Haystack needs your help to support a free Internet in Iran!
17
Jun

Best Proxy Practices (BPP!) and an update

I just want to make a quick post about best practices when running a proxy to help those on the ground in Iran get access to social networks, the outside world, and their families. It is ABSOLUTELY IMPERATIVE that this be a secure effort that is thought out and executed in the safest possible manner.

As a general rule, and I know I didn’t point this out in the original guides, all proxies should be setup with the following options in the Squid config file:

* Blocking of IRI government ipblocks [1]
* Allowing of Iran ipblocks [2]
* 10 random chosen inbound ports
* CONNECT support
* No X-Forwarded-For headers
* No client stats
* Logging to /dev/null
* Turn SSL off — it’s blocked from Iran anyway

If you’re running a proxy already, please change these settings. If you’re running a proxy on a default port (81/8080/8181/9090/3218) then change the port and shoot me off an e-mail at update@austinheap.com.

I will post a sample configuration file, as I know there have been a lot of concerns.

Also, I want to say sorry for not being able to respond to all the tweets and e-mails yet, although I’m going as fast as possible given all the other pressing demands! I’ve got thousands of emails to sort out, and the outpour of support and people helping out has been amazing. Together we’re capable of doing amazing things so thank you to everyone who is helping make a difference.

Thank you. Thank you. Thank you.

#allmylove2iran

[1] Based on ripe data found on RIPE

[2] Based on Country IP data found on CountryIPBlocks

Related posts:

  1. How to setup a proxy for Iran citizens
  2. How to setup a proxy for Iran citizens (Virtual Machine Disk Format!)
  3. How to setup a proxy for Iran citizens (for Windows!)
  4. State of the Iran Proxies
  5. Working Iran Proxy List
Tags Posted under Internets, Iran, Politics by Austin

68 Responses


  • Is there a risk of logs/statistics being accessed via a remote attack?

    I’ll attempt to put in the iptable stuff and header, but a sample config file would be very helpful as I’ve never ever worked with Squid before.

    by: Arancaytar, Jun 17th at 4:36 pm

  • i’ll make sure to make those changes. although i think after this whole fiasco, we’ll need to help iranians get rid of their adware. see tons of traffic coming in for ads linked to adware.

    by: Darren Kopp, Jun 17th at 4:39 pm

  • Any instructions on how to configure blocking on the government IP blocks?

    Also, I’m not sure how to modify this in the conf file.
    * CONNECT support
    * No X-Forwarded-For headers

    Anyone willing to upload a conf file that meets these specs?

    by: dster, Jun 17th at 4:48 pm

  • great, finally got the virtual ProxyBox working, awaiting a sample config file. Thanks!

    by: dg, Jun 17th at 4:49 pm

  • I make sure these options are set:

    forwarded_for off
    cache deny all
    access_log /dev/null
    cache_log /dev/null
    cache_store_log /dev/null
    header_access Allow allow all
    header_access Authorization allow all
    header_access WWW-Authenticate allow all
    header_access Proxy-Authorization allow all
    header_access Proxy-Authenticate allow all
    header_access Cache-Control allow all
    header_access Content-Encoding allow all
    header_access Content-Length allow all
    header_access Content-Type allow all
    header_access Date allow all
    header_access Expires allow all
    header_access Host allow all
    header_access If-Modified-Since allow all
    header_access Last-Modified allow all
    header_access Location allow all
    header_access Pragma allow all
    header_access Accept allow all
    header_access Accept-Charset allow all
    header_access Accept-Encoding allow all
    header_access Accept-Language allow all
    header_access Content-Language allow all
    header_access Mime-Version allow all
    header_access Retry-After allow all
    header_access Title allow all
    header_access Connection allow all
    header_access Proxy-Connection allow all
    header_access All deny all
    header_replace User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 GTB5 (.NET CLR 3.5.30729)

    acl UNTRUSTED src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/21 217.24.152.0/21 78.38.77.160/28 80.191.21.0/24 84.47.212.0/21 84.47.220.0/22 84.47.248.0/21

    http_access deny UNTRUSTED

    Here’s a condensed list of all the aggregated IP blocks listed in RIPE:

