
Best Proxy Practices (BPP!) and an update

Currently VPNs are one of the safest methods of evading censorship. HMA has hundreds of exit nodes/countries and many ways of accessing their servers.

I just want to make a quick post about best practices when running a proxy to help those on the ground in Iran get access to social networks, the outside world, and their families. It is ABSOLUTELY IMPERATIVE that this be a secure effort that is thought out and executed in the safest possible manner.

As a general rule, and I know I didn’t point this out in the original guides, all proxies should be set up with the following options in the Squid config file:

* Blocking of IRI government IP blocks [1]
* Allowing of Iran IP blocks [2]
* 10 randomly chosen inbound ports
* CONNECT support
* No X-Forwarded-For headers
* No client stats
* Logging to /dev/null
* Turn SSL off — it’s blocked from Iran anyway

If you’re running a proxy already, please change these settings. If you’re running a proxy on a default port (81/8080/8181/9090/3218) then change the port and shoot me off an e-mail at [email protected]

I will post a sample configuration file, as I know there have been a lot of concerns.

Also, I want to say sorry for not being able to respond to all the tweets and e-mails yet, although I’m going as fast as possible given all the other pressing demands! I’ve got thousands of emails to sort out, and the outpour of support and people helping out has been amazing. Together we’re capable of doing amazing things so thank you to everyone who is helping make a difference.

Thank you. Thank you. Thank you.

#allmylove2iran

[1] Based on RIPE data found on RIPE

[2] Based on Country IP data found on CountryIPBlocks

  • http://fremnet.net Shannon

    I’ve got a squid up and running – at current it only allows austinheap, youtube, twitter, and facebook – Does anyone have any other sites I should permit?

    I only have limited bandwidth with which to provide the service so it’s important to keep it as short as possible.

  • Derek

    My proxy is working for normal web browsing, but I can’t log into twitter, facebook, etc. through the proxy. Twitter throws a 403, and Facebook tells me I don’t have cookies enabled.

    I assume I’m missing/misconfigured something. Can anyone give me a hint without me tossing my entire config up? (Which I’ll do, but I don’t care to add to the noise if it’s not necessary.)

  • Josh Rubin

    @Shannon: How will users know which sites they are allowed to visit? I’m afraid of endangering protesters who waste time figuring it out by trial and error.

  • http://fremnet.net Shannon

    @Josh – I have the 4 major sites, and this one in my permit list – I’m also logging attempts to access domains (only that, no ip address, no urls, just domains) to see if there are other important domains I should add – which I’m monitoring real time…


  • http://iran.whyweprotest.net/attachments/help-iran-online/49d1245678166-how-setup-proxy-iranian-citizens-windows-squid-configuration-file.zip Fidel Dangelow

    Here’s a link to a proxy config file, modified for Windows: http://iran.whyweprotest.net/attachments/help-iran-online/49d1245678166-how-setup-proxy-iranian-citizens-windows-squid-configuration-file.zip. It is slightly modified from the original version for Linux, found here: http://dev.austinheap.com/iran/squid-iran-ideal.txt. It should help Windows Squid users set up a proxy more quickly.

  • http://goldmark.org/jeff/ Jeffrey Goldberg

    If there are going to be attacks on proxies from the IRI government sites, the correct line of defense is with firewall rules and not with a Squid ACL. So thanks to those who’ve posted instructions on adding those blocks to iptables.

    I think it would be helpful if someone could post instructions for those using off the shelf “hardware” firewalls such as linksys or D-Link boxes. I don’t have access to these to play with, so I can’t provide instructions beyond saying connect to your router with your web browser. You already needed to connect to it to allow port forwarding for your proxy (otherwise no one from the outside can connect), so I won’t provide those instructions. And just look for the tab or page for firewall rules. You might have to enter each by hand, and let’s hope that they accept CIDR format.

    If others have played with these firewall/router thingies and can be more specific about what does and doesn’t work (and where to look for things) please enlighten us.

  • http://www.youtube.com/neodudecurt Curtis

    Hey, this guide seems like it was written for the computer literate. I have about 200 coworkers (I’m not kidding) who all would like to set up a proxy, as well as myself, but we seem to not be able to make any sense of the guide. If anybody else could PLEASE email me directions that explain it for idiots like myself, send it to t.ilton.s.tudent[at]gmail.com (all those periods are actually there)

  • http://www.countryipblocks.net Stewart

    Austin:

    Thank you for posting an excellent response to the current internet access plight of the Iranian people. Your blog has resulted in nearly 500 new visitors to Country IP Blocks in the past few days. As a result we are making our network access lists for the Islamic Republic of Iran more prominent.

    We are also in the process of mapping the network backbone access points in Iran to see if there may be routes in and out of Iran that are not currently being filtered.

    Please keep in mind that Iranian network data is subject to change, therefore it is a good idea to check our website for the latest updates.

    Thanks again for mentioning us in your post.

  • MR

    Curtis, others: if you are not computer literate, try installing TOR, and run it as a relay. This helps Iranians get anonymous and safe internet access.
    Installation is very easy, and most of the time all you have to do is click a few times.

    There’s a short guide, including pictures, at:
    http://iansbrain.com/2009/06/15/tor-and-the-iranian-election/

    Good luck!

    Mohsen

  • efx

    If the http://www.catb.org/esr/nedanet/squid.conf conf file was used then I assume all of the above options in the conf are fixed?

  • http://surfazad.com Never mind

    An easier way to set up a proxy on a Windows computer:
    http://www.surfazad.com/howto_setup_proxy.php

    Please make sure you have at least a cable connection and leave your computer on at all times so your proxy is not down.

  • HS

    Good idea Curtis. Better still: place it here so all we “idiots” can benefit from it.

  • Proxy45

    Thank you Fidel, it’s useful.

  • http://charlessblog.youcarib.com/ amuddigundell

    Nice blogpost, good looking website, added it to my favs.

  • amir

    please send for me a web proxy

  • reza

    please send for me a web proxy

  • http://hompage jalinoos

    contact my account.

  • hosain

    Please send for me a web proxy

  • zeya

    please send for me a web proxy
    thank you!!!!!!!!!

  • http://www.yahoo.com/ Adelphia

    AFAICT you’ve covered all the bases with this answer!

  • http://www.google.com/ Justus

    Ppl like you get all the brains. I just get to say thanks for the answer.
