Secure Browsing With Squid and SSH

Public places that offer Internet access (airports, cafés, open wireless networks and the like) usually offer no protection at all. On an open WiFi network anyone within radio range can capture your unencrypted traffic, and whoever runs the access point can read or alter it. This hack shows one way to protect your web browsing while you are on such a network.

In a nutshell, we will set up a proxy server (Squid) on a trusted machine that we can reach over SSH, open an SSH tunnel from the laptop across the public network to that machine, and tell the browser to use the local end of the tunnel as its HTTP proxy. The only hop the hotspot can see, laptop to SSH server, is then encrypted. From Squid onwards the traffic travels as it normally would, so a site that uses plain HTTP is still readable between your server and the site; what you gain is that nobody at the hotspot can read or tamper with it.

First, choose a server to host the Squid proxy. On a home network this is typically the same machine that acts as your firewall or router. If you administer a corporate network, consider putting Squid on a dedicated machine.

For the scope of this post I will show how to install Squid on a typical UNIX-based system; if you are going to run Squid on a Windows server, take a look at the Squid-Windows installation How-To instead. At the time of writing the latest stable release is Squid 2.6. Download the source and run the following commands (the build installs under /usr/local/squid by default):

# unpack and build; the default install prefix is /usr/local/squid
tar -xzf squid-2.6.STABLE14.tar.gz
cd squid-2.6.STABLE14
./configure && make && make install
# unprivileged account that Squid switches to after it is started as root
groupadd squid
useradd -g squid squid

Open squid.conf (the default location is /usr/local/squid/etc/squid.conf) and set the account Squid drops its privileges to after starting, so the proxy never runs as root:

cache_effective_user squid
cache_effective_group squid

Now run the following commands to start Squid as a daemon. The -z run is needed once only: it creates the cache directories and gives them to the user configured above.

/usr/local/squid/sbin/squid -z   # first run only: creates the cache directories
/usr/local/squid/sbin/squid

Once Squid is running it listens on port 3128 by default. Test it by hand from a machine on the same LAN before involving SSH: in Firefox go to Tools -> Options -> Advanced -> Network -> Settings, enter the IP address or host name of the Squid machine (e.g. 192.168.0.100) and 3128 as the port, and load any web page. An access denied error means the http_access rules in squid.conf do not allow your client; the stock rules allow only localhost, so add your LAN range for this test and take it out again once the tunnel works. Every request that arrives through the tunnel reaches Squid from 127.0.0.1, so the localhost rule is the only one the finished setup needs, and any broader rule simply widens the set of people who can use your proxy. A Squid that answers anyone on the Internet is an open proxy.
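The following hardened squid.conf fragment goes with the steps above. It is added here as an example and is not part of the original post; it assumes the default file locations given above and that every legitimate client will arrive through the SSH tunnel, i.e. from 127.0.0.1 on the server.

```conf
# Listen on the loopback interface only. Squid is reached through the SSH
# tunnel and never directly from the LAN or the Internet (assumption: all
# clients tunnel in). Without the address, Squid binds every interface.
http_port 127.0.0.1:3128

# Unprivileged account Squid switches to after starting as root.
cache_effective_user squid
cache_effective_group squid

# Only loopback clients may use the proxy; everybody else is refused.
# (The stock 2.6 file already defines "all" and "localhost"; keep one copy.)
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny all

# Do not announce the proxy, or the server's host name, to the sites you
# visit: drop the Via and X-Forwarded-For headers Squid adds by default.
via off
forwarded_for off
```

Merge these lines into the ACL section of the stock squid.conf rather than replacing it: the default file also denies CONNECT to anything but the SSL_ports list, which is what lets HTTPS through the proxy while preventing the proxy from being used to reach arbitrary ports. After editing, /usr/local/squid/sbin/squid -k parse checks the syntax and -k reconfigure applies it to the running daemon.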

Once Squid is set up and ready to go, you need to forward your connection to it over SSH. To set the tunnel up on a Windows laptop, download Plink, the command-line version of the PuTTY SSH client, and run:

plink.exe -batch -N -l UserName -pw Password -L 3128:localhost:3128 SSH_Server

Two things to know about that command. -batch disables all interactive prompts, so Plink will refuse to connect to a server whose host key it has not already cached: connect once from a trusted network first, or the tunnel will not come up at the hotspot. That is the behaviour you want, since an unknown host key at a public hotspot may be an attacker impersonating your server. Passing the password with -pw puts it in the command line, where other users of the laptop can read it from the process list and where it ends up in the command history; prefer a key loaded into Pageant and leave -pw out.

On UNIX-based systems, simply run:

ssh -f -N -L 3128:localhost:3128 SSH_Server

-N opens no shell and -f backgrounds the client after authentication. If the server's host key is not yet in ~/.ssh/known_hosts, ssh will prompt you to accept it; as with Plink, do that once from a trusted network and treat a host-key warning at the hotspot as a reason to stop.

Finally, tell your browser to use the tunnel as its proxy. I won't go over each browser here, but in every case set the HTTP proxy host to localhost and the port to 3128. Set the SSL proxy to the same host and port as well (Firefox has a "Use this proxy server for all protocols" checkbox for this); otherwise HTTPS requests bypass the tunnel and go straight out over the hotspot. With an HTTP proxy the browser hands the full URL to Squid and Squid resolves the host name, so DNS lookups for proxied requests are made on the server rather than through the hotspot's DNS.
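A client-side wrapper for the UNIX steps above, added here as an example rather than code from the original post. It assumes key-based authentication to the host alias SSH_Server (so no password appears on the command line), that the server's host key is already in ~/.ssh/known_hosts, and that curl and either ss or netstat are installed. Besides bringing the tunnel up it checks that the local listener is bound to the loopback interface, so that nobody else at the hotspot can use your tunnel; the SAMPLE_NETSTAT_* strings are constructed listener tables used to exercise that check offline.

```shell
#!/bin/sh
# tunnel.sh: bring up the Squid tunnel and verify it is reachable only
# from this laptop. Example code, not part of the original post.
set -eu

SSH_SERVER=${SSH_SERVER:-SSH_Server}   # assumed alias from ~/.ssh/config
LOCAL_PORT=${LOCAL_PORT:-3128}
REMOTE_PORT=${REMOTE_PORT:-3128}

# Start the tunnel in the background. Key-based auth is assumed, so no
# password shows up in the process list. StrictHostKeyChecking=yes refuses
# a host key that is not already in known_hosts: record it at home, not at
# the hotspot, or an attacker there could impersonate the server.
# ExitOnForwardFailure makes ssh fail loudly if port 3128 is already taken,
# and the explicit 127.0.0.1 bind keeps the listener off the WiFi interface
# even if GatewayPorts is set somewhere in ~/.ssh/config.
start_tunnel() {
    ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -o ServerAliveInterval=30 \
        -L "127.0.0.1:${LOCAL_PORT}:localhost:${REMOTE_PORT}" \
        "${SSH_SERVER}"
}

# Read an `ss -ltn` or `netstat -an` table on stdin and print the local
# address of the TCP listener on the given port (prints nothing if none).
local_listener_addr() {
    awk -v p="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("[:.]" p "$")) { print $i; exit }
        }'
}

# True if a local address is on the loopback interface, in Linux netstat,
# ss and BSD netstat notation (IPv4 and IPv6).
listener_is_loopback() {
    case "$1" in
        127.*|::1:*|\[::1\]:*|::1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch a URL through the tunnel and print the HTTP status Squid returned.
check_proxy() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --proxy "http://127.0.0.1:${LOCAL_PORT}" "$1"
}

# Constructed sample tables for an offline check of the parser: a correct
# loopback-only tunnel (netstat layout) and one that a GatewayPorts=yes
# setting has exposed to the whole LAN (ss layout).
SAMPLE_NETSTAT_OK='Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 127.0.0.1:3128     0.0.0.0:*          LISTEN
tcp        0      0 192.168.0.5:51234  93.184.216.34:80   ESTABLISHED'
SAMPLE_NETSTAT_EXPOSED='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:3128        0.0.0.0:*
LISTEN  0      128    127.0.0.1:631       0.0.0.0:*'

main() {
    start_tunnel
    addr=$( (ss -ltn 2>/dev/null || netstat -an) | local_listener_addr "$LOCAL_PORT")
    if [ -z "$addr" ]; then
        echo "no listener on port $LOCAL_PORT; ssh did not bring the tunnel up" >&2
        exit 1
    fi
    if ! listener_is_loopback "$addr"; then
        echo "tunnel listens on $addr and is reachable from the hotspot; check GatewayPorts" >&2
        exit 1
    fi
    echo "tunnel on $addr; proxy answered HTTP $(check_proxy http://example.com/)"
}

# Run only when invoked as `sh tunnel.sh run`, so the functions can be
# sourced or tested without opening a connection.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh tunnel.sh run` after connecting to the hotspot; a non-zero exit means the tunnel is missing or is listening on an interface other than loopback, and the browser should not be pointed at it until that is fixed.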