
Thread: how to configure squid to use ssh tunnel for external sites?

  1. #11
    Join Date
    Nov 2018
    Location
    Lucknow, India
    Beans
    90
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: how to configure squid to use ssh tunnel for external sites?

    To check whether the traffic between the local proxy and the upstream proxy is encrypted, capture the packets on the local squid server using wireshark or tcpdump and analyze them.
    Learning...... Little odd way for here, read as much as you can before trying anything....
    and get confused enough to forget the actual task.........

  2. #12
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: how to configure squid to use ssh tunnel for external sites?

    If the traffic between the local and remote proxies is sent through an SSH or OpenVPN tunnel, then it will be encrypted as a matter of course.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #13
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: how to configure squid to use ssh tunnel for external sites?

    If you want TOR, why not just use TOR? That's a proxy to a proxy, just controlling the specific exit node.

    ssh leaks DNS queries. I use a ssh-based SOCKS proxy when I'm away from home and don't want to deal with openvpn. I've posted my ssh-socks-proxy script somewhere here at least once. It uses port 64000.

    OpenVPN is what I use, but there are newer, easier to configure, VPN solutions. They don't have the same time-in-wild proof of security, but at least 1 is being added to the Linux kernel.

    I've never tried to have 2 proxies in series. I'd use a VPN to get to a proxy, if that was even needed
    OR
    I'd use TOR.

  4. #14
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: how to configure squid to use ssh tunnel for external sites?

    Quote Originally Posted by TheFu View Post
    ssh leaks DNS queries.
    I don't care about things like that myself, but wouldn't one solution be to run BIND on the remote and have the clients use that as their default DNS server over the tunnel?

  5. #15
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: how to configure squid to use ssh tunnel for external sites?

    Default DNS is UDP. ssh only handles TCP, so if trying to hide DNS (and you probably should), then either use a real VPN that handles **all** traffic or only access sites that are in your /etc/hosts or a LAN-based DNS that doesn't leak externally.

    Just like GPS data, DNS data provides a huge level of "metadata" for anyone who gains access to that data. People aren't paranoid enough about metadata.

    Of course, everyone has a different level of "security" needs. My needs probably don't match those for others. My target security stance is like for a mid-CAP company, not doing any DoD business. Not quite Fortune 500 and definitely not secure enough to stop state attackers.

    IMHO.

  6. #16
    Join Date
    Jul 2017
    Beans
    28
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: how to configure squid to use ssh tunnel for external sites?

    Quote Originally Posted by SeijiSensei View Post
    If the traffic between the local and remote proxies is sent through an SSH or OpenVPN tunnel, then it will be encrypted as a matter of course.
    Exactly, so that is my question. How to configure two proxies so that traffic between the local and remote proxy is sent through SSH? Is there any documentation I can refer to?

    Thanks
    Kunal

  7. #17
    Join Date
    Nov 2018
    Location
    Lucknow, India
    Beans
    90
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: how to configure squid to use ssh tunnel for external sites?

    Exactly, so that is my question. How to configure two proxies so that traffic between the local and remote proxy is sent through SSH? Is there any documentation I can refer to?
    The OpenVPN or layer three tunnel can be formed between two parties only when both agree to do so. The VPN solution providers set the servers for the client to connect securely. The proxies only forward the request(s) made by the host/local user, hence if the connection is initiated as SSL (read HTTPS connection) then it must forward the same to obtain the reply. As most of the websites support HTTPS only over HTTP, hence, the data is already encrypted. If you still want to check whether the connection is secured by SSL, please use the solution provided earlier - wireshark or tcpdump. The best way to understand the network better!

    If the Squid server is not used as a cache server but only for security purposes, IMO it is better to use a hardware/software firewall. They will provide more control over the network, better than a proxy server. To manage SSL on squid, check the command list in the text file attached.

  8. #18
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: how to configure squid to use ssh tunnel for external sites?

    Quote Originally Posted by TheFu View Post
    Default DNS is UDP. ssh only handles TCP, so if trying to hide DNS (and you probably should), then either use a real VPN that handles **all** traffic or only access sites that are in your /etc/hosts or a LAN-based DNS that doesn't leak externally.
    I only use OpenVPN tunnels so the UDP/TCP issue doesn't arise.

    Quote Originally Posted by kunalv-shah View Post
    Exactly, so that is my question. How to configure two proxies so that traffic between the local and remote proxy is sent through SSH? Is there any documentation I can refer to?
    If you set up an OpenVPN tunnel, each end will have a unique tunnel IP address in addition to its external address. For instance, on my local machine I have this configuration for OpenVPN:

    Code:
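    # Routed (layer 3) tunnel device
    dev tun
    # External address of the remote end (elided in the original post)
    remote xxx.xxx.xxx.xxx
    # Tunnel endpoints: local address first, then the remote address
    ifconfig 10.1.1.30 10.1.1.1
    # Custom port; use the same value at both ends
    port 43435
    # Pre-shared static key file
    secret /etc/openvpn/keys/my.key
    # [other stuff]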
    That designates the local end of the tunnel as 10.1.1.30 and the remote 10.1.1.1. On the remote the values would be reversed. I could then configure the local squid to forward requests to the remote squid's 10.1.1.1 address. Then all the transactions are encrypted by default.

    The "port" directive allows you to set a custom port. Usually I use the same value at both ends. The value should be >1023 because the connection does not run as the root user.

    Again, read this for details: https://openvpn.net/community-resour...ey-mini-howto/

    One more thing. If you set up such an OpenVPN tunnel, you don't really need two squid caches. You could simply run squid on the remote machine and point the clients on the local network to its tunnel IP. You would need to set up a static route on your network so that requests for, say, the 10.1.1.0/24 network would be forwarded to the remote over the tunnel. On my network, the local OpenVPN machine is just another workstation. Thus I have added a static route to my router that directs traffic for the 10.1.1.0/24 network to that workstation so it can be forwarded on to the remote.
    Last edited by SeijiSensei; November 15th, 2018 at 06:23 PM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
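
    The forwarding arrangement described in the post above, written out as an added example that is not part of the original thread. The tunnel addresses 10.1.1.30 and 10.1.1.1 come from the post; port 3128 (Squid's default), the ACL name tunnel_peer, port 3129 and user@remote-host are assumptions.

```conf
# --- Local squid.conf (LAN side, tunnel address 10.1.1.30) ---
# Forward every request to the remote Squid through the tunnel address.
# 3128 is assumed to be the remote http_port; 0 disables ICP queries.
cache_peer 10.1.1.1 parent 3128 0 no-query default
# Never fetch from origin servers directly. If the tunnel is down,
# requests fail instead of leaving unencrypted over the local uplink.
never_direct allow all

# --- Remote squid.conf (tunnel address 10.1.1.1) ---
# Listen only on the tunnel address, so the proxy is not reachable
# from the remote host's public interface.
http_port 10.1.1.1:3128
# Accept requests only from the local end of the tunnel.
acl tunnel_peer src 10.1.1.30/32
http_access allow tunnel_peer
http_access deny all

# --- SSH variant (assumption, for the question asked in the thread) ---
# With a local port forward such as
#   ssh -N -L 127.0.0.1:3129:127.0.0.1:3128 user@remote-host
# the local peer line becomes
#   cache_peer 127.0.0.1 parent 3129 0 no-query default
# and the remote Squid sees requests arriving from 127.0.0.1, so it
# should listen on 127.0.0.1:3128 and allow only that source.
```

    A capture taken on the local machine's external interface, as suggested earlier in the thread, should then show only tunnel traffic to the remote host and no plain proxy requests.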

  9. #19
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: how to configure squid to use ssh tunnel for external sites?

    I would use a VPN to get to any remote Squid proxy too
    or
    I'd use TOR.

  10. #20
    Join Date
    Jul 2017
    Beans
    28
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: how to configure squid to use ssh tunnel for external sites?

    So finally, between OpenVPN and SSH, I chose openvpn-as. Sure, it is heavier than SSH, but I am sure I am going to use more functionalities of OpenVPN as I learn about it. The good thing is that it has a module in dd-wrt, so in a way my entire home network can be VPN'ed to the openvpn-as server I host on Google Cloud Platform.

    Thanks SeijiSensei for the pointers.
