UPDATE: There is a much easier way to achieve a secure tunnel/proxy that doesn’t require squid to be installed. I’ve blogged it here. The method described on this page may be useful if you want to log the pages you visit. Also, if you wanted to block out ads, you could swap out sphinx for another proxy such as privoxy.
I’m currently on holiday in Avoriaz in France, and I’m browsing the Internet via an open wireless hotspot. Given how easy it is to intercept traffic on an open wlan, this could have posed a bit of a security problem as a lot of the website admin panels I access (including my blog’s wordpress admin) are in an insecure (http) area.
However, there is a solution that ensures that all my traffic (not just https) is encrypted, at least until it gets back to a more trusted part of the Internet.
The solution involves setting up a proxy server (squid) on a trusted server somewhere (e.g. a datacentre, or your home or office) and then connecting to it via an SSH tunnel.
For this particular howto you will need the following:
- An Apple laptop running OS X 10.5 (Leopard)
- A Linux server (preferably running Centos / RHEL) in a trusted location
Installing Squid on your Linux Server
Firstly install squid using your desired package manager… I have a Centos 5 server, so I’m going to use yum:
[root@pablo ~]# yum install squid
Next, edit the squid config to allow any local IPs that might be listening on that server:
[root@pablo ~]# vim /etc/squid/squid.conf
I added a line to allow my server's public IP. NB, at this point we aren't permitting your laptop's IP, only the local IP addresses on your server.
acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 87.124.70.62/255.255.255.255
Now set up the runlevels for squid so that it starts when your server starts:
[root@pablo ~]# chkconfig squid on
If that worked, it should be set to on for run levels 2,3,4 and 5:
[root@pablo ~]# chkconfig --list squid
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Finally start squid if it isn’t already running:
[root@pablo ~]# service squid start
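Before starting squid it is worth checking that the proxy is only reachable over the tunnel. The following shell script is an added example, not part of the original post: it inspects a squid.conf and reports whether http_port is bound to 127.0.0.1 (the SSH tunnel connects to localhost on the server, so nothing else needs to reach the port) and whether the access rules allow localhost before the final deny-all. The two sample configs are constructed here for illustration; the public IP is the one from the post above.

```shell
#!/bin/sh
# Added example: sanity-check a squid.conf before bringing the proxy up.
# squid_check_conf FILE -> prints one line per check, returns 0 only if all pass

squid_check_conf() {
    conf="$1"
    rc=0

    # 1. "http_port 3128" listens on every interface; we want loopback only,
    #    since the only client is the SSH tunnel endpoint on this host.
    if grep -Eq '^[[:space:]]*http_port[[:space:]]+127\.0\.0\.1:[0-9]+' "$conf"; then
        echo "ok:   http_port bound to loopback"
    else
        echo "FAIL: http_port not bound to 127.0.0.1 (proxy reachable from the network)"
        rc=1
    fi

    # 2. squid evaluates http_access rules top to bottom; the localhost allow
    #    must come before the catch-all deny or the tunnel is refused.
    allow_line=$(grep -En '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+localhost' "$conf" | head -n1 | cut -d: -f1)
    deny_line=$(grep -En '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all' "$conf" | tail -n1 | cut -d: -f1)
    if [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]; then
        echo "ok:   'http_access allow localhost' precedes 'http_access deny all'"
    else
        echo "FAIL: missing or misordered http_access rules"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not real files from the post) so the check
# can be exercised without a squid install.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
acl localhost src 127.0.0.1/255.255.255.255
acl localhost src 87.124.70.62/255.255.255.255
http_access allow localhost
http_access deny all
http_port 127.0.0.1:3128
EOF

BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
acl localhost src 127.0.0.1/255.255.255.255
http_access deny all
http_access allow localhost
http_port 3128
EOF

# Usage on the real server: squid_check_conf /etc/squid/squid.conf
squid_check_conf "$GOOD_CONF"
squid_check_conf "$BAD_CONF"
```

Run it against /etc/squid/squid.conf after editing; a FAIL on the http_port check means the proxy would also answer to anyone who can reach the server's port 3128 directly, which is exactly what the tunnel is meant to avoid.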
Setting up your laptop to use the secure proxy
To get the laptop using our secure proxy, we must do two things: open an SSH tunnel to the proxy, and then set up Safari (or your browser of choice) to use this proxy for any required connections.
To set up the secure SSH tunnel from port 3128 on your laptop to port 3128 on the squid server, just run the following command:
paul-macbook:~ paul$ ssh -L 3128:localhost:3128 [email protected]
Then all you need to do is configure Safari (or Firefox) to use port 3128 on your local machine as its proxy, and all traffic will be routed via this secure tunnel before being re-routed to the rest of the Internet. Of course, this won’t secure your browsing from then on, but you can at least be sure that it is not being intercepted by fellow users of the wifi hotspot.
So click on the Safari menu at the top of the screen, and then click Preferences (or press CMD + ,). This will open up the Safari preferences. Make sure you have the Advanced tab open.
On this menu, click the Change Settings button next to Proxies. This will take you to the System Preferences Proxy menu.
Select the protocols you wish to enable the proxy for (in my case I just chose HTTP), then fill out the proxy server address, which is 127.0.0.1 (localhost) and the port, 3128.
And that’s it! You should now be able to browse the web as if you were using your Linux server directly. This method has the added advantage that it can be used to bypass geographic IP-based restrictions, as it makes you appear to be where your server is located.
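One thing to confirm on the laptop side is that the local end of the tunnel listens on 127.0.0.1 only; ssh -L does this by default, but a GatewayPorts setting or an explicit bind address would open port 3128 to everyone else on the hotspot, turning your tunnel into their free proxy. The script below is an added example (not from the original post) that reads lsof output and fails unless every LISTEN entry for the port is on a loopback address. The two lsof samples are constructed here; on a real machine pipe in `lsof -nP -iTCP:3128 -sTCP:LISTEN` instead.

```shell
#!/bin/sh
# Added example: verify the local tunnel endpoint is loopback-only.
# tunnel_listen_ok PORT  (reads lsof -nP -iTCP:PORT -sTCP:LISTEN output on stdin)
# returns 0 if at least one listener exists and all are on 127.0.0.1 / [::1]

tunnel_listen_ok() {
    port="$1"
    bad=0
    seen=0
    while read -r line; do
        case "$line" in
            *"(LISTEN)"*) ;;          # only listening sockets are interesting
            *) continue ;;
        esac
        seen=1
        case "$line" in
            *" 127.0.0.1:$port "*|*" [::1]:$port "*) ;;   # loopback: fine
            *":$port "*) echo "exposed listener: $line"; bad=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed lsof output for the normal "ssh -L 3128:localhost:3128" case.
SAFE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     12345 paul    5u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:3128 (LISTEN)'

# Constructed lsof output for a tunnel bound to all interfaces (GatewayPorts yes).
EXPOSED_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     12345 paul    5u  IPv4 0x1a2b      0t0  TCP *:3128 (LISTEN)'

# Real usage after opening the tunnel:
#   lsof -nP -iTCP:3128 -sTCP:LISTEN | tunnel_listen_ok 3128 && echo "tunnel is loopback-only"
printf '%s\n' "$SAFE_LSOF" | tunnel_listen_ok 3128 && echo "sample 1: loopback-only"
printf '%s\n' "$EXPOSED_LSOF" | tunnel_listen_ok 3128 || echo "sample 2: NOT loopback-only"
```

If the check reports an exposed listener, close the tunnel and re-open it with the bind address spelled out, `ssh -L 127.0.0.1:3128:localhost:3128 user@server`, which forces the loopback binding regardless of client configuration.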
Sorry to burst your bubble Paul, but there is a much easier way, using SSH’s dynamic port forwarding, ssh only required:
ssh -D 3128 [email protected]
Then do the same with the proxy settings, but choose SOCKS proxy instead.
Wow, you learn something every day! That is much easier. OK I guess I should do a new post with the easier method!