Privoxy, add a new friend to the battle.

So, we now have three browsers using three different SOCKS ports to access the Tor network, and the last of our browsers builds a special double circuit in the Tor network that combines different countries (this is not bad at all). Remember, this is where we were.

But... the situation is so difficult... we have to protect ourselves with more layers.

Let's introduce the layer 7 firewall Privoxy.

What is a layer 7 firewall? It's a firewall that works at the last layer of the ISO/OSI network stack, which in non-technical terms is the level of the URI: www.facebook.com, steemit.com/@npna ...

Matryoshkas are sexy

We like Russia, and we like матрёшка.

In this case we're doing exactly the same thing: encapsulating our information layer after layer to protect it from the privacy cannibals.

Our dolls start from the browser, go through Privoxy, and are then routed to the Tor network.

Let's install Privoxy from the OpenBSD precompiled packages with a single command:

$ doas pkg_add -U privoxy

It installs these files and binaries:

$ pkg_info -L privoxy
Information for inst:privoxy-3.0.26

Files:
/usr/local/bin/privoxy-log-parser.pl
/usr/local/bin/privoxy-regression-test.pl
/usr/local/bin/uagen.pl
/usr/local/bin/url-pattern-translator.pl
/usr/local/man/man1/privoxy.1
/usr/local/sbin/privoxy
/usr/local/share/doc/privoxy/AUTHORS
/usr/local/share/doc/privoxy/ChangeLog
/usr/local/share/doc/privoxy/LICENSE
/usr/local/share/doc/privoxy/README
/usr/local/share/examples/privoxy/config
/usr/local/share/examples/privoxy/default.action
/usr/local/share/examples/privoxy/default.filter
/usr/local/share/examples/privoxy/match-all.action
/usr/local/share/examples/privoxy/regression-tests.action
/usr/local/share/examples/privoxy/templates/blocked
/usr/local/share/examples/privoxy/templates/cgi-error-404
/usr/local/share/examples/privoxy/templates/cgi-error-bad-param
/usr/local/share/examples/privoxy/templates/cgi-error-disabled
/usr/local/share/examples/privoxy/templates/cgi-error-file
/usr/local/share/examples/privoxy/templates/cgi-error-file-read-only
/usr/local/share/examples/privoxy/templates/cgi-error-modified
/usr/local/share/examples/privoxy/templates/cgi-error-parse
/usr/local/share/examples/privoxy/templates/cgi-style.css
/usr/local/share/examples/privoxy/templates/client-tags
/usr/local/share/examples/privoxy/templates/connect-failed
/usr/local/share/examples/privoxy/templates/connection-timeout
/usr/local/share/examples/privoxy/templates/default
/usr/local/share/examples/privoxy/templates/edit-actions-add-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-for-url
/usr/local/share/examples/privoxy/templates/edit-actions-for-url-filter
/usr/local/share/examples/privoxy/templates/edit-actions-list
/usr/local/share/examples/privoxy/templates/edit-actions-list-button
/usr/local/share/examples/privoxy/templates/edit-actions-list-section
/usr/local/share/examples/privoxy/templates/edit-actions-list-url
/usr/local/share/examples/privoxy/templates/edit-actions-remove-url-form
/usr/local/share/examples/privoxy/templates/edit-actions-url-form
/usr/local/share/examples/privoxy/templates/forwarding-failed
/usr/local/share/examples/privoxy/templates/mod-local-help
/usr/local/share/examples/privoxy/templates/mod-support-and-service
/usr/local/share/examples/privoxy/templates/mod-title
/usr/local/share/examples/privoxy/templates/mod-unstable-warning
/usr/local/share/examples/privoxy/templates/no-server-data
/usr/local/share/examples/privoxy/templates/no-such-domain
/usr/local/share/examples/privoxy/templates/show-request
/usr/local/share/examples/privoxy/templates/show-status
/usr/local/share/examples/privoxy/templates/show-status-file
/usr/local/share/examples/privoxy/templates/show-url-info
/usr/local/share/examples/privoxy/templates/show-version
/usr/local/share/examples/privoxy/templates/toggle
/usr/local/share/examples/privoxy/templates/toggle-mini
/usr/local/share/examples/privoxy/templates/untrusted
/usr/local/share/examples/privoxy/templates/url-info-osd.xml
/usr/local/share/examples/privoxy/user.action
/usr/local/share/examples/privoxy/user.filter
/etc/rc.d/privoxy

We have only one small problem when pairing Privoxy with Tor: to chain three Privoxy ports to three Tor ports we have to launch three different Privoxy instances. But thanks to OpenBSD's clarity this is very simple.

Let's go deep into the configuration:

cd to the Privoxy configuration directory:

$ cd /etc/privoxy

Copy the default config file into three different ones:

$ doas cp config firefox && doas cp config chrome && doas cp config torbrowser

Go to the OpenBSD rc.d directory:

$ cd /etc/rc.d

Copy the default Privoxy init script into three different ones:

$ doas cp privoxy privoxyfirefox && doas cp privoxy privoxychrome && doas cp privoxy privoxytorbrowser



OK, it's all simple and without complications. Good, I love OpenBSD.

The main Privoxy configuration file is full of options, and you have to dedicate a couple of hours to understand all the entries, or simply to read it. For now we use this basic configuration (in our next chapters we will probably make some changes to it). Let's look together at the one that will be used in the Firefox environment:

$ cat /etc/privoxy/firefox
#
# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
#
# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
#
user-manual https://www.privoxy.org/user-manual/
trust-info-url https://learn.canva.com/wp-content/uploads/2015/06/50-Of-The-Most-Creative-404-Pages-On-The-Web-01.png
admin-address [email protected]
#config guide
#proxy-info-url http://www.example.com/proxy-service.html
confdir /etc/privoxy
templdir /etc/privoxy/templates
logdir /var/log/privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
filterfile default.filter
filterfile user.filter # User customizations
logfile privoxyfirefox.log
#if set all deny but the ones listed on [use ~ like *]
#trustfile trust
#
# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024
# debug 2 # show each connection status
# debug 4 # show I/O status
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# debug 64 # debug regular expression filters
# debug 128 # debug redirects
# debug 256 # debug GIF de-animation
# debug 512 # Common Log Format
# debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
# debug 2048 # CGI user interface
# debug 4096 # Startup banner and warnings.
# debug 8192 # Non-fatal errors
# debug 32768 # log all data read from the network
# debug 65536 # Log the applying actions
debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
#debug 1024 # Actions that are applied to all sites and maybe overruled later on.
#debug 4096 # Startup banner and warnings
#debug 8192 # Non-fatal errors
single-threaded 0
hostname Lutetia.unknown_domain
listen-address 127.0.0.1:8800
#filter mode
toggle 1
enable-remote-toggle 0
#filter by X-filter http header
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 1
# src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
permit-access 127.0.0.1
buffer-limit 8192
#enable if there's a parent proxy
enable-proxy-authentication-forwarding 0
forward-socks5 / 127.0.0.1:9900 .
forwarded-connect-retries 0
#transparent proxy
accept-intercepted-requests 0
# allow-cgi-request-crunching 0
split-large-forms 0
# grow up to 300 (if browser hang stop)
keep-alive-timeout 5
# disable if problems
tolerate-pipelining 1
#default-server-timeout 60
connection-sharing 0
# try to reduce to 5 sec
socket-timeout 300
#max-client-connections 256
handle-as-empty-doc-returns-ok 0
#enable-compression 1
#compression-level 3
#client-header-order Host \
# Accept \
# Accept-Language \
# Accept-Encoding \
# Proxy-Connection \
# Referer \
# Cookie \
# DNT \
# If-Modified-Since \
# Cache-Control \
# Content-Length \
# Content-Type
#
#client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
# disable-content-filters Disable content-filters but do not affect other actions
#
#
# client-tag-lifetime 180
#
# IP address with a X-Forwarded-For header.
# trust-x-forwarded-for 1

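OK, simply replace admin-address and hostname with your own.

In every configuration file, Privoxy forwards its HTTP proxy port to a distinct SOCKS port.

To create the other two, execute these commands. Each instance also needs its own listen-address port: 8801 is the one Chrome is pointed at below, and 8802 for Tor Browser is assumed here to follow the same pattern.

# cd /etc/privoxy
# sed -e 's/privoxyfirefox/privoxychrome/g' -e 's/9900/9901/g' -e 's/8800/8801/g' firefox > chrome
# sed -e 's/privoxychrome/privoxytorbrowser/g' -e 's/9901/9902/g' -e 's/8801/8802/g' chrome > torbrowser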

Now create the missing log files with:

$ doas touch /var/log/privoxy/privoxyfirefox.log
$ doas touch /var/log/privoxy/privoxychrome.log
$ doas touch /var/log/privoxy/privoxytorbrowser.log

And enable all three at boot:

$ doas rcctl enable privoxyfirefox
$ doas rcctl set privoxyfirefox user _privoxy
$ doas rcctl set privoxyfirefox flags /etc/privoxy/firefox
$ doas rcctl enable privoxychrome
$ doas rcctl set privoxychrome user _privoxy
$ doas rcctl set privoxychrome flags /etc/privoxy/chrome
$ doas rcctl enable privoxytorbrowser
$ doas rcctl set privoxytorbrowser user _privoxy
$ doas rcctl set privoxytorbrowser flags /etc/privoxy/torbrowser

Finally, start the three daemons:

$ doas rcctl start privoxyfirefox
$ doas rcctl start privoxychrome
$ doas rcctl start privoxytorbrowser
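A check for the per-browser configuration files built above, added here as an example and not taken from the original post: it verifies that every instance listens on loopback only, forwards to its own Tor SOCKS port, and keeps the remote toggle and the action editor disabled. The helper names (field, check_chain, sample_firefox) are hypothetical and the sample configs are constructed from the values in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Nth whitespace-separated word of the first active (uncommented) NAME line.
field() {   # usage: field NAME N FILE
    awk -v d="$1" -v n="$2" '$1 == d { print $n; exit }' "$3"
}

# Report port collisions and unsafe settings; non-zero status if any are found.
check_chain() {   # usage: check_chain FILE...
    rc=0; seen=" "
    for f in "$@"; do
        listen=$(field listen-address 2 "$f")
        socks=$(field forward-socks5 3 "$f")   # word 2 is the URL pattern "/"
        case $listen in
            127.0.0.1:*) ;;
            *) echo "$f: listen-address '$listen' is missing or not loopback"; rc=1 ;;
        esac
        [ -n "$socks" ] || { echo "$f: no forward-socks5, requests would skip Tor"; rc=1; }
        for v in "L$listen" "S$socks"; do
            case $seen in *" $v "*) echo "$f: ${v#?} is used by another instance"; rc=1 ;; esac
            seen="$seen$v "
        done
        for d in enable-remote-toggle enable-edit-actions; do
            [ "$(field "$d" 2 "$f")" = 0 ] || { echo "$f: $d is not set to 0"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample: a minimal config holding the values used in the post.
sample_firefox() {   # usage: sample_firefox FILE
    cat > "$1" <<'EOF'
listen-address 127.0.0.1:8800
enable-remote-toggle 0
enable-edit-actions 0
forward-socks5 / 127.0.0.1:9900 .
EOF
}

dir=$(mktemp -d)
sample_firefox "$dir/firefox"
# Changing only the SOCKS port leaves both instances on 8800: flagged.
sed 's/9900/9901/g' "$dir/firefox" > "$dir/chrome"
check_chain "$dir/firefox" "$dir/chrome" || echo "=> fix the configs first"
# Changing the listen port as well passes the check.
sed -e 's/9900/9901/g' -e 's/8800/8801/g' "$dir/firefox" > "$dir/chrome"
check_chain "$dir/firefox" "$dir/chrome" && echo "=> chain ok"
rm -rf "$dir"
```

On the real system the call would be check_chain /etc/privoxy/firefox /etc/privoxy/chrome /etc/privoxy/torbrowser.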

Browser configuration



Now we have a correct Privoxy setup, but remember that it has no layer 7 firewalling rules yet; we will see those in our next chapter.

We have to change the configuration of the three browsers to use Privoxy instead of the Tor SOCKS ports directly.

Firefox:

Chrome: simply replace --proxy-server="socks5://127.0.0.1:9901" with --proxy-server="http://127.0.0.1:8801"

Torbrowser:



Preparing the chicken soup



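OK, the cooking has started, but here is one last little hack to disturb our favorite cannibals. Let's eliminate the HTTP Referer header. This is an action, so it goes into the actions file user.action (user.filter only holds filter definitions):

# cat >> /etc/privoxy/user.action << EOF
{ +crunch-client-header{Referer:} }
/
EOF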

And yes... that's EOF for today.

Thank you and #changeNOW, please.