
Re: Exit-node keeps .$mynode.exit in dns name

M wrote:
> Thank you for the information. I'll reconfigure Squid to strip some
> headers off, that should help.
> I'll also add some options to transparent redirect so it only redirects
> http-traffic. Squid saves a lot of bandwidth every month even that I
> recreate cache every time Squid is restarted.
> Squid's cache and logs are encrypted with random key (/dev/urandom)
> using aes256. Every time Squid stops file containing encrypted fs is
> umounted and cryptsetup deletes that device. A new encrypted loop device
> is created when Squid starts. Also / and swap are encrypted, the only
> partition that isn't is /boot. So squid's cache and logs are contained in
> encrypted container that resides on encrypted partition. Should be
> pretty safe? I could not hand out keys to squid's logs and cache even if
> I wanted to because key is derived from /dev/urandom.

Interesting. I too run a squid cache, set up extremely similar to 
yours (temporary key, fs rebuilt at reboot). Since it is much 
easier to rate limit upstream rather than downstream, I find it 
is beneficial to reduce my downstream of the tor node to be 
consistently below my upstream so that other services on the
box are not choked out.

How do you plan on configuring the header stripping though? I saw
http://www.3gwt.net/zvi/squid-redirector.html and 
http://squirm.foote.com.au/ which both look like they can do the job, 
but I worry running sketchy external programs may be both a 
performance drain and a security risk. Squid seems to have plans 
for adding this support built-in in 3.0, so I was kinda hoping to 
just ignore the problem and hope it goes away :)

Also, how do you set it to pass through non-http traffic? Does
the transparent proxy support of squid do this automagically?
It seems to me there might be no way for squid to know where
to send the traffic without help from Tor... 

Maybe Tor can provide a ServerHttpProxy option for chaining a 
non-transparent http proxy after your tor node (for specific 
ports/IP ranges)? This should fix it (since there would always 
be an HTTP CONNECT issued to the correct IP by Tor), and may 
have use in other situations also.
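Added example, not a script from M or from the reply above: a start/stop helper for an ephemeral encrypted Squid cache of the kind M describes, with the key read straight from /dev/urandom so no copy of it ever exists to hand over. The container path, size, mount point and the proxy user are assumptions; it needs root to run for real, and with DRY_RUN=1 it only prints the commands it would execute.

```shell
#!/bin/sh
# Ephemeral encrypted Squid cache: a fresh random key on every start means
# the on-disk cache and logs become unreadable once the mapping is closed.
# Paths, size and user below are assumptions, not values from the thread.
CONTAINER=/var/lib/squid-crypt.img   # backing file (cryptsetup attaches a loop device)
MAPPER=squidcache                    # dm-crypt mapping name
MOUNT=/var/spool/squid               # cache_dir and access/cache logs live here
SIZE_MB=1024
DRY_RUN=${DRY_RUN:-0}

run() {
    # Print instead of execute when DRY_RUN=1, so the plan can be reviewed.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

squid_cache_start() {
    run dd if=/dev/zero of="$CONTAINER" bs=1M count="$SIZE_MB"
    # Plain dm-crypt (no header, nothing to brute-force later), AES-256 in XTS
    # mode, key bytes taken from /dev/urandom and never written anywhere.
    run cryptsetup --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom open --type plain "$CONTAINER" "$MAPPER"
    run mkfs.ext4 -q "/dev/mapper/$MAPPER"
    run mount "/dev/mapper/$MAPPER" "$MOUNT"
    run chown proxy:proxy "$MOUNT"   # assumed cache_effective_user
}

squid_cache_stop() {
    run umount "$MOUNT"
    run cryptsetup close "$MAPPER"   # key is discarded with the mapping
    run rm -f "$CONTAINER"           # ciphertext without a key; just free the space
}

# Hook these into the Squid init script: start before squid, stop after it.
case "${1:-}" in
    start) squid_cache_start ;;
    stop)  squid_cache_stop ;;
esac
```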
