JAP -- ANONYMITY & PRIVACY

Howto: Compile and run a Mix server on Linux/UNIX with administration scripts

This manual covers helper scripts for the Mix server and a web proxy, and the installation of a web/http and socks proxy. They are useful if you want to automatically update your code instead of doing a lot of hand-work on each update.

Preparing the server

  • Encrypt the file system of your server

    We propose Operators to encrypt their server file system before installation. This will prevent an automatic restart of your server, but gives you some protection from possibly manipulating server hosters.

  • Stop and uninstall all other network services

    Stop all services that accept connections from the internet. Only SSH and the Mix process should listen to outside connections. (If you do not understand these terms, you should better not run a Mix).

  • Protect your server against brute force login attacks

    For making it harder to hack your server login, use SSH certificates for login or install login protection software like fail2ban or portknocking.

Directories

To run the mix you should create the following directories:

/home/mix/Mixproxy binaries and configuration for Mix server
To create a directory, type
mkdir [directory name]
In each of the directories the subdirectories
./backup
./cvs
will be generated by the scripts../backup holds old binaries and their log files. As you see you may easily go back to an old but working installation if an update has failed. In ./cvs the source files are stored (and overwritten) when getting a new source code version.

Executables

Please put the following executable files in the proper directories. Note that the InfoService files are optional. There is also a firewall script, but if you want to use it, you will have to adapt it to your needs first.
/home/mix/runANONServer
common script to start, shutdown update and monitor the Mix and the InfoService
/home/mix/rc.status.anon
script for printing status messages
/home/mix/Mixproxy/mix
Mix server binary
/home/mix/Mixproxy/runMixproxy
script to start, shutdown update and monitor the Mix
/home/mix/squidconfigure
configure script for optimizing the squid 2.6 compilation
Make sure that each of these file is really executable by typing
chmod -R /home/mix/* +x

You might also need to convert the executable files to the unix format by installing the sysutils or tofrodos package

e.g. with apt by

apt-get update
apt-get install tofrodos

and typing

dos2unix <filename>
on each of the files.

Config files

For running the mix, you only need the config file (typically named config.xml) generated by the MixConfig tool. Please name and place the config files as shown below, otherwise you will have to adapt one or more of the executable scripts and the links to them.
/home/mix/Mixproxy/config.xml
config file for the Mix server
/home/mix/squid.conf
config file for squid proxy
/home/mix/squid-block.acl
a file containing blocked websites
/home/mix/danted.conf
configuration file for dante SOCKS server, also containing blocked websites

Squid proxy installation (for last mixes)

Download the newest squid 2.7 stable sourcecode from

http://www.squid-cache.org/Versions/v2/2.7/

and unpack to /home/mix by typing

tar xzf squid-2.7.STABLE6.tar.gz

Copy the executable squidconfigure into the newly created directory squid-2.7.STABLE6 and type

./squidconfigure
make
make install

Squid is now installed in /usr/local/squid. Link the squid executable to /usr/sbin

ln -s /usr/local/squid/sbin/squid /usr/sbin/squid
mv /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf~
ln -s /home/mix/squid.conf /usr/local/squid/etc/squid.conf
ln -s /home/mix/squid-block.acl /usr/local/squid/etc/squid-block.acl
Create the cache files
mkdir /var/spool/squid
chown proxy:proxy /var/spool/squid
squid -z -d 3

and start squid:

ulimit -HSn 64000
squid

Dante SOCKS server installation (for last Premium Mixes)

Dante is a SOCKS server you may add to your last Mix BESIDES squid. Squid is still necessary, but dante will add more features to your Mix.

For installation with apt, this command should be sufficient:

apt-get install dante-server

For non-Debian-Systems, you might have to use a non-apt package

Download Dante 1.1.9 (FTP) (or try the general download directory)

For Debian Lenny, this trick might work:

http://forums.debian.net/viewtopic.php?p=200782&sid=0ac40513a6bd89bbb5b052640ae09253

Now you may use the prepared configuration. It will block outgoing mail ports to prevent spam. If you do not care about that, you may open them, though. The configuration also contains the list of blocked web sites (for the squid configuration, this is a separate list, not so for dante).

mv /etc/danted.conf /etc/danted.conf~
ln -s /home/mix/danted.conf /etc/danted.conf

Please edit the danted.conf so that your exit IP address is marked as external, e.g.

external: 87.230.20.185 (This is the example entry)

Otherwise dante will not start.

Please note: You will have to edit the Mix configuration, add the SOCKS proxy with the right host and port (localhost, 1080) and restart the Mix before it can use the Dante server.

Then you should start or restart the dante server:

/etc/init.d/danted restart

Link to the executable

You should set some system-wide links, so that you can use the startup scripts from every directoy:
su
ln -s /home/mix/Mixproxy/runMixproxy /usr/bin/mixproxy
exit

Before Mix compilation, may need to install some packages in order to compile the code:

  • cvs
  • g++
  • gcc
  • gpp
  • make
  • automake
  • postgresql
  • postgresql-dev or libpq-dev (might other names on different systems)
  • libssl-dev
  • libxerces27-dev (or newer)

and dependencies. If you do not find one or more of these libraries, you may, on Debian/Ubuntu systems, look for them using the apt-cache search command.