    194.225.164.0/23
    213.176.19.0/26
    213.176.74.0/23
    217.172.104.0/21
    217.172.112.0/22
    217.172.120.0/21
    217.172.96.0/22
    217.24.144.0/21
    217.24.152.0/21
    78.38.77.160/28
    80.191.21.0/24
    84.47.212.0/21
    84.47.220.0/22
    84.47.248.0/21

    by: JR, Jun 17th at 5:04 pm

  • * Blocking of IRI government ipblocks [1]

    I compiled a list of these blocks into iptables rules for anyone to use. I reference the “PermittedProxy” table from the rule that specifies an incoming connection to one of my proxy ports.

    iptables -N PermittedProxy
    iptables -A PermittedProxy -s 194.225.164.0/23 -j DROP
    iptables -A PermittedProxy -s 213.176.19.0/26 -j DROP
    iptables -A PermittedProxy -s 213.176.74.0/23 -j DROP
    iptables -A PermittedProxy -s 217.172.104.0/22 -j DROP
    iptables -A PermittedProxy -s 217.172.108.0/22 -j DROP
    iptables -A PermittedProxy -s 217.172.112.0/22 -j DROP
    iptables -A PermittedProxy -s 217.172.120.0/22 -j DROP
    iptables -A PermittedProxy -s 217.172.124.0/22 -j DROP
    iptables -A PermittedProxy -s 217.172.96.0/22 -j DROP
    iptables -A PermittedProxy -s 217.24.144.0/22 -j DROP
    iptables -A PermittedProxy -s 217.24.148.0/22 -j DROP
    iptables -A PermittedProxy -s 217.24.152.0/22 -j DROP
    iptables -A PermittedProxy -s 217.24.156.0/22 -j DROP
    iptables -A PermittedProxy -s 78.38.77.160/28 -j DROP
    iptables -A PermittedProxy -s 80.191.21.0/24 -j DROP
    iptables -A PermittedProxy -s 84.47.212.0/22 -j DROP
    iptables -A PermittedProxy -s 84.47.216.0/22 -j DROP
    iptables -A PermittedProxy -s 84.47.220.0/22 -j DROP
    iptables -A PermittedProxy -s 84.47.248.0/21 -j DROP
    iptables -A PermittedProxy -j ACCEPT

    by: Ted, Jun 17th at 5:08 pm

  • Already sent sample config to Austin, but I’d might just as well post it here. This configuration is tested on Ubuntu/x86 and Debian/Alpha. A sample iptables script is below as well:

    http://r3blog.nl/squid.conf
    http://r3blog.nl/iran.conf
    http://r3blog.nl/iran.iptables.sh

    This configuration features all guidelines mentioned above.

    by: r3boot, Jun 17th at 5:31 pm

  • Just need a second set of eyes for these subnet mask.

    acl Min_of_Education src 213.176.19.0/26
    acl Min_of_Transportation src 78.38.77.160/28
    acl Min_of_Communication src 80.191.21.0/24
    acl Min_of_Culture src 194.225.164.0/23
    acl Min_of_Science src 216.176.74.0/23
    acl Min_of_Foreign_Affairs src 217.24.144.0/22 217.24.148.0/22 217.24.152.0/22 217.24.156.0/22 217.172.96.0/22 217.172.104.0/24 217.172.108.0/22 217.172.112.0/22 217.172.120.0/22 217.172.124.0/22 84.47.212.0/22 84.47.216.0/22 84.47.220.0/22 84.47.248.0/22 84.47.252.0/22

    Also any thoughts on allowing or denying the Ministry of Education, Culture or Science?

    by: AZ, Jun 17th at 6:37 pm

  • Seems like you need some way to delegate a lot of these tasks. For example, a tutorial on making the settings you described above would be very useful. Setting up the proxy was fairly simple but these changes look more complicated. But every moment you spend working on tutorials/etc is one that isn’t being spent dealing with the incoming proxies.

