Desert Crystal Solutions


Secure and Private Browsing with Squid

Saturday, 08 October 2005 09:13

Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you're doing -- which is a good thing when you're doing something personal like checking email over the web or buying something from amazon. But if you're just doing stuff like reading the daily news or checking movie times, is privacy that important? The ultra-paranoid will give a resounding "yes" to that question while most people will just shrug. I find myself in between those two parties. At home while I'm reading the news, I could care less if the traffic is encrypted or not. However, when I'm at a public wi-fi spot, it does bother me a bit.

Most public areas that allow access to the internet have absolutely no security in place. Need a good eye-opener? Next time you're at a public hotspot, take a copy of the dsniff tools.

This article will show you a way to protect yourself from something like this -- in a way. This article will only show you how to protect your web traffic. If you still decide to talk to your CEO over AIM about some ultra-secret product coming out next week while waiting for your next flight, this won't save you. Squid can, of course, proxy requests for other applications besides HTTP, but HTTP is all I'll be covering. Maybe I'll go over other applictions in another article.

OK, let's get started. Here's what we'll need:

  • A server running Squid on some other network.
  • A laptop with ssh and port-forwarding support.
  • What we're going to do is set up a Squid server somewhere outside the network we're currently on. Squid will only accept connections from the server itself -- no outside connections. Then how do we use it? We'll create an SSH tunnel into it. Once the tunnel is created, we simply set our webbrowser to use a proxy server with the address of our SSH tunnel. Now any web traffic going out of our laptop to our Squid server will be encrypted.

    But what about from the Squid server to the actual webpage? That stuff won't be encrypted, unfortunately. But hey, atleast we got outside the unprotect LAN securely.

    I'll be using Debian Sarge for the Squid server, but you're more than welcome to use whatever distro you want. After Squid is installed, the configuration will be the exact same. To install Squid on Debian, just do:

    apt-get install squid
    The default configuration for Debian (and maybe other distributions too -- better check!) is to only allow connections from the localhost. This doesn't harm anything, so we can leave it as is. However, we still need a way for us to connect externally. For that, we will add an acl that will prompt us for a password and if we're authenticated it will let us in. We'll add it right before the "deny all" portion" so it'll look something like this:

    acl localhost src http_access allow localhost http_access allow password http_access deny all
    By default, Squid listens on port 3128. I personally like 8080 better, so we'll change it with:

    http_port 8080
    Next we need to set up authentication for Squid. There are a bunch of different authentication methods that come with the Debian package and they can be viewed with:

    ls /usr/lib/squid/*auth
    We'll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. Search for the auth_param section in the config and add these lines:

    auth_param basic program /usr/lib/squid/pam_auth auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours
    Next search for this line and uncomment it:

    acl password proxy_auth REQUIRED
    Now create a pam module called /etc/pam.d/squid that contains:

    auth required /lib/security/ account required /lib/security/
    You will need to give this file SUID access so chmod it 4755. Yeah, I know this isn't the best way to do this but it's the least complicated. You're more than welcome to research the other methods on your own.

    Squid should be all set and ready to go. Next make sure you have shell access to the server via SSH. It doesn't matter if you use a password, passphrase, or blank passphrase. To set the tunnel up, run this:

    ssh -L 8080:squidhost:8080 username@squidhost
    You'll be asked for authentication and if you're successful, it'll look like you've logged into the remote box. If you open another window up and type

    telnet localhost 8080
    You'll see that you're now talking to squid on the remote server.

    Finally, tell your browser to use the SSH tunnel as a proxy. I won't go over each individual browser here, but basically it'll be somewhere in the preferences. For the hostname, just type in localhost and for the port, type in 8080.

    Now whenever you browse to a webpage, you'll be prompted for authentication. Type in your shell account information and you'll be all set to go. The browser might give a warning about authenticating through plaintext -- ignore it. It will be travelling through our SSH tunnel so it will be encrypted.

    Congratulations! You may now surf the web without worry of anyone snooping on you. If anyone has any comments, fixes, or ways to improve this method, please let me know!
    (Original Document from