Accessing a caching proxy using SSH
Most people use a web caching proxy like Squid over their LAN. But how about over the Internet? Securing remote access to a caching proxy can be a real pain to configure. I found a lot of confusing and sometimes conflicting documentation. Hopefully, this will simplify things for some of you out there.
Last year, I had a temp job at a large company. For web browsing, everyone was stuck using Internet Explorer. During breaktime, I wanted to access the webmail service offered by my ISP. However, I didn't want all my web browsing running in the clear across the company's network.
On my LAN at home, there’s a Debian (stable) box running Squid, OpenSSH and ddclient (dynamic DNS client) amongst other things. All of it sitting behind a simple NAT router/modem provided by my ISP. The Debian box (headless) is an ancient PII 450 MHz, with 256MB RAM, DVD and floppy drive, and some hard drives. I keep the thing running 24/7. So horsepower or having the latest and greatest machinery is not relevant to this setup.
In the beginning, the simple answer seemed to be to use SSH to tunnel a secure connection from work to my server at home. The question was how.
The first sticking point was having a stable address for the proxy server on the Internet. A free account with www.dyndns.org gave me a hostname that follows the dynamic IP address assigned by my ISP (ddclient on the server keeps it up to date). As for work, they had their own static IP address. To find out what it was, I just went to http://checkip.dyndns.org, which reports the address the request came from.
On my server, I edited /etc/hosts.allow and /etc/squid/squid.conf to allow SSH access and proxy access, respectively, from the company's IP address.
The line in hosts.allow (192.168.2.3 is the server's own address):
sshd: 127.0.0.1 192.168.2.3 [other addresses on my LAN] [company IP address]
Two things to check here. First, this entry only has any effect if sshd was built with TCP Wrappers (libwrap) support, which Debian's openssh-server package had at the time. Second, hosts.allow by itself turns nobody away: without a matching deny rule in /etc/hosts.deny (sshd: ALL), a host that appears on neither list is still let in.
The line in squid.conf:
acl mynetwork src 192.168.2.3 [other addresses on my LAN] [company IP address]
Defining the acl grants nothing on its own; it has to be referenced by an http_access allow rule placed before the usual final http_access deny all. Note also that with the SSH tunnel described below, the connection Squid sees comes from sshd on the server itself, i.e. from 127.0.0.1, not from the company's address, so 127.0.0.1 must be covered by the allowed ACLs (Squid's stock configuration ships with a localhost acl and an allow rule for it). The company IP entry would only matter if port 3128 were reachable directly from the Internet, which it is not, since only port 22 is forwarded on the router.
Next, I opened up TCP port 22 on my router and forwarded it to the server. Since the server has a fixed address on the LAN, the forwarding rule never needs changing.
On the Windows PC at work, I downloaded a copy of PuTTY, the free Windows SSH client. Just the .exe file.
I then configured PuTTY to SSH in to the server and forward local TCP port 3128 to port 3128 on the server. Everything the browser sends to that local port travels inside the encrypted SSH session to Squid at home.
To configure PuTTY, save the session with a name like "remote", for example.
Enter the hostname you got from your dynamic DNS account. “myhostname.dyndns.org” for example.
Click on “Tunnels” under “SSH”.
For "Source port" enter "3128" and for "Destination" enter "localhost:3128" (PuTTY wants host:port here; "localhost" is resolved on the server, so this points at Squid running on the server itself). Leave "Local" selected, then click on Add.
Finally, click back to "Session" and click on Save.
The next step is to configure the web browser to use the proxy.
For Internet Explorer, select "Tools" -> "Internet Options" -> "Connections" tab -> "LAN settings" -> check "Use a proxy server..." and "Bypass proxy server for local addresses".
For the proxy server address use “127.0.0.1” and “3128” for the port.
The settings are pretty much the same in Firefox, under its connection settings (manual proxy configuration).
From now on, start PuTTY, double-click "remote" under "Saved Sessions" and log in to the server with your username and password as usual. Keep that session open and start your web browser: requests to 127.0.0.1:3128 now travel through the SSH session to your own caching proxy at home. One useful property of this arrangement is that it fails closed: if the tunnel is not up, the browser gets a connection error rather than quietly going out through the company's connection, because it is configured to talk only to the proxy.
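The same client-side setup from a Linux or macOS machine with OpenSSH, plus a quick check that browsing really exits at home rather than through the company's connection. This is an added example, not part of the original post; the hostname myhostname.dyndns.org, the user name "me", the use of getent (glibc) to resolve the home address, and the response format of checkip.dyndns.org are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the OpenSSH equivalent of the
# PuTTY session described above, plus a leak check that proxied requests
# really leave via the home connection. Assumed names: myhostname.dyndns.org
# (the dynamic DNS hostname) and the user "me" on the Debian server.

REMOTE_HOST="${REMOTE_HOST:-myhostname.dyndns.org}"
REMOTE_USER="${REMOTE_USER:-me}"
LOCAL_PORT=3128
PROXY="http://127.0.0.1:${LOCAL_PORT}"

# Open the tunnel in the background. -L binds 127.0.0.1:3128 on this PC and
# forwards it over SSH to localhost:3128 on the server, i.e. Squid as seen
# from the server itself. -N: forwarding only, no remote shell.
open_tunnel() {
    ssh -N -f \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "127.0.0.1:${LOCAL_PORT}:localhost:3128" \
        "${REMOTE_USER}@${REMOTE_HOST}"
}

# checkip.dyndns.org answers with "Current IP Address: a.b.c.d" wrapped in a
# little HTML (format assumed here). Pull out the dotted quad, or nothing.
extract_ip() {
    printf '%s\n' "$1" | sed -n 's/.*Current IP Address: *\([0-9.]*\).*/\1/p'
}

# Exit address as seen by the outside world: direct, and through the tunnel.
public_ip() {
    extract_ip "$(curl -s --max-time 10 http://checkip.dyndns.org)"
}
proxied_ip() {
    extract_ip "$(curl -s --max-time 10 -x "$PROXY" http://checkip.dyndns.org)"
}

# The address the dynamic DNS name currently points at (glibc getent assumed).
home_ip() {
    getent ahostsv4 "$REMOTE_HOST" | awk 'NR == 1 { print $1 }'
}

# Succeed only if proxied requests exit somewhere other than the direct path
# AND that somewhere is home. Arguments: direct IP, proxied IP, home IP.
# An empty proxied IP means the request never got through the tunnel.
tunnel_in_use() {
    direct="$1"; proxied="$2"; home="$3"
    [ -n "$proxied" ] && [ "$proxied" != "$direct" ] && [ "$proxied" = "$home" ]
}

main() {
    open_tunnel || { echo "could not open the SSH tunnel" >&2; exit 1; }
    if tunnel_in_use "$(public_ip)" "$(proxied_ip)" "$(home_ip)"; then
        echo "OK: traffic sent to $PROXY exits at home ($(home_ip))"
    else
        echo "WARNING: proxied requests do not exit at home; check the tunnel" >&2
        exit 1
    fi
}

# Run the live check only when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the browser at 127.0.0.1:3128 exactly as in the PuTTY setup; the check compares the address checkip.dyndns.org reports for a proxied request against what the dynamic DNS name resolves to, which is the simplest way to confirm nothing is leaking out of the company's connection.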
A reminder.
This is no guarantee of privacy. The tunnel only protects the traffic on the wire between the PC and your home server; it does nothing against monitoring of the PC itself. The simplest example is remote screen viewing (VNC and the like): the corporation simply watches whatever appears on your monitor. Another is just looking at your web browser's cache or history. And the SSH connection itself is plainly visible to the network as a session from your PC to your home address.
Also, you probably don't want to do this if it violates your contract or the company's policy on computer and Internet usage.