    Email me if you need any help, I’m a programmer so if there are any tools that could help automate things or streamline the system I’m more then willing to help. Linux config knowledge is kinda spotty though :( otherwise I’d offer to write the above afformentioned tutorial.

    by: DB, Jun 17th at 6:59 pm

  • Ok so I have questions:

    * Blocking of IRI government ipblocks [1] – is this necessary if the acl ALLOW list is provided and all others are blocked?

    * 10 random chosen inbound ports – How do I change this from the default 3218? I opened 10 ports in my firewall, then what?

    by: doinksta, Jun 17th at 7:19 pm

  • I saw the link to the iptables rules on twitter. How do you set them up on an Ubuntu system?

    by: Doug Holland, Jun 17th at 7:44 pm

  • Yes, waiting for sample config file. I’m worried about doing something incorrectly.

    Thank you!

    by: nh, Jun 17th at 8:31 pm

  • Can you post instructions for applying your config to the .vmdk provided.

    by: flamsmark, Jun 17th at 8:37 pm

  • I would love to take part, know of any walk throughs on setting up a proxy?

    by: Cresh, Jun 17th at 9:03 pm

  • Those IRI government IPs in CIDR format are

    194.225.164.0/23
    213.176.19.0/26
    213.176.74.0/23
    217.172.104/22
    217.172.108/22
    217.172.112.0/22
    217.172.120.0/22
    217.172.124.0/22
    217.172.96.0/22
    217.24.144.0/22
    217.24.148.0/22
    217.24.152.0/22
    217.24.156.0/22
    78.38.77.160/16
    80.191.21.0/24
    84.47.212.0/22
    84.47.216.0/22
    84.47.220.0/22
    84.47.248.0/22
    84.47.252.0/22

    I blocked them in my router’s firewall (linux based) with the following settings:

    iptables -A INPUT -s 194.225.164.0/23 -j DROP
    iptables -A INPUT -s 213.176.19.0/26 -j DROP
    iptables -A INPUT -s 213.176.74.0/23 -j DROP
    iptables -A INPUT -s 217.172.104/22 -j DROP
    iptables -A INPUT -s 217.172.108/22 -j DROP
    iptables -A INPUT -s 217.172.112.0/22 -j DROP
    iptables -A INPUT -s 217.172.120.0/22 -j DROP
    iptables -A INPUT -s 217.172.124.0/22 -j DROP
    iptables -A INPUT -s 217.172.96.0/22 -j DROP
    iptables -A INPUT -s 217.24.144.0/22 -j DROP
    iptables -A INPUT -s 217.24.148.0/22 -j DROP
    iptables -A INPUT -s 217.24.152.0/22 -j DROP
    iptables -A INPUT -s 217.24.156.0/22 -j DROP
    iptables -A INPUT -s 78.38.77.160/16 -j DROP
    iptables -A INPUT -s 80.191.21.0/24 -j DROP
    iptables -A INPUT -s 84.47.212.0/22 -j DROP
    iptables -A INPUT -s 84.47.216.0/22 -j DROP
    iptables -A INPUT -s 84.47.220.0/22 -j DROP
    iptables -A INPUT -s 84.47.248.0/22 -j DROP
    iptables -A INPUT -s 84.47.252.0/22 -j DROP

    This way you system appears to them to just be a nonexistent system.

    by: DM, Jun 17th at 10:15 pm

  • I emailed you and then read this post. I also could really use a sample config file, some changes I can make/figure out on my own, but I am not terribly familiar with squid. Thank you for all the help you have been providing.

    by: Nate, Jun 17th at 10:45 pm

  • Please post a sample config file!

    by: joe, Jun 17th at 11:06 pm

  • Finally got Squid installed, after fighting with it for three days. Can someone point me to a resource that will tell me how to implement the practices described above? I’ve never done any of this before–am still figuring it out…

    by: Daniel, Jun 17th at 11:09 pm

  • Oh, and I’m working with the squid.conf file I downloaded from http://thoughtsections.blogspot.com/2009/06/proxies-for-iran-walkthrough.html, if that’s relevant…

    by: Daniel, Jun 17th at 11:10 pm

  • Ok, and further, here is a complete squid.conf file stripped of comments and ready to be filled in with your ports, IP address, and DNS servers.

