
Making your friGate anonymous and ad-free
Introduction
Plugins for bypassing blocking, such as the popular friGate, are good for everyone, but they have one drawback: they like to build in their own ads and, later on, to keep track of everything you do on the Internet.
VPN has its drawbacks: either all traffic goes through the remote server, or you need to configure complex routing rules.
An ssh tunnel on a laptop that constantly falls asleep and wakes up has to be restarted every time.
There are solutions like autossh, but they won't satisfy a true perfectionist.
Let's try to achieve friGate-like convenience using services that are completely under our control.
We will need: a dedicated server with Linux / FreeBSD (I used Ubuntu), a domain, letsencrypt, squid and some PAC-file magic.
You can get a free third-level domain from your host or here: freedomain.co.nr, registry.cu.cc.
Squid supports an encrypted connection from the browser, which is exactly what is needed here.
For some reason this capability is almost unknown to the general public, which is why this post appeared.

Installing Squid with SSL Support
In Ubuntu, squid is built without the configure flag we need (--enable-ssl).
If you have a different distribution and everything is already fine (check by running squid3 -v | grep -E --color "(ssl|tls)"), go directly to the next item.
So we will build our own package for Ubuntu (this guide was used):
sudo apt-get install devscripts build-essential fakeroot libssl-dev
apt-get source squid3
sudo apt-get build-dep squid3
apply the following patches:
--- squid3-3.3.8/debian/rules 2013-11-15 11:49:59.052362467 +0100
+++ squid3-3.3.8/debian/rules.new 2013-11-15 11:49:35.412362836 +0100
@@ -19,6 +19,8 @@
DEB_CONFIGURE_EXTRA_FLAGS := --datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
+ --enable-ssl \
+ --enable-ssl-crtd \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd,rock" \
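Review bot: Of the two flags added here, only --enable-ssl is needed for the https_port setup this post configures; --enable-ssl-crtd builds the ssl_crtd helper that generates certificates for SSL bumping, which this configuration never uses. Either drop the second added line or say in the text that it is optional. These are the 3.3.x option names, consistent with the squid3-3.3.8 paths in the file header.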
One file in the Squid source also needs to be adjusted (src/ssl/gadgets.cc). This change prevents the Firefox error sec_error_inadequate_key_usage that usually occurs when doing HTTPS filtering with recent Firefox versions. If you use only Google Chrome, Microsoft Internet Explorer or Apple Safari, this step is not required.
--- squid3-3.3.8/src/ssl/gadgets.cc 2013-07-13 09:25:14.000000000 -0400
+++ squid3-3.3.8/src/ssl/gadgets.cc.new 2013-11-26 03:25:25.461794704 -0500
@@ -257,7 +257,7 @@
mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert)
{
static int extensions[]= {
- NID_key_usage,
+ //NID_key_usage,
NID_ext_key_usage,
NID_basic_constraints,
0
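Review bot: This change only affects certificates that Squid itself generates to mimic an origin server (mimicExtensions is part of the SslBump certificate-generation path); with a Let's Encrypt certificate on https_port and no ssl_bump, it has no effect, so the text should mark it as optional rather than a required step. If it is kept, delete the NID_key_usage line instead of commenting it out, so the intent is not lost inside the initializer list.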
We assemble and install:
cd squid3-3.3.8 && dpkg-buildpackage -rfakeroot -b
sudo apt-get install squid-langpack
sudo dpkg -i ../squid-common*.deb ../squid_*.deb
Obtaining a signed certificate using letsencrypt.org service
Downloading scripts:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
If you already have a web server running, stop it, because the letsencrypt script will start its own.
In a real production setup you can prove control of the domain without stopping the web server; see the documentation.
We get the certificate:
./letsencrypt-auto --authenticator standalone --installer apache -d <our_domain.ru>
If successful, the pem files can be found in the directory /etc/letsencrypt/live/<our domain>/
Configuring Squid
The config stays at its defaults; only the https_port option is added. If desired, add an acl that allows access only from specific IPs, or password authentication. For example:
https_port 3129 cert=/etc/letsencrypt/live/example.com/fullchain.pem key=/etc/letsencrypt/live/example.com/privkey.pem
acl mynet src <your_external_ip>/32
http_access allow mynet
Then start squid:
sudo /etc/init.d/squid3 start
We teach the browser encrypted connections with a proxy
As the Squid documentation notes, an HTTPS connection to the proxy server has recently become possible in Firefox and Chrome, but only via a PAC file:
The Chrome browser is able to connect to proxies over SSL connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet).
...
The Firefox 33.0 browser is able to connect to proxies over SSL connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet).
PAC (Proxy Auto Configuration) is a JavaScript file executed by the browser to determine the proxy for each request.
I used the following code:
// encrypted_squid.pac
// Hosts that should go through the encrypted proxy; everything else goes direct.
var hosts = 'myip.ru internet.yandex.ru';
var blocked = hosts.split(' ');
function FindProxyForURL(url, host) {
    var parts = host.split('.');
    // Second-level domain of the host, e.g. "www.myip.ru" -> "myip.ru"
    // (single-label names such as "localhost" are kept as they are).
    var shost = parts.length > 1 ? parts[parts.length - 2] + '.' + parts[parts.length - 1] : host;
    for (var i = 0; i < blocked.length; i++) {
        // Match either the full host name or its second-level domain, so both
        // "myip.ru" (with any subdomain) and "internet.yandex.ru" in the list work.
        if (host == blocked[i] || shost == blocked[i]) return "HTTPS <your_proxy_FQDN>:3129";
    }
    return "DIRECT";
}
The addresses in the hosts list are there for testing; replace them with the ones you need ;) Point the browser at the file in the corresponding field of its settings (Preferences -> Advanced -> Network -> Settings), check what our external address on myip.ru looks like now, and enjoy stable operation.
All other traffic goes directly; only the hosts named in the hosts line go through the proxy.
This PAC file can be placed on a web server and loaded over http; changes to it are then picked up automatically on all devices, for example a laptop, a desktop and even a smartphone.
You can also use FoxyProxy to choose which hosts should go through the proxy, combined with a simpler PAC file; the list can then be edited directly in the browser.
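A stricter version of the PAC logic described above, added here as an example and not the post's own file: it matches listed domains together with all their subdomains, sends IP literals and single-label intranet names direct, fails closed for proxied hosts instead of falling back to DIRECT, and includes a small helper for checking the list before deploying it. proxy.example.com is a placeholder for your proxy's FQDN, and inDomain() is a hand-written stand-in for the PAC built-in dnsDomainIs() so the file also runs under Node.

```javascript
// encrypted_squid_strict.pac (added example, not the post's file)
// Placeholder FQDN: it must be the name on the Let's Encrypt certificate,
// otherwise the browser refuses the TLS connection to the proxy.
var PROXY = "HTTPS proxy.example.com:3129";

// Domain suffixes routed through the encrypted proxy; subdomains are included.
var proxied = ["myip.ru", "internet.yandex.ru"];

// Stand-in for the PAC built-in dnsDomainIs(): true if host is dom itself or a
// subdomain of it. Written by hand so the file also runs under Node for testing.
function inDomain(host, dom) {
  host = host.toLowerCase();
  return host === dom || host.slice(-(dom.length + 1)) === "." + dom;
}

function FindProxyForURL(url, host) {
  // IPv4 literals and single-label names (intranet hosts) always go direct.
  if (host.indexOf(".") === -1 || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return "DIRECT";
  }
  for (var i = 0; i < proxied.length; i++) {
    // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
    // request fails instead of silently leaving the machine unproxied.
    if (inDomain(host, proxied[i])) return PROXY;
  }
  return "DIRECT";
}

// Pre-deployment check: returns the hosts from a list that would NOT go through
// the proxy, so a typo or a too-narrow entry in `proxied` shows up immediately.
function unproxiedHosts(hosts) {
  var leaks = [];
  for (var i = 0; i < hosts.length; i++) {
    if (FindProxyForURL("http://" + hosts[i] + "/", hosts[i]) === "DIRECT") {
      leaks.push(hosts[i]);
    }
  }
  return leaks;
}
```

If the PAC file is fetched over plain http, anyone on the path can rewrite the proxy decision; serving it from the same HTTPS host as the proxy avoids that.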
Conclusion
This post was written in hot pursuit solely to demonstrate the concept of an encrypted tunnel in a browser without VPN / ssh / third-party extensions.