HOW-TO: SSH HTTP Proxy Setup

putty config

We’ve been linking to a couple proxy options in the links posts recently and [tom] thought it would be a good idea to write up how to use Privoxy. In [tom]’s case he wanted to route all of his internet surfing at work through an encrypted tunnel to his home machine. The guide is Windows based, but it won’t be to hard to translate to your OS of choice. It starts by setting up an OpenSSH server and new user on the home machine. Then Privoxy is installed. Next PuTTY is used to establish the secure tunnel from the work machine. The last step is to configure the browser to use the proxy. You can use this for IM too. You may not need this at work or school, but it should offer you some decent protection if you’re out using open access points.

67 thoughts on “HOW-TO: SSH HTTP Proxy Setup

  1. The CGIProxy links posted last week were pretty helpful, but I’d like to find something like it that allows me to use any protocol through our corporate firewall (which only allows port 80 & 443 connections). I’ve looked at a couple of packages, but none seem to support ssl connections. I tried using http://www.http-tunnel.com, and their product works nice, but I’d rather not have to spend money, even though $4.99/month is not too shabby. :)

  2. I used a similar setup all through highschool to bypass my school’s censors. I even wrote a small script package that would allow anyone who downloaded it to get on AIM… the administrators hated me, but never caught me.

  3. if you don’t need the features of privoxy, you can get this same functionality by setting up the SSH tunnel and setting up socks4 port forwarding (i.e. dynamic) from your SSH client, and in your browser.

    You could use this at work for firefox and trillian, while IE goes out through the normal “work” firewall.

  4. This will be great for getting around schools firewalls.

    The only problem I have is that when i load up putty to connect through my external IP on port 80 (forwarded) it does load, yet localhost does.

  5. 4: a socks proxy will offer more flexibility, but remember that it will leak DNS requests. this may not be a problem if you’re just trying to get to a blocked site, but if you’re trying to conceal which sites you’re visiting, it’s worth using privoxy.

    5: not sure I understand your problem. You *are* outside your home network when trying to connect using your external IP, right? if not, you probably won’t be able to connect properly.

  6. so……..would you have to dl the program to each machine you want to use or could you run it from a thumbdrive a la portable firefox? running from a thumbdrive would be highly desireable, as the admins at my school are…well, id call them nazis but thatd be blasphemous (theyre jesuits). anyway, could someone could give me a step by step on how to use this to stick it to the man and bypass their retarded filters? thatd be REALLY useful…..thanks

  7. How secure is this set up to by pass the proxy from a company’s network to the uncensored internet? Is there a chance of being caught by a system administrator if they are monotoring the network? Would love to use this set up but don’t want to risk it if they can trace my activities.
    Thanks

  8. To no. 8:

    The encryption is pretty secure. Most versions of SSH and the most current version of Putty can force the highest levels of encryption for the traffic that goes back and forth. As was stated before, the biggest concern here is using your work or school’s network’s DNS, they can see where you are going, but they can’t see what you are doing when you are there. With Privoxy, this becomes kinda moot, but you need to be a local administrator to install Privoxy properly, otherwise you will be leaking DNS requests to the local network.

    Trillian and Portable Firefox work fine off of a thumbdrive, Putty does as well but does leave a small registry entry on the local machine…not a big deal because it doesnt save a password in that or anything (unless you specifically tell it to.)

    An administrator can *see* what you are trying to accomplish, a well trained administrator knows that you are using SSH if you leave Putty set to a default port, if you change it he/she might be able to tell because they see the DNS request in their logs and then a bunch of encrypted traffic. Worst they could do is lock down a bunch of ports, but worst comes to worst you can use port 80 or 443, which most admins don’t block (unless they just don’t want you using the web of course.)

    Trillian (at least version 3) has an option to forward all of it’s name requests through the proxy, so they can’t tell you are using it unless they see it on a local machine. Firefox (as of yet) doesn’t support forwarding it’s DNS through the proxy, even though the SOCKS protocol (v5) supports it. Supposedly, the Deer Park builds have an option to enable DNS lookups through the proxy (and future public full releases probably will too) but from what I can tell 1.06 does not. I searched to see if someone had written an extension that would tell Firefox to use DNS through a proxy, but I haven’t found one yet and I’m not sure if it’s technically possible.

  9. 10: you’re slightly misinterpreting the howto. privoxy is run on the SSH server (ie the machine at the user’s home) which presumably the user has admin rights to. You don’t need to install privoxy locally on the client machine — all you need is PuTTY and a web browser.

    SOCKS4 proxies (and firefox using SOCKS5, assuming you’re correct) leak DNS requests. But HTTP proxies don’t. I’ve just fired up ethereal and double checked this. Web requests from IE generate DNS requests (light blue by ethereal default). Web requests from firefox, which is currently using privoxy across the SSH tunnel, don’t leak any DNS info. So I believe users should feel secure in their web browsing. I’m no ethereal expert, though, so if someone can confirm it might be a good idea.