    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access allow CONNECT all
    http_access allow localnet
    acl TRUSTED1 src 62.60.128.0/17 62.193.0.0/19 62.220.96.0/19 77.36.128.0/17 77.77.64.0/18 77.104.64.0/18 77.237.64.0/19 77.237.160.0/19 77.245.224.0/20 78.38.0.0/15 78.109.192.0/20 78.110.112.0/20 78.111.0.0/20 78.154.32.0/19 78.157.32.0/19 78.158.160.0/19 79.127.0.0/17 79.132.192.0/19 79.170.144.0/21 79.175.128.0/18 80.66.176.0/20 80.69.240.0/20 80.71.112.0/20 80.75.0.0/20 80.191.0.0/16 80.242.0.0/20 80.253.128.0/20 80.253.144.0/20 81.12.0.0/17 81.28.32.0/20 81.28.48.0/20 81.31.160.0/20 81.31.176.0/20
    acl TRUSTED2 src 81.90.144.0/20 81.91.128.0/20 81.91.144.0/20 82.99.192.0/18 82.115.0.0/19 83.147.192.0/18 84.47.192.0/18 84.241.0.0/18 85.9.64.0/18 85.15.0.0/18 85.133.128.0/17 85.185.0.0/16 85.198.0.0/18 86.109.32.0/19 87.107.0.0/16 87.247.160.0/19 87.248.128.0/19 89.144.128.0/18 89.165.0.0/17 89.221.80.0/20 89.235.64.0/18 91.98.0.0/15 91.184.64.0/19 91.186.192.0/19 91.206.122.0/23 91.208.165.0/24 91.209.242.0/24 91.212.16.0/24 91.212.19.0/24 91.212.252.0/24 92.42.48.0/21 92.50.0.0/18 92.61.176.0/20
    acl TRUSTED3 src 92.62.176.0/20 92.242.192.0/19 93.110.0.0/16 93.190.24.0/21 94.74.128.0/18 94.101.128.0/20 94.101.176.0/20 94.101.240.0/20 94.139.160.0/19 94.182.0.0/15 94.184.0.0/17 94.232.168.0/21 94.241.128.0/18 95.38.0.0/16 95.80.128.0/18 95.81.64.0/18 95.82.0.0/18 95.82.64.0/18 95.130.56.0/21 95.130.240.0/21 188.34.0.0/16 188.93.64.0/21 188.121.96.0/19 188.121.128.0/19 188.136.128.0/17 188.158.0.0/15 193.189.122.0/23 194.225.0.0/16 195.146.32.0/19 212.16.64.0/19 212.33.192.0/19 212.50.224.0/19
    acl TRUSTED4 src 212.80.0.0/19 212.95.128.0/19 212.120.192.0/19 213.176.0.0/19 213.176.32.0/19 213.176.64.0/18 213.195.0.0/18 213.207.192.0/18 213.217.32.0/19 213.233.160.0/19 217.11.16.0/20 217.24.144.0/20 217.25.48.0/20 217.64.144.0/20 217.66.192.0/20 217.66.208.0/20 217.146.208.0/20 217.172.96.0/19 217.174.16.0/20 217.218.0.0/15 127.0.0.1 192.168.5.0/24
    http_access allow TRUSTED1
    http_access allow TRUSTED2
    http_access allow TRUSTED3
    http_access allow TRUSTED4
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    follow_x_forwarded_for allow all
    ssl_engine off
    http_port
    http_port
    http_port
    http_port
    http_port
    http_port
    http_port
    http_port
    http_port
    http_port
    hierarchy_stoplist cgi-bin ?
    access_log none
    cache_store_log none
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
    upgrade_http0.9 deny shoutcast
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    visible_hostname
    dns_nameservers
    forwarded_for off
    header_access X-Forwarded-For deny all
    header_access Via deny all
    client_db off
    coredump_dir none

    by: DM, Jun 17th at 11:23 pm

  • Oops. I forgot to mention, you’ll need to fill in the http_port lines with your 10 ports, and fill in the visible_hostname and dns_nameservers with your IP address and DNS servers.

