Using a ssh tunnel to retrieve the data from websites is significantly faster than trying to use X forwarding to open a remote copy of Firefox on the remote machine. If a remote browser is used the connection will be saturated by the graphical front end of the remote browser window. Use the tunnel for the web site's data and leave the rendering of the browser to the local machine. This is the most efficient solution.
If you have access to a remote machine by way of ssh you can set up Firefox, or any other SOCKS v5 enabled application, to tunnel its connection through ssh. This way, if you were at work and wanted to browse your favorite sites like MySpace, Facebook or Maxim that are blocked at the company firewall you could.
Getting Started
First you must have ssh access to the remote machine you want to proxy to. Let it be a home machine or a free shell you signed up for on-line. You must also make sure you can ssh from where your browser is to where you want to tunnel to. No need to set this up if port 22 is not open to you from your location to your destination. IMPORTANT NOTE: The Firefox tunnel using SOCKS5 (option 1) is the easiest and quickest proxy to setup. If you just want to get the proxy working then follow the SOCKS5 options.
Configure Firefox for the proxy
You need to configure Firefox to use the proxy. Find the section to add a proxy to the browser. On *nix systems of Firefox you will find the settings in File, Preferences, Advanced, Network, Settings. The setting by default is "Direct Connection to the Internet". We need to setup the "Manual proxy configuration".You have two(2) options to pick from. You can proxy directly to the remote machine and then connect directly to web sites. This is the SOCKS5 method and is the easiest to setup. Or, you could use a Squid web proxy (if available) on the remote machine to accept the traffic from the ssh tunnel. Squid would then request the traffic from web sites. Pick one of the options below.
NOTE: For our example, ssh is going to listen on localhost (127.0.0.1) and port 8080 of the local machine.
Option 1: ssh and direct connect (SOCKS5) : If you are going to use the ssh tunnel with the option "-D 8080" then you need to setup the browser to use a SOCKS5 proxy. Setup the proxy config page with the following entries and leave the rest of the entries blank.
Option 2: ssh tunnel to squid proxy (HTTP/SSL Proxy) : If you are going to use the ssh tunnel with the option "-L 8080:localhost:2020" to connect to the remote machine's Squid proxy then configure the browser to use a HTTP/SSL proxy. Setup the proxy config page with the following entries and leave the rest of the entries blank.Manual proxy configuration: SOCKS Proxy 127.0.0.1 Port 8080 check the box for "SOCKS v5"
Manual proxy configuration: HTTP Proxy: 127.0.0.1 Port 8080 SSL Proxy : 127.0.0.1 Port 8080
Optional Step: DNS proxying through SOCKS5 is highly recommended
This step is optional, but since we are going to be proxying the data over the ssh tunnel then we should also proxy the DNS requests as well. The purpose of this exercise is to get to a site we might not otherwise be able to retrieve or just to anonymize our browsing from your location. If we tunneled our data through ssh and then asked the local DNS server for the ips it would defeat the purpose. So, add a boolean option into the URL "about:config" page in Firefox. Name the entry "network.proxy.socks_remote_dns" and set it to true.This method will only take affect if you use the SOCKS5 proxy method. If you are proxying using the squid method (HTTP/SSL Proxy) you could always check if you can query another, independent DNS server like OpenDNS.
FYI: If you are using the program FoxyProxy you must make sure to go into the "options" section under "miscellaneous" and check the option "use SOCKS proxy for DNS lookups." FoxyProxy will override the about:config option we set above.##Preference Name Status Type Value network.proxy.socks_remote_dns user set boolean true
Making the ssh tunnel
Lastly, we need to start the ssh tunnel. You have two choices depending if you want the packets to be forwarded to squid on the remote machine or not.Option 1: ssh and direct connect (SOCKS5) : The following line will start the ssh client and connect to username@remote_machine.com. Port 8080 on localhost (127.0.0.1) will listen for requests and send them to the remote machine. The remote machine will then send the packets out as if they originated from itself. The ssh options are in the man page of ssh, but to summarize them in order: Compression, SSH2 only, Quite, Force pseudo-tty allocation, Redirect stdin from /dev/null, and Place the ssh client into "master" mode for connection sharing.
Option 2: ssh to squid proxy (HTTP/SSL Proxy) : The following line will also start the ssh client and connect to username@remote_machine.com. Port 8080 on localhost (127.0.0.1) on the current machine will listen for requests and ssh tunnel them to the remote machine. On the remote machine ssh will forward the packets to localhost port 2020. If squid is listening on localhost port 2020 on the remote machine then all requests sent though the ssh tunnel will then be forwarded to squid. You can use squid to block ads and speed up web access. If you need assistance with squid, check out the Calomel.org Squid "how to" page.ssh -C2qTnN -D 8080 username@remote_machine.com
ssh -C2qTnN -L 8080:localhost:2020 username@remote_machine.com
Testing the ssh tunnel
Once you execute the ssh line the encrypted and compressed ssh tunnel will be active in the xterm. We used the "quite" options in ssh so there will not be any logging or output to the terminal.Make sure Firefox is working by checking the proxy is active and then try to go to a web page. You can also try a site like WhatIsMyIp.com to verify the ip you have with the proxy is different than without.
If everything is working then you can be assured that all of your browsing traffic is being encrypted through the tunnel and no one at your current location will be able to see your traffic over the network.
Once you are done with the proxy just exit the ssh xterm or kill this instance of ssh with Ctrl-c. Remember to set Firefox back to "Direct Connection" if you want to directly browse from your location otherwise you will not be going anywhere.
Interested in setting up Squid or Samba? Check out our guides covering the Squid Proxy and Samba file share servers. We offer clear explanations and fully working example configurations.
No comments:
Post a Comment