Logo

**Psyke Phaeton** · 02-28-2011, 07:32 AM

Using Privoxy to control Media access of your Second Life client. You can add a white list and those not white listed will give you the option to 'go there anyway' or just close it. All without changing your client!

Lets work on this together to make a complete set of instructions.

DISCLAIMER: This information is being shared to continue investigation of this method of protecting ourselves. Privoxy is new to me and I do not understand all the things it can do. You are responsible for what you do with it. Lets investigate it

Notes: This method is not suited to Phoenix viewers because they will try to send UDP packets through the proxy as well and Privoxy cannot handle these. Instead Phoenix users should make sure the media filter is enabled and rely on that.

Install Privoxy

Edit the file: default.action

Change:

Code:

{+block{Host matches generic block pattern.}}
..list of various ad blocking string...

To:

Code:

{+block{Host matches generic block pattern.}}
/ # Block all sites!

Change:

Code:

{-block}
...list of various strings...

To:

Code:

{-block}
# SL Parcel 'Streaming Audio' does not use SL client proxy settings.
# No need to add music URLs to this proxy.
# Consider disabling Streaming Audio in your client when in untrusted areas.

# Any Media URLs not allowed below will result in a BLOCKED web page which
# will let you click 'go there anyway' if you wish to proceed.

# SL Login and login screen
login.agni.lindenlab.com          #main grid
lecs.viewer-login.secondlife.com
viewer-login.agni.lindenlab.com
lecs-viewer-login-agni.s3.amazonaws.com
ws.world-ng.agni.lindenlab.com
common-flash-secondlife-com.s3.amazonaws.com

# SL Web
secondlife.com
my.secondlife.com
www.secondlife.com
marketplace.secondlife.com
id.secondlife.com
community.secondlife.com
support.secondlife.com
wiki.secondlife.com

#SL Client
viewer-help.secondlife.com
viewer-sidebar.secondlife.com
search.secondlife.com
search-beta.secondlife.com
search.secondlife.com/viewer/ads/.*
id.secondlife.com
lecs.viewer-sidebar.secondlife.com.s3.amazonaws.com
static.search.secondlife.com.s3.amazonaws.com
vip.login.agni.lindenlab.com
clearspace.s3.amazonaws.com
s3.amazonaws.com
www.google-analytics.com
*.cloudfront.net
my-secondlife.s3.amazonaws.com
texture-service.agni.lindenlab.com
.edgecastcdn.net
events.secondlife.com
maps.secondlife.com


#Add your trusted sites here
# .youtube.com
# .ytimg.com

If you want to create a Privoxy log file edit the file: config
Uncomment the debug lines by changing them to:

Code:

debug      1 # Log the destination for each request Privoxy let through.
debug   1024 # Log the destination for requests Privoxy didn't let through, and
debug   4096 # Startup banner and warnings
debug   8192 # Non-fatal errors

Finally you need to make a decision regarding convenience versus security. By default Privoxy allows you to click 'go there anyway' to proceed to the blocked site. What this does is it adds PRIVOXY-FORCE to the URL which Privoxy strips and then sends your request through. If a malicious land owner wanted they could simply set the media url to contain PRIVOXY-FORCE and Privoxy would ignore our security. We can disable this feature to close that hole but you lose the 'go there anyway' option.

For greater security and less convenience edit the 'config' file and change:

Code:

enforce-blocks 0

To:

Code:

enforce-blocks 1

Since Privoxy is not in wide use it may not be necessary to be this paranoid as having the option to 'go there anyway' is useful.
If you do 'enforce-blocks 1' and lose the 'go there anyway' option you could copy temporary trusted URLs to your web browser instead, and copy permanently trusted URLs to the -block section in file default.action

Restart Privoxy.

Log in to SL. Change your Proxy settings to:
Proxy Location: 127.0.0.1
Port: 8118

NOTES:

Land based streaming music is not proxied. Consider disabling streaming music.
Land based media is not clickable so the 'go there anyway' option will only work for prim based media.

Sione · 02-28-2011, 07:43 AM

Quote:

# Any Media URLs not allowed below will result in a BLOCKED web page which
# will let you click 'go there anyway' if you wish to proceed.

I don't think land media pages are clickable.

Also think you missed allowing http textures.

Lance Corrimal · 02-28-2011, 07:47 AM

alternative configuration for cases when you'Re already using privoxy for your general, firefox/IE based webbrowsing:

add the domain names from the "How to block redzone" thread to the {+block} group.