    by: DM, Jun 17th at 11:33 pm

  • Hmm… it’s a thin line. Some IRI government people are probably trying to get around the blocks themselves.

    by: luqa, Jun 18th at 12:02 am

  • Hi, I think I’ve gone through my squid.conf file and made the various changes. The only one I’m not able to do is #1, the blocking of IRI govmt ipblocks. I just copied/pasted the IP address ranges found on RIPE (see below) but when I restart the squid server (on ubuntu) I got error msges for these code lines–

    acl IRI src 194.225.164.0-194.225.165.255 213.176.19.0-213.176.19.63 213.176.74.0-213.176.75.255 217.172.104.0-217.172.107.255 217.172.108.0-217.172.111.255 217.172.108.0-217.172.108.255 217.172.112.0-217.172.115.255 217.172.120.0-217.172.123.255 217.172.120.0-217.172.120.255 217.172.124.0-217.172.127.255 217.172.96.0-217.172.99.255 217.24.144.0-217.24.147.255 217.24.144.0-217.24.145.255 217.24.148.0-217.24.151.255 217.24.152.0-217.24.155.255 217.24.156.0-217.24.159.255 78.38.77.160-78.38.77.175 80.191.21.0-80.191.21.255 84.47.212.0-84.47.215.255 84.47.216.0-84.47.219.255 84.47.220.0-84.47.223.0 84.47.220.0-84.47.223.255 84.47.248.0-84.47.251.0 84.47.252.0-84.47.255.0
    http_access deny IRI

    Can anyone help please? Also, I’m waiting for the squid.conf posting on here to replace mine. Thanks thanks, and democracy for Iranians!

    by: Signifiance, Jun 18th at 2:53 am

  • Anyone reading this without a server can easily sign up with a decent VPS host, pay $10-20 dollars, setup a proxy server (as above) and forward the IP to Austin/our trusted Iranian friends.

    Internet censorship is a general problem in Iran. Open Net initiative has a report on it (http://opennet.net/research/profiles/iran). I’m wondering what can/should be done after all this unrest quietens down to ensure Iranians can still access the web?

    There’s been talk about Google improving security by settting the defaults on their apps to HTTPS. Is there something similar that can be enouraged for Iranians? Default browsers to TOR? To proxy through something else?

    by: Mazuhl, Jun 18th at 5:08 am

  • Austin, your e-mail server is refusing (rejecting) all smtp connections.

    by: quumies, Jun 18th at 10:48 am

  • Here’s the squid ACL that blocks the Iran Ministry blocks in RIPE:
    acl UNTRUSTED src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/22 217.172.108.0/22 217.172.108.0/24 217.172.112.0/22 217.172.120.0/22 217.172.124.0/22 217.172.96.0/22 217.24.144.0/22 217.24.148.0/22 217.24.152.0/22 217.24.156.0/22 78.38.77.160/28 80.191.21.0/24 84.47.212.0/22 84.47.216.0/22 84.47.220.0/22 84.47.248.0/22 84.47.252.0/22

    by: Ian, Jun 18th at 1:20 pm

  • civisec.org publishes a guide to anti-censorware for activists and users.

    http://civisec.org/guides/everyones-guides

    Web based proxies are easiest to use plus they don’t require additional software in the event your computer is seized.

    There are various ways of passing IP addresses and ports to use to the people who need them.

    Example:

    http://en.wikipedia.org/wiki/Steganography

    After obtaining the IP address and port number, the website they access redirects them randomly (using mod_rewrite or PHP) to one of a long list of proxy servers.

    When the authorities discover the server distributing the proxy servers, everybody who visited the site previously still has working proxy servers. The authorities would have to find a way to visit the redirection site enough times to discover the whole list of proxy servers.

