State of the Iran Proxies
So there’s been good news and bad news from launching proxyheap. (Btw, you can check if your proxy is working here.)
The good news? We have lots of support! The bad news? There’s a HUGE chunk of proxies misconfigured… rendering them useless. There’s also a bunch of proxies on unreliable connections — we pass these out to people in Iran and when they’re down, it just makes things harder.
That said, special thanks to r3boot (the original author) and esr (who put all the pieces in place) for putting together a reliable Squid configuration file for those in Iran seeking unfiltered Internet access.
To quote from the config file:
# 0. Do this installation only on a non-essential machine, as the host may be
# targeted for serious denial-of-service or cracking attempts. For maximum
# security, run it inside a virtual machine.
#
# 1. Install squid on your system. You will need to be root for this.
# Under Ubuntu, do "apt-get install squid"
# Under RedHat, Fedora, and Centos do "yum install squid"
# Under Gentoo, do "emerge squid"
# Under OpenBSD, do "pkg_add PKG_PATH=ftp://ftp.openbsd.org/pub/{version}/packages/i386/squid"
# Under FreeBSD, do this:
# wget http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE6.tar.gz;
# tar zxvf squid-2.7.STABLE6.tar.gz
# cd squid-2.7.STABLE6
# ./configure '--sysconfdir=/etc/squid' '--enable-storeio=diskd,ufs,aufs' '--enable-delay-pools' '--enable-pf-transparent' '--enable-ipf-transparent' '--disable-ident-lookups' '--enable-removal-policies'
# make
# make install
# Under NetBSD, do "cd /usr/ports/www/squid; make install clean"
#
# 2. Red Hat and CentOS only:
# * Edit the iptables via system-config-securitylevel. As root, run
# /usr/bin/system-config-securitylevel
# * Set SELinux to either Permissive (slightly better) or Disabled.
# Note, this is a crude solution. Someone with more SELinux
# knowledge might be able to write a pass-through rule.
# * Now go into Customize. In Other Ports, set it like this:
# portnum:protocol (eg. 42342:tcp, 42343:tcp, 42344:tcp).
# Do this for all of your nonstandard ports. Hit OK->OK
#
# 3. Replace your squid configuration with this file. It is likely
# to be in /etc/squid/squid.conf, but could be in /etc/squid.conf
# as well.
#
# 4. Fix the "visible_hostname" line in /etc/squid.conf: it should declare
# your machine's hostname (i.e. the part following "userid@" in your
# terminal prompt)
#
# 5. Choose a nonstandard port number to listen on, or better yet
# about a dozen of them. Fix the http_port line in /etc/squid.conf.
# Add more lines as needed.
#
# 6. Specify the IP of a machine where you have login privileges on the
# "acl remote_test" line below. You will use this to verify that your
# proxy is working, and can remove it afterwards.
#
# 7. Type "sudo adduser squid" and specify a password
#
# 8. Restart squid by typing: "/etc/init.d/squid restart"
#
# 9. Stop the service by typing "/etc/init.d/squid stop"
#
# 10. Test it in debug mode by typing "squid -z" (which creates the cache files)
#
# 11. Type "squid -NCd10" to test squid in debug mode and leave it running.
#
# 12. Open Firefox and type the URL localhost:3128. It will fail to retrieve a
# page, but at the bottom it should confirm that the error is generated
# by squid. (To be extra-sure, re-do this test using one of the
# non-standard ports you declared in step 4.)
#
# 13. Back at the Terminal type CTRL-C to cancel the debug mode
#
# 14. Start squid for real with "/etc/init.d/squid start". It will start
# automatically from now on.
#
# 15. If your squid host is sitting behind a hardware router with firewalling
# capability, you must set up port forwarding of all your nonstandard
# ports to the squid host machine. The procedure for this varies
# depending on your router, but most likely involves pointing your
# browser at 192.168.1.1 and navigating to a "Port Forwarding" page.
#
# 16. The easiest way to test that your proxy server is working is to
# use the proxy tester at austinheap.com:
#
# If it says "Fatal error: couldn't connect to host", then your
# squid instance probably isn't running; check for possible fatal
# error in the configuration parse, and if you don't see that make
# sure that you have correctly configured your router or firewall
# to pass through packets. If it says "Your proxy is not accepting
# connections from the validation servers.", you're at least
# reaching squid, but your allow/denies aren't right or your
# configuration file doesn't live where you think it does.
#
# 17. Register your proxy server with proxyheap at
#
# You'll have to do this once for each listener port you declared.
# You will receive an email notification from the proxyheap
# verification servers if all is well. Otherwise, email will tell you
# that your server could not be verified and drop the entry from the
# proxyheap database. Once you are successfully registered,
# the Iranian revolutionaries can begin using your proxy with
# no further action required on your part.
#
# 18. Death threats have already been made against cooperating
# hackers. If you receive such a threat, report it to your local
# police immediately. Do not assume that your cooperation is unknown
# to the Iranian regime or their agents, and do not assume you will
# have warning if they act on their threats. If you are not already
# armed and prepared to defend yourself, fix both of these bugs.
I think this is a very good starting point for getting this effort organized and effective.
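As an added example (this is not the r3boot/esr configuration file, of which the post quotes only the comment header), here is a small POSIX shell script that writes a squid.conf following steps 4 to 6 above: the visible_hostname, one comment-free http_port line per nonstandard listener, and the remote_test ACL, plus the settings that keep the proxy from recording or announcing its users. The hostname, test-host IP and port numbers are placeholders supplied on the command line; the ACL names (everyone, remote_test, Safe_ports, SSL_ports) are this script's own choice, not names from the quoted file.

```shell
#!/bin/sh
# Added example, not the r3boot/esr squid.conf the post quotes. Writes a
# minimal squid.conf for the procedure above. Hostname, test-host IP and
# listener ports are placeholders passed in by the caller.

# is_listener_port PORT: true only for an integer in the unprivileged range,
# so Squid can bind it without root and step 5 is not silently broken by a
# port below 1024 or an invalid value.
is_listener_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or not made only of digits
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# gen_squid_conf HOSTNAME TEST_IP PORT [PORT...]  -> squid.conf on stdout
gen_squid_conf() {
    hostname="$1"; test_ip="$2"; shift 2
    for port in "$@"; do
        is_listener_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    # Step 4: the hostname Squid announces about itself
    printf 'visible_hostname %s\n' "$hostname"
    # Step 5: one listener per line and nothing else on the line, because
    # Squid 2.7 refuses a trailing comment after http_port
    for port in "$@"; do
        printf 'http_port %s\n' "$port"
    done
    cat <<EOF
# Step 6: a host you control, used only to verify the proxy; remove it afterwards
acl remote_test src ${test_ip}
acl everyone src 0.0.0.0/0
acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow remote_test
# The proxy is meant for anyone in Iran; delete the next line to test with
# remote_test alone first
http_access allow everyone
# Keep nothing on disk that shows what users fetched
cache deny everyone
# Record 0.0.0.0 instead of the client address in access.log
client_netmask 0.0.0.0
# Do not tell origin servers that a proxy was used, or by whom
via off
forwarded_for off
EOF
}

# Usage: gen_squid_conf myhost 192.0.2.10 42342 42343 42344 > /etc/squid/squid.conf
if [ "$#" -ge 3 ]; then
    gen_squid_conf "$@"
fi
```

Run `squid -k parse` (or the `squid -z` / `squid -NCd10` steps above) on the result before starting the service; the script validates the port numbers but not the rest of your installation.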
Related posts:
- How to setup a proxy for Iran citizens
- Best Proxy Practices (BPP!) and an update
- How to setup a proxy for Iran citizens (for Windows!)
- How to setup a proxy for Iran citizens (for Mac!)
- How to setup a proxy for Iran citizens (Virtual Machine Disk Format!)
Hello all,
I have 4 machines that I can setup with Ubuntu or Windows XP (running Virtual Box). I was thinking I could just put these non-essential machines out in my DMZ. Wouldn't that work?
AB
by: AdamBaum, Jun 24th at 1:10 am
The version of Squid shipped with Ubuntu 9.04 doesn’t like lines mixed with comments:
# squid -z
FATAL: Bungled squid.conf line 110: http_port 28910 # Heretic II
Squid Cache (Version 2.7.STABLE3): Terminated abnormally.
Split all http_port lines in squid-iran-ideal.txt so that comments are on separate lines. The http_port line should have the following format:
http_port
by: Hackiran, Jun 24th at 2:17 am
Sorry, some portion of my comment has been eaten. Reposting:
The http_port line should have the following format:
http_port[SPACE_CHARACTER][PORT_NUMBER]
by: Hackiran, Jun 24th at 2:18 am
To generate random port number lines for your squid.conf you can use this one line bash script:
for i in $(seq 16); do echo $((RANDOM % 64512 + 1024)) | perl -pe 's/^/http_port /;'; done; # keeps the ports in the unprivileged range 1024-65535
by: Hackiran, Jun 24th at 2:34 am
Some ISPs are blocking confirmation e-mails from proxyheap. BellSouth is doing so.
Confirmation e-mails are coming through on gmail.
by: wtf, Jun 24th at 4:53 am
How do you check the traffic? Is there a way to do this on windows xp?
Cheers
by: PKH, Jun 24th at 7:17 am
Use a unix shell account on another machine to test your proxy:
(hope the line breaks don’t get screwed up)
#!/bin/bash
#PROXY='example.com' # proxy IP address or hostname
PROXY=123.122.122.122
TEST_URL='http://google.com' # test page
for PORT in 1111 2222 3333 4444 # or whatever
do
# run wget in an environment where the "http_proxy" variable is set.
env http_proxy=http://${PROXY}:${PORT} wget --output-document=/dev/null ${TEST_URL}
done
by: Josh Rubin, Jun 24th at 12:28 pm
Jeremy
Instructions re proxies and where to Tweet (Twitter) details to here:
http://reunifygally.wordpress.com/2009/06/17/help-iran/
by: Annie, Jun 24th at 1:22 pm
@ Chris Smith
just go to the proxyheap, and confirm the mail you get, I’d say.
I must say that the silence here, from the site’s owner side is not really motivating.
I can understand there’s no way to get in touch with everybody, but it’d be nice to see some ‘human’ talk on how things are going, which shows a result of appreciation as well as understanding the issues people seem to have.
Submit a proxy, and that’s it. We get a lot of them, and they’re not all set up properly. Now go check your proxy there, and register it there. Automated message, and that’s it.
I have given my proxy details to an Iranian client, and he will pass it through to his younger nephew. I just told him to pass it through and tell the young guy to pass it on, as it is needed.
I don’t see any traffic here neither and I am a bit disappointed as to the communication and collaboration here. It all seems technical and not as such human.
@ Austin:
We’re combining efforts out of ideology, and that can have some organisation, perhaps through a bbs style or whatever. Threads can be made about setting up, about the status of the situation there, the need of proxies, the involvement of the loanIP-companies, and the ones providing free VPN and such.
Bottom line: We all set up a proxy, and then there’s silence… Is that the purpose of your initiative? Sorry to speak so freely… But does it all make sense, and towards the future?
by: olli, Jun 24th at 1:50 pm
@ PKH:
you’d have to look for the access log.
There is an implicit demand to turn off logging, but setting the line
client_netmask 0.0.0.0
in your configuration, no ip’s get logged.
I can see when I test the proxy through the austin heap, it looks like this:
1245806841.992 480 0.0.0.0 TCP_MISS/200 215 GET http://proxyheap.austinheap.com/bindata.php – DIRECT/208.116.53.211 text/html
As you see, the source is left as 0.0.0.0 and the target url is visible.
_______
The logging directives are just a precaution in case there would be a security breach that causes interception of the logs, thus putting at risk the source users of the proxy: the people we care about in Iran!!
by: olli, Jun 24th at 2:00 pm
@olli,
You are right. It all seems technical and not as such human.
How are we helping people in Iran if there is no traffic on our servers? Are we losing the proxy-war? http://tinyurl.com/mwgus6
@Austin,
Where is this initiative going? Are the Iranians blocking everything?
On twitter, I read that the Iranian gov is using email addresses of detained journalists. Who do you trust in this situation? It’s a tough situation but setting up a proxyserver is not enough.
by: Michael Tepper, Jun 24th at 4:00 pm
Austin: I just sent two e-mails to proxyheap@austinheap.com from w_t_f@bellsouth.net. Have you received them?
w_t_f
by: wtf, Jun 24th at 5:24 pm
and what about vpn servers ? Though more tech off course…
by: olli, Jun 24th at 5:25 pm
Austin: I just sent two e-mails to proxyheap@austinheap.com from w_t_f@bellsouth.net. Did you receive them?
w_t_f
by: wtf, Jun 24th at 5:25 pm
Austin: I just submitted again. Confirmation e-mail not delivered to my BellSouth account and not in my spam folder. Confirmation e-mail was delivered immediately to my gmail account.
w_t_f
by: wtf, Jun 24th at 5:37 pm
@olli
Thanks for the explanation.
Has anyone seen this? Where do we stand in relation to this?
http://spectregroup.wordpress.com/2009/06/19/what-tipped-you-off/
by: PKH, Jun 24th at 6:50 pm
@olli,
thanks. I just stopped my squid. Running tor till I figure out how to get vpn/ssl to work.
by: Michael Tepper, Jun 24th at 8:17 pm
let’s start a tor bridge heap!
by: Michael Tepper, Jun 24th at 9:32 pm
running tor – got a message when I tested my port 9030 “unexpected data from port”. does that mean something is working or not?!
by: jrl, Jun 24th at 11:39 pm
in reply to PKH:
http://spectregroup.wordpress.com/2009/06/19/what-tipped-you-off/
> ssl is not an option as far as I know. https is not possible. Though I read gmail is accessible, and that one uses https…
What about it
by: olli, Jun 25th at 1:31 am
I feel I should repeat an earlier suggestion – what about ssh servers – very very easy to use as a client, relatively easy to set up, and they work as socks5 proxies.
by: Shannon, Jun 25th at 3:49 am
Shannon: all of SSH (port 22) is blocked in Iran, like SSL.
by: spacefiddle, Jun 25th at 7:41 am
@spacefiddle Do you have any info about whether there is blocking based on packet contents, or just by port? Are ssh / ssl / etc blocked regardless of port?
It wouldn’t be hard to provide root access to a virtual machine running ssh and loaded with software. Let ‘em use what they want.
by: Josh Rubin, Jun 25th at 10:04 am
Should we open ports to countries which border Iran or have frequent business travel? Trade must go on or the government runs out of money. Maybe Turkey. People are probably bringing out thumb drives and such, but are still afraid of sending in the clear.
by: Josh Rubin, Jun 25th at 10:10 am
Can we get someone to answer the following questions:
1. Is the IR gov’t blocking SSL on any port, or just port 443/3128, etc.? To do the latter, they would need DPI on every port, not just port-based ACLs.
2. If there’s no blocking, is it worth setting up SSL on proxies in order to allow Iranians to browse in an encrypted manner or does this complicate their access?
3. Is there any reason to get actual CA-signed certs, or would self-signed certs be enough? I can’t see a benefit to a CA-signed cert, as the proxies are not DNS named, but are just referred to by IP.
by: Andy, Jun 25th at 12:52 pm
@spacefiddle *chuckle* I already run ssh on port 21 for a friend whose boss blocks traffic at work and she proxies through me, running it on xbox live and about 65000 other ports wouldn’t be too much of a stretch
by: Shannon, Jun 25th at 4:17 pm
just to say my proxy is up and running again (there was a little problem today but OK now).
by: PKH, Jun 25th at 5:57 pm
Thanks for the example config file!
On OpenBSD 4.4/amd64 with Squid 2.7stable3 a few notes:
– comments are not allowed after config lines (such as the http_port lines)
– the squid_ user is added during installation, so step #7 is not necessary
– I added the squid ports to my pf.conf to allow incoming connections
Other than that, easy and clear. (I might like to not make any response to denied connections, but I didn’t see how to add that to the squid config; maybe it’s not an option?)
by: Mark, Jun 26th at 12:58 am
@ Austin:
It would be better to use wordpress pages here instead of posts, that way your communicated info would be easily updated, and one could browse from the top…
@andy:
check out this post here: it contains essential guidelines:
http://blog.austinheap.com/2009/06/17/best-proxy-practices-bpp-and-an-update/
and please also check the first info that was here:
http://blog.austinheap.com/2009/06/15/how-to-setup-a-proxy-for-iran-citizens/
by: olli, Jun 26th at 2:48 am
My proxy’s been running for about a week on Ubuntu. I haven’t received an E-mail but I can see from netstat and GNU system monitor that it’s being used, mainly to reach Tor nodes. One thing that seems strange to me is that GNU system monitor reports that about 76 Mbytes have been received so far, but only 25 Mbytes have been sent out. Shouldn’t these numbers be about the same? I’ve never run any services before so I’m having a hard time making sense of the numbers. Can anyone help?
by: Zaster, Jun 26th at 7:53 am
Austin, I concur with “olli @ 06/24/2009 at 1:50 pm”: lot of folks want
to support your efforts but we’re not getting much feedback from you. A little
leadership would go a long way right now. Help us help you.
by: Gino, Jun 26th at 1:24 pm
@Austin: Do you have a secure way of getting proxy info to people who need it? If not, please tell us so we can seek other routes.
by: Josh Rubin, Jun 27th at 1:46 pm
I understand that all traffic through Iran is subject to Deep Packet Inspection (DPI) – aka eavesdropping – and that SSL-based communication can neutralize this.
Do we need to establish SSL-based proxy servers?
Do we need to establish SSL-based TOR servers?
by: Gino, Jun 28th at 3:53 am
^did you even click the link at the very top of this page??
-> http://proxyheap.austinheap.com/phase1.php
Well, it would just be nice to hear that proxies are getting passed trough in some update…
by: olli, Jun 28th at 6:24 pm
According to nedanet.org, they are no longer recommending using plaintext squid proxies because the Iran govt are doing deep-packet inspections on all traffic.
by: DavidMWW, Jun 29th at 9:46 am
Is this down? ‘not found’
http://proxyheap.austinheap.com/checker.php
by: PKH, Jun 30th at 6:24 pm
OK it seems the checker was under construction last night. It’s back up now. But now when I check the proxies (which I checked before with Success) I get this error:
Bad HTTP_ header exposed: HTTP_X_FORWARDED_FOR, HTTP_VIA …
What does this mean? Is something wrong? I used the config file provided here and didn’t have any problems with the old checker.
Thanks
by: PKH, Jul 1st at 4:53 am
OK I restarted the server and it’s working now.
by: PKH, Jul 1st at 5:01 am
no there is something wrong I keep getting this:
Bad HTTP_ header exposed: HTTP_X_FORWARDED_FOR, HTTP_VIA …
Please any ideas?
Thanks
by: PKH, Jul 1st at 7:48 pm
Strange working now. I think it’s the test. Something wrong with the site after the reconstruction?
by: PKH, Jul 2nd at 5:02 am
Bad HTTP_ header exposed: HTTP_X_FORWARDED_FOR, HTTP_VIA …
Getting the same error here. Works randomly on test. Fails to submit.
Using the above config.
by: Vee, Jul 2nd at 9:31 pm
@Austin can you please check the submission script?
My Polipo proxy passed test and submission fine. But my squid one passes testing intermittently and fails submission with the error Bad HTTP_ header exposed: HTTP_X_FORWARDED_FOR, HTTP_VIA
The config being used is the one pasted here.
by: Vee, Jul 3rd at 4:14 am
thank you all so much for doing this.
I am in touch with friends and relatives living in Iran who have been communicating their frustration around the internet censoring (amongst other things).
just wanted to let you know this is huge in terms of fighting back against the injustices of the Iranian government; they have been getting away with too much.
by: an Iranian, Jul 7th at 7:59 pm
@Vee @PKH @Austin @Anyone_else_having_trouble
I kept getting ‘Bad HTTP_ header exposed: HTTP_X_FORWARDED_FOR, HTTP_VIA’
I’ve found the information here to be helpful:
http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
Long story short, I added these lines below ‘cache deny all’:
via off
forwarded_for off
header_access From deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
…
I hope this helps
by: Normal Dan, Jul 7th at 11:34 pm
Unfortunately it doesn’t. Squid won’t even start if I add those lines.
by: Cyrus7777, Jul 29th at 5:21 am
It’s not header_access
It’s request_header_access
by: Cyrus7777, Jul 29th at 5:52 am
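The “Bad HTTP_ header exposed” message in the comments above is about what the origin server receives, not about which directive name Squid accepts. As an added example (not the proxyheap checker's own code), here is a POSIX shell function that takes a dump of the request headers as an origin server saw them and lists the ones that reveal a proxy hop or the client's address, spelled the way the checker's message spells them (HTTP_VIA, HTTP_X_FORWARDED_FOR: the form in which PHP and CGI scripts see request headers). The two request samples are constructed for the example, not real captures, and the proxy hostname and client address in them are placeholders.

```shell
#!/bin/sh
# Added example, not the proxyheap checker's code. Reads request headers from
# stdin, prints each proxy-revealing header in HTTP_* spelling, and exits 1
# if any got through (0 if the request is clean).

exposed_proxy_headers() {
    tr -d '\r' | awk -F': *' '
        # Via and X-Forwarded-For are the two that Squid itself adds; the
        # via off and forwarded_for off directives remove them. Forwarded-For
        # and Proxy-Connection arrive from the browser and are passed along
        # unless the proxy strips them.
        tolower($1) ~ /^(via|x-forwarded-for|forwarded-for|proxy-connection)$/ {
            name = toupper($1); gsub(/-/, "_", name)
            print "HTTP_" name
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample: what an origin server sees from a Squid left at its
# defaults (placeholder proxy hostname and client address, not a real capture).
LEAKY_REQUEST='GET /bindata.php HTTP/1.1
Host: proxyheap.austinheap.com
Via: 1.0 proxy.example.org:42342 (squid/2.7.STABLE6)
X-Forwarded-For: 192.0.2.55
Cache-Control: max-age=259200'

# The same request after via off and forwarded_for off (also constructed).
CLEAN_REQUEST='GET /bindata.php HTTP/1.1
Host: proxyheap.austinheap.com
Cache-Control: max-age=259200'

# Usage: printf '%s\n' "$LEAKY_REQUEST" | exposed_proxy_headers
# prints HTTP_VIA and HTTP_X_FORWARDED_FOR and exits 1; the clean request
# prints nothing and exits 0.
```

To check a live proxy the same way, point a browser through it at a page on a host you control that echoes its request headers, and pipe that echo into the function; an empty result is what the checker wants to see.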
I just submitted again. Confirmation e-mail not delivered to my BellSouth account and not in my spam folder. Confirmation e-mail was delivered immediately to my gmail account.
by: lina yuliana, Aug 7th at 6:05 am
i live in Iran. In the country i s theme sites have been closed. Please immediate immediate immediate software filter against yourself with program” sent me to understand. Perhaps shikastih hand gears into fees because I am not pall fees also closed. I am waiting for your Program”. Urgent urgent urgent.
by: reza in iran live, Sep 12th at 2:02 pm
i live in Iran. In the country i s theme sites have been closed. Please immediate immediate immediate software filter against yourself with program” sent me to understand. Perhaps shikastih hand gears into fees because I am not pall fees also closed. I am waiting for your Program”. Urgent urgent urgent. I address:
by: reza in iran live, Sep 12th at 2:03 pm
Maybe can try vpn other than proxy, got 4 free ones i found here
http://techwor.com/free-vpn-software-for-secure-anonymous-surfing/
by: charleston, Nov 10th at 12:46 pm