**Psyke Phaeton** · 02-28-2011, 07:48 AM

Quote:

Originally Posted by Sione

I don't think land media pages are clickable.

I'll check that, thanks

Quote:

Also think you missed allowing http textures.

I have HTTP textures on but no problems. I think HTTP textures might ignore the proxy setting.

Sione · 02-28-2011, 07:50 AM

Quote:

Originally Posted by Psyke Phaeton

I'll check that, thanks

I have HTTP textures on but no problems. I think HTTP textures might ignore the proxy setting.

Yeah I think you are ok with viewer 2. But it redirects to the proxy on Phoenix for caching. squid_proxy_cache [Phoenix Viewer]

**Psyke Phaeton** · 02-28-2011, 07:56 AM

I guess I better grab phoenix! :O

**Tyche Shepherd** · 02-28-2011, 08:00 AM

If you are setting up a whitelist you may find it more useful to allow anything from any secondlife.com subdomain instead of listing each one as you find them - this should allow for LL making changes which get blocked such as when they start using the weownyourfirstborn.secondlife.com subdomain

Code:

{-block}


# allow any secondlife.com subdomain 
.secondlife.com

You could of course do the same with .s3.amazonaws.com but that's slightly riskier

**Psyke Phaeton** · 02-28-2011, 08:04 AM

Quote:

Originally Posted by Tyche Shepherd

If you are setting up a whitelist you may find it more useful to allow anything from any secondlife.com subdomain instead of listing each one as you find them - this should allow for LL making changes which get blocked such as when they start using the weownyourfirstborn.secondlife.com subdomain

Code:

{-block}


# allow any secondlife.com subdomain 
.secondlife.com

You could of course do the same with .s3.amazonaws.com but that's slightly riskier

It was pointed out that giving web access to every scripted web serving object on all grids was a bad idea.

Ann Otoole · 02-28-2011, 08:19 AM

what we need is a media redirector that simply points all intercepted media assaults to zFires IP address. Then bit by bit everyone in SL becomes zfires alt.

Masami Kuramoto · 02-28-2011, 08:30 AM

Two weeks ago I wrote a simple interactive proxy service in Java which pops up a confirmation dialog every time a URL in a non-whitelisted domain is requested. It works fine with Viewer 2, but I could not test it for media URLs in particular because the viewer is still a 32bit app and cannot open media on 64bit Linux anyway.

I tested the service with Imprudence 64bit as well, but Imprudence seems to ignore the proxy setting for many things. For example, it bypasses the proxy when it phones home or loads the login page for the selected grid. Of course this should not happen, so it's probably a bug.

Proxies are a very appealing solution (if they work) because they are not bound by the Lab's policy on hiding media URLs.

Cerise · 02-28-2011, 08:34 AM

My build does not like the <-------> thing on the login.agni.secondlife.com line. It could be a library version difference somewhere.

If you do not want to use a wildcard, some more specific SL sites to unblock:

id.secondlife.com
community.secondlife.com
support.secondlife.com
wiki.secondlife.com

Sione · 02-28-2011, 08:38 AM

Quote:

Originally Posted by Masami Kuramoto

Two weeks ago I wrote a simple interactive proxy service in Java which pops up a confirmation dialog every time a URL in a non-whitelisted domain is requested. It works fine with Viewer 2, but I could not test it for media URLs in particular because the viewer is still a 32bit app and cannot open media on 64bit Linux anyway.

I tested the service with Imprudence 64bit as well, but Imprudence seems to ignore the proxy setting for many things. For example, it bypasses the proxy when it phones home or loads the login page for the selected grid. Of course this should not happen, so it's probably a bug.

Proxies are a very appealing solution (if they work) because they are not bound by the Lab's policy on hiding media URLs.

Yeah I have squid, IPTables and DansGuardian all running on my gateway box so I am pretty covered for blocking stuff. But the majority of SL users need a viewer implementation because they will be lost trying to mess around with proxies. Even if they manage to install it they will still get confused when things start getting blocked that they want to see.

**Psyke Phaeton** · 02-28-2011, 08:43 AM

Quote:

Originally Posted by Psyke Phaeton

I guess I better grab phoenix! :O

Phoenix locks up after I set the proxy before logging in.