    Finally, someone in comments at my site suggested using 443, which is usually open and typically used for encrypted SSL traffic. It’s also less likely to attract the attention of script kiddies or your ISP. It’s still pretty easy to tell SSH traffic apart from SSL traffic, but it at least won’t stick out quite as obviously.

  10. Hey tom, I just posted this on your site as well, but I used the instructions at: http://bmonday.com/articles/653.aspx for using public/private keys with Putty and OpenSSH.

    I use a nonstandard port because I was getting hit by Chinese hacker-idiots whether I ran the server on port 22. I didn’t think to use 443, but for now the port I’m using isn’t blocked at our corporate firewall.

    I’m sorry I misunderstood the Privoxy comment…I had been running Privoxy in combination with the Tor network when I surf from hotspots and had it in my head you were using it on the local machine. Running Privoxy locally doesn’t leak DNS, as far as I’m aware, and I’m not totally sure what the benefits are of running it on the server side?

  11. bleh…ignore my comments about why you’re running privoxy on the local machine. I totally get it now. for some reason when i was reading your howto i missed that part…i was also incorrect about the socks dns forwarding…i had always used socks5 because i was under the impression it was capable of forwarding dns requests through the proxy while 4 was not.

  12. You’re right about socks5 — it IS capable of forwarding DNS requests, based on what I’ve read. It’s just that very few apps use it properly, and instead do their DNS resolution, then pass the resolved IP to the socks5 proxy. This is why the Tor howto has you use privoxy in between your browser (which leaks DNS requests when using a socks server) and Tor (which is a socks server). Privoxy is smart enough not to leak its DNS resolution requests, and uses socks5 properly.

    As you said, socks4 can only handle IP addresses, so it always leaks… however, socks4a (which is what privoxy technically is, I believe) uses domain names in the requests, so when using one of them you never leak (I think).

    Anyway, the punchline is the same: this particular setup doesn’t leak DNS info.

    And yeah, I see where you’re coming from on the Tor thing — I’ve used that setup before, too. It’s a good one, although there are more and more sites that block traffic from Tor nodes cause of all the abuse that comes from them. It sucks to get random permission denied messages, depending on what node your request is going through. Also, having google assume you’re in germany (because that’s where your exit node is located) can be confusing. This setup doesn’t provide anonymity from anyone but your school/boss, but it avoids many of the headaches of Tor.

  13. A better solution I have found is to use Hamachi (www.hamachi.cc) to tunnel. Its incredibly easy to setup. Requires almost no
    configuration. It just friggin works.

    Setup a socks proxy server at home and use Proxycap (http://proxylabs.netwu.com/) on the client computer to route all applications (or selected ones) through the proxy server.

    Hamachi + Proxy + Proxycap = WoW at Work

  14. I opens SAM but I cant find the heading names Users and groups or anything simmialr to it, I vaquely recall a run command that would open teh window… ANy one know any otherways to acces the USers and Groups options?

  15. I have a pretty important question- I go to a university with a pretty sweet internet connection- I’ve got a couple programs I use (i2hub, etc) that run over internet2- you can’t log on from anywhere except university connections. I want to set up a proxy so I can go on @ home thru my dorm connection- is this possible?

  16. My school blocks everything except port 80. My ISP restricts inbound requests on port 80. How can I get through to my home computer? If no one else, I hope the Hack a Day crowd can help. Any comments are appreciated.

  17. No 19 – yours suggestions are pretty good if you have control over a machine…in my situation we aren’t able to install anything, and Putty will run from the executable, off of a thumbdrive.

  18. Or instead of SSH you could use OpenVPN which will tunnel over 443 SSL even through your company’s or college’s proxy server. Most companies don’t let you have a direct connection to the internet, just give you a proxy connection.

  19. Dear Sir,
    I will be glad if lessons can be given to me on how to hack..since ma interest lies in doing somthing spontaneous.Thank you and hope to read from you soon.
    Regards,
    Immanuel

  20. as mentioned, socks proxies usually leak dns requests. your messages will be secure, but snoopers are able to identify their destination.

    also, the other tutorial just assumed you had access to a socks proxy. okay, so tor is there for you to use, but otherwise that’s not necessarily a good assumption. your home connection’s availability and bandwidth can be controlled by you. it’s also clearly legal to use, unlike the unsecured proxies that you’d probably end up using with the other tutorial.

    28: you can run ssh tunnels over a proxy, if your company makes you use one. check the settings in PuTTY; it’s pretty straightforward.

  21. it’s not rocket science, simon, but it’s a useful thing that a lot of people don’t know how to do. And considering that it took me 2600 (hah!) words to explain it, I’m not sure how straightforward it really is.

  22. I have long used SSH to tunnel out over port 443 and access my home linux server. I can then tunnel all types of other services (e.g., vnc, mail, nntp, etc) over the SSH link. I use 443 since it is almost always open.

