[Freedombox-discuss] Privoxy via Tor, and APT via Privoxy?

Petter Reinholdtsen pere at hungry.com
Wed Apr 16 12:14:58 UTC 2014

One thing mentioned by Jacob Appelbaum in his talk the other day, was
the advantages of upgrading packages via Tor, to make it harder to
target a given machine with fake packages.

I suggest we implement this in the Freedombox, by asking Provixy to
send all requests via Tor, and ask APT to fetch data via Privoxy.
What do the rest of you think about doing this?

The following untested patch for freedombox-setup should implement the
feature, redirection APT via privoxy through Tor.  I've tested the
configuration, but not a freedombox-setup package with these scripts
in place to set up this change.  We could also include the
/etc/apt/apt.conf.d/10freedombox-setup-privoxy file as part of the
package, but then APT on machines with the package installed but no
configured provixy running will stop working.  The privoxy setup do
not handle IPv6.  Not quite sure how to fix that.

diff --git a/setup.d/91_privoxy b/setup.d/91_privoxy
index d975a42..9fbfd5a 100755
--- a/setup.d/91_privoxy
+++ b/setup.d/91_privoxy
@@ -4,3 +4,15 @@ apt-get install -y privoxy
 # Listen on all interfaces
 sed -i 's/listen-address  localhost:8118/listen-address  *:8118/' /etc/privoxy/config
+# Send outgoing connections via Tor
+if grep -q ^forward-socks5 ; then
+    :
+    cat >> /etc/privoxy/config <<EOF
+forward-socks5   /      .
+forward         192.168.*.*/     .
+forward            10.*.*.*/     .
+forward           127.*.*.*/     .
diff --git a/setup.d/92_privoxy_apt b/setup.d/92_privoxy_apt
new file mode 100755
index 0000000..818965d
--- /dev/null
+++ b/setup.d/92_privoxy_apt
@@ -0,0 +1,12 @@
+# Tell APT to use provixy.
+# The pipeline change is to avoid <URL: https://bugs.debian.org/565555 >.
+# Not sure if it affect privoxy.
+cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy <<EOF
+Acquire::http::Proxy "http://localhost:8118/";
+Acquire::ftp::Proxy "http://localhost:8118/";
+Acquire::http::Pipeline-Depth 0;

Happy hacking
Petter Reinholdtsen

More information about the Freedombox-discuss mailing list