Monday, July 02, 2007

encrypt your web traffic with ssh and squid

This is a great way to encrypt your web traffic from one location to your server. Doesn't everyone have their own OpenBSD server?


Taken from http://www.pantz.org/os/openbsd/squidsetup.shtml

How to set up a Squid SSH tunnel.



Update: I found out an easier way to do an encrypted http tunnel through an untrusted network
with just SSH. Please see the May 2006 blog entry
on it. It can also be done with PuTTY on Windows. I'll leave the info below anyway.

I want to set up SSH to tunnel my web traffic through Squid. Squid would be the proxy server for
my web traffic when I'm connected to a network I don't trust, for example a public WiFi
connection. SSH would tunnel HTTP requests from the remote machine through my gateway at home.
HTTP traffic is usually sent in the clear, so anyone on the same network connection can see what
sites you're visiting. So let's encrypt the traffic. I plan on doing this by tunneling my traffic
through SSH and running the Squid HTTP proxy on localhost. I know the traffic going from the gateway's
Squid proxy to the internet is not encrypted, but I trust the gateway. Any HTTP request going out of there
would be unencrypted anyway; it's just the way the protocol was designed.



Squid will be set up on my gateway machine at home. Squid will be listening on 127.0.0.1 (localhost), so
no one can connect to it from the internal LAN or the internet. The gateway machine only has sshd running on it,
and sshd is only reachable from certain IP ranges on the internet. The HTTP requests will be tunneled from the client
machine through SSH and sent to Squid on the gateway machine. Squid will process the request and send the response
back to the browser on the client machine, which has been set up to use proxy settings. Do the steps below.



1. Install the plain version of Squid (avoid packages with words like "transparent" or "SNMP" in the name)
on the OpenBSD gateway machine with: pkg_add -vf http://blah.com/OpenBSD/squid-xxx-STABLExx.tgz



2. Edit /etc/squid/squid.conf and see below for the only lines I changed from the default config file.
The rest of the settings were left to default. Just check yours match the ones below at a minimum. Change your file
according to your tastes and setup then save it.



3. Initialize the cache with the command "squid -z".



4. Start squid with the command "/usr/local/sbin/squid".



5. To test it, go to a machine on the inside LAN or a machine that can access the gateway from outside
the LAN. SSH to the gateway machine with the command "ssh -L 8080:localhost:8080 192.168.0.1". This command creates
a listener on port 8080 on the local machine (localhost). We will be pointing our browsers at this port
to have our traffic tunneled to the gateway machine. When the encrypted traffic reaches the other side it is
directed to localhost port 8080 on the gateway, where Squid has been set up to listen for requests.



6. Once that SSH connection is up, open your web browser. Go to the proxy settings of the
browser (in Firefox: Edit->Preferences->General->Connection->Connection Settings->Manual Proxy Configuration).
Under the HTTP proxy section put in the proxy host name "localhost" and port "8080". Click OK and you're done.



7. Surf to ipchicken.com and the IP address that shows up should
be the IP address of the gateway. If you're on the internal LAN then this is no big deal, but if you set the proxy
settings correctly you should be able to hit any web page, and if it comes up you're working through the proxy.



8. If it worked, make Squid start on boot by putting this in your /etc/rc.local file:




if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid'; /usr/local/sbin/squid
fi


/etc/squid/squid.conf

# These lines are only the ones that were
# changed from the default config. There
# are more config options in the conf file.

http_port 127.0.0.1:8080
udp_incoming_address 127.0.0.1
cache_access_log none
cache_store_log none
dns_nameservers 192.168.0.1
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl our_networks src 127.0.0.1
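Added example, written for this post and not taken from the pantz.org article: a small POSIX sh script that checks the two properties this setup relies on (every http_port in squid.conf is bound to 127.0.0.1, and the client end of the ssh -L forward from step 5 listens on loopback only) and prints the step 5 command with the local bind address spelled out. The squid.conf fragments and netstat lines it feeds itself are constructed samples, and gw.example.net is a placeholder gateway name.

```shell
#!/bin/sh
# Added example, not part of the original article. Sanity checks for the
# Squid-over-SSH setup: Squid must listen on 127.0.0.1 only, and the local
# end of the "ssh -L" forward must also be loopback-only.

# Return 0 if every http_port in the given squid.conf binds 127.0.0.1,
# 1 if any http_port is a bare port (all interfaces) or another address.
# (IPv4 loopback only, matching the article's config; [::1] is not handled.)
squid_http_port_is_loopback() {
    conf="$1"
    ports=$(sed -e 's/#.*//' "$conf" | awk '$1 == "http_port" { print $2 }')
    [ -n "$ports" ] || return 1          # no http_port at all: refuse to call it safe
    for p in $ports; do
        case "$p" in
            127.0.0.1:*) ;;              # loopback: reachable only through the tunnel
            *) return 1 ;;               # e.g. "8080" or "192.168.0.1:8080": exposed
        esac
    done
    return 0
}

# Print the client-side command from step 5 with the local bind address made
# explicit (127.0.0.1) and -N so no remote shell is opened. ssh binds loopback
# by default, but spelling it out survives a GatewayPorts setting in ssh_config.
tunnel_command() {
    gateway="$1"; local_port="${2:-8080}"; squid_port="${3:-8080}"
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s %s\n' "$local_port" "$squid_port" "$gateway"
}

# Given "netstat -an" output from the client, return 0 only if the forwarded
# port has a loopback listener and no wildcard (*.port or 0.0.0.0:port) listener.
# Handles both BSD (127.0.0.1.8080) and Linux (127.0.0.1:8080) address formats.
listener_is_loopback_only() {
    port="$1"; netstat_out="$2"
    printf '%s\n' "$netstat_out" | grep -q "127\.0\.0\.1[.:]${port} .*LISTEN" || return 1
    printf '%s\n' "$netstat_out" | grep -q "\*[.:]${port} .*LISTEN" && return 1
    printf '%s\n' "$netstat_out" | grep -q "0\.0\.0\.0[.:]${port} .*LISTEN" && return 1
    return 0
}

# --- constructed sample inputs for a stand-alone run -------------------------
safe_conf=$(mktemp); weak_conf=$(mktemp)
printf 'http_port 127.0.0.1:8080\nudp_incoming_address 127.0.0.1\n' > "$safe_conf"
printf '# forgot the address: listens on every interface\nhttp_port 8080\n' > "$weak_conf"
squid_http_port_is_loopback "$safe_conf" && echo "safe squid.conf: http_port bound to loopback"
squid_http_port_is_loopback "$weak_conf" || echo "weak squid.conf: http_port reachable from the LAN"
rm -f "$safe_conf" "$weak_conf"

tunnel_command gw.example.net     # gw.example.net is a placeholder gateway name

# constructed BSD-style netstat line for the client's forwarded port
sample_netstat='tcp          0      0  127.0.0.1.8080         *.*                    LISTEN'
listener_is_loopback_only 8080 "$sample_netstat" && echo "client: port 8080 listens on loopback only"
```

Run the first function on the gateway against the real /etc/squid/squid.conf and the third on the client against the output of "netstat -an" before trusting the tunnel: a bare "http_port 8080" line would make the proxy reachable from the whole LAN, which is exactly what the 127.0.0.1 binding in step 2 is there to prevent.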



3 Comments:

At Thursday, July 03, 2008 4:54:00 AM, Blogger Unknown said...

This comment has been removed by the author.

 
At Thursday, July 03, 2008 4:56:00 AM, Blogger Unknown said...

Now I feel silly. Assumed Squid was already running.

"/etc/init.d/squid start"

was the command which worked for me.

 
At Tuesday, October 20, 2009 7:12:00 PM, Blogger Normalex said...

Do you have an example of using Putty on windows machine to create an encrypted channel?

 
