A trending topic on Twitter right now is "iran proxy". Since the Iranian government blocks access to sites like YouTube, the only way to use that service from within Iran is to go through a "public proxy server": a server listening on a nondescript IP and port that doesn't raise any red flags with the censorship software. The proxy server handles all communication with the prohibited site on the user's behalf.
This is a diary entry about setting up such a server on Ubuntu Linux, along with the pitfalls in doing so.
The main pitfall in setting up an open proxy is that, in addition to giving access to the intended parties, anyone else can use the proxy for possibly nefarious purposes, for example trafficking in child porn. Since any traffic logs would contain the proxy server's IP, this could lead to an unpleasant call from law enforcement.
Since that would be a bad thing, in my opinion the risk should at least be lessened (although not totally eliminated) by allowing only certain websites, for example YouTube, to be reached through the proxy.
First, here's how to install the proxy software, namely Squid, on an Ubuntu Linux server:
# apt-get install squid
That installs squid and squid-common, and when it finishes there should be an instance of squid running:
# ps aux | egrep squid
root 7097 0.0 0.1 5572 688 ? Ss 15:06 0:00 /usr/sbin/squid -D -YC
proxy 7099 0.0 1.0 8368 5276 ? S 15:06 0:01 (squid) -D -YC
The file /etc/squid/squid.conf then needs to be edited to set up access permissions. To set up a totally open server, it's only necessary to change the line:
http_access allow manager localhost
to
http_access allow all
More restrictively, to allow access only to YouTube, it's necessary to list all the domains that YouTube needs in order to operate and deny all others. By trial and error I found that these domains are needed:
.youtube.com .ytimg.com .google.com .doubleclick.net .googlevideo.com
Here's the squid.conf setup for YouTube:
acl domain1 dstdomain .youtube.com .ytimg.com .google.com .doubleclick.net .googlevideo.com
http_access allow domain1
# http_access rules are evaluated top to bottom and the first match wins,
# so the LAN exception has to come before the catch-all deny or it never fires
acl MyLAN src 192.168.0.0/255.255.255.0
http_access allow MyLAN
acl allotherwebsites dst 0.0.0.0/0.0.0.0
http_access deny allotherwebsites
I verified that this allows YouTube posting and viewing from a foreign IP, and denies access to domains other than those listed.
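Because squid evaluates http_access rules top to bottom and stops at the first match, any rule placed after a catch-all deny can never fire, and squid does not warn about it. The following shell check is an added example of mine, not code from the diary or from the squid project: it scans a squid.conf and reports http_access lines that sit below a catch-all deny. It treats `http_access deny all` and a bare deny of any acl declared as `dst`/`src` `0.0.0.0/0.0.0.0` (or `0.0.0.0/0`) as a catch-all, which is a heuristic that covers the configuration style used above but not every way of writing "match everything".

```shell
#!/bin/sh
# Added example (not from the diary): flag http_access rules that squid can
# never reach because an earlier rule already denies every request.
# Heuristic for a catch-all: "http_access deny all", or a deny of an acl
# declared with the 0.0.0.0/0.0.0.0 (or 0.0.0.0/0) src/dst that matches all.
# Reads squid.conf from the files given as arguments, or from stdin.

unreachable_rules() {
  awk '
    # skip comments and blank lines
    /^[[:space:]]*#/ || NF == 0 { next }

    # remember acls that match every request
    $1 == "acl" && ($3 == "dst" || $3 == "src") &&
      ($4 == "0.0.0.0/0.0.0.0" || $4 == "0.0.0.0/0") { catchall[$2] = 1; next }

    $1 == "http_access" {
      # once a catch-all deny has been seen, every later rule is dead
      if (blocked) { print "unreachable (line " NR "): " $0; next }
      # a bare deny (no extra conditions) of a catch-all acl ends evaluation
      if ($2 == "deny" && NF == 3 && ($3 == "all" || ($3 in catchall))) blocked = 1
    }
  ' "$@"
}

# usage against the live config (path from the diary):
#   unreachable_rules /etc/squid/squid.conf
# or on a constructed fragment:
#   printf 'http_access deny all\nhttp_access allow localhost\n' | unreachable_rules
```

An empty result means every http_access line is reachable; a reported line means the rule does nothing and should be moved above the deny. Run it before restarting squid so a dead LAN or localhost exception is caught before it silently locks you out.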
To allow another website, say Twitter, start by adding the base domain .twitter.com and then look at /var/log/squid/access.log to see what other domains are required. They'll show up as TCP_DENIED:
1245078445.512 86 192.168.1.109 TCP_DENIED/403 1568 GET http://s3.amazonaws.com/... - NONE/- text/html
So .amazonaws.com needs to be added.
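The log-mining step above can be scripted. The following is an added example of mine, not code from the diary: it reads squid's native access.log format (the layout of the line shown above, where the fourth field is the result code and the seventh is the URL), collects the hostnames of TCP_DENIED requests, counts them, and then derives candidate dstdomain entries by keeping the last two labels of each host, which is the same reduction the author applied by hand to get .amazonaws.com from s3.amazonaws.com. The two-label rule is a heuristic (it is wrong for suffixes such as .co.uk), and the sample log lines and IP addresses in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the diary): mine squid's access.log for requests
# the allow-list rejected, and turn them into candidate dstdomain entries.
# Native squid log fields: time elapsed client status/code bytes method URL ...
# Plain HTTP requests carry a full URL; CONNECT (HTTPS) requests carry host:port.

# print "count host" for every denied host, most frequent first
denied_hosts() {
  awk '$4 ~ /^TCP_DENIED\// {
      url = $7
      sub(/^[a-z]+:\/\//, "", url)   # drop the scheme (http://)
      sub(/\/.*$/, "", url)          # drop the path
      sub(/:[0-9]+$/, "", url)       # drop the port (CONNECT host:443)
      count[url]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }' "$@" | sort -rn
}

# reduce each denied host to a two-label dstdomain entry (heuristic:
# keeps the last two labels, so s3.amazonaws.com becomes .amazonaws.com)
suggest_acl_domains() {
  denied_hosts "$@" |
    awk '{ n = split($2, p, "."); if (n >= 2) print "." p[n-1] "." p[n] }' |
    sort -u
}

# constructed sample log lines in squid native format; the addresses are made up
SAMPLE_LOG='1245078445.512 86 192.168.1.109 TCP_DENIED/403 1568 GET http://s3.amazonaws.com/twitter/profile.png - NONE/- text/html
1245078446.001 12 192.168.1.109 TCP_DENIED/403 1568 CONNECT api.twitter.com:443 - NONE/- text/html
1245078447.100 230 192.168.1.109 TCP_MISS/200 8840 GET http://www.youtube.com/watch?v=abc - DIRECT/203.0.113.10 text/html
1245078448.300 15 192.168.1.109 TCP_DENIED/403 1568 GET http://s3.amazonaws.com/twitter/bg.gif - NONE/- text/html'

# usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | suggest_acl_domains
# usage on the live log (path from the diary):
#   suggest_acl_domains /var/log/squid/access.log
```

Review the suggested list by hand before pasting it into the dstdomain acl: the log only shows what a client tried to reach, so a denied host is a candidate, not automatically a domain you want to open, and every domain added widens what the proxy can be used for.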
Here's what I get to allow Facebook, YouTube and Twitter:
acl domain1 dstdomain .youtube.com .ytimg.com .twitter.com .gmail.com .google.com .flickr.com .yimg.com .digg.com .facebook.com .fbcdn.net .doubleclick.net .googlevideo.com .amazonaws.com
After changing squid.conf it's necessary to restart squid for the settings to take effect:
# /etc/init.d/squid restart
Note that even with the proxy locked down to certain websites, some mischief is still possible on those websites, and it would trace back to the proxy's IP.
To use the proxy with, say, Firefox, go to Tools -> Options -> Advanced -> Network -> Settings, select Manual Proxy Configuration and set the HTTP and SSL proxies to the server's IP and port 3128.
If a firewall is active, it may be necessary to open up port 3128 to outside traffic.