Copyright © 2004 Brian St. Pierre
Permission to use, copy, modify, and distribute this document for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in copies and/or derived works, and that the name of the author not be used in advertising or publicity pertaining to distribution of the document without specific, written prior permission.
THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THE INFORMATION CONTAINED IN THIS DOCUMENT, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE INFORMATION CONTAINED IN THIS DOCUMENT.
First published draft
This document describes how to set up a secure web proxy using SSH and Squid. Such a setup can, among other things, be used to circumvent web censorship.
This is an early draft. I'm actively seeking feedback. Send email to <SSH+SQUID-HOWTO@bstpierre.org>. Thanks in advance for your help.
Many organizations (e.g. public libraries, employers) and some countries (e.g. Iran, China) have put mandatory web censorship in place through the use of filters like Websense or by blocking off large portions of the Internet at the (national) network level. One way of getting around this is by setting up a proxy server that is hosted outside the purview of the censoring organization, but is still accessible from computers on the censored network.
In order for any of this to work, you need:
A computer that you control (the "server") with an Internet connection hosted outside the censored network.
A static IP address is helpful, but not required.
It is helpful to be running Linux on the server, but not required.
Sufficient administrative privileges on the censored computer (the "client") to be able to install software -- or you need to have an SSH client already installed on the client.
Unless specified otherwise, it is assumed that all commands below are run as root on the server.
You need to have an SSH server installed on the server. If you are running Debian, this is "apt-get install ssh". If you are running something else, install the ssh package from your distribution or go to http://www.openssh.com/ and follow the installation instructions.
You can manually start SSHD by running "/etc/init.d/ssh start" (Debian), or "service sshd start" (Red Hat). However, this may not cause SSHD to start when the server is rebooted. You want SSHD to start every time the server boots. To do this, use "ksysv" (Debian) or "chkconfig" (Red Hat).
On Debian, you may need to remove the file /etc/ssh/ssh_not_to_be_started so that SSHD will start.
Squid is a caching web proxy, and is the guts of this setup. It is also the most complicated to configure.
Install Squid using "apt-get install squid" (Debian) or the appropriate command for your distribution. If all else fails, go to http://www.squid-cache.org/ and follow the download, installation, and configuration instructions there.
Squid configuration is a bit hairy. I installed from a Debian package and accepted most of the defaults. My changes are outlined here:
In the ACL section, disable a bunch of ports that are not going to be used. I'm only enabling the main SSL and SSH ports, in addition to Gopher and FTP. Disable these ports by removing or commenting out the corresponding lines.
Still in the ACL section, define an ACL named "our_networks" (this is in the default config I have) that is 127.0.0.1/32. This should be the only connection you allow -- essentially restricting access to the proxy to the local machine.
If you have problems configuring Squid, check the website above.
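One way to check the "our_networks" restriction described above, added here as an example and not part of the original HOWTO: a shell function that reads squid.conf text and reports any "http_access allow" rule that is not tied to a loopback-only src ACL. Both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit squid.conf text (stdin or file arguments).
# Prints "OK" and returns 0 when every "http_access allow" rule requires a
# src ACL whose entries are all 127.0.0.1; otherwise prints each offending
# rule prefixed with "OPEN: " and returns 1.
audit_squid_acl() {
    awk '
        { sub(/#.*/, "") }                    # strip comments
        $1 == "acl" && $3 == "src" {          # track src ACLs; 1 = loopback only
            if (!($2 in lo)) lo[$2] = 1
            for (i = 4; i <= NF; i++)
                if ($i !~ /^127\.0\.0\.1(\/(32|255\.255\.255\.255))?$/) lo[$2] = 0
        }
        $1 == "http_access" && $2 == "allow" {
            ok = 0                            # terms are ANDed: one loopback-only ACL suffices
            for (i = 3; i <= NF; i++) if (($i in lo) && lo[$i] == 1) ok = 1
            if (!ok) { print "OPEN: " $0; bad = 1 }
        }
        END { if (!bad) print "OK"; exit bad + 0 }
    ' "$@"
}

# Constructed sample: only the local machine may use the proxy.
sample_hardened() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 127.0.0.1/32
http_access allow manager localhost
http_access deny manager
http_access allow our_networks
http_access deny all
EOF
}

# Constructed sample: a LAN range was left in our_networks.
sample_open() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 127.0.0.1/32 192.168.1.0/24
http_access allow our_networks
http_access deny all
EOF
}

sample_hardened | audit_squid_acl
sample_open | audit_squid_acl || echo "proxy would serve non-loopback clients"
```

To audit a real configuration, pass its path as the argument, for example `audit_squid_acl /etc/squid/squid.conf` (the path is an assumption; use wherever your distribution keeps the file).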
Starting Squid is eerily similar to starting SSHD (see the section called “Start SSH”). The Squid startup script is "/etc/init.d/squid".
You'll need to restart Squid when/if you make changes to the configuration file.
From the server, fire up a browser. Configure the browser to use localhost:3128 as a proxy. Go to a few different websites. Check the log file (on Debian this is in /var/log/squid/access.log). You should see one (possibly several) entry for each web page you visited.
Celebrate. The hard part is over.
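The log check described above can also confirm that the proxy is only serving the local machine. The following is an added example, not part of the original HOWTO; it assumes Squid's native access.log format (client address in field 3, result code in field 4), and the log lines are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: summarise Squid native-format access.log lines from stdin.
# Returns 1 if any non-loopback client had a request served (not TCP_DENIED).
check_proxy_clients() {
    awk '
        NF < 4               { next }                   # skip blank/short lines
        $3 == "127.0.0.1"    { loop++; next }           # expected: local browser or SSH tunnel
        $4 ~ /^TCP_DENIED\// { denied[$3]++; next }     # ACL refused the request
                             { served[$3]++; bad = 1 }  # outside client was served
        END {
            printf "loopback=%d\n", loop
            for (c in denied) printf "denied %s %d\n", c, denied[c]
            for (c in served) printf "SERVED %s %d\n", c, served[c]
            exit bad + 0
        }
    '
}

# Constructed sample: two local requests, one refused outside request.
sample_log_ok() {
    cat <<'EOF'
1097000000.101    210 127.0.0.1 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1097000001.350     95 127.0.0.1 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1097000050.007      2 198.51.100.7 TCP_DENIED/403 1400 GET http://www.example.org/ - NONE/- text/html
EOF
}

# Constructed sample: the same log plus a request served to an outside client.
sample_log_leak() {
    sample_log_ok
    cat <<'EOF'
1097000060.500    180 203.0.113.9 TCP_MISS/200 900 GET http://www.example.net/ - DIRECT/192.0.2.81 text/html
EOF
}

sample_log_ok | check_proxy_clients
sample_log_leak | check_proxy_clients || echo "review the ACL section of squid.conf"
```

A "denied" line means the ACL is doing its job; a "SERVED" line means someone other than the local machine is using the proxy.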
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.
-- From the website (http://olivier.sessink.nl/jailkit/)
Jailkit is highly recommended if you're going to allow other users (especially people you've never met and/or don't completely trust) to use the proxy. Many security holes can only be exploited by local users. You can reduce your exposure to security holes by limiting the programs that your users can access. For the purposes of setting up a secure web proxy, they really don't need anything beyond a login shell.
Jailkit is recommended even if you're just setting this up for yourself. In this case, you should create a separate "jailed" account for yourself. This limits your exposure in the case where the client computer is hijacked or otherwise compromised.
Go to the website referred to above, click the download link, and grab the latest source tarball. From a prompt, run the following commands. (If you are paranoid, run the first four commands as a non-root user.)
$ tar zxvf jailkit-VERSION.tar.gz
$ cd jailkit-VERSION
$ ./configure
$ make
$ make install
Follow these instructions at the jailkit website.
Note that "basicshell" is the only required piece of initialization. You don't really need to give your users editors or anything -- they're just going to be forwarding data via SSH.
Run the "jk_check" command when you're done and put this command in your crontab as suggested by the instructions referenced above.
If more than one user will be using the proxy and you want to keep them separate, you can create an additional user and perform the steps in the section called “Prepare the jail” again.
Now launch a browser and change your proxy to localhost:3128. Detailed instructions for particular browsers are below.
Select the General tab.
Push the Connection Settings button.
Choose Manual Proxy Configuration.
In the HTTP box, type "localhost".
In the Port box next to that, type "8118".
Push OK to close Connection Settings.
Push OK to close Options.
Test the changes by going to http://www.google.com/