If you do not run a Premium Mix but only a free one, please remove the respective compile command "--enable-payment" from the runMixproxy script first:

...

export COMPILE_OPTIONS="--enable-payment --enable-server_monitoring"

...

You may now update the mix with the newest CVS code by typing

mixproxy cvs compile update

Troubleshooting

If, for some reason, the scripts do not work on your system, you should first check the script options in runMixproxy.

  • COMPILE_OPTIONS

    Maybe you find some unnecessary options here? if you do not run a Premium Mix, you have to remove the option --enable-payment, for example.

  • CVS_DATE

    Maybe you forgot to comment this option? If CVS_DATE is uncommented, the scripts will fetch the code for a specific date. That means that you will not necessarily get the latest code. You might want to put a # before this line to comment it out, like

    # CVS_DATE...

    The date command is useful when you would like to stick to a stable version until the next one comes out.

If this does not help, you may try the following:

Accounting database configuration

If you run pay Mixes, you moreover have to initialise the postgres database. it is only needed for the first Mix. However, you do not know if you may not switch position some time, and therefore also other Mixes should do that.

  1. su postgres (switches to user postgres)
  2. createuser -A -D aiuser (creates the new user aiuser)
  3. createdb -O aiuser aidb (creates the accounting database)
  4. psql -d aidb (logs you into the database environment as user postgres)
  5. alter user aiuser with password 'PASSWORD'; (set the password for this user)
  6. \q (leave the database environment)
  7. Edit the postgres configuration file pg_hba.conf located somewhere in /etc/postgresql and allow connections with password. Replace the commands there that enforce ident or md5 login. Note that Postgres looks only for the first line matching a connection type, so don't insert several lines for the same connection type.

    # All other connections by UNIX sockets

    local all all password

    # All IPv4 connections from localhost

    host all all 127.0.0.1 255.255.255.255 ident passwordş

  8. Restart postgres (often done by /etc/init.d/postgresql restart or similar commands)
  9. psql -U aiuser -d aidb < /home/mix/Mixproxy/cvs/proxytest/mixtables.sql (Fill the accounting database with the accounting tables)
  10. psql -U aiuser -d aidb (Login as aiuser with your password)
  11. \dt Check if you see the created tables or not... If you do, everything is OK!)
  12. \q (logout)
  13. exit (switch back to your local user)

Log files

New messages will be appended on the end of the logfiles. Please configure the Mix to store its logs at those positions:

/home/mix/Mixproxy/messages messages / logging of the Mix server

Please note: if you have configured the Mix to use the Syslog only, no messages will be stored in this file.

Start/Stop/Restart

The mix has to be started with 'root' rights if it should listen on ports lower than 1024. Start the process by running the skripts with the 'start', 'stop' and 'restart' options. With the 'process' option you can list the running processes, 'log' will list the log file entries. 'status' shows you if the Mix process is currently running.

You can test if the Mix process has started by typing

mixproxy status

If the status is "running", the configuration could be parsed and the Mix process has started so far.

If you expect your Mix to connect to other Mixes now, you should now check the logfile for an entry "connected" by typing

mixproxy log | grep connected

If you do not find this entry, you could further examine the log files, for example by typing

mixproxy log | less

and after the log file has opened

Shift+G

Troubleshooting

If your Mix does not start by using the scripts, you maybe should start it "by hand"

  • got to the directory where the Mix is located

    cd /home/mix/Mixproxy

  • execute this command

    ./mix --config=config.xml

If the Mix starts, but takes much more than a minute for the connection, this usually has one of the following reasons:

  • If the Mix tries to connect but always gets a timeout, then either the Mixes bad connections to each other, the next/previous Mixes are currently not running or you have entered the wrong port for a connection to the next Mix. Please try a telnet connection on the expected listen port of your next mix.
  • You Mix listens on the wrong port(s). Please tell the Operator of the previous Mix to make a telnet connection to your Mix port, just to make sure that he really connects to your port(s).
  • The shared Mix certificates between your Mix and the next/previous Mix may be wrong. Please verify that you really have the right next/previous certificates in your configuration, and that you are really starting the Mix with its current certificate. To do this, use the config tool for reading the certificates and comparing their hash values with those that the other operators have.

Runlevel links

If you want the services started automatically when starting the server machine, you have to set links to the executables in runlevel 3 and runlevel 5. Please note that this will only work if you have not set a password for your Mix certificate.

su
ln - s /home/mix/Mixproxy/runMixproxy /etc/init.d/mixproxy
exit

Default runlevel

The default runlevel has been set to 3 so that the the graphical environment will not be loaded. This can be changed by the administrator either while the system is running with:
init 5
or permanently with editing the /etc/inittab entries.

 

Download

Stable Version
00.20.001


Beta Version
00.20.010


InfoService

Status of available AN.ON services and information about them.


Aktuell / News

Restrictions for the Dresden (JAP) anonymisation servers
After careful consideration we have decided to restrict the size of downloads over the Dresden (JAP) mixes a little. The reason is to allow a more fair use of scarce resources of our servers especially for users who simply want to surf the Web. more...

 

 
---