Hack 91 Squid Proxy over SSH


Secure your web traffic from prying eyes and improve performance in the process.

squid is normally used as an HTTP-accelerator. It is a large, well-managed, and full-featured caching HTTP proxy that is finding its way into many commercial web platforms. Since it performs all of its magic on a single TCP port, it is an ideal candidate for use with an SSH tunnel. This not only helps to secure your web browser when using wireless networks, but also potentially makes your browser run even faster. Best of all, squid is open source and freely available from http://www.squid-cache.org/.

First, choose a server on which to host your squid cache. Typically, this will be a Linux or BSD machine on your local wired network, although squid also runs in Windows, under Cygwin (http://www.cygwin.com/). You want to have a fast connection to your cache, so choosing a squid cache at the other end of a dial-up connection is probably a bad idea (unless you enjoy simulating what the Internet was like in 1995). On a home network, this is typically the same machine you use as a firewall or DNS server. Fortunately, squid isn't very demanding when it supports only a few simultaneous users, so it can happily share a box that runs other services.

It is beyond the scope of this hack to include full squid installation instructions, but configuration isn't especially difficult. Just be sure to check your access rules and set a password for the management interface. If you have trouble getting it to run, check out Jennifer Vesperman's "Installing and Configuring Squid" at http://linux.oreillynet.com/pub/a/linux/2001/07/26/squid.html.

When squid is installed and running, it binds to TCP port 3128 by default. Once you have it running, you should test it manually by setting your HTTP proxy to the server. For example, suppose your server is running on mysquid.house (assuming that you are running the TLD of .house [Hack #56]). In Mozilla, go to Preferences > Advanced > Proxies, as in Figure 7-7.

Figure 7-7. Test your squid using the HTTP Proxy field in Mozilla.

Enter "mysquid.house" as the HTTP Proxy host, and "3128" for the port. Click OK, and try to load any web page. You should immediately see the page you requested. If you see an "Access Denied" error, look over the http_access lines in your squid.conf, and restart squid if necessary.
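The http_access rules are where most "Access Denied" errors come from. The following squid.conf excerpt is an added example, not part of the original hack or the squid distribution; the 192.168.1.0/24 network, the password, and the CIDR-style acl syntax (squid 3.x and later; older 2.x releases write netmasks as 255.255.255.0) are assumptions, so adjust them to your own network. Because the SSH tunnel described later delivers every browser's requests to squid from localhost on mysquid.house, you can tighten the rules to allow only localhost and drop the localnet line, which means nobody on the wireless side can use the cache without an SSH login.

```conf
# Listen on the default port that the SSH tunnel forwards to.
http_port 3128

# Who may use the proxy. The SSH tunnel makes forwarded browsers appear
# as 127.0.0.1 on the squid host, so "localhost" is the only acl that
# tunneled users need. "localnet" is an assumed wired LAN range.
acl localhost src 127.0.0.1/32
acl localnet  src 192.168.1.0/24

http_access allow localhost
http_access allow localnet
# Everything not matched above (anyone on the Internet, any untunneled
# wireless client) is refused with squid's "Access Denied" page.
http_access deny all

# Password for the cache manager interface (cachemgr.cgi). Without this,
# anyone allowed by http_access can read squid's internal statistics.
# "change-me" is a placeholder.
cachemgr_passwd change-me all
```

After editing, restart squid (or ask it to reread its configuration) and repeat the browser test above; a request from the wireless side that is not tunneled should now fail, while a tunneled one succeeds.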

Once you are satisfied that you have a happy squid, then you need only to forward your connection to it over SSH. Set up a local listener on port 3128, forwarding to mysquid.house:3128 like this:

rob@caligula:~$ ssh -L3128:localhost:3128 mysquid.house -f -N

This will set up an SSH tunnel and fork into the background automatically. Next, change the HTTP Proxy host in your browser to localhost, and reload your page. As long as your SSH tunnel is running, your web traffic will be encrypted all the way to mysquid.house, where it is decrypted and sent on to the Internet.

The biggest advantage of this technique (compared to using the SSH SOCKS 4 proxy [Hack #92]) is that virtually all browsers support the use of HTTP proxies, while not every browser supports SOCKS 4. Also, if you are using OS X, there is support for HTTP proxies built into the OS itself. This means that every properly written application will use your proxy settings transparently. I'll go into that in more detail later [Hack #97].

Note that HTTP proxies have the same difficulties with DNS as a SOCKS 4 proxy, so keep those points in mind when using your proxy. Typically, your squid proxy is used from a local network, so you don't usually run into the DNS schizophrenia issue. But your squid can theoretically run anywhere (even behind a remote firewall), so be sure to check out the notes on DNS in that hack.
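Once the tunnel is up, it helps to have a quick check that tells the three likely states apart: nothing listening on the local port (the ssh -L listener is not running), squid refusing the request (http_access rules), and a working proxy. The script below is an added example written for this hack; it is not part of the original text or of squid or OpenSSH. It sends a single proxy-style request through whatever is listening on localhost:3128 and classifies the reply. It also shows the DNS point from the paragraph above: a browser talking to an HTTP proxy sends the absolute URL in the request line and never resolves the target hostname itself, so name resolution happens on the squid host. The run_fake_squid helper is a constructed stand-in for a real squid listener so the check can be exercised offline; against a real tunnel you would call probe_proxy("localhost", 3128, url) directly.

```python
"""Probe an HTTP proxy reached over an SSH tunnel (ssh -L3128:localhost:3128 mysquid.house)."""
import socket
import threading
from urllib.parse import urlsplit


def build_proxy_request(url):
    """Request as a browser sends it to an HTTP proxy: the request line carries the
    absolute URL, so the proxy (not this client) resolves the hostname."""
    netloc = urlsplit(url).netloc
    return (f"GET {url} HTTP/1.0\r\n"
            f"Host: {netloc}\r\n"
            "Connection: close\r\n\r\n").encode()


def probe_proxy(proxy_host, proxy_port, url, timeout=5.0):
    """Send one request through the proxy listener and classify the outcome.

    state is one of: "no-listener" (tunnel not running), "access-denied"
    (squid's http_access rules refused us), "ok" (2xx/3xx), "timeout", or
    "unexpected".
    """
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_proxy_request(url))
            data = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return {"state": "no-listener", "status": None}
    except socket.timeout:
        return {"state": "timeout", "status": None}

    if not data:
        return {"state": "unexpected", "status": None}
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    fields = status_line.split()
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None

    # squid answers a refused request with 403 and its "Access Denied" error page.
    if status == 403 or b"Access Denied" in data:
        state = "access-denied"
    elif status is not None and 200 <= status < 400:
        state = "ok"
    else:
        state = "unexpected"
    return {"state": state, "status": status}


def run_fake_squid(allow):
    """Constructed stand-in for a squid listener, used only so the probe can run
    offline. Serves exactly one request on a background thread and returns the
    ephemeral port it listens on. With allow=False it behaves like squid whose
    http_access rules deny the client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)
            req = b""
            while b"\r\n\r\n" not in req:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                req += chunk
            if allow and req.startswith(b"GET http://"):
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                             b"<html>ok</html>")
            else:
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                             b"<html><h1>ERROR</h1><p>Access Denied.</p></html>")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Against a real tunnel: python3 this_script.py, with ssh -L3128:localhost:3128 running.
    print(probe_proxy("localhost", 3128, "http://www.squid-cache.org/"))
```

A "no-listener" result means the ssh -L command is not running (or was started without -N and exited with its shell); "access-denied" points at the http_access lines in squid.conf on mysquid.house, since with the tunnel your requests arrive there from 127.0.0.1.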

Running squid takes a little bit of preparation, but can both secure and accelerate your web traffic when using wireless. Of course, squid will support as many simultaneous wireless users as you care to throw at it, so be sure to set it up for all of your regular wireless users, and keep your web traffic private.



Wireless Hacks. 100 Industrial-Strength Tips and Techniques
Year: 2003
Pages: 158
