We make our friGate with anonymity and without advertising
Introduction
All good plugins for bypassing locks like the popular friGate, but they have one drawback - they like to embed their ads and, in the long run, keep track of everything you do on the Internet.
VPN has its drawbacks: either all traffic will go through a remote server, or it will be necessary to set up complex routing rules.
')
Ssh-tunnel on a constantly falling asleep and waking up laptop has to be restarted each time.
There are solutions like autossh, but they will not satisfy the real perfectionist.
Let's try to achieve convenience similar to friGate using services that are completely under our control.
We will need: a dedicated server with Linux / FreeBSD (I used Ubuntu), a domain, letsencrypt, squid and a bit of magic PAC-files.
Domain you can take a free 3rd level from your hoster or here: freedomain.co.nr , registry.cu.cc .
Squid supports an encrypted connection to the browser - exactly what you need for such a case.
This opportunity is for some reason practically unknown to the general public, therefore this post has appeared.
Installing Squid with SSL support
In Ubuntu, squid is compiled without supporting the keys we need (--enable-ssl)
If you have a different distribution and everything is fine with this (you can check it by running the command squid3 -v | grep -E --color "(ssl | tls)") - immediately go to the next item.
And we will build our own package for Ubuntu ( this instruction is used):
apply the following patches:
We assemble and install:
Acquiring a signed certificate using letsencrypt.org
Download scripts:
If you already have a webserver running, stop it, because the letsencrypt script will launch its.
In the case of harsh production, you can verify domain control without stopping the web server, see the documentation .
We get a certificate:
If successful, pem-files can be found in the / etc / letsencrypt / live / <our domain> / directory
Squid setup
Config - default, we add only the https_port option
Optional - acl for access only from certain ip or by password .
for example
We start squid
We learn browser encrypted connections with proxy
As stated in the Squid documentation , it is possible to configure an https connection to a proxy server in Firefox and Chrome recently, but only using a PAC file.
PAC (Proxy Auto Configuration) is a javascript file that is executed by the browser in order to determine the proxy for each request.
I used the following code:
Addresses in the list of hosts are taken for the test, dilute them with the ones you need;)
We connect the file in the appropriate field of the browser settings (Preferences -> Advanced -> Network -> Settings), check how our external address on myip.ru now looks, we enjoy stable work.
In this case, the traffic goes directly to all hosts, except those specified in the hosts line.
This pac-file can be put on a web server, connected via http and changes in it will automatically pull up on all hosts, for example, on a laptop, desktop and even a smartphone .
You can also use foxyproxy to filter hosts that need to work through a proxy in combination with a simpler PAC file — then you can edit this list directly in the browser.
Conclusion
The topic was written in hot pursuit solely to demonstrate the concept of an encrypted tunnel in a browser without using VPN / ssh / third-party extensions.
All good plugins for bypassing locks like the popular friGate, but they have one drawback - they like to embed their ads and, in the long run, keep track of everything you do on the Internet.
VPN has its drawbacks: either all traffic will go through a remote server, or it will be necessary to set up complex routing rules.
')
Ssh-tunnel on a constantly falling asleep and waking up laptop has to be restarted each time.
There are solutions like autossh, but they will not satisfy the real perfectionist.
Let's try to achieve convenience similar to friGate using services that are completely under our control.
We will need: a dedicated server with Linux / FreeBSD (I used Ubuntu), a domain, letsencrypt, squid and a bit of magic PAC-files.
Domain you can take a free 3rd level from your hoster or here: freedomain.co.nr , registry.cu.cc .
Squid supports an encrypted connection to the browser - exactly what you need for such a case.
This opportunity is for some reason practically unknown to the general public, therefore this post has appeared.
Installing Squid with SSL support
In Ubuntu, squid is compiled without supporting the keys we need (--enable-ssl)
If you have a different distribution and everything is fine with this (you can check it by running the command squid3 -v | grep -E --color "(ssl | tls)") - immediately go to the next item.
