Setup 3Proxy With Tor Network Gateway For Anonymous Browsing

Indeed, it is considered impossible to achieve the maximum level of security when surfing the internet, there are lots of spam, ads and bots that can spy on our data and identity. However, we can minimize the level of crime on the internet. There are tools and software that can help achieve at least a level of anonymity and privacy that approaches perfect security. Here I will explain how to set up a secure internet environment by relying on the powerful FreeBSD server which is equipped with the 3Proxy, Tor and Privoxy applications. Combining these 3 applications can improve our computer security system, especially on ports 80 and 443.

I will not explain the TOR and Privoxy installation in these tutorials. We focus on installing and configuring 3Proxy. You can read articles about installing TOR and Privoxy in other articles on the internet.

System specifications:

OS: FreeBSD 13.2 Stable
CPU: AMD Phenom(tm) II X4 955 Processor
IP Server:
Interface: em0 ( 1 Land Card )
Hostname: router2

1. What is 3Proxy

Three Proxy is a Unix-based proxy system server that can run on HTTP, HTTPS, FTP ports and also supports SOCKSv4, SOCKSv5 and POP3, SMTP proxies. 3Proxy works on TCP and UDP ports. You can use each proxy as a standalone program (socks, proxy, tcppm, udppm, pop3p) or use a combined program (3proxy). Federated proxies also support features like access control, bandwidth limiting, limiting the amount of daily/weekly/monthly traffic, proxy chaining, log rotation, sylog and ODBC logging, etc.

2. Three Proxy Installation

To carry out the installation we should use FreeBSD Ports. First we log in as root on the FreeBSD server. After logging in successfully, type the following script to install 3PRoxy.

root@router2:~ # cd /usr/ports/net/3proxy
root@router2:/usr/ports/net/3proxy # make install clean

Next, we add the script in the /etc/rc.conf file.

root@router2:~ # ee /etc/rc.conf
This script is useful for the boot process, if our FreeBSD server is rebooted or turned off, 3Proxy will automatically run, because the rc.conf file has the status enabled.

Then we Restart our FReeBSD Server.

root@router2:~ # reboot
After we reboot the FreeBSD Server, try opening the log file, look and pay attention to which ports are running on 3Proxy. Below is an example of a 3Proxy log file.

It turns out that 3PRoxy supports many ports, one of which is even the DNS port, namely port 53. Now that we know the port that runs on 3Proxy, we continue by editing the 3proxy.cfg file in the /usr/local/etc/3proxy.cfg folder.

nscache 65536
log /var/log/3proxy/log D
logformat "- +_L%t.%.  %N.%p %E %U %C:%c %R:%r %O %I %h %T"
rotate 30
Parent is the BACKEND proxy IP and Port, in this tutorial we will use BACKEND TOR and Privoxy. TOR IP/Port 9050, Privoxy IP/Port 8008.

parent 500 socks5 9050
parent 1000 connect 8008
What you need to pay attention to is filling in the external and internal IP, if your FreeBSD server computer only uses 1 interface or 1 landcard, then the internal and external IP must be the same.

For the complete source code for the 3proxy.cfg file, you can copy and paste it at the end of this article.

After the 3proxy.cfg file configuration is complete, restart 3PRoxy

root@router2:~ # service 3proxy restart

3. Test Three Proxy

The 3Proxy test will be carried out on the Mozilla Firefox browser. You can also do it in other browsers such as Yandex, Opera, Comodo etc.

Open the Firefox browser, click the settings menu, follow the image instructions.

Complete the installation and configuration of 3Proxy with BACKEND TOR and Privoxy. Well... now you have your own Proxy server. Enjoy and feel the sensation of surfing safely and comfortably, without any interference from advertisements or hackers tracking the identity of our data.

Example of  Complete Source Code from the 3proxy.cfg file in the /usr/local/etc/3proxy.cfg folder. You can copy and paste this source code directly, because the practice in this tutorial uses this Source Code. You just need to adjust the internal IP, external IP and parent.

# Yes, 3proxy.cfg can be executable, in this case you should place
# something like
#config /usr/local/3proxy/3proxy.cfg
# to show which configuration 3proxy should re-read on realod.

#system "echo Hello world!"
# you may use system to execute some external command if proxy starts

# We can configure nservers to avoid unsafe gethostbyname() usage
# nscache is good to save speed, traffic and bandwidth
nscache 65536

# nobody will be able to access by the name.
# will resolve to for
# clients

timeouts 1 5 30 60 180 1800 15 60
# Here we can change timeout values

users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
# note that "" required, overvise $... is treated as include file name.
# $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format.
#users $/usr/local/etc/3proxy/passwd
# this example shows you how to include passwd file. For included files
# <CR> and <LF> are treated as field separators.

