[geeks] Encrypted Web Proxy

Sheldon T. Hall shel at tandem.artell.net
Fri Aug 25 09:51:28 CDT 2006


 Writes Sridhar Ayengar ...
> 
> I'm looking at setting up an encrypted web proxy at home for my own
> personal use.  Anyone have any suggestions as to where to start looking?
> End-to-end encryption (using https even) would be a plus.  I can get a
> certificate, if necessary.

There was an article on SANS about this very thing the other day.  They said
...

--- quote SANS ---

This tip is how to use SSH port forwarding to browse the web at your
favorite coffee shop (or hacker conference).

1) Set up a machine on your home network.  If you don't have a static IP
address, then use dynamic DNS.

2) On this machine set up squid (http://www.squid-cache.org/) and bind it
only to localhost.  Do this with the "http_port 127.0.0.1:3128" line in
squid.conf.  This will prevent others on the Internet from abusing your open
proxy.

3) Set up SSHD on this machine.  And do yourself a favor, require SSH key
authentication and run SSHD on a port that is NOT 22.  This will keep all
those brute force SSH grinders from filling your log files.

4) At the coffee shop, do ssh -p <sshd_port> -L3128:127.0.0.1:3128 <user@IP>.
This will set up your SSH tunnel.

5) The most critical piece is to configure your web browser to use a proxy.
Host: 127.0.0.1; port 3128

6) Surf away.  All your web surfing will be encrypted to your home box
before travelling to the Internet.  Be advised that your outbound DNS
requests are still sent to the local network unencrypted.  But you have at
least prevented snooping and/or modification on the HTTP(S) traffic.

You can forward almost any standard TCP application through an SSH tunnel and
OpenSSH has recently introduced lightweight VPN features.  But that's a
topic for another day.

--- end quote ---

Now, I don't travel much these days, so I haven't tried this myself, yet, but
it seems easy enough.

-Shel
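
A check for the server-side settings in steps 2 and 3 of the quoted tip, as an added example that is not part of the original message or the SANS article. The function names, sample file contents and port 2222 are constructed for illustration, and `PasswordAuthentication no` is assumed as the way key-only login is enforced; Match blocks in sshd_config are not evaluated.

```bash
# Audit the server-side settings from steps 2 and 3 (added example).

# Succeeds only if every http_port line in squid.conf binds to loopback.
squid_loopback_only() {
    awk '
        $1 == "http_port" {
            seen = 1
            if ($2 !~ /^(127\.0\.0\.1|localhost|\[::1\]):[0-9]+$/) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }
    ' "$1"
}

# Prints the first value sshd_config gives for a keyword (sshd honours the
# first occurrence; keywords are case-insensitive), else the given default.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeeds if password logins are disabled and sshd is not on port 22.
sshd_hardened() {
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(sshd_setting "$1" Port 22)" != "22" ]
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'http_port 127.0.0.1:3128\n' > "$tmp/squid_good.conf"
printf 'http_port 3128\n' > "$tmp/squid_open.conf"
printf 'Port 2222\nPasswordAuthentication no\n' > "$tmp/sshd_good"
printf '#Port 2222\nPasswordAuthentication yes\n' > "$tmp/sshd_weak"

for f in "$tmp"/squid_*.conf; do
    squid_loopback_only "$f" && echo "${f##*/}: loopback only" \
        || echo "${f##*/}: not loopback-only"
done
for f in "$tmp"/sshd_*; do
    sshd_hardened "$f" && echo "${f##*/}: key-only, port is not 22" \
        || echo "${f##*/}: needs hardening"
done
```

On a real host, point the two functions at the actual squid.conf and sshd_config paths instead of the sample files.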