And we will build our own package for Ubuntu ( this instruction is used):
sudo apt-get install devscripts build-essential fakeroot libssl-dev apt-get source squid3 sudo apt-get build-dep squid3 apply the following patches:
--- squid3-3.3.8/debian/rules 2013-11-15 11:49:59.052362467 +0100 +++ squid3-3.3.8/debian/rules.new 2013-11-15 11:49:35.412362836 +0100 @@ -19,6 +19,8 @@ DEB_CONFIGURE_EXTRA_FLAGS := --datadir=/usr/share/squid3 \ --sysconfdir=/etc/squid3 \ --mandir=/usr/share/man \ + --enable-ssl \ + --enable-ssl-crtd \ --enable-inline \ --enable-async-io=8 \ --enable-storeio="ufs,aufs,diskd,rock" \
eng
Squid Proxy needs to be adjusted too (src / ssl / gadgets.cc). Firefox error sec_error_inadequate_key_usage this usually occurs when you prevent HTTPS filtering with the latest Firefox browsers. If you use Google Chrome, Microsoft Internet Explorer or Apple Safari this step is not required.
--- squid3-3.3.8/src/ssl/gadgets.cc 2013-07-13 09:25:14.000000000 -0400 +++ squid3-3.3.8/src/ssl/gadgets.cc.new 2013-11-26 03:25:25.461794704 -0500 @@ -257,7 +257,7 @@ mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert) { static int extensions[]= { - NID_key_usage, + //NID_key_usage, NID_ext_key_usage, NID_basic_constraints, 0
We assemble and install:
cd squid3-3.3.8 && dpkg-buildpackage -rfakeroot -b sudo apt-get install squid-langpack sudo dpkg -i ../squid-common*.deb ../squid_*.deb
Acquiring a signed certificate using letsencrypt.org
Download scripts:
git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto --help
If you already have a webserver running, stop it, because the letsencrypt script will launch its.
In the case of harsh production, you can verify domain control without stopping the web server, see the documentation .
We get a certificate:
./letsencrypt-auto --authenticator standalone --installer apache -d <_.>
If successful, pem-files can be found in the / etc / letsencrypt / live / <our domain> / directory
Squid setup
Config - default, we add only the https_port option
https_port 3129 cert=/etc/letsencrypt/live/example.com/fullchain.pem key=/etc/letsencrypt/live/example.com/privkey.pem
Optional - acl for access only from certain ip or by password .
for example
acl mynet src <__ip>/32
http_access allow mynet
We start squid
sudo /etc/init.d/squid3 start
We learn browser encrypted connections with proxy
As stated in the Squid documentation , it is possible to configure an https connection to a proxy server in Firefox and Chrome recently, but only using a PAC file.
PAC file switch line switch. GUI configuration appears not to be possible (yet).
...
Firefox 33.0 Browser PAC file. GUI configuration appears not to be possible (yet).
PAC (Proxy Auto Configuration) is a javascript file that is executed by the browser in order to determine the proxy for each request.
I used the following code:
// encrypted_squid.pac var hosts = 'myip.ru internet.yandex.ru'; var blocked = hosts.split(' '); function FindProxyForURL(url, host) { var shost = host.split('.').reverse(); shost = shost[1] + '.' + shost[0]; for(var i = 0; i < blocked.length; i++) { if( shost == blocked[i] ) return "HTTPS <__FQDN>:3129"; } return "DIRECT"; }
Addresses in the list of hosts are taken for the test, dilute them with the ones you need;)
We connect the file in the appropriate field of the browser settings (Preferences -> Advanced -> Network -> Settings), check how our external address on myip.ru now looks, we enjoy stable work.
In this case, the traffic goes directly to all hosts, except those specified in the hosts line.
This pac-file can be put on a web server, connected via http and changes in it will automatically pull up on all hosts, for example, on a laptop, desktop and even a smartphone .
You can also use foxyproxy to filter hosts that need to work through a proxy in combination with a simpler PAC file — then you can edit this list directly in the browser.
Conclusion
The topic was written in hot pursuit solely to demonstrate the concept of an encrypted tunnel in a browser without using VPN / ssh / third-party extensions.
Source: https://habr.com/ru/post/280236/
All Articles