HowTo/Gateway

From I2P Wiki
Revision as of 09:04, 4 February 2020 by Cheat (talk | contribs) (bring page from the old wiki)

How to set up an EepGateway

Why EepGateways

Running an outproxy (a proxy to the clearnet) normally carries a lot of risk. You do not know whether users will abuse your kindness by running P2P traffic over your proxy, spamming other people's mailboxes, or even publishing CP content publicly. All of this will bring you trouble: the police could show up at your front door and seize your computer for inspection. What about setting up an outproxy exclusively for certain sites you like? It's possible, but a proxy requires extra configuration in the browser, which makes it a poor fit. So what about a gateway? For example, if a user visits http://yourdomain.i2p/oforum/ he will see the onion forum from Tor. This way the user can only visit and use the onion forum through your service. It's safer than running a wide-open outproxy.

What you need to run an EepGateway

If you want to run an EepGateway that accesses the internet directly, all you need is a reverse proxy. I recommend Nginx, an amazing web server/reverse proxy from Russia. You can run it on either Linux or Windows. It acts as a front end and passes all requests through to the real servers. Its Windows binary is less than 1 MB, and it is much easier to operate than Apache.

What about our onion forum? It requires Tor. Connecting through a proxy behind Nginx is a bit tricky: Nginx doesn't support forwarding to a normal proxy, so we need to modify the headers to mimic web browser requests. On Windows I vote for Proxomitron, a brilliant intercepting proxy from Japan. Since the talented developer passed away at an early age, there is no further development on it. The latest version is 4.5Nj. Don't use 4.5Nm, which is flawed.

How to set up an EepGateway

Let's look at the correct request flow in our proxy chain. Take TwiGate (Twitter) as an example:

        User             Gateway        Proxy Chain
        browser1=>i2p    i2p=>nginx     nginx=>normal internet
HOST    example.i2p      example.i2p    twitter.com
URI     TwiGate/**       TwiGate/**     /**

As you can see, Nginx should change the URI from /TwiGate/** to /** and forward the request to "twitter.com".

This is easy to do with Nginx's rewrite module. Using the rewrite directive together with proxy_pass, you can do the following:

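location /TwiGate {
    # Strip the /TwiGate prefix and keep the remainder of the URI
    rewrite TwiGate(\/|)(.*)$ /$2 break;
    # Pass the rewritten request to the real site
    proxy_pass http://www.twitter.com;
    # Only the local I2P server tunnel may connect
    allow 127.0.0.1;
    deny  all;
    break;
}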

But what if the request has to go through a normal proxy? For example OFGate (Onion Forum: l6nvqsqivhrunqvs.onion).

First, let's learn some basics about proxy requests.

In HTTP 1.1, a request sent to a proxy basically looks like this:

GET /targetURI HTTP/1.1
HOST: targetHOST.com

In HTTP 1.0 the HOST header had not yet been introduced, so the request has to look like this:

GET http://targetHOST/targetURI HTTP/1.0 

Nginx happens to support only HTTP 1.0 at the back end. In other words, Nginx can only talk HTTP 1.0 to the downstream proxy.

Having learnt the limitations, let's see what requests we need in the proxy chain:

HTTP/1.0    User             Gateway        Proxy Chain
            browser2=>i2p    i2p=>nginx     nginx=>polipo/privoxy/polipo/privoxy=>tor
HOST        example.i2p      example.i2p    127.0.0.1:{ProxyPort eg 777}
URI         /OFGate/**       /OFGate/**     http://l6nvqsqivhrunqvs.onion/**

Hm, easy. The following configuration looks like enough:

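location /onionpickers {
    # The pattern has to match the location prefix;
    # the replacement begins with a lower-case "http://" and a host name
    rewrite onionpickers(\/|)(.*)$ http://www.twitter.com/$2 break;
    # Local proxy; proxy_pass needs the http:// scheme
    proxy_pass http://127.0.0.1:777;
    allow 127.0.0.1;
    deny  all;
    break;
}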

Though the requests are passed on to 127.0.0.1:777 (our local proxy) and the URI contains the target site, so everything seems all right, it doesn't work in reality.

Let's look at another limitation/feature of Nginx:

Important: Rewriting a URI to a URI that contains a HOST name causes a forced REDIRECT. Even if the break flag and the proxy_pass directive are both set, Nginx will still send a REDIRECT response to the user, telling the browser to navigate away from our site and visit the HOST directly.

Now this seems a dead end. But I have found something interesting. Rewriting the URI with "http://twitter.com/.../" will cause a REDIRECT, while "HTTP://twitter.com/../" will not. The bad thing is that neither Privoxy nor Polipo recognizes such requests.

But Proxomitron does recognize it, and it sanitizes the malformed HTTP request while passing it to the downstream proxy. So now we use the following configuration in Nginx:

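location /onionpickers {
    # The pattern has to match the location prefix (OFGate in the table above);
    # upper-case "HTTP://" keeps Nginx from answering with a REDIRECT
    rewrite onionpickers(\/|)(.*)$ HTTP://l6nvqsqivhrunqvs.onion/$2 break;
    # Local Proxomitron instance, which cleans up the request and forwards it
    proxy_pass http://127.0.0.1:777;
    # Only the local I2P server tunnel may connect
    allow 127.0.0.1;
    deny  all;
    break;
}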
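A model of the sanitizing step described above, as an added example that is not Proxomitron's code and not part of the original page: it lower-cases the "HTTP://" target that the rewrite produces and returns a clean HTTP/1.0 proxy request line. As an added assumption it also refuses any upstream other than the one site this gateway exposes; the function and constant names are hypothetical and the sample request line is constructed.

```python
from urllib.parse import urlsplit

# Assumption for this sketch: the gateway exposes exactly one upstream site.
ALLOWED_HOSTS = {"l6nvqsqivhrunqvs.onion"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def sanitize_request_line(line: str) -> str:
    """Return a canonical HTTP/1.0 proxy request line, or raise ValueError."""
    fields = line.strip().split(" ")
    if len(fields) != 3:
        raise ValueError("malformed request line")
    method, target, version = fields
    if method not in ALLOWED_METHODS:
        raise ValueError("method not allowed: " + method)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported version: " + version)
    parts = urlsplit(target)
    # urlsplit lower-cases scheme and hostname, so the "HTTP://" that the
    # rewrite produces compares equal to the usual "http://".
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("target is not an absolute http:// URL")
    # hostname excludes any "user@" part, so host-confusion tricks fail here.
    if parts.hostname not in ALLOWED_HOSTS or parts.port not in (None, 80):
        raise ValueError("upstream not allowed: " + parts.netloc)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{method} http://{parts.hostname}{path} HTTP/1.0"


if __name__ == "__main__":
    # Constructed request line of the kind the page says Nginx sends.
    print(sanitize_request_line(
        "GET HTTP://l6nvqsqivhrunqvs.onion/index.php?showforum=1 HTTP/1.0"))
```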

In addition to sanitizing requests, Proxomitron can also help us modify the source of the web page, changing all hard-coded URLs into relative URIs so that the user's browser will not connect to them directly.

Click the Web Page button in Proxomitron and create the following rules:

[Patterns]
Name = Oinon-redirect
URL = *l6nvqsqivhrunqvs.onion/*
Limit = 256
Match = ("[^"']++|url\([^\(]++)\1http://l6nvqsqivhrunqvs.onion[/]+
Replace = \1/onionpickers/

Name = Oinon-redirect2
URL = *l6nvqsqivhrunqvs.onion/*
Limit = 256
Match = : url\(("|)\1(/[^\)]++\);)\2
Replace = : url\(\1/onionpickers\2

Name = Oinon-redirect Img
Active = TRUE
URL = *l6nvqsqivhrunqvs.onion/*
Limit = 256
Match = <img\ssrc(\s|)=("/)\2
Replace = <img src=\2onionpickers/

Name = Oinon-redirect3
URL = *l6nvqsqivhrunqvs.onion/*
Limit = 256
Match = (")\1(/|)\?\w\2\=(\w")\3
Replace = \1/onionpickers/?\2=\3
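The same link rewriting expressed in Python, with a check for anything the browser would still fetch directly. This is an added example, not a translation of the Proxomitron rules and not part of the original page; it goes slightly beyond them by also flagging links to third-party hosts. The function names and the sample HTML are constructed for illustration.

```python
import re

ONION = "l6nvqsqivhrunqvs.onion"  # upstream host named on the page
PREFIX = "/onionpickers/"         # gateway location used in the rules above

# Absolute link to the upstream inside a quoted attribute or CSS url(...).
_ABS = re.compile(
    r'''(["'(])\s*https?://''' + re.escape(ONION) + r'''(?![\w.-])/*''', re.I)
# Root-relative link ("/x", not "//host") that is not yet under the prefix.
_ROOT = re.compile(
    r'''((?:href|src|action)\s*=\s*["']|url\(\s*["']?)/(?!/|'''
    + re.escape(PREFIX[1:]) + r''')''', re.I)
# Attribute or url() value that still names a host after rewriting.
_LEAK = re.compile(
    r'''(?:(?:href|src|action)\s*=\s*|url\(\s*)["']?\s*'''
    r'''((?:[a-z][a-z0-9+.-]*:)?//[^\s"'<>)]+)''', re.I)


def rewrite(html: str) -> str:
    """Point upstream and root-relative links at the gateway prefix."""
    html = _ABS.sub(lambda m: m.group(1) + PREFIX, html)
    return _ROOT.sub(lambda m: m.group(1) + PREFIX, html)


def leaks(html: str) -> list[str]:
    """URLs a browser would still fetch directly, bypassing the gateway."""
    return _LEAK.findall(rewrite(html))


# Constructed sample page, not captured from the real forum.
SAMPLE = """<a href="http://l6nvqsqivhrunqvs.onion/index.php?showforum=1">Forum</a>
<img src="/style_images/logo.gif">
<div style="background: url(/style_images/bg.png);"></div>
<link rel="stylesheet" href="HTTP://l6nvqsqivhrunqvs.onion/css/main.css">
<img src="http://tracker.example/pixel.gif">
<script src="//cdn.example/lib.js"></script>"""

if __name__ == "__main__":
    print(rewrite(SAMPLE))
    print("direct fetches remaining:", leaks(SAMPLE))
```

Running `leaks()` over pages captured through the gateway shows which references still need a rewrite rule or should be stripped before the page reaches the user.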