    Those people, in turn, can use the proxy server they were redirected to to contact someone who can send them a long list of IP address / port number pairs of proxy servers to distribute internally.

    Example:

    Each server used for redirection uses a different set of 100 proxy servers.

    100 redirect servers x 100 proxy servers = 10000 proxy servers

    From there, people working independently would be passing lists of their own proxy servers.

    You get enough people participating around the world and it would be very difficult for the authorities to keep up even if they blocked an entire country.

    by: Joe, Jun 18th at 1:25 pm

  • Here’s my attempt to write config lines for the first two. I’m not sure if it’s correct. If it looks about right, let me know and I’ll load it in.

    # Generated from RIPE with http://ip2cidr.com/

    acl UNTRUSTED src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/20 78.38.77.160/28 80.191.21.0/24 84.47.212.0/22 84.47.216.0/21 84.47.248.0/22 84.47.252.0/23 84.47.254.0/24 84.47.255.0/32
    http_access deny UNTRUSTED

    # Copied from http://blog.austinheap.com/2009/06/15/how-to-setup-a-proxy-for-iran-citizens-for-windows/comment-page-2/#comment-196

    Austin, you should update your old posts with links to this one. Or updated config instructions.

    by: Elika, Jun 18th at 1:48 pm

  • To achieve : * Blocking of IRI government ipblocks [1]

    I have made an acl that gathers all the ip addresses mentionned
    above in the reference (1] Based on ripe data found on RIPE) so you can deny this acl prior to accept trusted (defined in other post of austinheap) .

    here is the acl :
    acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/20 84.47.212.0/21 84.47.220.0/22 84.47.251.0/21

    remember to use it like indicated below in squid.conf

    acl IRANMINISTRY …(the whole above IRANMINISTRY acl)
    acl TRUSTED … (the whole TRUSTED acl, other post of austinheap)

    http_access deny IRANMINISTRY
    http_access allow TRUSTED

    by: citoyenlambda, Jun 19th at 2:28 pm

  • just an additionnal piece of advice if you have 2 PC at home (with 1 you have to change squid.conf)
    you put the local ip address of one of your pc in TRUSTED acl that way: a.b.c.d/32 (eg 192.168.1.5/32)
    and the ip address of your other pc in the IRANMINISTRY acl.

    you configure the use of squid proxy and if with your 1rst pc you can access internet with the proxy and you can’t with your second pc
    it means your configuration is ok

    by: citoyenlambda, Jun 19th at 2:35 pm

  • hello DM my .conf is like yours except what follows I have on top of you :
    (acl TRUSTED should be like yours)

    #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
    acl localnet src 192.168.0.0/24 # my real localnet

    #acl Safe_ports port 443 # https

    # Only allow purge requests from localhost
    http_access allow purge localhost
    http_access deny purge

    acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/20 84.47.212.0/21 84.47.220.0/22 84.47.251.0/21

