Building Tor + Privoxy + Squid
Overview
- Ten Tor instances, ten Privoxy instances and one Squid on a single server are used to compensate for the main drawback of a single Tor instance (its bandwidth limit).
- The tor and privoxy init scripts were modified to run multiple instances.
Architecture
[Architecture diagram: client -> Squid (port 3128) -> Privoxy x10 (ports 8118-8127) -> Tor x10 (SocksPort 9050-9059) -> Tor network]
Description
- Run Tor as 10 instances (one port each).
- Run Privoxy as 10 instances (one port each).
- Configure Squid to distribute requests across the 10 Privoxy instances.
Building Tor
Installing tor
$ yum install tor
Configuring multiple tor instances
Create 10 files in the format below (9050-9059)
$ vi /etc/tor/torrc.{port}
user nobody
runasdaemon 1
PidFile /var/run/tor/tor.{port}.pid
log notice file /var/log/tor/tor.{port}.log
datadirectory /var/lib/tor/tor.{port}
SocksPort {port}
Auto-generation script
$ vi multiTorrc.sh
#!/usr/bin/env bash
# Generate one torrc per instance: torrc.9050 ... torrc.9059
torrcPath=/etc/tor/
torMaxInstances=10
torPort=9050
[ -n "$torrcPath" ] && pushd "$torrcPath" > /dev/null
for ((i=1; i <= torMaxInstances; i++))
do
    echo "Created ${torrcPath}torrc.$torPort"
    echo "user nobody" > torrc.$torPort
    echo "runasdaemon 1" >> torrc.$torPort
    echo "PidFile /var/run/tor/tor.$torPort.pid" >> torrc.$torPort
    echo "log notice file /var/log/tor/tor.$torPort.log" >> torrc.$torPort
    echo "datadirectory /var/lib/tor/tor.$torPort" >> torrc.$torPort
    echo "SocksPort $torPort" >> torrc.$torPort
    ((torPort++))
done
[ -n "$torrcPath" ] && popd > /dev/null
$ bash multiTorrc.sh
Created /etc/tor/torrc.9050
Created /etc/tor/torrc.9051
Created /etc/tor/torrc.9052
Created /etc/tor/torrc.9053
Created /etc/tor/torrc.9054
Created /etc/tor/torrc.9055
Created /etc/tor/torrc.9056
Created /etc/tor/torrc.9057
Created /etc/tor/torrc.9058
Created /etc/tor/torrc.9059
Multi-instance startup configuration
$ vi /etc/sysconfig/tor
n = 0
MAX_FILEDESCRIPTORS = 8192
PIDFILE = /var/run/tor/tor.pid
TOR_CONFIG = /etc/tor/torrc
TOR_USER = _tor
config[n++] = TOR_CONFIG:/etc/tor/torrc.9050
config[n++] = TOR_CONFIG:/etc/tor/torrc.9051
config[n++] = TOR_CONFIG:/etc/tor/torrc.9052
config[n++] = TOR_CONFIG:/etc/tor/torrc.9053
config[n++] = TOR_CONFIG:/etc/tor/torrc.9054
config[n++] = TOR_CONFIG:/etc/tor/torrc.9055
config[n++] = TOR_CONFIG:/etc/tor/torrc.9056
config[n++] = TOR_CONFIG:/etc/tor/torrc.9057
config[n++] = TOR_CONFIG:/etc/tor/torrc.9058
config[n++] = TOR_CONFIG:/etc/tor/torrc.9059
Starting tor
$ /etc/init.d/tor start
Stopping tor with /etc/tor/torrc.9050: [ OK ]
Stopping tor with /etc/tor/torrc.9051: [ OK ]
Stopping tor with /etc/tor/torrc.9052: [ OK ]
Stopping tor with /etc/tor/torrc.9053: [ OK ]
Stopping tor with /etc/tor/torrc.9054: [ OK ]
Stopping tor with /etc/tor/torrc.9055: [ OK ]
Stopping tor with /etc/tor/torrc.9056: [ OK ]
Stopping tor with /etc/tor/torrc.9057: [ OK ]
Stopping tor with /etc/tor/torrc.9058: [ OK ]
Stopping tor with /etc/tor/torrc.9059: [ OK ]
Stopping tor with /etc/tor/torrc.9060: [ OK ]
Building Privoxy
Installing privoxy
$ yum install privoxy
Configuring multiple privoxy instances
Create 10 files in the format below (8118-8127)
$ vi /etc/privoxy/config.tor.{port}
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
filterfile user.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300
# privoxy IP:PORT
listen-address 127.0.0.1:{port}
# tor IP:PORT
forward-socks4a / 127.0.0.1:{torPort} .
Auto-generation script
$ vi multiPrivoxyConfig.sh
#!/usr/bin/env bash
# Generate one privoxy config per instance: config.tor.8118 ... config.tor.8127,
# each forwarding to its own tor SocksPort (9050 ... 9059).
privoxyPath=/etc/privoxy/
torMaxInstances=10
torPort=9050
privoxyPort=8118
[ -n "$privoxyPath" ] && pushd "$privoxyPath" > /dev/null
for ((i=1; i <= torMaxInstances; i++))
do
    buf=$(cat << EOF
confdir /etc/privoxy
logdir /var/log/privoxy
actionsfile match-all.action
actionsfile default.action
actionsfile user.action
filterfile default.filter
filterfile user.filter
logfile logfile
toggle 1
enable-remote-toggle 0
enable-remote-http-toggle 0
enable-edit-actions 0
enforce-blocks 0
buffer-limit 4096
enable-proxy-authentication-forwarding 0
forwarded-connect-retries 0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 5
tolerate-pipelining 1
socket-timeout 300
# privoxy IP:PORT
listen-address 127.0.0.1:$privoxyPort
# tor IP:PORT
forward-socks4a / 127.0.0.1:$torPort .
EOF
)
    echo "Created ${privoxyPath}config.tor.$privoxyPort"
    echo "$buf" > config.tor.$privoxyPort
    ((privoxyPort++))
    ((torPort++))
done
[ -n "$privoxyPath" ] && popd > /dev/null
$ bash multiPrivoxyConfig.sh
Created /etc/privoxy/config.tor.8118
Created /etc/privoxy/config.tor.8119
Created /etc/privoxy/config.tor.8120
Created /etc/privoxy/config.tor.8121
Created /etc/privoxy/config.tor.8122
Created /etc/privoxy/config.tor.8123
Created /etc/privoxy/config.tor.8124
Created /etc/privoxy/config.tor.8125
Created /etc/privoxy/config.tor.8126
Created /etc/privoxy/config.tor.8127
Multi-instance startup configuration
$ vi /etc/sysconfig/privoxy
n = 0
PIDFILE = /var/run/privoxy/privoxy.pid
PRIVOXY_CONFIG = /etc/privoxy/config.tor
PRIVOXY_USER = nobody
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8118,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8118.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8119,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8119.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8120,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8120.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8121,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8121.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8122,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8122.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8123,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8123.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8124,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8124.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8125,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8125.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8126,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8126.pid
config[n++] = PRIVOXY_CONFIG:/etc/privoxy/config.tor.8127,PRIVOXY_PIDFILE:/var/run/privoxy/privoxy.8127.pid
Starting privoxy
$ /etc/init.d/privoxy start
Starting privoxy with /etc/privoxy/config.tor.8118: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8119: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8120: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8121: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8122: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8123: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8124: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8125: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8126: [ OK ]
Starting privoxy with /etc/privoxy/config.tor.8127: [ OK ]
Building Squid
Installing squid
$ yum install squid
Squid load-distribution configuration
$ vi /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_peer localhost parent 8118 0 round-robin no-query
cache_peer localhost1 parent 8119 0 round-robin no-query
cache_peer localhost2 parent 8120 0 round-robin no-query
cache_peer localhost3 parent 8121 0 round-robin no-query
cache_peer localhost4 parent 8122 0 round-robin no-query
cache_peer localhost5 parent 8123 0 round-robin no-query
cache_peer localhost6 parent 8124 0 round-robin no-query
cache_peer localhost7 parent 8125 0 round-robin no-query
cache_peer localhost8 parent 8126 0 round-robin no-query
cache_peer localhost9 parent 8127 0 round-robin no-query
never_direct allow all
always_direct deny all
forwarded_for off
Description
- Because cache_peer does not accept duplicate hostnames, assign distinct hostnames as above and add them to /etc/hosts.
Adding hosts
$ vi /etc/hosts
127.0.0.1 localhost1
127.0.0.1 localhost2
127.0.0.1 localhost3
127.0.0.1 localhost4
127.0.0.1 localhost5
127.0.0.1 localhost6
127.0.0.1 localhost7
127.0.0.1 localhost8
127.0.0.1 localhost9
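A generator for the cache_peer block above, added here as an example and not part of the original page: it uses Squid's cache_peer name= option to give every peer a unique name, so all ten peers can stay on 127.0.0.1 without the localhost1..localhost9 aliases in /etc/hosts. The port range 8118-8127 and the privoxyNNNN peer names are assumptions taken from this page's layout.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate the Squid cache_peer
# block for the ten Privoxy instances above. It uses Squid's cache_peer
# "name=" option to give each peer a unique name, so every peer can stay on
# 127.0.0.1 without the localhost1..localhost9 aliases in /etc/hosts.
# Assumes Privoxy listens on 8118-8127 as configured on this page.
set -u

# Print one cache_peer line per Privoxy port: $1 = first port, $2 = count.
squid_peers() {
    local first=$1 count=$2 i=0 port
    while [ "$i" -lt "$count" ]; do
        port=$((first + i))
        # name= must be unique per peer; the host/IP itself may repeat.
        printf 'cache_peer 127.0.0.1 parent %d 0 round-robin no-query name=privoxy%d\n' \
            "$port" "$port"
        i=$((i + 1))
    done
    # Never contact origin servers directly: everything must go via a parent.
    printf 'never_direct allow all\nalways_direct deny all\nforwarded_for off\n'
}

# Count cache_peer lines in a generated block ($1); sanity check before install.
peer_count() {
    printf '%s\n' "$1" | grep -c '^cache_peer '
}

# With "print", emit the block to paste into /etc/squid/squid.conf, then
# validate the whole file with "squid -k parse" before reloading.
if [ "${1:-}" = print ]; then squid_peers 8118 10; fi
```

Run it as `bash squidPeers.sh print` and paste the output in place of the cache_peer and /etc/hosts lines above.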
Starting squid
$ /etc/init.d/squid start
squid (을)를 시작 중: [ OK ]
Test
Verifying the tor+privoxy+squid chain
Building a Tor Hidden Service
Local service
Configuration
This is a way to offer a service on the current server anonymously. Because the server's location is assigned as a domain of the form *.onion, clients must use tor to reach the service.
The configuration to expose the daemon running on port 80 of this server as *.onion:80 is as follows.
$ vi /etc/tor/torrc
HiddenServiceDir /var/lib/tor/tor.hidden.localhost.80
HiddenServicePort 80 127.0.0.1:80
$ /etc/init.d/tor restart
Checking the assigned domain
$ cat /var/lib/tor/tor.hidden.localhost.80/hostname
wys7q5rvgioasdhj.onion
Test
$ curl --proxy localhost:3128 --header "Host: localhost" http://wys7q5rvgioasdhj.onion
External service
Configuration
This is a way to offer an external service, rather than one on the current server, anonymously.
The configuration to forward all requests arriving at this server (*.onion:80) to ip.example.com:80 is as follows.
$ vi /etc/tor/torrc
HiddenServiceDir /var/lib/tor/tor.hidden.ip.example.com.80
HiddenServicePort 80 ip.example.com:80
$ /etc/init.d/tor restart
Checking the assigned domain
$ cat /var/lib/tor/tor.hidden.ip.example.com.80/hostname
wys7q5rvgioasdhj.onion
Test
$ curl --proxy localhost:3128 --header "Host: ip.example.com" http://wys7q5rvgioasdhj.onion
Checking the IP change
IP check URL
text mode (default)
http://ip.vozlt.com/myip
html mode
http://ip.vozlt.com/myip/html
xml mode
http://ip.vozlt.com/myip/xml
Verifying the tor+privoxy chain
Check whether REMOTE_ADDR has changed
$ curl --proxy localhost:8118 http://ip.vozlt.com/myip
>>> REMOTE_ADDR: 46.38.57.196
>>> REMOTE_PORT: 46021
>>> HTTP_USER_AGENT: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
>>> OS: N/A
>>> BROWSER: N/A
>>> ISP_CODE: --
>>> ISP_NAME: N/A
>>> COUNTRY_CODE: RU
>>> COUNTRY_NAME: Russian Federation
>>> CITY:
>>> LATITUDE: 60
>>> LONGITUDE: 100
Verifying the tor+privoxy+squid chain
Check whether the IP changes when querying each Privoxy port (8118-8127)
$ curl --proxy localhost:8118 http://ip.vozlt.com/myip
>>> REMOTE_ADDR: 212.83.151.26
>>> REMOTE_PORT: 34334
>>> HTTP_USER_AGENT: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
>>> OS: N/A
>>> BROWSER: N/A
>>> ISP_CODE: --
>>> ISP_NAME: N/A
>>> COUNTRY_CODE: FR
>>> COUNTRY_NAME: France
>>> CITY:
>>> LATITUDE: 46
>>> LONGITUDE: 2
Check whether the IP changes across consecutive queries to the Squid port (3128)
$ curl --proxy localhost:3128 http://ip.vozlt.com/myip
>>> REMOTE_ADDR: 37.130.227.133
>>> REMOTE_PORT: 21687
>>> HTTP_USER_AGENT: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
>>> OS: N/A
>>> BROWSER: N/A
>>> ISP_CODE: --
>>> ISP_NAME: N/A
>>> COUNTRY_CODE: GB
>>> COUNTRY_NAME: United Kingdom
>>> CITY:
>>> LATITUDE:
>>> LONGITUDE:
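A script that automates the checks above, added as an example that is not part of the original page: it queries the IP check URL through each Privoxy port and through Squid and fails if any proxy reports the server's own direct address, which would mean traffic is bypassing Tor. The ports 8118-8127 and 3128 and the ">>> KEY: value" response format come from this page; the SAMPLE_RESPONSE constant is constructed for offline checks.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: query the IP-check URL through
# each Privoxy port (8118-8127) and through Squid (3128), and confirm that no
# proxy reports the server's own (direct) address, i.e. nothing bypasses Tor.
# Assumes the port layout above and the ">>> KEY: value" response format.
set -u

IPCHECK_URL=${IPCHECK_URL:-http://ip.vozlt.com/myip}
# Constructed sample response in the page's output format, for offline checks.
SAMPLE_RESPONSE='>>> REMOTE_ADDR: 212.83.151.26
>>> REMOTE_PORT: 34334
>>> COUNTRY_CODE: FR'

# Extract the REMOTE_ADDR value from a myip response body ($1).
remote_addr() {
    printf '%s\n' "$1" | sed -n 's/^>>> REMOTE_ADDR: *\([0-9.]*\).*/\1/p' | head -n 1
}

# Count distinct addresses in a whitespace-separated list ($1).
distinct_count() {
    printf '%s\n' $1 | sort -u | grep -c .
}

# Succeed only if none of the addresses ($2...) equals the direct address ($1).
no_leak() {
    local direct=$1 ip
    shift
    for ip in "$@"; do
        [ "$ip" = "$direct" ] && return 1
    done
    return 0
}

# Query every proxy port, report each exit address and fail on a leak.
check_chain() {
    local direct seen="" port body ip
    direct=$(remote_addr "$(curl -s --max-time 20 "$IPCHECK_URL" || true)")
    [ -n "$direct" ] || { echo "direct lookup failed"; return 1; }
    for port in $(seq 8118 8127) 3128; do
        body=$(curl -s --max-time 60 --proxy "localhost:$port" "$IPCHECK_URL" || true)
        ip=$(remote_addr "$body")
        [ -n "$ip" ] || { echo "port $port: request failed"; continue; }
        echo "port $port: exit address $ip"
        seen="$seen $ip"
    done
    no_leak "$direct" $seen || { echo "LEAK: direct address $direct seen via a proxy"; return 1; }
    echo "$(distinct_count "$seen") distinct exit addresses"
}

if [ "${1:-}" = run ]; then check_chain; fi
```

Run it as `bash checkChain.sh run` on the proxy host; a non-zero exit means a proxy reached the check URL with the server's real address.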