A memo on how to install and configure a Squid3 proxy server chained to the TOR network via Privoxy in order to browse the Internet anonymously.
The idea is to be able to reach the Internet very easily and anonymously, from any computer and from anywhere in the world, without having to be connected to a VPN server. With a proxy, a single setting in the browser is all that is needed, whereas a VPN connection requires a client installed on the machine.
Be careful, though: only a connection to a very well configured VPN server encrypts end to end and guarantees the integrity of the connection.
In my case, the solution is installed and set up on my Yunohost server.
The Squid server is configured to connect to 8 TOR nodes at random.
NB: all commands are run as root.
Installing the Squid3 proxy
- Install Squid3 on Yunohost: https://memo-linux.com/installer-squid3-sur-un-serveur-yunohost
- Install Squid3 on Debian: https://memo-linux.com/installer-un-proxy-squid-et-un-filtrage-avec-squidguard-sous-debian
Installing Privoxy and Tor
- Install the privoxy and tor packages:
apt install privoxy tor
systemctl stop squid3
systemctl stop privoxy
systemctl stop tor
Configuring Tor
- Create 8 TOR configuration files named torrc-x:
- torrc-1:
nano /etc/tor/torrc-1
SocksBindAddress 127.0.0.1
SocksPort 10010
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor1
PidFile /var/run/tor/tor-1.pid
- torrc-2:
nano /etc/tor/torrc-2
SocksBindAddress 127.0.0.1
SocksPort 10020
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor2
PidFile /var/run/tor/tor-2.pid
- torrc-3:
nano /etc/tor/torrc-3
SocksBindAddress 127.0.0.1
SocksPort 10030
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor3
PidFile /var/run/tor/tor-3.pid
- torrc-4:
nano /etc/tor/torrc-4
SocksBindAddress 127.0.0.1
SocksPort 10040
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor4
PidFile /var/run/tor/tor-4.pid
- torrc-5:
nano /etc/tor/torrc-5
SocksBindAddress 127.0.0.1
SocksPort 10050
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor5
PidFile /var/run/tor/tor-5.pid
- torrc-6:
nano /etc/tor/torrc-6
SocksBindAddress 127.0.0.1
SocksPort 10060
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor6
PidFile /var/run/tor/tor-6.pid
- torrc-7:
nano /etc/tor/torrc-7
SocksBindAddress 127.0.0.1
SocksPort 10070
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor7
PidFile /var/run/tor/tor-7.pid
- torrc-8:
nano /etc/tor/torrc-8
SocksBindAddress 127.0.0.1
SocksPort 10080
SocksPolicy accept *
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User debian-tor
CircuitBuildTimeout 30
NumEntryGuards 6
KeepalivePeriod 60
NewCircuitPeriod 15
DataDirectory /var/lib/tor8
PidFile /var/run/tor/tor-8.pid
- Create the data directory of each instance:
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor1
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor2
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor3
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor4
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor5
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor6
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor7
install -o debian-tor -g debian-tor -m 700 -d /var/lib/tor8
- Back up the old TOR startup script and install the one that starts the 8 instances:
mv /etc/init.d/tor /etc/init.d/tor.orig
wget https://memo-linux.com/wp-content/uploads/2016/11/tor -O /etc/init.d/tor
chmod +x /etc/init.d/tor
/etc/init.d/tor start
Raising maximum number of filedescriptors (ulimit -n) to 32768.
Starting tor daemon: tor...
tor 1 done.
tor 2 done.
tor 3 done.
tor 4 done.
tor 5 done.
tor 6 done.
tor 7 done.
tor 8 done.
netstat -tap | grep tor
tcp 0 0 yunohost.yunohost:10040 *:* LISTEN 1127/tor
tcp 0 0 yunohost.yunohost:10010 *:* LISTEN 1118/tor
tcp 0 0 yunohost.yunohost.:9050 *:* LISTEN 765/tor
tcp 0 0 yunohost.yunohos:amanda *:* LISTEN 1139/tor
tcp 0 0 yunohost.y:zabbix-agent *:* LISTEN 1130/tor
tcp 0 0 yunohost.yunohost:10020 *:* LISTEN 1121/tor
tcp 0 0 yunohost.yunohost:10060 *:* LISTEN 1133/tor
tcp 0 0 yunohost.yunohost:10030 *:* LISTEN 1124/tor
tcp 0 0 yunohost.yunohost:10070 *:* LISTEN 1136/tor
tcp 0 0 IP:40101 p*****:9001 ESTABLISHED 1139/tor
tcp 0 0 IP:34457 r*****:https ESTABLISHED 1136/to
Configuring Privoxy
- Create 8 configuration files:
- privoxy_1.conf:
nano /etc/privoxy/privoxy_1.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_1
listen-address localhost:11010
forward-socks5t / 127.0.0.1:10010 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_2.conf:
nano /etc/privoxy/privoxy_2.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_2
listen-address localhost:11020
forward-socks5t / 127.0.0.1:10020 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_3.conf:
nano /etc/privoxy/privoxy_3.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_3
listen-address localhost:11030
forward-socks5t / 127.0.0.1:10030 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_4.conf:
nano /etc/privoxy/privoxy_4.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_4
listen-address localhost:11040
forward-socks5t / 127.0.0.1:10040 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_5.conf:
nano /etc/privoxy/privoxy_5.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_5
listen-address localhost:11050
forward-socks5t / 127.0.0.1:10050 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_6.conf:
nano /etc/privoxy/privoxy_6.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_6
listen-address localhost:11060
forward-socks5t / 127.0.0.1:10060 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_7.conf:
nano /etc/privoxy/privoxy_7.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_7
listen-address localhost:11070
forward-socks5t / 127.0.0.1:10070 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- privoxy_8.conf:
nano /etc/privoxy/privoxy_8.conf
user-manual /usr/share/doc/privoxy/user-manual
confdir /etc/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
socket-timeout 300
handle-as-empty-doc-returns-ok 1
logdir /var/log/privoxy_8
listen-address localhost:11080
forward-socks5t / 127.0.0.1:10080 .
forward 192.168.*.*/ .
forward 127.*.*.*/ .
forward localhost/ .
- Create the log directory of each instance:
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_1
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_2
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_3
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_4
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_5
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_6
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_7
install -o privoxy -g nogroup -m 750 -d /var/log/privoxy_8
- Back up the old Privoxy startup script and install the one that starts the 8 instances:
mv /etc/init.d/privoxy /etc/init.d/privoxy.orig
wget https://memo-linux.com/wp-content/uploads/2016/11/privoxy -O /etc/init.d/privoxy
chmod +x /etc/init.d/privoxy
/etc/init.d/privoxy start
Starting Privoxy Server: privoxy_1.
Starting Privoxy Server: privoxy_2.
Starting Privoxy Server: privoxy_3.
Starting Privoxy Server: privoxy_4.
Starting Privoxy Server: privoxy_5.
Starting Privoxy Server: privoxy_6.
Starting Privoxy Server: privoxy_7.
Starting Privoxy Server: privoxy_8.
netstat -tap | grep privoxy
tcp 0 0 localhost:11010 *:* LISTEN 1968/privoxy
tcp 0 0 localhost:11050 *:* LISTEN 2072/privoxy
tcp 0 0 localhost:11040 *:* LISTEN 1431/privoxy
tcp 0 0 localhost:11080 *:* LISTEN 1543/privoxy
tcp 0 0 localhost:11070 *:* LISTEN 1484/privoxy
tcp 0 0 localhost:11060 *:* LISTEN 1558/privoxy
tcp 0 0 localhost:11020 *:* LISTEN 1512/privoxy
tcp 0 0 localhost:10030 *:* LISTEN 1590/privoxy
Configuring the Squid3 proxy
- Edit the Squid3 configuration file so that every request goes to one of the 8 Privoxy instances in turn and never directly to the Internet:
nano /etc/squid3/squid.conf
cache_peer localhost parent 11010 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_2 parent 11020 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_3 parent 11030 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_4 parent 11040 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_5 parent 11050 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_6 parent 11060 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_7 parent 11070 0 default no-query no-delay no-digest no-netdb-exchange round-robin
cache_peer localhost_8 parent 11080 0 default no-query no-delay no-digest no-netdb-exchange round-robin
always_direct deny all
- Stop the proxy server, create the cache directories (-z) and start it again:
/etc/init.d/squid3 stop
squid3 -f /etc/squid3/squid.conf -z
/etc/init.d/squid3 start
Configuring the server's hosts file
Squid requires a distinct host name for each cache_peer line, so add these aliases of 127.0.0.1 to the /etc/hosts file:
nano /etc/hosts
127.0.0.1 localhost
#
127.0.0.1 localhost_2
127.0.0.1 localhost_3
127.0.0.1 localhost_4
127.0.0.1 localhost_5
127.0.0.1 localhost_6
127.0.0.1 localhost_7
127.0.0.1 localhost_8
Testing the anonymous connection
- Configure the browser to connect to the proxy server:
- Check your IP address with the help of these two sites, for example:
Normally your real IP address no longer appears, nor even the server's :-)
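The Tor, Privoxy, Squid and hosts steps above repeat the same edit eight times with only the instance number and ports changing. As an added example (not part of the memo), this POSIX shell script derives instances 2 to 8 from the torrc-1 and privoxy_1.conf written above, creates their directories and prints the matching cache_peer and /etc/hosts lines; CFG_ROOT is an assumed prefix so the result can be reviewed in a scratch directory before anything is written under /.

```shell
#!/bin/sh
# Added example, not from the memo: derive Tor/Privoxy instances 2..COUNT from the
# torrc-1 and privoxy_1.conf above, then print the Squid cache_peer lines and the
# /etc/hosts aliases. CFG_ROOT is an assumed prefix (default "/"); try a scratch dir first.
CFG_ROOT="${CFG_ROOT:-/}"
COUNT="${COUNT:-8}"

tor_port()     { echo $((10000 + 10 * $1)); }   # instance N: Tor SOCKS on 100N0
privoxy_port() { echo $((11000 + 10 * $1)); }   # instance N: Privoxy HTTP on 110N0

# Rewrite only the per-instance values of the instance-1 templates
# (ports, DataDirectory, PidFile, logdir); everything else stays identical.
clone_instance() {
  n=$1
  sed -e "s/10010/$(tor_port "$n")/" \
      -e "s#/var/lib/tor1#/var/lib/tor$n#" \
      -e "s#/tor-1.pid#/tor-$n.pid#" \
      "$CFG_ROOT/etc/tor/torrc-1" > "$CFG_ROOT/etc/tor/torrc-$n"
  sed -e "s/11010/$(privoxy_port "$n")/" \
      -e "s/10010/$(tor_port "$n")/" \
      -e "s#/var/log/privoxy_1#/var/log/privoxy_$n#" \
      "$CFG_ROOT/etc/privoxy/privoxy_1.conf" > "$CFG_ROOT/etc/privoxy/privoxy_$n.conf"
  # Same modes as the memo; add -o debian-tor / -o privoxy when run as root on /.
  install -d -m 700 "$CFG_ROOT/var/lib/tor$n"
  install -d -m 750 "$CFG_ROOT/var/log/privoxy_$n"
}

# Squid needs a distinct name per cache_peer line, hence localhost_N in /etc/hosts.
peer_name() { [ "$1" -eq 1 ] && echo localhost || echo "localhost_$1"; }

squid_peers() {
  i=1
  while [ "$i" -le "$COUNT" ]; do
    echo "cache_peer $(peer_name "$i") parent $(privoxy_port "$i") 0 default no-query no-delay no-digest no-netdb-exchange round-robin"
    i=$((i + 1))
  done
  echo "always_direct deny all"   # never let Squid bypass the Tor chain
}

hosts_aliases() {
  i=2
  while [ "$i" -le "$COUNT" ]; do echo "127.0.0.1 localhost_$i"; i=$((i + 1)); done
}

generate_all() {
  i=2
  while [ "$i" -le "$COUNT" ]; do clone_instance "$i"; i=$((i + 1)); done
  squid_peers
  hosts_aliases
}
[ "${GENERATE:-0}" = 1 ] && generate_all   # e.g. GENERATE=1 CFG_ROOT=/tmp/scratch sh chain.sh
```

Compare the generated torrc-N and privoxy_N.conf with the hand-written files above before copying them into place; the printed cache_peer and hosts lines are pasted into squid.conf and /etc/hosts respectively.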