    acl TRUSTED src 62.60.128.0/17 62.193.0.0/19 62.220.96.0/19 77.36.128.0/17 77.77.64.0/18 77.104.64.0/18 77.237.64.0/19 77.237.160.0/19 77.245.224.0/20 78.38.0.0/15 78.109.192.0/20 78.110.112.0/20 78.111.0.0/20 78.154.32.0/19 78.157.32.0/19 78.158.160.0/19 79.127.0.0/17 79.132.192.0/19 79.170.144.0/21 79.175.128.0/18 80.66.176.0/20 80.69.240.0/20 80.71.112.0/20 80.75.0.0/20 80.191.0.0/16 80.242.0.0/20 80.253.128.0/20 80.253.144.0/20 81.12.0.0/17 81.28.32.0/20 81.28.48.0/20 81.31.160.0/20 81.31.176.0/20 81.90.144.0/20 81.91.128.0/20 81.91.144.0/20 82.99.192.0/18 82.115.0.0/19 83.147.192.0/18 84.47.192.0/18 84.241.0.0/18 85.9.64.0/18 85.15.0.0/18 85.133.128.0/17 85.185.0.0/16 85.198.0.0/18 86.109.32.0/19 87.107.0.0/16 87.247.160.0/19 87.248.128.0/19 89.144.128.0/18 89.165.0.0/17 89.221.80.0/20 89.235.64.0/18 91.98.0.0/15 91.184.64.0/19 91.186.192.0/19 91.206.122.0/23 91.208.165.0/24 91.209.242.0/24 91.212.16.0/24 91.212.19.0/24 91.212.252.0/24 92.42.48.0/21 92.50.0.0/18 92.61.176.0/20 92.62.176.0/20 93.110.0.0/16 93.190.24.0/21 94.74.128.0/18 94.101.128.0/20 94.101.176.0/20 94.101.240.0/20 94.139.160.0/19 94.182.0.0/15 94.184.0.0/17 94.232.168.0/21 94.241.128.0/18 95.38.0.0/16 95.80.128.0/18 95.81.64.0/18 95.82.0.0/18 95.82.64.0/18 95.130.56.0/21 95.130.240.0/21 188.34.0.0/16 188.93.64.0/21 188.121.96.0/19 188.121.128.0/19 188.136.128.0/17 188.158.0.0/15 193.189.122.0/23 194.225.0.0/16 195.146.32.0/19 212.16.64.0/19 212.33.192.0/19 212.50.224.0/19 212.80.0.0/19 212.95.128.0/19 212.120.192.0/19 213.176.0.0/19 213.176.32.0/19 213.176.64.0/18 213.195.0.0/18 213.207.192.0/18 213.217.32.0/19 213.233.160.0/19 217.11.16.0/20 217.24.144.0/20 217.25.48.0/20 217.64.144.0/20 217.66.192.0/20 217.66.208.0/20 217.146.208.0/20 217.172.96.0/19 217.174.16.0/20 217.218.0.0/15
    http_access allow localnet
    http_access deny IRANMINISTRY
    http_access allow TRUSTED
    http_access deny all

    refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880

    by: citoyenlambda, Jun 19th at 4:17 pm

  • !!!!!!! Caution there was a mistake in my acl IRANMINISTRY I corrected it in
    here below do not take ohers only that one it has been validated :

    acl IRANMINISTRY src 194.225.164.0/23 213.176.19.0/26 213.176.74.0/23 217.172.104.0/21 217.172.112.0/22 217.172.120.0/21 217.172.96.0/22 217.24.144.0/20 84.47.212.0/22 84.47.216.0/22 84.47.220.0/22 84.47.248.0/22 84.47.252.0/22

    by: citoyenlambda, Jun 20th at 5:39 am

  • protect your lan !

    with squid in your lan people could go out on your lan instead of going out on the internet to prevent that here is how to cnfigure squid :

    1) an acl of your lan network (or all private addresses)

    at the begining of squid.conf with other acl add :

    #
    acl out_filter dst 10.0.0.0/8 # RFC1918 possible internal network
    acl out_filter dst 172.16.0.0/12 # RFC1918 possible internal network
    acl out_filter dst 192.168.0.0/16 # RFC1918 possible internal network

    alternately you may enter only your lan eg :

    #
    acl out_filter dst 192.168.0.0/24 # my lan

    2) further in the squid.conf file
    (you may take as an example the squid.cnf file of commenter DM above
    and you may add my differences (NB take the latest version of my IRANMINISTRY acl)

    http_access allow TRUSTED
    http_access deny all

    #after the 2 lines above you add :

    http_access2 deny out_filter

    #and that’s it

    by: citoyenlambda, Jun 20th at 11:18 am

  • The latest post by citizenloyola is very important.

    1) Please test that your proxy does not allow external access to your local network.

    2) I recommend deleting the early recommendations, and replacing them with examples that have been vetted by squid experts.

