Help with setting up SSH proxy

I would like to set up an SSH proxy (on a VPS) to be used exclusively by a few authenticated users, with Firefox. Ideally, they would get a USB key with the pre-configured Firefox on it and they shouldn't adjust anything on their PC. Is this possible? If yes, what would you suggest as the ideal complete setup?

Thanks for any help!
Jay
jiiins2 Asked:
mchkorg Commented:
Hello,
My understanding is you want to bypass some official proxy with an SSH tunnel to another proxy you're controlling.
If I'm not wrong, you should do the following:

1) On the SSH server, make SSHD listen on, or redirect the input port to, let's say, 443, which is the https port. This is just to let most official proxies allow this outgoing connection to something that looks like an https server.
I suppose you have a proxy on the remote server, like squid on port 3128.

2) On the client's side, start an SSH connection with "putty" to your SSH server and account, port 443.
In the "tunnel" menu, create one or both elements:
- dynamic tunnel, let's say on port 1080. This will be used for SOCKS proxying (instant messaging for example)
- local tunnel, local port = 12345, remote addr & port = 127.0.0.1:3128 (to reach squid)
SAVE and open the connection

3) On firefox portable, configure your proxy for everything but SOCKS to use localhost:12345
SOCKS is on localhost 1080

That's what I've been using for years... :)
0
jiiins2 Author Commented:
Hello,

thanks for the extensive answer. I'm sorry I didn't explain the situation better:
- Luckily I don't need to bypass a firewall. This is supposed to be used only to "camouflage" the source of searches of "politically dangerous" terms in some countries' search engines. So the server will be in a neutral country and will just act as a proxy. It can listen on the normal port 22, no problem.
- The server is an Ubuntu 10.10 with OpenSSH installed but no Squid. Is it necessary?
- Although I believe I can learn my way through the configuration of the server, my main problem is with the client side as I would need an all-in-one package for Windows. Do you think it could be possible to have some sort of a script on the USB key that would perform the necessary steps and launch Firefox? The users shouldn't be required to do anything else than a double-click.

Many thanks in advance!
Jay
0
mchkorg Commented:
OK,

Squid is the (one) proxy that will handle your http requests. On Ubuntu, simply "sudo aptitude install squid" ("aptitude" or "apt-get"). That's all. Its default configuration is to listen on localhost only (which is fine for you, as your requests come from the end of the tunnel, on the SSHD, same server).
"Putty" doesn't work as an http proxy, that's why you need squid. But it can handle SOCKS connections, like MSN, ICQ, Jabber...

On the client side, if you want something as automatic as possible, in my opinion, it's:

1) Use some autorun usb stick program, like PStart. When you insert the key, the user will have to click on PStart. That's all. Then:
2) PStart can run programs when started (and when closed). Example: your "portable putty" where you have saved your SSH connection/tunnel/auto-login. If you use public/private keys on ssh to authenticate, it means the connection is fully automatic.
3) Make PStart start "portable firefox" as well, at the same moment, no problem as putty will load faster, so the tunnel will be up when firefox arrives. As your firefox is portable, too, its proxy configuration is saved. It finds your SSH tunnels (http(s) proxy port, socks proxy port) and it's OK.

Finally, it's all automatic.
Is that clear enough?

Be careful about security: in my opinion you should encrypt your key (truecrypt) or put putty/firefox in a truecrypt container at least. It'll slow down the speed of it all, but at least if you lose your key, nobody gets your automatic SSH + accounts saved in firefox.

If you plan to start this portable firefox with a "regular" firefox beside it, you should start the portable firefox first, then the regular one, with parameter "-no-remote". Or it will say "firefox already started".


With putty, you can load your session from the command line with "putty -load your_session". So you can start it from PStart.
0

jiiins2 Author Commented:
AWESOME! Thanks so much, you are very clear and helpful. I wish I could give you more points :-)

Thanks again!
Jay
0
mchkorg Commented:
You're welcome
0
jiiins2 Author Commented:
One more thing that you probably know: with the above configuration, do Firefox's DNS queries go through the SSH tunnel or do I have to do anything else?

Thanks again!
Jay
0
mchkorg Commented:
I think the end of the tunnel is performing the whole operation, so squid does the DNS request.
To be sure, remove your DNS server from your windows network configuration, then "ipconfig /flushdns" to flush your local cache, then open a tunnel (with your SSH server's IP, not its name), then make some request on new domains (to avoid caching effects)
0
jiiins2 Author Commented:
Thanks! Very last question: why do we need the local tunnel AND the dynamic one? By reading around, it seems people just set up the dynamic tunnel and insert the SOCKS host in firefox leaving the other fields blank. Sorry for my ignorance...

Thanks!

Jay
0
mchkorg Commented:
mmmmm, OK, I always made it work this way because I always have a squid proxy somewhere (work, SSH tunnel...)
This way I have logs, stats with squid, as it's a shared "remote proxy"

And I always used SOCKS for instant messaging, some years ago, before most of this IM software was able to use http proxies

If only the SOCKS is enough, fine, you don't have to install squid or any other proxy on the ssh server
0
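
Added example (not part of the original thread): a PowerShell launcher for the USB stick covering the SOCKS-only setup and the DNS question above. With only a SOCKS host configured, Firefox resolves names locally unless the `network.proxy.socks_remote_dns` preference is true, so the script pins that preference and starts Firefox only once the tunnel port answers. The folder layout and script location are assumptions; `your_session`, port 1080 and `-no-remote` are taken from the answers.

```powershell
# Added example: run from the root of the USB stick. Folder names are assumed.
$ErrorActionPreference = 'Stop'
$putty     = Join-Path $PSScriptRoot 'PuTTYPortable\putty.exe'            # assumed path
$firefox   = Join-Path $PSScriptRoot 'FirefoxPortable\FirefoxPortable.exe' # assumed path
$ffProfile = Join-Path $PSScriptRoot 'FirefoxPortable\Data\profile'        # assumed path
$session   = 'your_session'   # saved PuTTY session with the dynamic tunnel
$socksPort = 1080             # dynamic (SOCKS) tunnel port from the thread

# user.js is re-applied at every Firefox start, so a user cannot silently
# leave the browser on a direct connection or on local DNS resolution.
$prefs = @'
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "");
user_pref("network.proxy.ssl", "");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
'@
Set-Content -Path (Join-Path $ffProfile 'user.js') -Value $prefs -Encoding ASCII

# Returns $true when something accepts TCP connections on the local port.
function Test-LocalPort([int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('127.0.0.1', $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

# Start the saved session, then wait for the tunnel instead of relying on
# PuTTY being faster than Firefox.
$tunnel   = Start-Process -FilePath $putty -ArgumentList '-load', $session -PassThru
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-LocalPort $socksPort)) {
    if ($tunnel.HasExited -or (Get-Date) -gt $deadline) {
        if (-not $tunnel.HasExited) { $tunnel.Kill() }
        throw "SSH tunnel on 127.0.0.1:$socksPort did not come up; Firefox not started."
    }
    Start-Sleep -Milliseconds 500
}

# Tunnel is listening: launch the portable browser as its own instance.
Start-Process -FilePath $firefox -ArgumentList '-no-remote'
```

The port check only shows that something is listening on 127.0.0.1:1080; the DNS test described in the thread (flush the cache, then request new domains) is still the way to confirm where lookups actually go.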