Wireless Hacks. 1917 IndustrialStrength Tips and Tools [Electronic resources] (text version)


Rob Flickenger

Hack 91 Squid Proxy over SSH


Secure your web traffic from prying
eyes, and improve performance in the process.

squid is normally used as an HTTP accelerator. It is a large,
well-managed, and full-featured caching HTTP proxy that is finding its way into
many commercial web platforms. Since it performs all of its magic on
a single TCP port, it is an ideal candidate for use with an SSH
tunnel. This not only helps to secure your web browser when using
wireless networks, but also potentially makes your browser run even
faster. Best of all, squid is open source and freely available from
http://www.squid-cache.org/.

First, choose a server on which to host your squid cache. Typically,
this will be a Linux or BSD machine on your local wired
network, although squid also runs in Windows, under Cygwin
(http://www.cygwin.com/). You
want to have a fast connection to your cache, so choosing a squid
cache at the other end of a dial-up connection is probably a bad idea
(unless you enjoy simulating what the Internet was like in 1995). On
a home network, this is typically the same machine you use as a
firewall or DNS server. Fortunately, squid isn't
very demanding when it supports only a few simultaneous users, so it
can happily share a box that runs other services.

It is beyond the scope of this hack to include full squid
installation instructions, but configuration isn't
especially difficult. Just be sure to check your access rules and set
a password for the management interface. If you have trouble getting
it to run, check out Jennifer Vesperman's
"Installing and Configuring Squid"
at http://linux.oreillynet.com/pub/a/linux/2001/07/26/squidl.

When squid is installed and running, it binds to TCP port 3128 by
default. Once you have it running, you should test it manually by
setting your HTTP proxy to the server. For example, suppose your
server is running on mysquid.house (assuming
that you are running the TLD of .house [Hack #56]). In Mozilla, go to
Preferences → Advanced → Proxies, as in Figure 7-7.


Figure 7-7. Test your squid using the HTTP Proxy field in Mozilla.



Enter "mysquid.house" as the HTTP
Proxy host, and "3128" for the
port. Click OK, and try to load any web page. You should immediately
see the page you requested. If you see an "Access
Denied" error, look over the
http_access lines in your
squid.conf, and restart squid if necessary.

Once you are satisfied that you have a happy squid, then you need
only to forward your connection to it over SSH. Set up a local
listener on port 3128, forwarding to
mysquid.house:3128 like this:

rob@caligula:~$ ssh -L3128:localhost:3128 mysquid.house -f -N

This will set up an SSH tunnel and fork into the background
automatically. Next, change the HTTP Proxy host in your browser to
localhost, and reload your page. As long as your SSH tunnel is
running, your web traffic will be encrypted all the way to
mysquid.house, where it is
decrypted and sent on to the Internet.
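
The tunnel command above with its local listener pinned to loopback, followed by a check over `ss -ltn` output that nothing on the client exposes port 3128 to the wireless network. This is an added example, not code from the book: `start_tunnel`, `audit_listeners` and the sample listener table are hypothetical names and constructed data, and it assumes OpenSSH on the client and iproute2's `ss`.

```shell
#!/bin/sh
# Added example, not from the book. Assumes OpenSSH and iproute2's `ss`.
PORT=3128

# Open the forward from the hack with two additions:
#   127.0.0.1:  pins the local listener to loopback, so other hosts on the
#               wireless LAN cannot use the tunnel even if GatewayPorts is set
#   ExitOnForwardFailure=yes  makes ssh exit rather than background a
#               session whose port forward could not be set up
start_tunnel() {   # usage: start_tunnel mysquid.house
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${PORT}:localhost:${PORT}" "$1"
}

# Read `ss -ltn` output on stdin and print the address of every listener on
# $PORT that is not loopback. Exit status: 0 = loopback only,
# 1 = exposed listener found, 2 = nothing listening on $PORT.
audit_listeners() {
    awk -v port="$PORT" '
        $1 != "LISTEN" { next }
        {
            n = split($4, part, ":"); p = part[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            found = 1
            if (addr !~ /^(127\.0\.0\.1|\[?::1\]?)$/) { print addr; bad = 1 }
        }
        END { if (bad) exit 1; if (!found) exit 2 }'
}

# Constructed sample of `ss -ltn` output: the tunnel bound to loopback, plus
# a second, wildcard-bound listener on the same port.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:3128      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:3128         [::]:*'

exposed=$(printf '%s\n' "$SAMPLE" | audit_listeners) || echo "exposed: $exposed"
```

On a live client, run `start_tunnel mysquid.house` and then `ss -ltn | audit_listeners`; a status of 0 means only loopback is listening on the proxy port.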

The biggest advantage of this technique (compared to using the SSH SOCKS 4
proxy [Hack #92]) is that virtually all
browsers support the use of HTTP proxies, while not every browser
supports SOCKS 4. Also, if you are using OS X, there is support for
HTTP proxies built into the OS itself. This means that every properly
written application will use your proxy settings transparently.
I'll go into that in more detail later [Hack #97].

Note that HTTP proxies have the same difficulties with DNS as a SOCKS
4 proxy, so keep those points in mind when using your proxy.
Typically, your squid proxy is used from a local network, so you
don't usually run into the DNS schizophrenia issue.
But your squid can theoretically run anywhere (even behind a remote
firewall), so be sure to check out the notes on DNS in that hack.

Running squid takes a little bit of preparation, but can both secure
and accelerate your web traffic when using wireless. Of course, squid
will support as many simultaneous wireless users as you care to throw
at it, so be sure to set it up for all of your regular wireless
users, and keep your web traffic private.

