Secure and Private Browsing with Squid
Author: Joe Topjian <joe [at] adminspotting [dot] net>
Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you're doing -- which is a good thing when you're doing something personal like checking email over the web or buying something from amazon. But if you're just doing stuff like reading the daily news or checking movie times, is privacy that important? The ultra-paranoid will give a resounding "yes" to that question while most people will just shrug. I find myself in between those two parties. At home while I'm reading the news, I could care less if the traffic is encrypted or not. However, when I'm at a public wi-fi spot, it does bother me a bit.
What we're going to do is set up a Squid server somewhere outside the network we're currently on. Squid will only accept connections from the server itself -- no outside connections. Then how do we use it? We'll create an SSH tunnel into it. Once the tunnel is created, we simply set our webbrowser to use a proxy server with the address of our SSH tunnel. Now any web traffic going out of our laptop to our Squid server will be encrypted.
But what about from the Squid server to the actual webpage? That stuff won't be encrypted, unfortunately. But hey, atleast we got outside the unprotect LAN securely.
I'll be using Debian Sarge for the Squid server, but you're more than welcome to use whatever distro you want. After Squid is installed, the configuration will be the exact same. To install Squid on Debian, just do:
apt-get install squid
The default configuration for Debian (and maybe other distributions too -- better check!) is to only allow connections from the localhost. This doesn't harm anything, so we can leave it as is. However, we still need a way for us to connect externally. For that, we will add an acl that will prompt us for a password and if we're authenticated it will let us in. We'll add it right before the "deny all" portion" so it'll look something like this:
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access allow password
http_access deny all
By default, Squid listens on port 3128. I personally like 8080 better, so we'll change it with:
Next we need to set up authentication for Squid. There are a bunch of different authentication methods that come with the Debian package and they can be viewed with:
We'll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. Search for the auth_param section in the config and add these lines:
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Next search for this line and uncomment it:
acl password proxy_auth REQUIRED
Now create a pam module called /etc/pam.d/squid that contains:
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
You will need to give this file SUID access so chmod it 4755. Yeah, I know this isn't the best way to do this but it's the least complicated. You're more than welcome to research the other methods on your own.
Squid should be all set and ready to go. Next make sure you have shell access to the server via SSH. It doesn't matter if you use a password, passphrase, or blank passphrase. To set the tunnel up, run this:
ssh -L 8080:squidhost:8080 username@squidhost
You'll be asked for authentication and if you're successful, it'll look like you've logged into the remote box. If you open another window up and type
telnet localhost 8080
You'll see that you're now talking to squid on the remote server.
Finally, tell your browser to use the SSH tunnel as a proxy. I won't go over each individual browser here, but basically it'll be somewhere in the preferences. For the hostname, just type in localhost and for the port, type in 8080.
Now whenever you browse to a webpage, you'll be prompted for authentication. Type in your shell account information and you'll be all set to go. The browser might give a warning about authenticating through plaintext -- ignore it. It will be travelling through our SSH tunnel so it will be encrypted.
Congratulations! You may now surf the web without worry of anyone snooping on you. If anyone has any comments, fixes, or ways to improve this method, please let me know!
Original location of this document: http://adminspotting.net/howtos/securesquid.html