<Marc Qualie/>

Secure Proxy with Squid and SSH Tunnels

Today I decided to build myself a small, yet very secure proxy tunnel to use at work. Not that I have anything to hide; I'd just prefer my boss not to know what sites I browse in my lunch hour, or get curious as to why I enjoy watching stand-up comedy while I work. Luckily most of the services I use are HTTPS-enabled anyway, but for the few that aren't, this is my workaround.

I'm going to start off by saying this option isn't cheap if you don't have a dedicated machine at home, which a lot of people don't, and you wish to host this service with a third party. You have a few options and I will outline them all below, letting you decide which is best for you. You may also be asking "can't I just use a free proxy website?" and my answer would be "only if you want to do the opposite of securing your web data". Free web proxies get around things like content filters, but they also have the option of looking at any data that passes through them, and that data won't be secured.

Step 1. Running entirely from an always-on home PC or remote server

This is the cheapest and easiest way to set up a secure proxy. You will need an SSH client if you're using Windows, but on Linux you can do this from the command line. On your home machine you will need a Linux install. I'm sure this can be done with Windows too, but this tutorial focuses on Squid using the Linux user login system. You can install Squid using yum install squid (apt-get install squid on Debian). Once you have that installed you're going to need to change the configuration file a little: nano /etc/squid/squid.conf should do the trick. Once you're in there you're going to want to give your IP access. Since we're going to be logging in with SSH we don't need to add a username/password to the config right now; just make sure you don't tell anyone your host or port and you will be fine with this method. Add acl users src x.x.x.x, where x.x.x.x is the IP address from which you want to be able to access the proxy. You can add as many lines as you like for different IPs or IP ranges. By default Squid already allows access from local addresses in case you need to do internal routing. Now you will need to add http_access allow users to your config file. Save your changes, then start Squid (/etc/init.d/squid start). All done, however very basic; you can play around with Squid yourself later on.

Step 2: Setting up an SSH connection from your client machine

Now comes the part where you connect from your local machine. Personally I am using PuTTY on Windows 7, as I like my games too much to switch fully to Linux for personal use. One day, when Linux supports Steam properly or I switch entirely to Xbox 360, maybe I'll run Linux as my primary OS, but for now... Windows 7! Inside PuTTY you're going to want to create a new connection like you normally would to your server. This is no different from a standard SSH login, whether it requires a username/password and/or private key files.
Once that's done, there's one extra thing you have to do. Inside the "Auth" section, you will see a subsection called "Tunnels". In here you must add the port you wish to listen on locally (we will use 8080) in the first box, then your host:port (the default Squid port is 3128) in the next box. Once you've added that, save your session for easy access next time. Click connect and log in!

Step 3: Modifying the connection settings in your browser

I use Google Chrome as my primary browser, but many of you may not. Changing proxy settings can be done either via your actual connection on your network, or within the browser settings panels, which are pretty easy to find in all browsers. For ease of use I am going to refer you to Proxy Switchy!, which is an amazing tool for quickly switching between multiple proxy configurations. In the host section you will want to put localhost, and for port you will put your local listening port (I used 8080 in my example). Activate your proxy and navigate to a website. If you set up everything correctly you should see the website load fine. If not, double-check that everything is running and that your firewall is allowing access to the right ports.
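As an added example, not code from the original post: a small POSIX shell script that applies the Step 1 changes to a squid.conf and prints the ssh command that does on Linux what the PuTTY "Tunnels" entry does in Step 2. The function names, the sample address 203.0.113.7 and the host proxy.example.net are hypothetical. It handles two details the steps above pass over: Squid's http_access rules are first-match and the stock squid.conf ends with http_access deny all, so the allow users line must be placed before that line rather than appended to the end of the file; and binding Squid to 127.0.0.1 makes it answer only to connections arriving through the tunnel, so the tunnel destination is 127.0.0.1:3128 rather than the server's public address.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Step 1 changes to a
# squid.conf and print the ssh command that replaces the PuTTY tunnel in Step 2.
# Function names and the sample IPs/hostnames are hypothetical.

SQUID_PORT=3128   # Squid's default listening port
LOCAL_PORT=8080   # local port the browser will be pointed at

# Accept only a dotted-quad IPv4 address with an optional /prefix, so that a
# stray string can never be written into the config as an ACL.
valid_src() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit one "acl users src ..." line per source, followed by the allow rule.
squid_acl_fragment() {
    for ip in "$@"; do
        printf 'acl users src %s\n' "$ip"
    done
    printf 'http_access allow users\n'
}

# Insert the fragment into CONF before the "http_access deny all" line that the
# stock squid.conf ends with (http_access is first-match, so an allow rule placed
# after "deny all" never fires), and rebind Squid to loopback so it is reachable
# only through the SSH tunnel. Usage: install_fragment CONF IP_OR_CIDR...
install_fragment() {
    conf="$1"; shift
    for ip in "$@"; do
        valid_src "$ip" || { echo "refusing bad source: $ip" >&2; return 1; }
    done
    frag=$(squid_acl_fragment "$@")
    awk -v frag="$frag" -v port="$SQUID_PORT" '
        $0 == ("http_port " port) { print "http_port 127.0.0.1:" port; next }
        !done && /^http_access deny all/ { print frag; done = 1 }
        { print }
        END { if (!done) print frag }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf" || return 1
}

# Syntax-check the edited file with Squid itself (only when Squid is installed).
check_config() {
    command -v squid >/dev/null 2>&1 || { echo "squid not installed here" >&2; return 0; }
    squid -k parse -f "$1"
}

# The command-line equivalent of the PuTTY "Tunnels" entry: local LOCAL_PORT is
# forwarded through the SSH server to Squid on the server's own loopback.
ssh_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$LOCAL_PORT" "$SQUID_PORT" "$1" "$2"
}

# Example session (root needed for the real file):
#   sudo sh -c '. ./squid-tunnel.sh; install_fragment /etc/squid/squid.conf 203.0.113.7; check_config /etc/squid/squid.conf'
#   $(ssh_tunnel_cmd marc proxy.example.net)          # then point the browser at localhost:8080
#   curl -x http://127.0.0.1:8080 http://example.com/  # the page should come back through the proxy
```

Seen from Squid's side, every request that arrives through the tunnel has source address 127.0.0.1, which the stock config already allows via its localhost ACL; the acl users line for your own public IP only comes into play if you later expose the port directly, which the loopback binding above deliberately prevents.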

I realise this tutorial is very basic, but it's almost 3am here and I've had a very long day! If you have any questions at all please leave them in the comments below and I will do my best to assist you! If you want a simpler set-up you can use another tutorial I wrote a few weeks ago using Hamachi and Privoxy. This is just another way of doing what I mentioned above, with less configuration, and it is more likely to work straight off.

If you have any questions about this post, or anything else, you can get in touch on Bluesky or browse my code on Github.