**Psyke Phaeton** · 02-28-2011, 08:46 AM

Quote:

Originally Posted by Cerise

My build does not like the <-------> thing on the login.agni.secondlife.com line. It could be a library version difference somewhere.

If you do not want to use a wildcard, some more specific SL sites to unblock:

id.secondlife.com
community.secondlife.com
support.secondlife.com
wiki.secondlife.com

Remove the <----> my editor shows that to represent tabs. When I copied the file over it grabbed that too by mistake. I removed it above ages ago. Not sure why you see it.

Thanks for more URLs.

**Psyke Phaeton** · 02-28-2011, 08:55 AM

I can't make phoenix work, someone will have to tell me the HTTP Texture URLs

Cerise · 02-28-2011, 09:17 AM

Quote:

Originally Posted by Psyke Phaeton

I can't make phoenix work, someone will have to tell me the HTTP Texture URLs

On the privoxy config file, look for these lines and uncomment them, or at least the 1024 to see blocks.

Code:

debug      1 # Log the destination for each request Privoxy let through.
debug   1024 # Log the destination for requests Privoxy didn't let through, and
debug   4096 # Startup banner and warnings
debug   8192 # Non-fatal errors

Old versions had those enabled by default. That will help you see any URLs that the viewer wants legitimately and can't get. And a tail -f on the privoxy/logfile lets us know when the alt sniffers are probing.

**Psyke Phaeton** · 02-28-2011, 09:17 AM

Ann, What client are you using?

Ann Otoole · 02-28-2011, 09:18 AM

Quote:

Originally Posted by Psyke Phaeton

What client are you using?

i'm using the production release of LL's viewer. You should document the connections for whatever you are using.

**Psyke Phaeton** · 02-28-2011, 09:19 AM

Quote:

Originally Posted by Cerise

On the privoxy config file, look for these lines and uncomment them, or at least the 1024 to see blocks.

Code:

debug      1 # Log the destination for each request Privoxy let through.
debug   1024 # Log the destination for requests Privoxy didn't let through, and
debug   4096 # Startup banner and warnings
debug   8192 # Non-fatal errors

Old versions had those enabled by default. That will help you see any URLs that the viewer wants legitimately and can't get. And a tail -f on the privoxy/logfile lets us know when the alt sniffers are probing.

Done. My Phoenix refuses to run. My Viewer 2 works correctly without any extra entries. Someone else needs to tell me what Phoenix needs.

Ann Otoole · 02-28-2011, 09:23 AM

Quote:

Originally Posted by Psyke Phaeton

Done. My Phoenix refuses to run. My Viewer works correctly without any extra entries. Someone else needs to tell me what Phoenix needs.

just take out the proxy and look at the connections that open before logging in. and what it connects to when logged in.

Then set up the proxy.

**Psyke Phaeton** · 02-28-2011, 09:26 AM

Quote:

Originally Posted by Ann Otoole

i'm using the production release of LL's viewer. You should document the connections for whatever you are using.

This proxy is only for media, not for all client connections. The client ignores the proxy settings for non-media.

Ann Otoole · 02-28-2011, 09:28 AM

Quote:

Originally Posted by Psyke Phaeton

This proxy is only for media, not for all client connections. The client ignores the proxy settings for non-media.

ok. i'll delete my unhelpful posts.

**Psyke Phaeton** · 02-28-2011, 09:28 AM

Quote:

Originally Posted by Ann Otoole

just take out the proxy and look at the connections that open before logging in. and what it connects to when logged in.

Then set up the proxy.

Can't. Launch Phoenix and I get a black screen nothing else. On two different releases. Care factor for Phoenix now equals zero

Very happy to add what Phoenix needs if someone can find out.

Sione · 02-28-2011, 09:35 AM

Quote:

Originally Posted by Psyke Phaeton

Can't. Launch Phoenix and I get a black screen nothing else. On two different releases. Care factor for Phoenix now equals zero

Very happy to add what Phoenix needs if someone can find out.

Yeah Phoenix has directed pretty much everything http through the proxy setting including the login screen.

