Privacy Enhancing Filtering Proxy Chain for OS X
A privacy-enhancing web proxy is a nearly essential tool on the modern web: it blocks ads and malicious scripts, and conceals information used to track you around the web. I've provided a quick setup below in case it's useful to others. This will build a privatizing squid -> privoxy proxy chain that works with any browser and can be used by anyone on your LAN, including (and especially) over secure VPN logins and ssh tunnels. In my experience, this setup is a lot more capable and effective than using a simple adblocking Firefox Add-On. There's a world of difference between reading ad-filled web pages with and without a filtering proxy server. I've also included information for a polipo proxy that can be used with Tor for full anonymity, as well as a script for ssh tunnelling.
- Install Xcode and Macports
- Install squid, privoxy, and polipo:
$ sudo port selfupdate
$ sudo port install squid privoxy polipo
$ sudo port load squid privoxy polipo
Configure the squid/privoxy/polipo config files shown below, then relaunch the proxies and test to make sure they're up:
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Squid.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Privoxy.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Privoxy.plist
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Polipo.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Polipo.plist
$ nmap -p 3128,8118,8123 localhost
Starting Nmap 5.51 ( http://nmap.org ) at 2012-02-07 11:47 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
3128/tcp open squid-http
8118/tcp open privoxy
8123/tcp open polipo
Now web applications can use your filtering web proxy chain. If you use the config files below, websites will not know where you came from (the Referer header, HTTP_REFERER, is forged), will not know your real User-Agent (also forged), and several other HTTP header fields are stripped so they cannot be read. Ads are filtered. Your connection looks like this:
Application <--port 3128--> Squid <--port 8118--> Privoxy <----> Internet
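To verify that the chain really does what the paragraph above says, here is an added checker (my own example, not part of the original post or of the squid/privoxy projects). It starts a throwaway local web server that plays the origin site and reports back the request headers it received, then sends a probe request carrying a Referer, User-Agent and From header either directly or through a proxy URL you pass in. Run it with proxy="http://localhost:3128" against the chain from this post and compare with the direct run: a correctly configured chain should forge Referer and User-Agent and drop From, and should not add Via or X-Forwarded-For. The probe header values are constructed for the example.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers the squid/privoxy chain in the post is configured to strip or forge.
SENSITIVE = ("Referer", "User-Agent", "From", "Via", "X-Forwarded-For", "Forwarded-For")

# Constructed probe values; anything distinctive works, they only need to be recognisable.
PROBE_HEADERS = {
    "Referer": "http://example.invalid/previous-page",
    "User-Agent": "LeakProbe/1.0",
    "From": "probe@example.invalid",
}


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in for the origin web site: answers with the request headers it saw, as JSON."""

    def do_GET(self):
        body = json.dumps(dict(self.headers.items())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_echo_server():
    """Bind the echo server on an ephemeral loopback port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def headers_seen_by_origin(url, proxy=None, sent_headers=None):
    """GET url (via an HTTP proxy URL if given, ignoring environment proxies otherwise)
    and return the header dict the origin reported."""
    proxies = {"http": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(url, headers=sent_headers or {})
    with opener.open(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def leak_report(proxy=None):
    """Map each sensitive header name to the value the origin saw (None if absent)."""
    srv = start_echo_server()
    try:
        url = f"http://127.0.0.1:{srv.server_port}/probe"
        seen = headers_seen_by_origin(url, proxy, PROBE_HEADERS)
    finally:
        srv.shutdown()
        srv.server_close()
    lower = {k.lower(): v for k, v in seen.items()}  # header names are case-insensitive
    return {name: lower.get(name.lower()) for name in SENSITIVE}


def leaked_unchanged(report):
    """Sensitive headers that reached the origin with exactly the value we sent."""
    return sorted(h for h, v in report.items() if v is not None and PROBE_HEADERS.get(h) == v)


if __name__ == "__main__":
    import sys
    proxy_url = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. http://localhost:3128
    rep = leak_report(proxy_url)
    for name, value in rep.items():
        print(f"{name:16} {value!r}")
    print("leaked unchanged:", leaked_unchanged(rep))
```

The direct run (no proxy) is the baseline: all three probe headers arrive untouched. When you point it at the chain, anything still listed under "leaked unchanged" is a header the squid.conf or match-all.action below is not handling, so check the corresponding header_access or hide-* line.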
- Configure your network to add an option to route your web traffic through this proxy. System Preferences>Network>Wi-Fi/Ethernet/...>Locations:>Edit Locations...> Gear icon, Duplicate Location, Advanced...>Proxies> Check boxes for HTTP and HTTPS web proxies with proxy server localhost:3128.
- While you're at it, configure your OS and browsers to block Adobe flash cookies. Read this WSJ article series to understand how this impacts your privacy.
- System Preferences>Flash Player>Block all sites from storing information, using your camera and microphone, and networking with peers. Also Delete all data and go to this Adobe Flash Player Settings web page and block all sites from storing information, using your camera and microphone, and networking with peers.
- Firefox/Safari>DO NOT ALLOW third party cookies, request not to be tracked
- Firefox Add-Ons: NoScript (blocks/manages JavaScript), Beef TACO (blocks/manages flash cookies), BetterPrivacy (blocks/manages flash cookies), and the EFF's HTTPS Everywhere.
- You can also download the Tor anonymous proxy chain for both OS X and iOS devices. This will run a little polipo proxy natively on mobile devices.
Here are the config file settings. Search through each config file to see the appropriate location for these settings. Turn off http_access and icp_access (squid), permit-access (privoxy), and allowedClients (polipo) if you do not want everyone on your LAN to be able to use the proxy. Double check that you're not running an open web proxy on the internet.
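One quick way to do that double check from the proxy host itself is to look at which address each proxy port is bound to. The script below is an added example (mine, not from the post or from the squid/privoxy/polipo projects): it parses the output of `netstat -an -p tcp` as printed on OS X and flags the three proxy ports from this post when they are listening on the wildcard address, which is what polipo's proxyAddress = "0.0.0.0" and squid's default http_port give you. The sample netstat lines are constructed for the example. A wildcard binding is only half the story: the http_access / permit-access / allowedClients rules still decide who gets served, so treat a hit here as a prompt to check those ACLs and your router's port forwarding, not as proof of an open proxy.

```python
import re
import subprocess

# Ports used by the chain in this post.
PROXY_PORTS = {3128: "squid", 8118: "privoxy", 8123: "polipo"}

# Constructed sample in the layout of `netstat -an -p tcp` on OS X.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.3128                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.8118         *.*                    LISTEN
tcp4       0      0  *.8123                 *.*                    LISTEN
tcp4       0      0  10.0.1.5.3128          10.0.1.20.52311        ESTABLISHED
tcp4       0      0  127.0.0.1.22           *.*                    LISTEN
"""

# proto recv-q send-q local(addr.port) foreign state; BSD netstat joins addr and port with a dot.
LISTEN_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+\s+LISTEN\s*$")

WILDCARDS = ("*", "0.0.0.0", "::")


def listening_proxies(netstat_output):
    """Return {port: (service, local_address)} for proxy ports that are in LISTEN state."""
    found = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in PROXY_PORTS:
            found[port] = (PROXY_PORTS[port], addr)
    return found


def exposed_proxies(netstat_output):
    """Proxy ports bound to a wildcard address, i.e. reachable on every interface."""
    listening = listening_proxies(netstat_output)
    return sorted(port for port, (_, addr) in listening.items() if addr in WILDCARDS)


def live_netstat():
    """Capture the real table on OS X (assumes the BSD netstat flags shown in the lead-in)."""
    return subprocess.run(["netstat", "-an", "-p", "tcp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    output = live_netstat()
    for port, (service, addr) in sorted(listening_proxies(output).items()):
        print(f"{service:8} {addr}:{port}")
    exposed = exposed_proxies(output)
    print("bound on all interfaces:", [PROXY_PORTS[p] for p in exposed] or "none")
```

In the constructed sample, privoxy is the only proxy bound to loopback, which matches the intended chain: only squid (and polipo, if you use it with Tor) needs to be reachable from the LAN, and privoxy is only ever contacted by squid on the same host.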
$ sudo vi /opt/local/etc/squid/squid.conf
# See http://www.privoxy.org/user-manual/config.html
# Define Privoxy as parent proxy (without ICP)
cache_peer 127.0.0.1 parent 8118 7 no-query
http_access allow localnet
icp_access allow localnet
via off
# old 'http_anonymizer standard'
header_access From deny all
# forge Referer in Privoxy
# header_access Referer deny all
header_access Server deny all
# forge User-Agent in Privoxy
# header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
# more privacy
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
shutdown_lifetime 10 seconds
# See http://www.privoxy.org/user-manual/config.html
# Define ACL for protocol FTP
acl ftp proto FTP
# Do not forward FTP requests to Privoxy
always_direct allow ftp
# See http://www.privoxy.org/user-manual/config.html
# Forward all the rest to Privoxy
never_direct allow all
dns_nameservers 10.0.1.2 10.0.1.1
forwarded_for off
$ sudo vi /opt/local/etc/privoxy/config
forward / .
$ sudo vi /opt/local/etc/privoxy/match-all.action
{ \
+change-x-forwarded-for{block} \
+deanimate-gifs{last} \
+filter{refresh-tags} \
+filter{img-reorder} \
+filter{banners-by-size} \
+filter{webbugs} \
+filter{jumping-windows} \
+filter{ie-exploits} \
+hide-from-header{block} \
+hide-referrer{conditional-block} \
+session-cookies-only \
+set-image-blocker{pattern} \
}
/ # Match all URLs
# See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
{ \
+hide-referrer{conditional-forge} \
+hide-user-agent{Mozilla/5.0} \
}
/ # Match all URLs
$ sudo vi /opt/local/etc/privoxy/user.action
# fix bing's travel site, others
{ -block }
ads1.msn.com/
.bing.com/travel/jsxc\.vjs\?
.onecause.com
.apple.com
.go.com
# sourceforge
{ -block -filter -deanimate-gifs}
.sourceforge.net
.dell.com
# expedia
{ -hide-user-agent }
.expedia.com
# don't filter downloads
{-filter -deanimate-gifs}
/.*\.iso(\?|$)
/.*\.mp3(\?|$)
/.*\.mp4(\?|$)
/.*\.mov(\?|$)
/.*\.mpg(\?|$)
/.*\.ogg(\?|$)
/.*\.aac(\?|$)
/.*\.zip(\?|$)
/.*\.pdf(\?|$)
/.*\.dmg(\?|$)
/.*\.tar(\?|$)
/.*\.gz(\?|$)
/.*\.dat(\?|$)
$ sudo vi /opt/local/etc/polipo/config
proxyAddress = "0.0.0.0" # IPv4 only
allowedClients = 127.0.0.1, 10.0.1.0/16
Mac mini, Mac OS X (10.7.3), Lion Server, 8 GB