This is a followup to my previous posting. And it is worth repeating something that I've said there:
in a few places my advice goes against that of Austin Heap and http://twitter.com/ProtesterHelp. Keep in mind that those individuals are much more connected to people in Iran and most certainly have a better sense of what they need than I do ... In terms of helping people in Iran you should certainly consider Austin Heap and Helpful American more trustworthy than I am. I am perfectly trustworthy, but you have no way to know that. They have established reputations at the center of efforts to help Iranians evade censorship. I merely disagree with some of the security and technical advice they offer.
New proxy submission and testing methods
The big news is that Austin Heap has set up a form for submitting proxy information and a mechanism for testing your proxies. In order to use either of these (and thus have your proxy submitted and distributed to those who need it) you need to allow access to your proxies from the hosts that are used for testing. So you need to add an ACL (Access Control List) for the proxy testing sources in the section of your squid configuration where ACLs are defined.

    # The proxyheap validation servers
    acl proxyheap src 126.96.36.199
    acl proxyheap src 188.8.131.52

And later, where your access policy is defined, you need the line

    # Allow the proxyheap validation servers
    http_access allow proxyheap

Austin Heap posts a complete squid configuration for Iran proxies.
Blocking the Government
Austin Heap and others have recommended that people running these proxies block access from bits of network operated by the government of the Islamic Republic of Iran. This is a point on which I disagree, but please see my caveat above for how you take disagreements.
- To my (very limited) knowledge there have been no attacks (other than blocking) on any of these proxy servers.
- I suspect (again with no real information) that there are plenty of good people whose internet access is from government nets. This may be particularly true of networks operated by the ministry of education.
Therefore, I think that little good, and some real harm, might come from blocking access until we have evidence of targeted attacks from those networks on our proxies. Furthermore, the most obvious attack that comes to my mind would not be prevented by blocking access to the government networks within Squid. The only way to prevent attacks of that nature would be at your firewall.
Here is another point of disagreement. Austin Heap recommends turning off logging of your squid cache. The (very good) reason for this is that if your host is compromised by the bad guys, you don't want the logs with the various IP addresses of those using your proxy to fall into the wrong hands. I fully concur with the goals. But it is also important to know that your proxy is working. Disabling logs makes that impossible to tell.
I recommend changing the log format to not include the source IP address or the details of the HTTP request.

    logformat squidanon %ts.%03tu %6tr X.X.X.X %Ss/%03Hs %<st %rm XXX %un %Sh/%<A %mt

And then specifying your access log to use that format.

    access_log /usr/local/squid/logs/access.log squidanon

Note that you should set the path to the log for what is normal on your system.
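One way to confirm that the anonymized format is actually in effect while still seeing that the proxy serves requests, as an added example that is not from the original post. The function name and the sample log lines are made up for illustration; the check relies only on the X.X.X.X and XXX placeholders from the squidanon format above, and it also lists the upstream hosts that the %Sh/%<A field continues to record.

```python
from collections import Counter

# Constructed sample log lines (not real traffic). The first two use the
# squidanon format from this post; the third is in Squid's stock format,
# as would appear if access_log had not been switched to squidanon.
SAMPLE = [
    "1245500000.123    210 X.X.X.X TCP_MISS/200 5120 GET XXX - DIRECT/198.51.100.7 text/html",
    "1245500001.456     95 X.X.X.X TCP_HIT/200 1024 GET XXX - NONE/- image/png",
    "1245500002.789    340 192.0.2.17 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/198.51.100.7 text/html",
]

def audit_squidanon(lines):
    """Audit access.log lines expected to be in the squidanon format.

    Returns (status_counts, problems, upstreams):
      status_counts - tally of the %Ss/%Hs field, showing the proxy works
      problems      - (line_number, reason) for lines exposing client or URL
      upstreams     - hosts still recorded by the %Sh/%<A field
    """
    status_counts, problems, upstreams = Counter(), [], set()
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 10:  # squidanon has 10 whitespace-separated fields
            problems.append((n, "unexpected field count"))
            continue
        _ts, _ms, client, status, _size, _method, url, _user, hier, _mime = fields
        if client != "X.X.X.X":
            problems.append((n, "client address logged"))
        if url != "XXX":
            problems.append((n, "request URL logged"))
        status_counts[status] += 1
        host = hier.partition("/")[2]  # part after the hierarchy code
        if host and host != "-":
            upstreams.add(host)
    return status_counts, problems, upstreams

if __name__ == "__main__":
    counts, problems, upstreams = audit_squidanon(SAMPLE)
    print("result codes:", dict(counts))
    print("lines leaking client data:", problems)
    print("upstream hosts still in log:", sorted(upstreams))
```
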
It is possible to have different logging for different ACLs. That is, you can have anonymized logging for connections from iran-net, while having regular logging for all other connections. That would be useful for identifying attacks or attempted abuse of your proxy. But I haven't tested those yet, and I am meeting a friend for coffee in a few minutes. So this is all for now.