Re: Polipo web proxy

Roger Dingledine:

> Known issues when using Polipo with Tor:
> 1) In the config.sample, it suggests
> socksParentProxy = "localhost:9050"
> You should either change this to 127.0.0.1:9050, or enable the
> dnsUseGethostbyname config option -- otherwise polipo asks your name
> servers where "localhost" is, with possibly disastrous implications.

This should no longer be necessary -- I've made the async resolver hard-wire ``localhost'' and ``localhost.'' to 127.0.0.1.

> 6) Polipo writes your hostname in every request. Either define proxyName
> to something else, or set DisableVia = true in your config file.

disableVia is now the default.

Juliusz

Re: Polipo web proxy

> On Wed, Aug 23, 2006 at 03:02:48AM +0200, Juliusz Chroboczek wrote:
>> > 6) Polipo writes your hostname in every request. Either define proxyName
>> > to something else, or set [d]isableVia = true in your config file.
>> This cannot be stressed enough. Unfortunately, use of Via is a MUST
>> according to RFC 2616 (it's not completely useless -- Polipo uses it
>> to detect proxy loops).

> So if you want to follow the RFC, would it be adequate to use the
> pseudonym "polipo" in each case?

That's a somewhat radical approach to proxy loop avoidance ;-) (It would disallow chaining proxies, and chaining proxies is a somewhat common usage scenario -- when evading firewalls, or when trying to work around a lossy wireless link.)

I guess I'll just make disableVia the default, and give up on my policy of conforming by default. People who actually care about loop avoidance can enable it manually.

Juliusz

Re: Polipo web proxy

On Wed, Aug 23, 2006 at 03:02:48AM +0200, Juliusz Chroboczek wrote:

> > 6) Polipo writes your hostname in every request. Either define proxyName
> > to something else, or set [d]isableVia = true in your config file.
>
> This cannot be stressed enough. Unfortunately, use of Via is a MUST
> according to RFC 2616 (it's not completely useless -- Polipo uses it
> to detect proxy loops).

If you're talking about section 14.45 of RFC 2616
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.45
then it doesn't seem to require any uniqueness. (This is good, since Polipo adds a "Via: 1.1 localhost.localdomain" header for my browsing, and I'd guess I'm not the only one of those out there. :)

So if you want to follow the RFC, would it be adequate to use the pseudonym "polipo" in each case?

> Hmm, I guess I could have Polipo choose a random name on each startup
> -- that would satisfy both RFC 2616 and the privacy-conscious.

This approach is dangerous because it lets websites track Tor users by this unique ID. This is exactly what we'd like to avoid: each Tor user is recognizable later on, based on having the same name, even if he has changed to a new exit node.

A more subtle example of this attack would happen if you decided to list the version of Polipo in the Via header -- then websites could narrow down which hits aren't from the same user.

So the two solutions that come to mind are to use a brand new random string for every page, or to pick a string that everybody uses. The latter approach seems less prone to error.

Hope this helps,
--Roger

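The linkability argument in the message above, worked through as an added example that is not part of the original thread. The policy names, user and exit-node labels, and the function names are hypothetical, and all records are constructed.

```python
import random
from collections import defaultdict

def via_records(policy, users=5, circuits=3, pages=2, seed=1):
    """Build constructed (user, exit_node, via_name) records as a website would log them.

    policy: "per-startup" (one random name per Polipo run),
            "per-page"    (a brand new random string for every page),
            "shared"      (a string that everybody uses).
    """
    rng = random.Random(seed)  # fixed seed so the sample is reproducible

    def fresh():
        return f"{rng.getrandbits(64):016x}"

    records = []
    for user in range(users):
        startup_name = fresh()                 # chosen once, survives circuit changes
        for circuit in range(circuits):
            exit_node = f"exit-{(3 * user + circuit) % 11}"   # new exit per circuit
            for _ in range(pages):
                if policy == "per-startup":
                    name = startup_name
                elif policy == "per-page":
                    name = fresh()
                else:
                    name = "polipo"
                records.append((user, exit_node, name))
    return records

def tracked_users(records):
    """Users whose Via name is unique to them and was seen behind several exit nodes."""
    users_by_via = defaultdict(set)
    exits_by_via = defaultdict(set)
    for user, exit_node, via in records:
        users_by_via[via].add(user)
        exits_by_via[via].add(exit_node)
    return {next(iter(us)) for via, us in users_by_via.items()
            if len(us) == 1 and len(exits_by_via[via]) > 1}

if __name__ == "__main__":
    for policy in ("per-startup", "per-page", "shared"):
        print(policy, sorted(tracked_users(via_records(policy))))
```

Only the per-startup policy yields a name that follows one user across exit nodes; the per-page and shared policies give the site nothing to join on.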
Re: Polipo web proxy

>> > It turns out Privoxy has teh awesoma poweru of being able to have
>> > an HTTP proxy after Tor [...] I was unable to find a way for
>> > Polipo to do this

>> Polipo can do this too. Just set both your parentProxy and your
>> socksParentProxy.

> Woah. That's very odd behavior, especially that it would magically
> decide to put the HTTP one after the socks one.

It's actually an unintended feature ;-)

Juliusz

Re: Polipo web proxy

Roger Dingledine:

> 1) In the config.sample, it suggests
> socksParentProxy = "localhost:9050"
> You should either change this to 127.0.0.1:9050, or enable the
> dnsUseGethostbyname config option -- otherwise polipo asks your name
> servers where "localhost" is, with possibly disastrous implications.

I guess I'll simply special-case ``localhost'' in the async resolver.

> 2) Polipo doesn't do as much application-level scrubbing as Privoxy
> tries to do.

Yes. In particular, Polipo will never modify an instance's body, only the headers. That would be very difficult to change.

As Fabian notes (see below), you can use Polipo together with Privoxy if you really must.

> 3) I've seen some funny behavior from its caching. But Privoxy also
> gives funny behavior.

Please report any such issues on polipo-users (I don't check or-talk regularly). But first check whether setting dontCacheCookies and dontCacheRedirects fixes your issues -- if it does, the website's broken.

> 4) It crashes (albeit rarely). The developer knows and is looking for
> more clues.

... and has been stuck for months. Sigh.

A workaround is to use runit to monitor Polipo.

> 5) I've never tried it on Windows. I don't think its developer has either.

The Cygwin build is believed to be fully functional. There's an experimental native build, but it's very new.

> 6) Polipo writes your hostname in every request. Either define proxyName
> to something else, or set [d]isableVia = true in your config file.

This cannot be stressed enough. Unfortunately, use of Via is a MUST according to RFC 2616 (it's not completely useless -- Polipo uses it to detect proxy loops).

Hmm, I guess I could have Polipo choose a random name on each startup -- that would satisfy both RFC 2616 and the privacy-conscious.

Juliusz

Re: Polipo web proxy

Roger Dingledine <[EMAIL PROTECTED]> wrote:

> What I'd like to do actually is move to some other http proxy one day.

I'd like to hear your reasons and if you tried Privoxy's cvs version already. Please have a look at:
http://ijbswa.cvs.sourceforge.net/ijbswa/current/ChangeLog?revision=1.35
and:
http://www.fabiankeil.de/sourcecode/privoxy/
to see the changes, at least some of them are relevant for Tor users.

> I am thinking Polipo is a nice next option:
> http://www.pps.jussieu.fr/~jch/software/polipo/
> I've been using it the past month or two with good success. Can other
> people here give it a try and see if we can clean it up? (You will need
> the latest development version.)

I haven't tried it yet, but to me it doesn't look like a Privoxy replacement, but more like a nice addition for the proxy chain.

Browser -> Privoxy -> Polipo -> Tor

Should bring you HTTP pipelining without losing Privoxy's filtering capabilities.

> 2) Polipo doesn't do as much application-level scrubbing as Privoxy tries
> to do. But Privoxy isn't very good at it anymore anyway, and Firefox
> is getting better.

As far as I can see, Polipo merely blocks HTTP headers if requested. Its referrer blocking seems to be smarter than the one of Privoxy 3.0.3, but Privoxy's cvs version offers the hide-referrer option conditional-block, which should be equivalent to Polipo's "maybe" setting.

> 3) I've seen some funny behavior from its caching. But Privoxy also
> gives funny behavior. And Polipo breaks fewer sites than Privoxy does. :)

At least some of the "funny behaviour" should be fixed in cvs, and if you disable the more aggressive Privoxy filters, the site breaking problem should be solved as well.

Please let me know if you still see "funny behaviour" with Privoxy's cvs version that isn't caused by your filter choice.

Fabian
--
http://www.fabiankeil.de/

Re: Polipo web proxy (was Re: Tor and Google Image search)

Thus spake Roger Dingledine ([EMAIL PROTECTED]):

> On Fri, Aug 18, 2006 at 07:49:56PM -0500, Mike Perry wrote:
> > 7) The definition of parent proxy is different between Polipo and
> > Privoxy. It turns out Privoxy has teh awesoma poweru of being able to
> > have an HTTP proxy after Tor. This is useful for sites that block Tor,
> > such as slashdot & wikipedia (for posting), craigslist, IRC, etc etc
> > etc. I was unable to find a way for Polipo to do this. It made me
> > sad. Course it aint exactly convenient for Privoxy, but at least it's
> > there when you absolutely need to start some flame wars on /. ;)
>
> Polipo can do this too. Just set both your parentProxy and your
> socksParentProxy.

Woah. That's very odd behavior, especially that it would magically decide to put the HTTP one after the socks one. From the manual I assumed they were mutually exclusive.

Privoxy also allows the flexibility to do it for specific hosts/domains/wildcards (ex: irc.) though, which is nice.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Re: Polipo web proxy (was Re: Tor and Google Image search)

On Fri, Aug 18, 2006 at 07:49:56PM -0500, Mike Perry wrote:

> 7) The definition of parent proxy is different between Polipo and
> Privoxy. It turns out Privoxy has teh awesoma poweru of being able to
> have an HTTP proxy after Tor. This is useful for sites that block Tor,
> such as slashdot & wikipedia (for posting), craigslist, IRC, etc etc
> etc. I was unable to find a way for Polipo to do this. It made me
> sad. Course it aint exactly convenient for Privoxy, but at least it's
> there when you absolutely need to start some flame wars on /. ;)

Polipo can do this too. Just set both your parentProxy and your socksParentProxy.

--Roger

Re: Polipo web proxy (was Re: Tor and Google Image search)

Thus spake Roger Dingledine ([EMAIL PROTECTED]):

> What I'd like to do actually is move to some other http proxy one day.
>
> 1) In the config.sample, it suggests
> socksParentProxy = "localhost:9050"
> You should either change this to 127.0.0.1:9050, or enable the
> dnsUseGethostbyname config option -- otherwise polipo asks your name
> servers where "localhost" is, with possibly disastrous implications.
>
> 2) Polipo doesn't do as much application-level scrubbing as Privoxy tries
> to do. But Privoxy isn't very good at it anymore anyway, and Firefox
> is getting better. See previous threads about all the Firefox plugins
> you need so you can discard Privoxy -- I recommend Noscript, Adblock,
> and Adblock Filterset.G.
>
> 3) I've seen some funny behavior from its caching. But Privoxy also
> gives funny behavior. And Polipo breaks fewer sites than Privoxy does. :)
>
> 4) It crashes (albeit rarely). The developer knows and is looking for
> more clues.
>
> 5) I've never tried it on Windows. I don't think its developer has either.
>
> 6) Polipo writes your hostname in every request. Either define proxyName
> to something else, or set DisableVia = true in your config file.
>
> See also http://article.gmane.org/gmane.comp.web.polipo.user/1016
>

7) The definition of parent proxy is different between Polipo and Privoxy. It turns out Privoxy has teh awesoma poweru of being able to have an HTTP proxy after Tor. This is useful for sites that block Tor, such as slashdot & wikipedia (for posting), craigslist, IRC, etc etc etc. I was unable to find a way for Polipo to do this. It made me sad. Course it aint exactly convenient for Privoxy, but at least it's there when you absolutely need to start some flame wars on /. ;)

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Polipo web proxy (was Re: Tor and Google Image search)

On Fri, Aug 18, 2006 at 06:42:28PM -0500, Mike Perry wrote:

> Actually, I've started noticing this even though my privoxy config
> hasn't changed in a long while. I think it's something new that
> images.google.com is doing that privoxy doesn't like.

Exciting. Thanks for tracking this down.

> Perhaps the images.google.com declaration should be added to the
> Privoxy that is shipped with vidalia/tor. It is likely to be pretty
> frustrating to new users.

What I'd like to do actually is move to some other http proxy one day. (I once dreamed of taking the http proxy out of the loop entirely now that Firefox supports safe socks, but it turns out that the entire networking component of Firefox blocks during socks handshakes, so that is not an option until somebody does a major overhaul of Firefox.)

I am thinking Polipo is a nice next option:
http://www.pps.jussieu.fr/~jch/software/polipo/
I've been using it the past month or two with good success. Can other people here give it a try and see if we can clean it up? (You will need the latest development version.)

Known issues when using Polipo with Tor:

1) In the config.sample, it suggests
socksParentProxy = "localhost:9050"
You should either change this to 127.0.0.1:9050, or enable the dnsUseGethostbyname config option -- otherwise polipo asks your name servers where "localhost" is, with possibly disastrous implications.

2) Polipo doesn't do as much application-level scrubbing as Privoxy tries to do. But Privoxy isn't very good at it anymore anyway, and Firefox is getting better. See previous threads about all the Firefox plugins you need so you can discard Privoxy -- I recommend Noscript, Adblock, and Adblock Filterset.G.

3) I've seen some funny behavior from its caching. But Privoxy also gives funny behavior. And Polipo breaks fewer sites than Privoxy does. :)

4) It crashes (albeit rarely). The developer knows and is looking for more clues.

5) I've never tried it on Windows. I don't think its developer has either.

6) Polipo writes your hostname in every request. Either define proxyName to something else, or set DisableVia = true in your config file.

See also http://article.gmane.org/gmane.comp.web.polipo.user/1016

Thanks,
--Roger

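A configuration check for issues 1 and 6 of the list above, added here as an example and not code from the thread or from Polipo. It assumes a build that predates the changes described in the replies, a `name = value` syntax with `#` comments, and that the value `true` is what enables dnsUseGethostbyname; the finding ids and both sample configs are constructed.

```python
import re

# Constructed sample: the socksParentProxy line is the one quoted from config.sample.
LEGACY_CONFIG = '''
# polipo config (constructed sample)
socksParentProxy = "localhost:9050"
'''

# Constructed sample with the changes the thread recommends.
HARDENED_CONFIG = '''
socksParentProxy = "127.0.0.1:9050"   # literal address, no DNS lookup
disableVia = true
'''

def parse_config(text):
    """Read 'name = value' lines; '#' starts a comment (assumed syntax).

    Names are lower-cased so both spellings seen in the thread
    (DisableVia / disableVia) land on the same key.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z]\w*)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings

def audit(text):
    """Return {finding_id: explanation} for issues 1 and 6 of the list."""
    cfg = parse_config(text)
    findings = {}
    # Issue 1: a "localhost" parent is looked up at the name servers unless
    # the system resolver is used (assumption: value "true" enables it).
    host = cfg.get("socksparentproxy", "").rsplit(":", 1)[0].lower()
    system_resolver = cfg.get("dnsusegethostbyname", "").lower() == "true"
    if host in ("localhost", "localhost.") and not system_resolver:
        findings["localhost-dns"] = "use 127.0.0.1:9050 or dnsUseGethostbyname"
    # Issue 6: with Via enabled, the header carries the machine's hostname
    # unless proxyName overrides it.
    if cfg.get("disablevia", "").lower() != "true":
        if "proxyname" not in cfg:
            findings["via-hostname"] = "set disableVia = true or define proxyName"
        else:
            findings["via-custom-name"] = "a proxyName unique to you is still a tracker"
    return findings

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or "no findings")
```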