
[NMLUG] simple proxy


  • Subject: [NMLUG] simple proxy
  • From: timothyemerick at yahoo.com (Tim Emerick)
  • Date: Tue Oct 5 01:07:46 2004
  • In-reply-to: <41615063.2090706@boim.com>

OK, I gotcha.  I know that there are a few simple proxies out there but I found that squid worked the best for me right out of the box and it's also supported by debian's apt-get.  The only thing that I had to change in the /etc/squid.conf file was the hostname.  Your users would ssh into the box and forward their localhost port 3128 (see http://squid.visolve.com/squid/index.htm) to your ssh server.  Setting up squid after the apt-get should take you less than 5 minutes, especially after checking out the quick setup guide on the site I cited earlier.
 
As for your Debian updates, here are a few links you might like to investigate:
http://apt-proxy.sourceforge.net/
http://www.nick-andrew.net/projects/apt-cacher/
http://talk.trekweb.com/~jasonb/software.shtml
 
Good luck on your project.  I've gotten fairly adept at maneuvering past my draconian MS based firewall at work for just the reasons you stated.
 
Tim
Aaron Birenboim <aaron@boim.com> wrote:
Tim Emerick wrote:
> OK, let me see if I've got this straight. You want to have folks on the 
> outside of your network SSH in through their firewall and through your 
> firewall and use the proxy inside your network to access resources 
> outside your network.

Ummm... I'm not quite following.

What I have is a remote machine, on a less secure network
running SSH. We use it as a relay.
Both corporate and customer networks allow SSH out.

I can SSH to this machine, and open tunnels to get things
like Debian updates. (Corporate does not allow UN*X machines
access to the HTTP proxy)
If I put a simple proxy on this less-firewalled SSH server,
I can get HTTP(FTP?) access to the world through its proxy.
(Remember, the corporate proxy allows only authenticated MS clients...)

I can also open tunnels,
and the customer can open tunnels to this machine...
we can hook the tunnels together to communicate using
the LESS-FIREWALLED ssh server as a relay device.


> Here's what I have in place at home. My debian box is running sshd. My 
> firewall (smoothwall.org) has a few ports open, one of them is an 
> nonstandard SSH port (Firewall at my work blocks all but port 80/443/21 
> traffic) which port forwards incoming TCP/21 to my Debian SSH machine on 
> TCP/22. My firewall also has a transparent proxy (squid) that only 
> accepts connections from my internal network.

sounds somewhat similar... except that the ONLY access to my ssh server
is ssh. I need to tunnel the proxy port over ssh... which is ok.

> 
> At work I use Windows XP and Putty (www.chiark.greenend.org.uk/~sgtatham/putty/) to initiate my 
> SSH connection. I have putty forward port X requests to my 
> firewall/proxy Port X. My Firefox browser is setup to use the proxy 
> (localhost:x) for http, https, and ftp. I now have a secure tunnel 
> between my work PC and my proxy at home with unfettered access out to 
> the internet (and back in of course) through the tunneled proxy.

similar again. I will tunnel the proxy port(s).

> The data path would go something like this. their browser (with proxy 
> server being localhost:x) -> their ssh -> their firewall -> your 
> firewall -> your sshd -> your proxy server -> back out your firewall to 
> the internet. And back again of course.

I do things like open REVERSE tunnels to the remote SSH server.
(-R option). Customers can then log into this SSH server
with a forward tunnel (-F) to this same port and communicate
with our corporate servers.

I'm just looking into setting up a very simple proxy so
our corporate LINUX boxen can get HTTP(FTP?).

> I don't know enough about the linux ssh client to tell you how to 
> configure it to allow the port forward once the connection is made...


The ssh stuff is a solved problem for me.

In the past, I have opened tunnels directly to WWW sites
to get things like debian updates. It's a pain, difficult to manage,
and assumes that users all know as much as I do about
establishing SSH tunnels. If the SSH server had a real
proxy, I think there is a way to configure debian to use
a proxy, and then I can list actual update URL's in sources.list.

-- 
Aaron Birenboim | This space available!
Albuquerque, NM |
aaron_at_birenboim.com |
http://aaron.boim.com |
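
The setup discussed in this thread (squid on the SSH relay, reached only through a forwarded port 3128, with apt on the client pointed at the tunnel), as an added example that is not part of the original messages. The host `relay.example.org`, the account `user` and the file name `01proxy` are assumptions; the check function verifies that a squid.conf keeps the proxy reachable only through the tunnel (IPv4 loopback only).

```shell
#!/bin/sh
# Added example, not from the thread. relay.example.org, "user" and
# 01proxy are placeholder names.

# Constructed sample of relay-side squid settings: listen on loopback only,
# so the proxy can be reached solely through an SSH port forward.
sample_squid_conf() {
cat <<'EOF'
http_port 127.0.0.1:3128
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
EOF
}

# Return 0 only if every http_port binds to IPv4 loopback and the final
# http_access rule is "deny all"; otherwise print the reason and return 1.
squid_tunnel_only() {
    conf=$1
    bad=$(grep -E '^[[:space:]]*http_port[[:space:]]' "$conf" |
          grep -Ev 'http_port[[:space:]]+(127\.0\.0\.1|localhost):[0-9]+' || true)
    [ -z "$bad" ] || { echo "exposed listener: $bad"; return 1; }
    grep -Eq '^[[:space:]]*http_port[[:space:]]' "$conf" ||
        { echo "no http_port line"; return 1; }
    last=$(grep -E '^[[:space:]]*http_access[[:space:]]' "$conf" | tail -n 1)
    # Unquoted echo collapses runs of whitespace before comparing.
    [ "$(echo $last)" = "http_access deny all" ] ||
        { echo "last http_access is not 'deny all'"; return 1; }
}

# apt proxy line for the client, pointing at the local end of the tunnel.
apt_proxy_conf() {
    printf 'Acquire::http::Proxy "http://127.0.0.1:%s/";\n' "${1:-3128}"
}

# On the client (shown, not executed here):
#   ssh -N -L 127.0.0.1:3128:127.0.0.1:3128 user@relay.example.org
#   apt_proxy_conf 3128 > /etc/apt/apt.conf.d/01proxy
# After that, sources.list can carry the real update URLs.
```

Binding the local end of the forward to 127.0.0.1 keeps other machines on the client's network from using the tunnel.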


		


