Comments on Secure and Private Browsing with Squid
Version 1.0
Author: Joe Topjian <joe [at] adminspotting [dot] net>
Last edited 05/02/2005

Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you're doing -- which is a good thing when you're doing something personal like checking email over the web or buying something from Amazon. But if you're just doing stuff like reading the daily news or checking movie times, is privacy that important? The ultra-paranoid will give a resounding "yes" to that question, while most people will just shrug. I find myself in between those two parties. At home while I'm reading the news, I couldn't care less whether the traffic is encrypted or not. However, when I'm at a public Wi-Fi spot, it does bother me a bit.
12 Comment(s)
Comments
Proxy auth along with a max_ip ACL would make it even more secure. I think max_ip is wrong but I can't remember the exact ACL. I faced a problem with it. I hope somebody would come up with a howto for it.
I used to use this exact method but with tinyproxy instead of squid. A stronger, more distributed method of browsing anonymously can be accomplished with Tor (http://tor.eff.org/). There is no server required for you to configure. You just run a Tor client on your machine and it connects (securely) to the Tor network, with randomized entry and exit nodes. The method in this article ties your traffic to a single server which can be watched and which is most definitely connected to your client.
I briefly read something about Tor yesterday.. I'll have to look at it in more depth now. Thanks!
Forgot to login.. that comment was from me :P
Sorry, but how does adding squid help? You do know you can just run a Socks proxy through ssh, right? ssh -D 8128 remote.host.name and then set up your laptop to use localhost and port 8128 as the socks proxy - much simpler. Your only concern with my method being that dns lookups are done locally and so are viewable, but really - who cares about that most of the time?
I was unaware of using Socks and SSH. Thanks for the input, I'll look into that as well.
Using SSH also has some problems when using it as a proxy; sometimes it locks up and you have to exit the connection using "~." and then log back in. The OpenSSH programmer guy is a pain in the ass to talk to, he thinks everyone else is of a lower evolution than he is and thinks he is the SSH god of the world, so never mind ever seeing it get fixed. Even when just using it for a tunnel it has the same sort of problem. Socks 4 is the only thing supported. Basically it sucks as any type of tunnel, sorry. If you have nothing else to use then oh well.
The finished http_access section, according to this article, would be:
http_access allow localhost
http_access allow password
http_access deny all
This will NOT prompt for proxy authentication for SSH-tunneled connections - they come from localhost and will be allowed before authentication is used.
That first http_access line should be re-written:
http_access deny !localhost
The logic of Squid access controls is explained in the FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
Actually, we are both wrong.
I assumed that when creating an SSH tunnel all network traffic coming out of the tunnel would be viewed as being sourced locally. This isn't the case. All traffic is still viewed as coming from the external interface. Therefore, denying anything but local connections would mean we could not access squid at all. So adding "deny !localhost" completely shuts us off. You were correct when saying that the "allow password" was the key acl prompting us for a password and letting us in.
Thank you for pointing this out.. I will update the howto accordingly!
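The two comments above turn on one property of Squid's http_access: rules are tried in squid.conf order, the first line whose ACLs all match decides, and a proxy_auth ACL reached without credentials makes Squid send a 407 challenge instead of a verdict. The small simulator below is an added example written for this page, not Squid code and not from the howto; the ACL table (localhost as src 127.0.0.1, password as proxy_auth REQUIRED, all as every source) and the external source address 203.0.113.5 are constructed assumptions, and it models the challenge as happening whenever an unauthenticated request reaches the proxy_auth ACL, which is enough for rules where that ACL is the only one on its line. Running it shows why "deny !localhost" first shuts out the tunnelled traffic (it arrives from the external interface) while the article's ordering falls through to "allow password" and prompts.

```python
"""First-match evaluation of Squid http_access rules (hypothetical simulator).

Not Squid's code: it models only the three ACL kinds the thread uses
(src, proxy_auth, and the catch-all 'all') and Squid's documented
default of applying the opposite of the last rule when nothing matches.
"""
from dataclasses import dataclass

# Constructed ACL table mirroring the howto's names (assumed, not quoted):
#   localhost -> src 127.0.0.1
#   all       -> src 0.0.0.0/0 (None below means "matches every source")
#   password  -> proxy_auth REQUIRED
ACLS = {
    "localhost": ("src", {"127.0.0.1"}),
    "all": ("src", None),
    "password": ("proxy_auth", None),
}

ARTICLE_RULES = ["allow localhost", "allow password", "deny all"]
PROPOSED_RULES = ["deny !localhost", "allow password", "deny all"]


@dataclass
class Request:
    src_ip: str
    authenticated: bool = False


def acl_matches(name, req):
    """True/False for a plain match; None when Squid needs credentials first."""
    kind, hosts = ACLS[name]
    if kind == "src":
        return hosts is None or req.src_ip in hosts
    if kind == "proxy_auth":
        return True if req.authenticated else None
    raise ValueError(f"unknown ACL {name}")


def http_access(rules, req):
    """Evaluate 'allow|deny acl [acl ...]' lines in file order.

    Returns 'ALLOW', 'DENY', or 'CHALLENGE' (the 407 proxy-auth prompt).
    """
    last_action = None
    for rule in rules:
        action, *acl_names = rule.split()
        last_action = action
        matched = True
        for raw in acl_names:
            negate = raw.startswith("!")
            result = acl_matches(raw.lstrip("!"), req)
            if result is None:          # unauthenticated hit on proxy_auth
                return "CHALLENGE"
            if negate:
                result = not result
            if not result:              # every ACL on the line must match
                matched = False
                break
        if matched:
            return action.upper()
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "DENY" if last_action == "allow" else "ALLOW"


def demo():
    """Replay the thread: tunnelled traffic arrives from the external address."""
    external = Request("203.0.113.5")          # constructed external source
    external_auth = Request("203.0.113.5", authenticated=True)
    return {
        "article, unauthenticated": http_access(ARTICLE_RULES, external),
        "article, authenticated": http_access(ARTICLE_RULES, external_auth),
        "article, from localhost": http_access(ARTICLE_RULES, Request("127.0.0.1")),
        "proposed deny !localhost": http_access(PROPOSED_RULES, external),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28} -> {verdict}")
```

The default-verdict rule at the end is the reason a config that ends with "allow password" and no "deny all" would still deny unmatched requests; keeping an explicit "deny all" last simply makes that intent readable.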
Hi,
Thanks for the info on this. I thought I'd be having to pay for a service to have electronic privacy at work. So, now that I'm set up, I would like to ask: how secure is this whole HTTP-over-SSH tunneling connection?
Justin
For instance, how is DNS resolved?
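The DNS question comes up twice above: the ssh -D commenter notes that lookups happen locally, and Justin asks how names are resolved. With a SOCKS5 proxy (OpenSSH's -D accepts both SOCKS4 and SOCKS5 clients) the answer depends on the client: it can resolve the name itself and send the address (the lookup is then visible on the local network), or it can send the hostname in the CONNECT request and let the far end of the tunnel resolve it, which is what Firefox's network.proxy.socks_remote_dns setting and curl's socks5h:// scheme select. The encoder and decoder below are an added example for this page, not OpenSSH or browser code; they cover only the RFC 1928 CONNECT message, not the method negotiation or the proxy's reply, and the hostnames and addresses used are constructed.

```python
"""Where DNS happens behind `ssh -D`: the SOCKS5 CONNECT request on the wire.

Added illustration, not from the article.  Only the RFC 1928 CONNECT
request is modelled (no greeting/method negotiation, no reply).
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def connect_request(target, port, remote_dns=True):
    """Encode a SOCKS5 CONNECT for target:port.

    remote_dns=True  -> a hostname is sent verbatim (ATYP 3); the proxy end
                        of the tunnel resolves it, so no lookup leaves the client.
    remote_dns=False -> the client resolves first and sends the address
                        (ATYP 1/4); the lookup is visible on the local network.
    """
    try:
        addr = ipaddress.ip_address(target)      # literal IP: nothing to resolve
    except ValueError:
        if remote_dns:
            name = target.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5 (1-byte length)")
            head = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name))
            return head + name + struct.pack("!H", port)
        # Local resolution: this is the leaking path the comments describe.
        addr = ipaddress.ip_address(socket.gethostbyname(target))
    atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
    head = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, atyp)
    return head + addr.packed + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode what the proxy end sees; returns (atyp, target, port)."""
    if len(data) < 4:
        raise ValueError("truncated request")
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("not a SOCKS5 CONNECT")
    body = data[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        target, rest = body[1:1 + n].decode("idna"), body[1 + n:]
    elif atyp == ATYP_IPV4:
        target, rest = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        target, rest = str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return atyp, target, struct.unpack("!H", rest)[0]


def resolves_remotely(data):
    """True when the request carries a hostname, i.e. the proxy does the lookup."""
    return parse_connect_request(data)[0] == ATYP_DOMAIN


if __name__ == "__main__":
    for tgt, port in [("example.com", 443), ("192.0.2.10", 80)]:   # constructed targets
        req = connect_request(tgt, port)
        print(tgt, "->", req.hex(), "remote DNS:", resolves_remotely(req))
```

Reading the parsed address type on the proxy side is also a cheap way to verify a browser's proxy settings: if every CONNECT arrives as ATYP 1 or 4, the client is resolving names before the tunnel.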
It's really a very useful site, and I have one more small request/doubt.
How can I get the proxy user log?
Please mail me, email id: [email protected]
vicky