# now we will not depend on any console (daemonize). daemon must be given
# before any significant command on *nix.

# service is required under NT if you want 3proxy to start as service

log /var/log/3proxy/log D
#log c:\3proxy\logs\3proxy.log D
# log allows to specify log file location and rotation, D means logfile
# is created daily

#logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
#logformat "Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')"
#Compatible with Squid access.log:
#"- +_G%t.%. %D %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"
#or, more compatible format without %D
#"- +_G%t.%.      1 %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"
#Compatible with ISA 2000 proxy WEBEXTD.LOG (fields are TAB-delimited):
#"-	+ L%C	%U	Unknown	Y	%Y-%m-%d	%H:%M:%S	w3proxy	3PROXY	-	%n	%R	%r	%D	%O	%I	http	TCP	%1-1T	%2-2T	-	-	%E	-	-	-"
#Compatible with ISA 2004 proxy WEB.w3c
#"-	+ L%C	%U	Unknown	%Y-%m-%d	%H:%M:%S	3PROXY	-	%n	%R	%r	%D	%O	%I	http	%1-1T	%2-2T	-	%E	-	-	Internal	External	0x0	Allowed"
#Compatible with ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
#"-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r	%D	%O	%I	%r	TCP	Connect	-	-	-	%E	-	-	-	-	-"
#Compatible with HTTPD standard log (Apache and others)
#"-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" %E %I"
#or more compatible without error code
#"-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" 200 %I"

# in log file we want to have underscores instead of spaces
logformat "- +_L%t.%.  %N.%p %E %U %C:%c %R:%r %O %I %h %T"

archiver gz /usr/bin/gzip %F
#archiver zip zip -m -qq %A %F
#archiver zip pkzipc -add -silent -move %A %F
#archiver rar rar a -df -inul %A %F
# if archiver specified log file will be compressed after closing.
# you should specify extension, path to archiver and command line, %A will be
# substituted with archive file name, %f - with original file name.
# Original file will not be removed, so archiver should care about it.

rotate 30
# We will keep last 30 log files

#auth iponly
#auth nbname
#auth strong
# auth specifies type of user authentication. If you specify none proxy
# will not do anything to check name of the user. If you specify
# nbname proxy will send NetBIOS name request packet to UDP/137 of
# client and parse request for NetBIOS name of messanger service.
# Strong means that proxy will check password. For strong authentication
# unknown user will not be allowed to use proxy regardless of ACL.
# If you do not want username to be checked but wanna ACL to work you should
# specify auth iponly.

#allow *, * *
allow * * *
#allow * * 25,53,110,20-21,1024-65535
parent 500 socks5 9050
parent 1000 connect 8008
# we will allow everything if username matches ADMINISTRATOR or root or
# client ip is or Overwise we will redirect any request
# to port 80 to our Web-server
# We will allow any outgoing connections from network to
# SMTP, POP3, FTP, DNS and unprivileged ports.
# Note, that redirect may also be used with proxy or portmapper. It will
# allow you to redirect requests to different ports or different server
# for different clients.

#  sharing access to internet

# external is address 3proxy uses for outgoing connections. means any
# interface. Using is not good because it allows to connect to

# internal is address of interface proxy will listen for incoming requests
# means only localhost will be able to use this proxy. This is
# address you should specify for clients as proxy IP.
# You MAY use but you shouldn't, because it's a chance for you to
# have open proxy in your network in this case.

auth none
# no authentication is requires


# dnsproxy listens on UDP/53 to answer client's DNS requests. It requires
# nserver/nscache configuration.

#external $./external.ip
#internal $./internal.ip
# this is just an alternative form fo giving external and internal address
# allows you to read this addresses from files

#auth strong
# We want to protect internal interface
deny * *,
# and llow HTTP and HTTPS traffic.
allow * * * 80-88,8080-8088 HTTP
allow * * * 443,8443 HTTPS
proxy -n

auth none
# pop3p will be used without any authentication. It's bad choice
# because it's possible to use pop3p to access any port

tcppm 25 25
#udppm -s 53 53
# we can portmap port TCP/25 to provider's SMTP server and UDP/53
# to provider's DNS.
# Now we can use our proxy as SMTP and DNS server.
# -s switch for UDP means "single packet" service - instead of setting
# association for period of time association will only be set for 1 packet.
# It's very userfull for services like DNS but not for some massive services
# like multimedia streams or online games.

#auth strong
allow 3APA3A,test
maxconn 20
# for socks we will use password authentication and different access control -
# we flush previously configured ACL list and create new one to allow users
# test and 3APA3A to connect from any location

#auth strong
allow 3APA3A
maxconn 3
#only allow acces to admin interface for user 3APA3A from address
#via address.

# map external 80 and 443 ports to internal Web server
# examples below show how to use 3proxy to publish Web server in internal
# network to Internet. We must switch internal and external addresses and
# flush any ACLs

#auth none
#external $./internal.ip
#internal $./external.ip
#maxconn 300
#tcppm 80 websrv 80
#tcppm 443 websrv 443

#chroot /usr/local/jail
#setgid 65535
#setuid 65535
# now we needn't any root rights. We can chroot and setgid/setuid.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post