How to install Privoxy and combine it with Tor

In this post I’ll show you how you can improve your privacy and anonymity while browsing websites. For this purpose I’ll use Privoxy and Tor. Privoxy is a non-caching web proxy with filtering capabilities for enhancing privacy. Tor uses an overlay network run by volunteers and relays your traffic through the Tor network to its destination. It also encrypts your data, so no Tor node (except the exit node) can read your data.

This is not a high-security setup, but it should improve your privacy and anonymity.

1. Privoxy
2. Tor
3. Combine Privoxy and Tor
4. Appendix

1. Privoxy

First of all we have to download Privoxy. You can find all releases for all systems here.

wget http://downloads.sourceforge.net/ijbswa/privoxy-3.0.21-stable-src.tar.gz

Next step is to extract the archive:

tar xzf privoxy-3.0.21-stable-src.tar.gz

I highly recommend creating a dedicated user and group for Privoxy; otherwise the installation will fail if you install Privoxy as root. The advantage is that Privoxy then does not run with root privileges.

groupadd -g 206 privoxy
useradd -u 206 -g 206 -c "Web Proxy" -d /dev/null -s /bin/false privoxy

To create the configuration script you need the autoconf package to run autoheader and autoconf.

$ autoheader
$ autoconf

Now we are able to run the configuration script. Don’t forget to use the options --with-user and --with-group to define the Privoxy user and group.

./configure --prefix=/usr/ --sysconfdir=/etc/privoxy \
--localstatedir=/var --with-docbook=no \
--with-user=privoxy --with-group=privoxy \
--enable-no-gifs --enable-compression

For an executable with security-enhanced features, you can also use the following options:

--disable-toggle  --disable-editor  --disable-force

Explanation of these options (excerpt of the configure help):

--disable-toggle                Don't support temporary disable
--disable-force                 Don't allow single-page disable
--disable-editor                Prevents the use of the web-based actions file
                                editor and web-based temporary disable setting.

The next step is to compile and install Privoxy:

$ make && sudo make install

If the installation was successful, you’ll get the following message:

Privoxy 3.0.21 stable installation succeeded!

Now we have to change some settings. Open /etc/privoxy/config in your favorite editor. You may have to change the config directory; change

confdir /etc
to
confdir /etc/privoxy

If you want the proxy to serve all computers inside your network, you have to change the listen-address. Change:

listen-address  127.0.0.1:8118
to
listen-address  192.168.0.150:8118

and replace 192.168.0.150 with the IP address of your host.

The next step is optional and is not necessary to run Privoxy, but maybe you want to change the hostname. Just uncomment and change:

#hostname hostname.example.org
to
hostname COMPUTERNAME.DOMAIN.TLD

I’ve tested this installation on a Debian virtual machine and noticed that the start script contained the wrong config folder. Maybe you have to change the config folder in /etc/init.d/privoxy. Just change:

P_CONF_FILE=/usr/local/etc/privoxy/config
to
P_CONF_FILE=/etc/privoxy/config

My preferred Linux distribution is Slackware. I use the rc.privoxy from Slackbuilds. You can find the complete rc.privoxy at the end of this post. To start Privoxy during the boot process you have to edit /etc/rc.d/rc.local (on Slackware). Add the following lines:

if [ -x /etc/rc.d/rc.privoxy ]; then
/etc/rc.d/rc.privoxy start
fi

And to shut down Privoxy automatically add the following lines to /etc/rc.d/rc.local_shutdown (if it doesn’t exist, you’ll have to create it):

if [ -x /etc/rc.d/rc.privoxy ]; then
/etc/rc.d/rc.privoxy stop
fi

Now Privoxy is installed and ready to run.

2. Tor

Tor requires libevent. I won’t show the steps to install it here; installing libevent should be straightforward.

The first step to install Tor is to download the latest version and extract the archive:

$ wget https://www.torproject.org/dist/tor-0.2.4.19.tar.gz
$ tar xzf tor-0.2.4.19.tar.gz

I highly recommend creating a new non-root user and a group for Tor.

# groupadd -g 220 tor 
# useradd -u 220 -g 220 -c "The Onion Router" -d /dev/null -s /bin/false tor

The next step is to run the configure script, compile and install Tor:

$ ./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var --with-tor-user=tor \
--with-tor-group=tor
$ make 
$ sudo make install

Now we have to change some configurations. Change the directory to /etc/tor and copy the sample of the torrc:

# cd /etc/tor/
# cp torrc.sample torrc

Uncomment the following lines:

SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor

You should also add the following line to run Tor with a specific user id.

## On startup, setuid to this user and setgid to their primary group.
User tor

The last step is to create the log and lib folder for Tor and change the user and group of these directories:

# mkdir -p /var/lib/tor
# mkdir -p /var/log/tor
# chown -R tor:tor /var/lib/tor
# chown -R tor:tor /etc/tor/
# chown -R tor:tor /var/log/tor

Now we can start Tor, but don’t start Tor as root!

sudo -u tor tor &

As I said, my preferred Linux distribution is Slackware. I use the rc.tor from Slackbuilds to start and stop Tor. You can find the complete content of rc.tor at the end of this post.

If you want to start Tor automatically (on Slackware), just add the following lines to the /etc/rc.d/rc.local:

if [ -x /etc/rc.d/rc.tor ]; then
/etc/rc.d/rc.tor start
fi

And add the following lines to /etc/rc.d/rc.local_shutdown to shut down Tor automatically:

if [ -x /etc/rc.d/rc.tor ]; then
/etc/rc.d/rc.tor stop
fi

The first time I tried this installation on my virtual machine, it failed to build a Tor circuit. If something fails, take a look at the log file /var/log/tor/notices.log. I noticed this warning:

[warn] Our clock is 22 minutes, 26 seconds behind the time published in the consensus network status document.
Tor needs an accurate clock to work correctly. Please check your time and date settings!

So I had to set the correct time. No problem, I used ntpdate to get the correct time:

ntpdate ptbtime1.ptb.de

This time it worked. If you want to verify it, use the following command:

curl --silent http://checkip.dyndns.org/ | grep -Eo \
'\<[[:digit:]]{1,3}(\.[[:digit:]]{1,3}){3}\>'

You’ll get your current IP address without using Tor. To verify the Tor installation you have to use the Tor SOCKS proxy on port 9050.

curl --silent --socks5 127.0.0.1:9050 http://checkip.dyndns.org/ | grep \
-Eo '\<[[:digit:]]{1,3}(\.[[:digit:]]{1,3}){3}\>'

If everything works fine, you’ll get a different IP address. This implies that Tor runs without problems.

3. Combine Privoxy and Tor

It’s very simple to combine Privoxy and Tor. Open the Privoxy config file /etc/privoxy/config and uncomment the following lines:

forward-socks5   /               127.0.0.1:9050 .
forward         192.168.*.*/     .
forward            10.*.*.*/     .
forward           127.*.*.*/     .

You have to restart Privoxy and it should use Tor now.
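
A static check of the two settings this post changes in /etc/privoxy/config (listen-address and the forward rules), as an added example that is not part of the original post; the function name audit_privoxy_config is hypothetical. It relies on Privoxy's documented behaviour that the last matching forward rule wins and that forward-socks4, unlike forward-socks4a and forward-socks5, resolves hostnames locally.

```sh
#!/bin/sh
# Added example, not from the original post.
# audit_privoxy_config FILE -> prints findings; exit status = number of findings.
audit_privoxy_config() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # ignore comments and blank lines
    # anything other than a loopback address is reachable from the network
    $1 == "listen-address" && $2 !~ /^(127\.|localhost:|\[::1\])/ { exposed = $2 }
    $1 == "permit-access"  { acl = 1 }
    # forward-socks4 makes Privoxy resolve hostnames itself, so DNS bypasses Tor
    $1 == "forward-socks4" { print "WARN: forward-socks4 resolves DNS locally: " $0; bad++ }
    # the catch-all pattern "/" must point at a SOCKS proxy that resolves remotely
    ($1 == "forward-socks5" || $1 == "forward-socks4a") && $2 == "/" { route = $3 }
    # last match wins: a later plain "forward /" rule replaces the SOCKS route
    $1 == "forward" && $2 == "/" { route = "" }
    END {
      if (route == "") { print "FAIL: no catch-all SOCKS route, traffic bypasses Tor"; bad++ }
      else             { print "OK: catch-all route -> " route }
      if (exposed != "" && !acl) {
        print "WARN: listening on " exposed " with no permit-access rule"; bad++
      }
      exit bad + 0
    }' "$1"
}

# Run as: sh audit.sh --audit [/path/to/config]
if [ "${1:-}" = "--audit" ]; then
  audit_privoxy_config "${2:-/etc/privoxy/config}"
fi
```

A non-loopback listen-address without any permit-access line means every host that can reach port 8118 can browse through your Tor client.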

To use Privoxy you have to configure your browser. Go to the network configuration of your browser and enter the IP address of the Privoxy host and the port from listen-address (8118 in this setup). I recommend using this proxy for all protocols, including SSL.
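
To confirm that requests sent to Privoxy really leave through Tor, the curl check from section 2 can be extended to all three paths. This is an added example, not part of the original post; the function names and the default addresses (Privoxy on 127.0.0.1:8118, Tor on 127.0.0.1:9050) are assumptions you can override through the environment.

```sh
#!/bin/sh
# Added example, not from the original post.
PRIVOXY_ADDR="${PRIVOXY_ADDR:-127.0.0.1:8118}"   # assumed Privoxy listen-address
TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"         # assumed Tor SocksPort
CHECK_URL="${CHECK_URL:-http://checkip.dyndns.org/}"

# Print the first dotted-quad IPv4 address found on stdin.
extract_ip() {
  grep -Eo '[0-9]{1,3}(\.[0-9]{1,3}){3}' | head -n 1
}

# fetch_ip direct|tor|privoxy -> public address as seen by the check service.
fetch_ip() {
  case "$1" in
    direct)  set -- --noproxy '*' ;;
    # --socks5-hostname lets Tor resolve the name; plain --socks5 resolves locally
    tor)     set -- --socks5-hostname "$TOR_SOCKS" ;;
    privoxy) set -- --proxy "http://$PRIVOXY_ADDR" ;;
    *)       return 2 ;;
  esac
  curl --silent --max-time 60 "$@" "$CHECK_URL" | extract_ip
}

# verdict DIRECT TOR PRIVOXY -> 0 only if neither proxied path shows the direct address.
# The Tor and Privoxy addresses may differ from each other (different circuits).
verdict() {
  direct="$1"; tor="$2"; privoxy="$3"
  [ -n "$direct" ]  || { echo "FAIL: no answer on the direct path"; return 1; }
  [ -n "$tor" ]     || { echo "FAIL: no answer through the Tor SOCKS port"; return 1; }
  [ -n "$privoxy" ] || { echo "FAIL: no answer through Privoxy"; return 1; }
  [ "$tor" != "$direct" ]     || { echo "FAIL: Tor path shows the direct address"; return 1; }
  [ "$privoxy" != "$direct" ] || { echo "FAIL: Privoxy is not forwarding to Tor"; return 1; }
  echo "OK: direct=$direct tor=$tor privoxy=$privoxy"
}

check_chain() {
  verdict "$(fetch_ip direct)" "$(fetch_ip tor)" "$(fetch_ip privoxy)"
}

# Run as: sh check_chain.sh --run
if [ "${1:-}" = "--run" ]; then
  check_chain
fi
```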

4. Appendix

Complete content of rc.privoxy:

#!/bin/sh
#  ********************************************************************
#  This script uses exit to return proper error codes,
#  sourcing (. /path/to/rc.privoxy) it in your system's
#  rc files is a bad idea.
#  ********************************************************************

RETVAL=1

PRIVOXY_PRG="privoxy"
PRIVOXY_BIN="/usr/sbin/$PRIVOXY_PRG"
PRIVOXY_CONF="/etc/privoxy/config"
PRIVOXY_USER="privoxy"
PRIVOXY_GROUP="privoxy"
PRIVOXY_PID="/var/run/$PRIVOXY_PRG.pid"

declare -i check
check=(`/bin/ps -e|/bin/grep $PRIVOXY_PRG|/usr/bin/wc -l`)

# some checks for us
if [ ! -x $PRIVOXY_BIN  ] ; then exit 0 ;fi
if [ ! -f $PRIVOXY_CONF ] ; then exit 0 ;fi

# See how we were called.

PRIVOXY="$PRIVOXY_BIN --user $PRIVOXY_USER.$PRIVOXY_GROUP --pidfile $PRIVOXY_PID $PRIVOXY_CONF"

start () {
	# start daemon
	echo -n $"Starting $PRIVOXY_PRG: "

	if [ ! -f $PRIVOXY_PID ]; then
		( $PRIVOXY 2>/dev/tty9 ) \
			&& echo " OK" \
			&& /bin/touch /var/lock/$PRIVOXY_PRG \
			&& RETVAL=0
	elif [ $check -lt 3 ]; then 
	        echo "Zombie lock file found"
	        /bin/rm -f /var/lock/$PRIVOXY_PRG $PRIVOXY_PID
		echo "Retrying..."
		start
	else
		echo "Already running"
	fi
	echo
}

stop () {
	# stop daemon
	echo -n $"Stopping $PRIVOXY_PRG: "
	if [ -f $PRIVOXY_PID ]; then
		/bin/kill `/bin/cat $PRIVOXY_PID` \
			&& /bin/rm -f /var/lock/$PRIVOXY_PRG $PRIVOXY_PID \
			&& echo " OK" \
			&& RETVAL=0
		echo
	else
		echo " Not Running"
	fi
}

case "$1" in
  start)
	start	
	;;
  stop)
	stop	
	;;
  reload)
	if [ -f $PRIVOXY_PID ] ; then
                /bin/kill -HUP `cat $PRIVOXY_PID` \
			&& RETVAL=0
        fi
	;;
  restart)
	stop 
	start
	;;
  kill)
	echo "Kill all Privoxy"
	/bin/rm -f /var/lock/$PRIVOXY_PRG $PRIVOXY_PID 
	# killall takes the program name, not the full command line in $PRIVOXY
	/bin/killall $PRIVOXY_PRG
	;;
  condrestart)
	# restart only if already running
	if [ -f $PRIVOXY_PID ] ; then
		stop
		start
	fi 
	;;
  status)
	/bin/ps ax|/bin/grep $PRIVOXY_PRG|/bin/grep -v 'grep\|init\.d\|rc\.d'
	RETVAL=0
	;;
  top)
	if [ -f $PRIVOXY_PID ]; then
                a=""
                for i in `/sbin/pidof $PRIVOXY_PRG` ; do
                        a="$a -p $i"
                done
                /usr/bin/top $a
        fi
	;;
  *)
	echo $"Usage: $PRIVOXY_PRG {start|stop|reload|restart|condrestart|status|top|kill}"
	exit 1
esac

exit $RETVAL

Complete content of rc.tor:

#!/bin/sh
#
# tor - The Onion Router
#
# Startup/shutdown script for Tor.
#
# Written by Marco Bonetti, heavily based on
# contrib/tor.sh, contrib/torctl and Debian init script.

# Check available file descriptors
if [ -r /proc/sys/fs/file-max ]; then
  SYSTEM_MAX=`cat /proc/sys/fs/file-max`
  if [ "$SYSTEM_MAX" -gt "80000" ]; then
    MAX_FILEDESCRIPTORS=32768
  elif [ "$SYSTEM_MAX" -gt "40000" ]; then
    MAX_FILEDESCRIPTORS=16384
  elif [ "$SYSTEM_MAX" -gt "10000" ]; then
    MAX_FILEDESCRIPTORS=8192
  else
    MAX_FILEDESCRIPTORS=1024
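    # The lines from here to the start of tor_stop() are a reconstruction:
    # the original text of this part of rc.tor is missing from this page.
    echo "Warning: very few file descriptors available (file-max=$SYSTEM_MAX)."
  fi
fi

tor_start() {
  # Raise the file descriptor limit chosen above, if one was set.
  if [ -n "$MAX_FILEDESCRIPTORS" ]; then
    ulimit -n "$MAX_FILEDESCRIPTORS" 2>/dev/null
  fi
  echo -n "Starting Tor..."
  PID=`cat /var/run/tor/tor.pid 2>/dev/null`
  if [ -n "$PID" ] && kill -0 $PID 2>/dev/null; then
    echo " already running."
    exit 0
  fi
  # Binary and torrc paths are assumptions matching the configure options in this post.
  if /usr/bin/tor -f /etc/tor/torrc --PidFile /var/run/tor/tor.pid >/dev/null; then
    echo " ok."
  else
    echo " error!"
    exit 1
  fi
}

tor_stop() {
  echo -n "Stopping Tor..."
  PID=`cat /var/run/tor/tor.pid 2>/dev/null`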
  if [ -z "$PID" ]; then
    echo " not running."
    exit 0
  fi
  if kill -15 $PID; then
    echo " stopped."
  else
    sleep 1
    if kill -9 $PID; then
      echo " killed."
    else
      echo " error!"
      exit 1
    fi
  fi
}

tor_reload() {
  echo -n "Reloading Tor..."
  PID=`cat /var/run/tor/tor.pid 2>/dev/null`
  if [ -z "$PID" ]; then
    echo " not running."
    exit 0
  fi
  if kill -1 $PID; then
    echo " reloaded."
  else
    echo " error!"
    exit 1
  fi
}

tor_status() {
  PID=`cat /var/run/tor/tor.pid 2>/dev/null`
  if [ -z "$PID" ]; then
    echo "Not running."
    exit 1
  elif kill -0 $PID; then
    echo "Running."
    exit 0
  else
    echo "PID file /var/run/tor/tor.pid present but PID $PID is not running."
    exit 1
  fi
}

case "$1" in
  start)
    tor_start
  ;;

  stop)
    tor_stop
  ;;

  restart)
    tor_stop
    sleep 3
    tor_start
  ;;

  reload)
    tor_reload
  ;;

  status)
    tor_status
  ;;

  *)
  echo "Usage: $0 (start|stop|restart|reload|status)"
esac

Sources:
Privoxy Doc Forwarding
Slackbuilds: Privoxy
Slackbuilds: Tor

Posted on December 18, 2013, in Command-Line, Configure, Install, Network, Security.