
Making our own friGate, with anonymity and without ads

Introduction



Plugins for bypassing blocks, like the popular friGate, are all fine, but they have one drawback: they like to embed their own ads and, in the long run, track everything you do on the Internet.



A VPN has its own drawbacks: either all traffic goes through the remote server, or you have to set up complex routing rules.


An SSH tunnel on a laptop that is constantly going to sleep and waking up has to be restarted every time.

There are solutions like autossh, but they will not satisfy a real perfectionist.



Let's try to achieve convenience similar to friGate using services that are completely under our control.

We will need: a dedicated server with Linux/FreeBSD (I used Ubuntu), a domain, letsencrypt, squid and a bit of PAC-file magic.



A free third-level domain can be had from your hosting provider or here: freedomain.co.nr, registry.cu.cc.



Squid supports an encrypted connection from the browser, which is exactly what is needed here.

For some reason this feature is practically unknown to the general public, hence this post.








Installing Squid with SSL support



In Ubuntu, squid is built without the configure flag we need (--enable-ssl).

If you have a different distribution and it is already fine in this respect (check with squid3 -v | grep -E --color "(ssl|tls)"), skip straight to the next section.

For Ubuntu we will build our own package (following this instruction):

sudo apt-get install devscripts build-essential fakeroot libssl-dev
apt-get source squid3
sudo apt-get build-dep squid3




Apply the following patches:

 --- squid3-3.3.8/debian/rules 2013-11-15 11:49:59.052362467 +0100 +++ squid3-3.3.8/debian/rules.new 2013-11-15 11:49:35.412362836 +0100 @@ -19,6 +19,8 @@ DEB_CONFIGURE_EXTRA_FLAGS := --datadir=/usr/share/squid3 \ --sysconfdir=/etc/squid3 \ --mandir=/usr/share/man \ + --enable-ssl \ + --enable-ssl-crtd \ --enable-inline \ --enable-async-io=8 \ --enable-storeio="ufs,aufs,diskd,rock" \ 
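Review bot: the second added flag, --enable-ssl-crtd, builds the ssl_crtd helper that generates certificates for SSL-bumped connections; the setup in this post (a plain https_port serving a Let's Encrypt certificate) only needs --enable-ssl, so either drop --enable-ssl-crtd or document why it is kept. Note also that the libssl-dev build dependency the new flags require is installed by hand earlier in the post rather than added to debian/control, so a rebuild on a clean machine that relies on apt-get build-dep alone will fail at configure.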


Squid's source needs one more adjustment (src/ssl/gadgets.cc). The Firefox error sec_error_inadequate_key_usage usually occurs when you perform HTTPS filtering with recent Firefox versions. If you use Google Chrome, Microsoft Internet Explorer or Apple Safari, this step is not required.



 --- squid3-3.3.8/src/ssl/gadgets.cc 2013-07-13 09:25:14.000000000 -0400 +++ squid3-3.3.8/src/ssl/gadgets.cc.new 2013-11-26 03:25:25.461794704 -0500 @@ -257,7 +257,7 @@ mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert) { static int extensions[]= { - NID_key_usage, + //NID_key_usage, NID_ext_key_usage, NID_basic_constraints, 0 
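Review bot: commenting out NID_key_usage in mimicExtensions() only changes the certificates Squid generates itself when mimicking an origin server's certificate (SSL bump); it does not touch the Let's Encrypt certificate served on https_port, so this patch is not needed for the encrypted browser-to-proxy connection this post sets up and can be skipped unless HTTPS filtering is also enabled. If it is kept, delete the line instead of leaving it commented out, and record in the changelog that generated certificates will no longer copy the origin's Key Usage extension.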


Build and install:

cd squid3-3.3.8 && dpkg-buildpackage -rfakeroot -b
sudo apt-get install squid-langpack
sudo dpkg -i ../squid-common*.deb ../squid_*.deb




Acquiring a signed certificate using letsencrypt.org



Download scripts:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help


If you already have a web server running, stop it, because the letsencrypt script will launch its own.

In a real production setup you can verify domain control without stopping the web server; see the documentation.

We get a certificate:

./letsencrypt-auto --authenticator standalone --installer apache -d <our_domain>




If successful, the pem files will be in the /etc/letsencrypt/live/<our domain>/ directory.



Squid setup



The config is the default one; we add only the https_port option:

https_port 3129 cert=/etc/letsencrypt/live/example.com/fullchain.pem key=/etc/letsencrypt/live/example.com/privkey.pem



Optionally, add an acl to allow access only from certain IPs or by password, for example:

acl mynet src <our_ip>/32
http_access allow mynet



Start squid:

 sudo /etc/init.d/squid3 start 




Teaching the browser encrypted connections to the proxy



As stated in the Squid documentation, it has recently become possible to configure an HTTPS connection to the proxy in Firefox and Chrome, but only via a PAC file:

Chrome: PAC file or command line switch. GUI configuration appears not to be possible (yet).

...

Firefox 33.0: PAC file. GUI configuration appears not to be possible (yet).



PAC (Proxy Auto Configuration) is a javascript file that is executed by the browser in order to determine the proxy for each request.

I used the following code:

// encrypted_squid.pac
// Hosts to send through the encrypted proxy; their subdomains match as well.
var hosts = 'myip.ru internet.yandex.ru';
var blocked = hosts.split(' ');

function FindProxyForURL(url, host) {
    host = host.toLowerCase();
    for (var i = 0; i < blocked.length; i++) {
        // Exact host or a subdomain of it. The original last-two-labels trick
        // could never match a three-label entry such as internet.yandex.ru.
        if (host == blocked[i] || dnsDomainIs(host, '.' + blocked[i]))
            return "HTTPS <our_FQDN>:3129";
    }
    return "DIRECT";
}


The addresses in the hosts list are just for testing; replace them with the ones you need ;)



We point the browser at the file in the appropriate settings field (Preferences -> Advanced -> Network -> Settings), check what our external address now looks like on myip.ru, and enjoy a stable setup.

With this file, traffic goes directly to all hosts except those listed in the hosts line.

The PAC file can be put on a web server and referenced over HTTP, so changes to it automatically propagate to all your devices, for example a laptop, a desktop and even a smartphone.
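An added example (not from the original post) of how to check a PAC file's routing decisions offline before deploying it: it re-implements the standard PAC helper dnsDomainIs() and runs a FindProxyForURL of the same shape as the one above over constructed sample requests, including the lookalike-suffix and plain-hostname edge cases; <our_FQDN> is a placeholder.

```javascript
// Added example, not part of the original post. <our_FQDN> is a placeholder.
const PROXY = "HTTPS <our_FQDN>:3129";
const hosts = "myip.ru internet.yandex.ru".split(" ");

// Re-implementation of the standard PAC helper: true when host ends with
// domain, which is passed with its leading dot ("." + "myip.ru").
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();                      // browsers may pass mixed case
  if (host.indexOf(".") === -1) return "DIRECT";  // plain names: localhost, intranet
  for (const h of hosts) {
    // Exact host or a subdomain; the leading dot keeps "notmyip.ru" off the proxy.
    if (host === h || dnsDomainIs(host, "." + h)) return PROXY;
  }
  return "DIRECT";
}

// Constructed sample requests with the decision each one should get.
const CASES = [
  ["http://myip.ru/",            "myip.ru",            PROXY],
  ["https://www.myip.ru/",       "www.myip.ru",        PROXY],
  ["http://internet.yandex.ru/", "internet.yandex.ru", PROXY],
  ["http://yandex.ru/",          "yandex.ru",          "DIRECT"], // parent domain not listed
  ["http://notmyip.ru/",         "notmyip.ru",         "DIRECT"], // suffix lookalike
  ["http://MyIP.RU/",            "MyIP.RU",            PROXY],    // case-insensitive
  ["http://localhost:8080/",     "localhost",          "DIRECT"], // never proxy plain names
];

// Returns a list of mismatches; an empty list means every case routes as intended.
function checkPac() {
  const failures = [];
  for (const [url, host, want] of CASES) {
    const got = FindProxyForURL(url, host);
    if (got !== want) failures.push(host + ": got " + got + ", want " + want);
  }
  return failures;
}

console.log(checkPac().length ? checkPac() : "all PAC cases route as intended");
```

Because the PAC file decides where every request goes, serve it over HTTPS rather than plain HTTP: anyone who can alter it in transit can route your traffic through a proxy of their choosing.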



You can also use FoxyProxy to select which hosts go through the proxy, in combination with a simpler PAC file; then you can edit this list directly in the browser.



Conclusion



This post was written in haste solely to demonstrate the concept of an encrypted tunnel in the browser without VPN, ssh or third-party extensions.

Source: https://habr.com/ru/post/280236/


