SL Client + Privoxy: Media protection without changing your client - SLUniverse Forums

02-28-2011, 07:32 AM   #1
Psyke Phaeton

Using Privoxy to control Media access of your Second Life client. You can add a white list and those not white listed will give you the option to 'go there anyway' or just close it. All without changing your client!

Let's work on this together to make a complete set of instructions.

DISCLAIMER: This information is being shared to continue investigation of this method of protecting ourselves. Privoxy is new to me and I do not understand all the things it can do. You are responsible for what you do with it. Let's investigate it.

Notes: This method is not suited to Phoenix viewers because they will try to send UDP packets through the proxy as well and Privoxy cannot handle these. Instead Phoenix users should make sure the media filter is enabled and rely on that.



Install Privoxy

Edit the file: default.action

Change:

Code:
{+block{Host matches generic block pattern.}}
..list of various ad blocking string...

To:

Code:
{+block{Host matches generic block pattern.}}
/ # Block all sites!

Change:

Code:
{-block}
...list of various strings...

To:

Code:
{-block}
# SL Parcel 'Streaming Audio' does not use SL client proxy settings.
# No need to add music URLs to this proxy.
# Consider disabling Streaming Audio in your client when in untrusted areas.

# Any Media URLs not allowed below will result in a BLOCKED web page which
# will let you click 'go there anyway' if you wish to proceed.

# SL Login and login screen
login.agni.lindenlab.com          #main grid
lecs.viewer-login.secondlife.com
viewer-login.agni.lindenlab.com
lecs-viewer-login-agni.s3.amazonaws.com
ws.world-ng.agni.lindenlab.com
common-flash-secondlife-com.s3.amazonaws.com

# SL Web
secondlife.com
my.secondlife.com
www.secondlife.com
marketplace.secondlife.com
id.secondlife.com
community.secondlife.com
support.secondlife.com
wiki.secondlife.com

#SL Client
viewer-help.secondlife.com
viewer-sidebar.secondlife.com
search.secondlife.com
search-beta.secondlife.com
search.secondlife.com/viewer/ads/.*
id.secondlife.com
lecs.viewer-sidebar.secondlife.com.s3.amazonaws.com
static.search.secondlife.com.s3.amazonaws.com
vip.login.agni.lindenlab.com
clearspace.s3.amazonaws.com
s3.amazonaws.com
www.google-analytics.com
*.cloudfront.net
my-secondlife.s3.amazonaws.com
texture-service.agni.lindenlab.com
.edgecastcdn.net
events.secondlife.com
maps.secondlife.com


#Add your trusted sites here
# .youtube.com
# .ytimg.com

If you want to create a Privoxy log file, edit the file: config
Uncomment the debug lines by changing them to:

Code:
debug      1 # Log the destination for each request Privoxy let through.
debug   1024 # Log the destination for requests Privoxy didn't let through, and
debug   4096 # Startup banner and warnings
debug   8192 # Non-fatal errors

Finally, you need to make a decision regarding convenience versus security. By default Privoxy allows you to click 'go there anyway' to proceed to the blocked site. What this does is add PRIVOXY-FORCE to the URL, which Privoxy strips and then sends your request through. If a malicious land owner wanted, they could simply set the media URL to contain PRIVOXY-FORCE and Privoxy would ignore our security. We can disable this feature to close that hole, but you lose the 'go there anyway' option.

For greater security and less convenience edit the 'config' file and change:

Code:
enforce-blocks 0

To:

Code:
enforce-blocks 1

Since Privoxy is not in wide use it may not be necessary to be this paranoid as having the option to 'go there anyway' is useful.
If you do 'enforce-blocks 1' and lose the 'go there anyway' option you could copy temporary trusted URLs to your web browser instead, and copy permanently trusted URLs to the -block section in file default.action

Restart Privoxy.

Log in to SL. Change your Proxy settings to:
Proxy Location: 127.0.0.1
Port: 8118

NOTES:
  • Land based streaming music is not proxied. Consider disabling streaming music.
  • Land based media is not clickable so the 'go there anyway' option will only work for prim based media.

Last edited by Psyke Phaeton; 09-03-2011 at 09:47 PM. Reason: Editing as needed, thanks everyone.
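
Added example, not part of the original post and not Privoxy's own code: a simplified Python model of how the {-block} whitelist and the enforce-blocks setting described in the post above decide what happens to a media URL. The host matching only approximates Privoxy's pattern rules, the sample action text is a shortened copy of the post's list, and the function names and test hostnames are hypothetical.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

FORCE_TOKEN = "PRIVOXY-FORCE"  # token named in the post

# Constructed sample: a shortened copy of the default.action edits above.
SAMPLE_ACTIONS = """\
{+block{Host matches generic block pattern.}}
/ # Block all sites!
{-block}
# SL Web
secondlife.com
login.agni.lindenlab.com          #main grid
search.secondlife.com/viewer/ads/.*
s3.amazonaws.com
*.cloudfront.net
.edgecastcdn.net
"""

def parse_unblock(text):
    """Return the patterns listed under the {-block} section header."""
    patterns, active = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("{"):              # a new section header
            active = line.startswith("{-block")
        elif active:
            patterns.append(line)
    return patterns

def host_matches(pattern, host):
    """Simplified host matching (assumption): compare label by label;
    a leading dot also accepts any subdomain; '*' is a wildcard label."""
    labels = host.lower().split(".")
    want = pattern.lower().strip(".").split(".")
    if pattern.startswith(".") and len(labels) >= len(want):
        labels = labels[-len(want):]          # keep the rightmost labels
    if len(labels) != len(want):
        return False
    return all(fnmatchcase(l, w) for l, w in zip(labels, want))

def decide(url, allow, enforce_blocks):
    """Model the outcome for one media URL: 'allow', 'forced' or 'block'."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for pat in allow:
        hpat, slash, ppat = pat.partition("/")
        if host_matches(hpat, host) and (not slash or re.match("/" + ppat, path)):
            return "allow"
    if FORCE_TOKEN in url and not enforce_blocks:
        return "forced"   # block page bypassed, request goes out
    return "block"

ALLOW = parse_unblock(SAMPLE_ACTIONS)

if __name__ == "__main__":
    for u in ("http://secondlife.com/", "http://media.example.net/PRIVOXY-FORCE/a"):
        print(u, decide(u, ALLOW, False), decide(u, ALLOW, True))
```

In this model any hostname directly under cloudfront.net passes the `*.cloudfront.net` entry, so broad CDN patterns in the whitelist deserve the same review as the enforce-blocks setting.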

02-28-2011, 07:43 AM   #2
Sione
Quote:
# Any Media URLs not allowed below will result in a BLOCKED web page which
# will let you click 'go there anyway' if you wish to proceed.
I don't think land media pages are clickable.

Also think you missed allowing http textures.

02-28-2011, 07:47 AM   #3
Lance Corrimal
alternative configuration for cases when you're already using privoxy for your general, firefox/IE based web browsing:

add the domain names from the "How to block redzone" thread to the {+block} group.

02-28-2011, 07:48 AM   #4
Psyke Phaeton
Quote:
Originally Posted by Sione View Post
I don't think land media pages are clickable.
I'll check that, thanks
Quote:
Also think you missed allowing http textures.
I have HTTP textures on but no problems. I think HTTP textures might ignore the proxy setting.

02-28-2011, 07:50 AM   #5
Sione
Quote:
Originally Posted by Psyke Phaeton View Post
I'll check that, thanks

I have HTTP textures on but no problems. I think HTTP textures might ignore the proxy setting.
Yeah I think you are ok with viewer 2. But it redirects to the proxy on Phoenix for caching. squid_proxy_cache [Phoenix Viewer]

02-28-2011, 07:56 AM   #6
Psyke Phaeton
I guess I better grab phoenix! :O

02-28-2011, 08:00 AM   #7
Tyche Shepherd
If you are setting up a whitelist you may find it more useful to allow anything from any secondlife.com subdomain instead of listing each one as you find them - this should allow for LL making changes which get blocked such as when they start using the weownyourfirstborn.secondlife.com subdomain

Code:
{-block}


# allow any secondlife.com subdomain 
.secondlife.com

You could of course do the same with .s3.amazonaws.com but that's slightly riskier

02-28-2011, 08:04 AM   #8
Psyke Phaeton
Quote:
Originally Posted by Tyche Shepherd View Post
If you are setting up a whitelist you may find it more useful to allow anything from any secondlife.com subdomain instead of listing each one as you find them - this should allow for LL making changes which get blocked such as when they start using the weownyourfirstborn.secondlife.com subdomain

Code:
{-block}


# allow any secondlife.com subdomain 
.secondlife.com
You could of course do the same with .s3.amazonaws.com but that's slightly riskier
It was pointed out that giving web access to every scripted web serving object on all grids was a bad idea.

02-28-2011, 08:19 AM   #9
Ann Otoole
what we need is a media redirector that simply points all intercepted media assaults to zFire's IP address. Then bit by bit everyone in SL becomes zFire's alt.

02-28-2011, 08:30 AM   #10
Masami Kuramoto
Two weeks ago I wrote a simple interactive proxy service in Java which pops up a confirmation dialog every time a URL in a non-whitelisted domain is requested. It works fine with Viewer 2, but I could not test it for media URLs in particular because the viewer is still a 32bit app and cannot open media on 64bit Linux anyway.

I tested the service with Imprudence 64bit as well, but Imprudence seems to ignore the proxy setting for many things. For example, it bypasses the proxy when it phones home or loads the login page for the selected grid. Of course this should not happen, so it's probably a bug.

Proxies are a very appealing solution (if they work) because they are not bound by the Lab's policy on hiding media URLs.

02-28-2011, 08:34 AM   #11
Cerise
My build does not like the <-------> thing on the login.agni.secondlife.com line. It could be a library version difference somewhere.

If you do not want to use a wildcard, some more specific SL sites to unblock:

id.secondlife.com
community.secondlife.com
support.secondlife.com
wiki.secondlife.com

02-28-2011, 08:38 AM   #12
Sione
Quote:
Originally Posted by Masami Kuramoto View Post
Two weeks ago I wrote a simple interactive proxy service in Java which pops up a confirmation dialog every time a URL in a non-whitelisted domain is requested. It works fine with Viewer 2, but I could not test it for media URLs in particular because the viewer is still a 32bit app and cannot open media on 64bit Linux anyway.

I tested the service with Imprudence 64bit as well, but Imprudence seems to ignore the proxy setting for many things. For example, it bypasses the proxy when it phones home or loads the login page for the selected grid. Of course this should not happen, so it's probably a bug.

Proxies are a very appealing solution (if they work) because they are not bound by the Lab's policy on hiding media URLs.
Yeah I have squid, IPTables and DansGuardian all running on my gateway box so I am pretty covered for blocking stuff. But the majority of SL users need a viewer implementation because they will be lost trying to mess around with proxies. Even if they manage to install it they will still get confused when things start getting blocked that they want to see.

02-28-2011, 08:43 AM   #13
Psyke Phaeton
Quote:
Originally Posted by Psyke Phaeton View Post
I guess I better grab phoenix! :O
Phoenix locks up after I set the proxy before logging in.

Last edited by Psyke Phaeton; 02-28-2011 at 08:55 AM.

02-28-2011, 08:46 AM   #14
Psyke Phaeton
Quote:
Originally Posted by Cerise View Post
My build does not like the <-------> thing on the login.agni.secondlife.com line. It could be a library version difference somewhere.

If you do not want to use a wildcard, some more specific SL sites to unblock:

id.secondlife.com
community.secondlife.com
support.secondlife.com
wiki.secondlife.com
Remove the <---->; my editor shows that to represent tabs. When I copied the file over it grabbed that too by mistake. I removed it above ages ago. Not sure why you see it.

Thanks for more URLs.

02-28-2011, 08:55 AM   #15
Psyke Phaeton
I can't make phoenix work, someone will have to tell me the HTTP Texture URLs

02-28-2011, 09:17 AM   #16
Cerise
Quote:
Originally Posted by Psyke Phaeton View Post
I can't make phoenix work, someone will have to tell me the HTTP Texture URLs
On the privoxy config file, look for these lines and uncomment them, or at least the 1024 to see blocks.

Code:
debug      1 # Log the destination for each request Privoxy let through.
debug   1024 # Log the destination for requests Privoxy didn't let through, and
debug   4096 # Startup banner and warnings
debug   8192 # Non-fatal errors

Old versions had those enabled by default. That will help you see any URLs that the viewer wants legitimately and can't get. And a tail -f on the privoxy/logfile lets us know when the alt sniffers are probing.

02-28-2011, 09:17 AM   #17
Psyke Phaeton
Ann, What client are you using?

02-28-2011, 09:18 AM   #18
Ann Otoole
Quote:
Originally Posted by Psyke Phaeton View Post
What client are you using?
I'm using the production release of LL's viewer. You should document the connections for whatever you are using.

02-28-2011, 09:19 AM   #19
Psyke Phaeton
Quote:
Originally Posted by Cerise View Post
On the privoxy config file, look for these lines and uncomment them, or at least the 1024 to see blocks.

Code:
debug      1 # Log the destination for each request Privoxy let through.
debug   1024 # Log the destination for requests Privoxy didn't let through, and
debug   4096 # Startup banner and warnings
debug   8192 # Non-fatal errors
Old versions had those enabled by default. That will help you see any URLs that the viewer wants legitimately and can't get. And a tail -f on the privoxy/logfile lets us know when the alt sniffers are probing.
Done. My Phoenix refuses to run. My Viewer 2 works correctly without any extra entries. Someone else needs to tell me what Phoenix needs.

Last edited by Psyke Phaeton; 02-28-2011 at 09:25 AM.

02-28-2011, 09:23 AM   #20
Ann Otoole
Quote:
Originally Posted by Psyke Phaeton View Post
Done. My Phoenix refuses to run. My Viewer works correctly without any extra entries. Someone else needs to tell me what Phoenix needs.
just take out the proxy and look at the connections that open before logging in. and what it connects to when logged in.

Then set up the proxy.

02-28-2011, 09:26 AM   #21
Psyke Phaeton
Quote:
Originally Posted by Ann Otoole View Post
I'm using the production release of LL's viewer. You should document the connections for whatever you are using.
This proxy is only for media, not for all client connections. The client ignores the proxy settings for non-media.

02-28-2011, 09:28 AM   #22
Ann Otoole
Quote:
Originally Posted by Psyke Phaeton View Post
This proxy is only for media, not for all client connections. The client ignores the proxy settings for non-media.
OK. I'll delete my unhelpful posts.

02-28-2011, 09:28 AM   #23
Psyke Phaeton
Quote:
Originally Posted by Ann Otoole View Post
just take out the proxy and look at the connections that open before logging in. and what it connects to when logged in.

Then set up the proxy.
Can't. Launch Phoenix and I get a black screen nothing else. On two different releases. Care factor for Phoenix now equals zero

Very happy to add what Phoenix needs if someone can find out.

02-28-2011, 09:35 AM   #24
Sione
Quote:
Originally Posted by Psyke Phaeton View Post
Can't. Launch Phoenix and I get a black screen nothing else. On two different releases. Care factor for Phoenix now equals zero

Very happy to add what Phoenix needs if someone can find out.
Yeah Phoenix has directed pretty much everything http through the proxy setting including the login screen.

I'll have a look later when I get the chance

02-28-2011, 11:43 AM   #25
Sione
Well without logging on to Phoenix I can tell you that http textures are

agni.lindenlab.com