I'll have a look later when I get the chance

Sione · 02-28-2011, 11:43 AM

Well without logging on to Phoenix I can tell you that http textures are

agni.lindenlab.com

02-28-2011, 07:47 AM	#3 (permalink)
Lance Corrimal I don't do stupid. Join Date: Feb 2010 Posts: 1,894 My Mood: SL Join Date: 2006-06-09 Business: My! Client: Dolphin Viewer 3	alternative configuration for cases when you'Re already using privoxy for your general, firefox/IE based webbrowsing: add the domain names from the "How to block redzone" thread to the {+block} group. __________________

02-28-2011, 08:00 AM	#7 (permalink)
Tyche Shepherd Fortuna vitrea est *SLU Supporter* Cherry red lips and sick on her boots Join Date: Aug 2007 Location: UK Posts: 7,858 My Mood: SL Join Date: 26th April 2007 Awards: 1	If you are setting up a whitelist you may find it more useful to allow anything from any secondlife.com subdomain instead of listing each one as you find them - this should allow for LL making changes which get blocked such as when they start using the weownyourfirstborn.secondlife.com subdomain Code: {-block} # allow any secondlife.com subdomain .secondlife.com You could of course do the same with .s3.amazonaws.com but that's slightly riskier __________________ Vanguard of the LolCatz Revolution This Post was financed by The National LolCatz Archives Clancy Sullivan :Yeah. YEAH! The sultry seamstress of mirth is definitely in charge now. Certified 7.8 on the Official Non-Arbitrary Trout Algorithmic Slut scale A public copy of my Second Life Main Grid Survey Database can be found at http://www.gridsurvey.com - Now with added Second Life Incidents !!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

02-28-2011, 07:56 AM	#6 (permalink)
Psyke Phaeton Senior Member *SLU Supporter* Join Date: Sep 2007 Location: Australia Posts: 9,064 SL Join Date: 12-Oct-2003 Business: PDS HomeSecurity™ Orb - Security Orbs since 2004 Client: Viewer 3 Blog Entries: 4	I guess I better grab phoenix! :O

02-28-2011, 08:19 AM	#9 (permalink)
Ann Otoole Senior Member Join Date: Oct 2008 Posts: 16,374	what we need is a media redirector that simply points all intercepted media assaults to zFires IP address. Then bit by bit everyone in SL becomes zfires alt.

02-28-2011, 08:30 AM	#10 (permalink)
Masami Kuramoto Banned Join Date: Apr 2010 Posts: 2,996 SL Join Date: 2006-12-31 Client: Viewer 3	Two weeks ago I wrote a simple interactive proxy service in Java which pops up a confirmation dialog every time a URL in a non-whitelisted domain is requested. It works fine with Viewer 2, but I could not test it for media URLs in particular because the viewer is still a 32bit app and cannot open media on 64bit Linux anyway. I tested the service with Imprudence 64bit as well, but Imprudence seems to ignore the proxy setting for many things. For example, it bypasses the proxy when it phones home or loads the login page for the selected grid. Of course this should not happen, so it's probably a bug. Proxies are a very appealing solution (if they work) because they are not bound by the Lab's policy on hiding media URLs.

02-28-2011, 08:34 AM	#11 (permalink)
Cerise Placeholder Mauves ovriers ne trovera ja bon hostill Join Date: Oct 2010 Posts: 1,720 My Mood: Client: SL Viewer 3	My build does not like the <-------> thing on the login.agni.secondlife.com line. It could be a library version difference somewhere. If you do not want to use a wildcard, some more specific SL sites to unblock: id.secondlife.com community.secondlife.com support.secondlife.com wiki.secondlife.com

02-28-2011, 08:55 AM	#15 (permalink)
Psyke Phaeton Senior Member *SLU Supporter* Join Date: Sep 2007 Location: Australia Posts: 9,064 SL Join Date: 12-Oct-2003 Business: PDS HomeSecurity™ Orb - Security Orbs since 2004 Client: Viewer 3 Blog Entries: 4	I can't make phoenix work, someone will have to tell me the HTTP Texture URLs

02-28-2011, 09:17 AM	#17 (permalink)
Psyke Phaeton Senior Member *SLU Supporter* Join Date: Sep 2007 Location: Australia Posts: 9,064 SL Join Date: 12-Oct-2003 Business: PDS HomeSecurity™ Orb - Security Orbs since 2004 Client: Viewer 3 Blog Entries: 4	Ann, What client are you using?

02-28-2011, 11:43 AM	#25 (permalink)
Sione Senior Member see-oh-neh Join Date: Sep 2010 Location: UK Posts: 3,040 Awards: 1	Well without logging on to Phoenix I can tell you that http textures are agni.lindenlab.com

Logo

Site Navigation