View the full version: bypass corporate webfiltering - squid proxy through ssh tunnel



dp79
08-08-2009, 20:38
Hi everybody,

I was trying to follow several tutorials online about how to get around corporate proxies. My company for example is using websense to block private web access. I have squid and dropbear running on my asus and what I'm trying to do is to set up a secure ssh tunnel and use it to connect from firefox on my company PC to squid proxy on my asus at home. Since my company blocks almost all outgoing ports, I used port 443 (https) for the ssh channel (in my router I forwarded port 443 to port 22). It works like a charm.
I also installed squid - many thanks to wpte for his help on that!
Squid is listening to port 9091 and I forwarded port 80 to 9091, so that I can connect to squid from work. It works like a charm as well.

Squid by itself can fool websense in some cases, so even by using the simple proxy "feature" I can visit previously blocked sites. Unfortunately not all, because websense is blind on IP filtering, but not on text filtering, since the connection between firefox and squid is not encrypted.

My question is, how can I create a ssh tunnel to squid?

I was trying to follow this tutorial, but I got stuck at the authentication feature of squid (without authentication, the ssh -L* command doesn't work).

http://www.howtoforge.com/linux_secure_browsing_squid

Any advice is greatly appreciated.

Cheers,

dp79

BE AWARE: You might get fired if you get caught doing this at work!

wpte
08-08-2009, 20:57
Oh, but that's easy!:p
just set up putty like in the attached screenshot.

You can add rules with the "Add" button.
with the rules I put in the screenshot, the proxy will be hosted at 127.0.0.1 and port 9091... so it's like the service is running on your pc (but it isn't)

You might need to accept some firewall settings on your PC, or turn them off... windows firewall usually pops up, and when accepted it works;)

I can't say doing a portforward for your proxy is a good idea... in the end anyone can access it and possibly abuse it, unless you've got a password on it;)
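The open-proxy concern above is the one thing in this thread worth fixing in config rather than by habit. What follows is an added squid.conf fragment, not taken from the thread or from the how-to dp79 followed; it assumes the port (9091) and the setup described in the posts (dropbear and squid on the same router, the -L forward pointing at 127.0.0.1:9091 on that router), and uses squid's stock ACL names. With this in place the router's 80 -> 9091 port forward can be removed, because the only way to reach squid is through the SSH tunnel.

```conf
# Added example (not from the thread): make squid reachable only via the tunnel.

# Weak setting: listening on every interface. Combined with the router's
# port forward from 80 to 9091 this is an open proxy for the whole internet
# (anyone can relay traffic through it, and it shows up as your IP).
#http_port 9091
#http_access allow all

# Hardened setting: bind to loopback only. The SSH forward terminates on the
# router itself and connects to 127.0.0.1:9091, so that still works; a direct
# connection from outside never reaches the socket.
http_port 127.0.0.1:9091

# Only loopback clients (i.e. the tunnel endpoint) may use the proxy.
# "localhost" is predefined in squid 3.x; older 2.x installs define it as below.
acl localhost src 127.0.0.1/32
http_access allow localhost

# Last rule wins for everything not matched above: refuse it.
http_access deny all
```

Check it from the router with `squid -k parse` (or `squid -k check`) before reloading, then confirm with `netstat -tln` that 9091 is bound to 127.0.0.1 only, not 0.0.0.0.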

dp79
08-08-2009, 22:35
Hi wpte!

Thanks for your instant reply! I knew this "trick" from before, but actually it never worked for me. Can you tell me which line(s) I should fill in the firefox proxy setup window? http, ssl, ftp, gopher, socks

Other thing... After I set up putty as you described, I assume that I have to log in to my router the usual way and I leave the session open. At least, this is what I did...

I also checked that localhost is enabled in squid.conf, so that is not the case here.

Cheers,
dp79

dp79
08-08-2009, 23:19
I got it working. The Putty menu was the bastard who was fooling me. Or I was the fool, I should say :o.

For others who might make the same mistake: If you set up the tunnel and then you go back to the "session" menu and log in by clicking on your saved session, this bastard disregards your entry in the "tunnel" menu and does not forward. Which actually makes sense, since you load a session without tunnel settings. So, if this is the first time you are using tunneling in Putty, save a new session and make sure that the tunnel settings are included in your saved session. To verify if port forwarding is active, click on Putty's header after log in and click on event log. This is what you should see:

2009-08-08 22:56:03 Looking up host "192.168.3.2"
2009-08-08 22:56:03 Connecting to 192.168.3.2 port 22
2009-08-08 22:56:03 Server version: SSH-2.0-dropbear_0.50
2009-08-08 22:56:03 We claim version: SSH-2.0-PuTTY_Release_0.60
2009-08-08 22:56:03 Using SSH protocol version 2
2009-08-08 22:56:03 Using Diffie-Hellman with standard group "group1"
2009-08-08 22:56:03 Doing Diffie-Hellman key exchange with hash SHA-1
2009-08-08 22:56:04 Host key fingerprint is:
2009-08-08 22:56:04 ssh-rsa *******************************
2009-08-08 22:56:04 Initialised AES-256 CBC client->server encryption
2009-08-08 22:56:04 Initialised HMAC-SHA1 client->server MAC algorithm
2009-08-08 22:56:04 Initialised AES-256 CBC server->client encryption
2009-08-08 22:56:04 Initialised HMAC-SHA1 server->client MAC algorithm
2009-08-08 22:56:11 Sent password
2009-08-08 22:56:11 Access granted
2009-08-08 22:56:11 Opened channel for session
2009-08-08 22:56:11 Local port 9091 forwarding to 127.0.0.1:9091
2009-08-08 22:56:11 Allocated pty (ospeed 38400bps, ispeed 38400bps)
2009-08-08 22:56:11 Started a shell/command

Cheers,
dp79
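Two small checks around the event log above, as an added Python example that is not part of the thread. The first does dp79's verification step on the saved log text instead of by eye (is there a "Local port ... forwarding" line, and which server banner answered). The second shows why forwarding 443 to an SSH daemon is easy for a filtering gateway to notice: the SSH version exchange is sent in clear before any encryption starts, so the first bytes on a port-443 connection read "SSH-2.0-..." instead of a TLS ClientHello. The log lines and flow records in the block are constructed for the example (the banners are the ones shown in the post; the addresses are documentation ranges).

```python
"""Added example, not from the thread: verify a PuTTY forward from its event
log, and classify the first bytes of a connection the way a gateway would."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of the event log shown in the thread.
SAMPLE_LOG = """\
2009-08-08 22:56:03 Connecting to 192.168.3.2 port 22
2009-08-08 22:56:03 Server version: SSH-2.0-dropbear_0.50
2009-08-08 22:56:03 We claim version: SSH-2.0-PuTTY_Release_0.60
2009-08-08 22:56:11 Access granted
2009-08-08 22:56:11 Local port 9091 forwarding to 127.0.0.1:9091
2009-08-08 22:56:11 Started a shell/command
"""

FORWARD_RE = re.compile(r"Local port (\d+) forwarding to ([\w.\-]+):(\d+)")
SERVER_VERSION_RE = re.compile(r"Server version: (SSH-\S+)")


def parse_putty_forwards(log_text: str) -> List[Tuple[int, str, int]]:
    """Return (local_port, dest_host, dest_port) for every active -L forward.
    An empty list means the saved session was loaded without tunnel settings."""
    forwards = []
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwards.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return forwards


def parse_server_version(log_text: str) -> Optional[str]:
    """Return the server's cleartext SSH banner, or None if it is not in the log."""
    m = SERVER_VERSION_RE.search(log_text)
    return m.group(1) if m else None


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Guess the protocol from the first client-to-server bytes of a TCP stream."""
    if data.startswith(b"SSH-"):
        return "ssh"            # SSH version string, always sent in clear
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"            # TLS record: handshake type, version 3.x
    if data.startswith(HTTP_METHODS):
        return "http"           # plaintext HTTP request line
    return "unknown"


def flag_ssh_on_tls_ports(flows: List[Dict]) -> List[Dict]:
    """Return flows that talk SSH on a port where TLS is expected (443 here).
    Each flow is a dict with src, dst, dst_port and first_bytes (constructed)."""
    return [
        f for f in flows
        if f["dst_port"] == 443 and classify_first_bytes(f["first_bytes"]) == "ssh"
    ]


# Constructed flow records: one real TLS ClientHello prefix, one SSH-over-443.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dst_port": 443,
     "first_bytes": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},
    {"src": "10.0.0.9", "dst": "198.51.100.20", "dst_port": 443,
     "first_bytes": b"SSH-2.0-PuTTY_Release_0.60\r\n"},
    {"src": "10.0.0.5", "dst": "203.0.113.8", "dst_port": 80,
     "first_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    print("forwards:", parse_putty_forwards(SAMPLE_LOG))
    print("server:", parse_server_version(SAMPLE_LOG))
    for f in flag_ssh_on_tls_ports(SAMPLE_FLOWS):
        print("SSH on 443 from", f["src"], "to", f["dst"])
```

On the client side the same idea is why "disregards your entry in the tunnel menu" is so easy to miss: nothing fails loudly, the forward line is simply absent, so checking for it in the log is the honest test.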

wpte
08-08-2009, 23:24
> Hi wpte!
>
> Thanks for your instant reply! I knew this "trick" from before, but actually it never worked for me. Can you tell me which line(s) I should fill in the firefox proxy setup window? http, ssl, ftp, gopher, socks
>
> Other thing... After I set up putty as you described, I assume that I have to log in to my router the usual way and I leave the session open. At least, this is what I did...
>
> I also checked that localhost is enabled in squid.conf, so that is not the case here.
>
> Cheers,
> dp79

ok, if you have something saved already, click the load button on putty first, then set the tunnel stuff.

what you fill in at firefox:
http
ip: 127.0.0.1
port: 9091

just leave the session open from putty... and it should work.

I have localhost enabled in squid... but it's standard in the how-to I believe:)

wpte
08-08-2009, 23:28
ah good, you got it working :)