[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

(FWD) How to run tor with Polipo



[I'm forwarding to the list since Juliusz is not subscribed. -RD]

----- Forwarded message from owner-or-talk@xxxxxxxxxxxxx -----

To: or-talk@xxxxxxxxxxxxx
From:  Juliusz Chroboczek <jch@xxxxxxxxxxxxxx>
Subject:  How to run tor with Polipo
Date:  Fri, 26 May 2006 19:57:35 +0200

--=-=-=

Dear all,

[ Sorry if you receive this multiple times -- it's the third time I'm
  trying to reach or-talk. ]

I've just finished implementing experimental support for SOCKS4a in
the unstable branch of Polipo.  This makes it possible to use Polipo
instead of Privoxy for browsing using tor.

Unlike Privoxy, Polipo has a number of features (pipelining, caching,
smart use of range requests) that make it faster on slow networks;
and, since tor is not the fastest network around, Polipo/tor is
noticeably more responsive than Privoxy/tor.

The downside is that Polipo does not perform application-layer
anonimisation by default.  In fact, in its default configuration
Polipo is an (almost) HTTP/1.1 compliant proxy, and hence leaks data
like crazy.  While it is possible to configure Polipo to perform some
sanitisation of HTTP headers, this does not come even close to the
amount of munging that Privoxy can do.  Please make sure you read
section (5) below before you decide whether to switch to Polipo.

Additionally, Polipo has some rather specific traffic patterns
(agressive pipelining, range requests) that make it rather easy to
spot.  The websites you access won't know who you are, but they might
realise you're running Polipo.

If you're willing to live with that, here's how to run Polipo with
tor.  Please let me know on the polipo-users list

    polipo-users@xxxxxxxxxxxxxxxxxxxxx

whether it works for you.


1. Get yourself tor

Download, compile and run the tor client.  Make sure the log file says

  [notice] Tor has successfully opened a circuit. Looks like it's working.

If you're under Debian, just apt-get install tor.  If you're using a
different system, please see

    http://tor.eff.org


2. Get yourself a recent polipo binary

You will need a binary of the unstable branch of Polipo dated 21 May
2006 or later.  For now, the only way is to compile it from the Darcs
repository itself:

  $ darcs get http://www.pps.jussieu.fr/~jch/software/repos/polipo/
  $ cd polipo
  $ make

(In case you don't have Darcs: if you're running Debian, just do
``apt-get install darcs''; if you're not, please have a look at
http://www.darcs.net/DarcsWiki/CategoryBinaries .)

If you've got the right tools, you can build the manual by running one
of

  $ make polipo.info
  $ make polipo.html
  $ make html/index.html
  $ make polipo.ps
  $ make polipo.pdf

If you don't, please see one of

  http://www.pps.jussieu.fr/~jch/software/polipo/manual/
  http://www.pps.jussieu.fr/~jch/software/polipo/polipo.pdf

You do not need to install Polipo -- Polipo will happily run from your
home directory.  But if you insist, you can do

  $ make all
  $ su -c 'make install'


3. Run Polipo and test it

 $ ./polipo socksParentProxy=localhost:9050

At this point, Polipo should be speaking to tor; however, it is
behaving as a compliant HTTP/1.1 proxy and hence LEAKING INFORMATION.
In particular, it is PUTTING YOUR HOSTNAME IN EVERY REQUEST.  Only use
this configuration for testing.

Point your browser at the proxy on localhost:8123 (for both HTTP and
HTTPS) and check whether everything is working -- have a look at

    http://ipid.shat.net/

which should show that you're coming from an IP you've never heard
about.


4. Tweak your Polipo configuration

You really need to tweak your Polipo configuration.  You do that by
creating a config file in either ~/.polipo or /etc/polipo/config.  A
sample config file is included in the file ``polipo.config''.  You can
check that Polipo is taking your configuration into account by running
``polipo -v'' or by checking http://localhost:8123/polipo/config? .

The very least you can do is to set

  disableVia = true

which will prevent Polipo from putting your hostname in every request.
I also recommend having at least

  censoredHeaders = set-cookie, cookie, cookie2, from, accept-language, x-pad
  censorReferer = maybe

which will cause Polipo to randomly munge random HTTP headers.

There are some other options that will make Polipo faster (but less
standard); please check the Polipo manual for the variables
``relaxTransparency'' and ``mindlesslyCacheVary'' (you should only set
them if you understand what they do).  It might also be worthwile to
experiment with the optimal values of serverSlots and maxServerSlots.


5. Create an on-disk cache (optional)

If you want a persistent cache of previously retrieved pages, just
create a directory /var/cache/polipo/ that the user running Polipo can
write to.  You will also want to arrange to run ``polipo -x'' once in
a while (for example from a cron job).

If you want to put your on-disk cache elsewhere, just set the variable
``diskCacheRoot'' in your config file.

Note that the persistent cache contains all of your browsing history;
additionally, it enables remote sites to see which images you already
have locally.  You will not want to enable this functionality if you
are serious about anonimity.


6. Tweak Polipo further (optional)

There's a lot of tweakables in Polipo, and the manual should pretty
much describe them all.

  http://www.pps.jussieu.fr/~jch/software/polipo/manual/
  http://www.pps.jussieu.fr/~jch/software/polipo/polipo.pdf

And of course I will gratefully accept any patches to Polipo that
improve its tweakability.

However, I will not include any functionality that attempts to rewrite
instance bodies (as opposed to headers).  I will also not cause Polipo
to perform sanitisation of headers in its default configuration, but I
will be glad to include a sanitising config file in the distribution.

                                        Juliusz

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEd0GTOyf6h3f/XzsRAiOTAJ4yqS4MbUIRwi3lErtbZCWZjPXiFACdHRX8
1JmQWnsO+YBg+3AOKRN+Lv0=
=Xy6a
-----END PGP SIGNATURE-----
--=-=-=--

----- End forwarded message -----