    I am not a squid expert.

    by: Josh Rubin, Jun 20th at 12:14 pm

  • I made an interesting typo
    s/citizenloyola/citoyenlambda/

    by: Josh Rubin, Jun 20th at 12:27 pm

  • Since open relay proxies are so commonly abused, I wouldn’t recommend turning off your access logs entirely.

    You can have squid mask out the client IP from the logs, so that you can see what resources were accessed, but not who did the accessing. This will let you know what your proxy is being used for, while still protecting your users in the unlikely event that government agents infiltrate your system or otherwise seize your logs. (Although it would give them a possible list of web sites to target)

    — In squid.conf —
    client_netmask 0.0.0.0

    by: Nic Benders, Jun 20th at 3:37 pm

  • How do we get the word out that we’ve set up a proxy? Simply email Austin?

    by: SMiTTY, Jun 21st at 8:58 am

  • For those putting up Proxy’s, you might want to use OpenDNS servers for your DNS.

    You can block access to adult, hacking and other “non-useful” sites and keep access to those who need to exchange information on the cause at hand.

    by: ProxyGuy, Jun 21st at 4:29 pm

  • Guys, please post a *single* cohesive configuration file rather than bits and pieces that need to be assembled. This is making it much more difficult to set up.

    by: Cliff Rowley, Jun 21st at 4:57 pm

  • The following lines cause errors in the Squid configuration:

    http_access allow purge localhost
    http_access deny purge
    http_access2 deny out_filter

    by: Cliff Rowley, Jun 21st at 5:14 pm

  • Considering throwing up a proxy myself – a little concerned about the AFP knocking on my door tho…

    by: Shannon, Jun 21st at 9:31 pm

  • Should the form for submitting our proxies be https: to protect against a man-in-the-middle attack?

    by: Lydia, Jun 21st at 9:53 pm

  • Has anyone considered setting up SSH servers supporting dynamic forwarding (socks5 over ssh) – would be a lot more secure against packet sniffing….

    by: Shannon, Jun 21st at 10:24 pm

  • I’ve configured SQUID on a Win XP machine and the service is running without any error message; but I am unable to see a proxy server address. How do I start the server up and test it to see if its working?

    by: Kam, Jun 21st at 10:42 pm

  • The cache.log for squid points to ready and able proxy service, but I can’t figure out how and where to use/find proxy server address. Would somebody please advise on next step(s) to test/make server available.

    by: Kam, Jun 21st at 10:57 pm

  • I’ve got a squid up and running – at current it only allows austinheap, youtube, twitter, and facebook – Does anyone have any other sites I should permit?

    I only have limited bandwidth with which to provide the service so it’s important to keep it as short as possible.

    by: Shannon, Jun 21st at 11:51 pm

  • My proxy is working for normal web browsing, but I can’t log into twitter, facebook, etc. through the proxy. Twitter throws a 403, and Facebook tells me I don’t have cookies enabled.

    I assume I’m missing/misconfigured something. Can anyone give me a hint without me tossing my entire config up? (Which I’ll do, but I don’t care to add to the noise if it’s not necessary.)

    by: Derek, Jun 22nd at 12:36 am

  • @Shannon: How will users know which sites they are allowed to visit? I’m afraid of endangering protesters who waste time figuring it out by trial and error.

    by: Josh Rubin, Jun 22nd at 9:38 am

  • @Josh – I have the 4 major sites, and this one in my permit list – I’m also logging attempts to access domains (only that, no ip address, no urls, just domains) to see if there are other important domains I should add – which I’m monitoring real time…

    by: Shannon, Jun 22nd at 9:53 am

  • Here’s a link to a proxy config file, modified for Windows: http://iran.whyweprotest.net/attachments/help-iran-online/49d1245678166-how-setup-proxy-iranian-citizens-windows-squid-configuration-file.zip. It is slightly modified from the original version for Linux, found here: http://dev.austinheap.com/iran/squid-iran-ideal.txt. It should help Windows Squid users set up a proxy more quickly.

    by: Fidel Dangelow, Jun 22nd at 2:53 pm

1 · 2 ·

Share your comment

Name Your Message
Email Website * We know you have something to say