly trustworthy, but you have no way to know that. They have established reputations at the center of efforts to help Iranians evade censorship. I merely disagree with some of the security and technical advice they offer.

New proxy submission and testing methods

The big news is that Austin Heap has set up a form for submitting proxy information and a mechanism for testing your proxies. In order to use either of these (and thus have your proxy submitted and distributed to those who need it) you need to allow access to your proxies from the hosts that are used for testing. So you need to add an ACL (Access Control List) for the proxy testing sources in the section of you squid configuration where ACLs are defined.

# The proxyheap validation servers 
acl proxyheap src 
acl proxyheap src
And later, where you access policy is defined you need the line
# Allow the proxyheap validation servers
http_access allow proxyheap

Austin Heap posts a complete squid configuration for Iran proxies.

Blocking the Government

Austin Heap and others have recommended that people running these proxies block access from bits of network operated by the government of the Islamic Republic of Iran. This is a point on which I disagree, but please see my caveat above for how you take disagreements.

  • To my (very limited) knowledge there have been no attacks (other than blocking) on any of these proxy servers
  • I suspect (again with no real information) that there are plenty of good people who's internet access is from government nets. This may be particularly true of networks operated by the ministry of education.

Therefore, I think that little good, and some real harm, might come from blocking access until we have evidence of targeted attacks from those networks on our proxies. Furthermore, the most obvious attack that comes to my mind would not be prevented by blocking access to the government networks within Squid. The only way to prevent attacks of that nature would be at your firewall.

Anonymizing logging

Here is another point of disagreement. Austin Heap recommend turning off logging of your squid cache. The (very good) reasons for this is that if your host is compromised by the bad guys, you don't want the logs with the various IP addresses of those using your proxy to fall into the wrong hands. I fully concur with the goals. But it is also important to know that your proxy is working. Disabling logs makes that impossible to tell.

I recommend changing the log format to not include the source IP address or the details of the HTTP request.

logformat squidanon %ts.%03tu %6tr X.X.X.X  %Ss/%03Hs %<st %rm XXX %un %Sh/%<A %mt
And then specifying your access log to use that format.
access_log /usr/local/squid/logs/access.log squidanon
Note that you should set the patch to the log for what is normal on your system.

It is possible to have different logging for different ACLs. That is, you can have anonymized logging for connections from iran-net, while having regular logging for all other connections. That would be useful identifying attacks or attempted abuse of your proxy. But I haven't tested those yet, and I am meeting a friend for coffee in a few minutes. So this is all for now.


  1. My Squid is set up to log just the domain being accessed and the time it was accessed, nothing more then that - but then I have tight domain based restrictions on my squid - I'm doing it so I can see if there's a need for access to other domains outside the 5 I've allowed

    I'm undecided about the government addresses myself, for the time being they are completely firewalled off.

    I've also set up a secure ssh chroot that I'm trying to work out how to spread news of - you can ssh into it with the parameter -D 9000 then use socks5 localhost:9000 as your proxy - or configure putty with dynamic port forwarding...

  2. Freman, would you post your logformat statement? I very much like the idea of only logging the destination domain instead of the full path of the request.

    As for the government nets being stopped at your firewall, are your firewall logs showing any unusual activity from those sources? Of course a negative answer from you don't prove that its safe to let those sources in, but I am very doubtful that the IRI government would target sites that they could just as easily block access to.

  3. This comment has been removed by the author.

  4. JPGoldberg - second try (should have copied and pasted) - It looks like this

    logformat domain %tl %{host}>h [%<A] %Ss
    access_log /var/log/squid/domain.log domain

    Log lines look like
    23/Jun/2009:09:12:12 +1000 [] TCP_MISS

    Incidently people have suggested using OpenDNS as an alternative to hard line dns blocking - I like this idea and wonder why I didn't think of it myself.

    I've had zero hits on my proxy or my firewall since I put it up and submitted it yesterday... I don't know what the score is

  5. Freeman, thanks for the log format information. I could have waded through the Squid manual and eventually figured out the %{host}>h construct. But I thought I would ask you as you already had it up and running.

    As for your proxy not getting used, I can only speculate about how IPs are being distributed. I figure that relatively short sublists of the 2000 or so IPs are being circulated and people will tend to stop at the first one of the on their list that works. I would be curious about overall usage, and this was one of the reasons that I recommended using anonymized logs instead of no logging at all.