    However, recently a lot of places seem to be implementing SPI firewalls which block ssh traffic on port 443.

    There seem to be several workarounds mentioned here and elsewhere that allow you to set up an ssl tunnel instead, including stunnel, openvpn, and corkscrew (all mentioned above).

    I am looking for the easiest way of setting up an underlying ssl tunnel over which I can then run my usual ssh tunnel. I want this to be as transparent as possible so that when there is no spi firewall I can just run ssh and when there is one I can set up an ssl layer underneath.

    What is the best program to use to do this?

    Thanks

  23. i dont know if i ask a question here about others stuff, but i take my chance. In my university the internet have “web sense”, i dont know if you know anything about how take down that filter. Because that filter piss me off. Tk for all

  24. I just wanted to add in my findings-

    Firefox Deer Park (1.5 Beta1) does have the setting to allow dns requests to be forwarded to socks proxy. Type about:config, then type proxy into the filter. The setting to change is: network.proxy.socks_remote_dns

    I have found that using that or privoxy, both still leak some dns requests. I haven’t been able to figure out the ryhm or reason behind why or what causes it to happen. I Noticed it while testing my config at work using ethereal.
    If anyone can shed some light on that, I would be most grateful.

    I also wanted to mention that I find tor a bad choice to use at work because of all the connections it opens (run netstat while tor is running). This is a quick tipoff to admins that you are using anonymizing software, unlike using ssh on port 443 which is better blended with normal traffic.

  25. IRT # 38 – this is the still the weak link in the whole proxying issue. Running SSH over 443 will still alert (I am a network security engineer at an enterprise facility). All of this will beat WebSense, but leaking DNS queries and running unexpected proxies will eventually be found.

    The real key to being truly hidden is to make a true SSL connection then tunneling the requests through that…not just porting SSH over 443. Almost as good would be to just do http through http tunneling over port 80…so long as there are no DNS leaks. The true destination of your surfing is present inside the tunneled packets, but WebSense/Cisco/etc will not pick it up, and there is too much port 80 traffic on the network to try to look over it all.

    One last thing….if your network guys are really savvy, they can set up alerts for port 22/80/443/* connects that don’t have an associated DNS query to go with. To beat this, you might want to have your proxy have a legitimate URL. At my job, if I see any TCP connects going out without an attached DNS query, I get a little suspicious and usually look into it.

  26. apologies if i miss the specifics, i am not as technical as you guys.

    i work for off-site a company but own my own computer (mac OS X). I am on the road a lot (not in one fixed place). they use a cisco vpn and all my traffic has to go thru it. of course they only like IMAP and 8080 or 443. I have proxies set up in all my apps for when I’m on the VPN, but I have to hop off to do all kinds of things, so I am on and off all day, setting and unsetting http proxies. Not even to mention it’s irritating that to be ‘private’ i have to disconnect. What’s the best solution: Ideally, I could just have an app that would tell mail and one browser to go over the VPN, and everything else can go out directly…I’m not sure if that is possible with a cisco VPN (I get the impression that VPNs take over all you network connection?), but that would be ideal!! I’m not trying to get out of a firewall, rather I am trying to only connect thru the VPN for 2 apps, and concurrently do my internet and computing normally/open….sorry for the long post.

  27. Our office use a proxy server that is opened port 80. I do not even know which proxy they are using. We have firewalls also. Of course,they log and analyze the traffic.

    We are using IE. Is there a way that I can encrypt all my http/ftp requests so that the logs/firewalls can’t see which sites I visit. I need a detailed reply – if possible; step-by-step.

    Thanks.

  28. Mindterm is a fully featured java based SSH client complete with working tunnels. It does however create a config directory but this can be easily deleted after. I use it from time to time to set up tunnels to my router WRT54G running dd-wrt v23. I can SSH to it then set up tunnels to the router admin page or even the VNC service running on my machine inside the LAN. Perfect for sorting out problems when my wife is working on my PC.

  29. qwerty90: On most VPN connections it’s possible to tell it to NOT use the vpn connection as a default gateway. That way the vpn connection will only be used if you need something within the ip-range you’re connecting to.. For all other things it just uses your normal connection.
    I could tell you where it is in Windows but I can’t help you with your Mac.

    One more thing.. if you just want to chat or do other non-bandwidth-jerking things you could try httptunnel. It’s a small application that works as a proxy but connects to their own servers. IF you pay you can have a fast connection but it’s possible to use a free but slow connection. I can use SSH through that to work on my FreeBSD machine at home and run msn and jabber through it. It is offcourse less secure since you have to rely on their servers, but you don’t have to install stuff at home for this. And the client can be installed as a normal user without admin rights and is easily removed afterwards. Check it out: http://www.http-tunnel.com

  30. Hello there, We have just finished making our new site that aims to help you guys access myspace and other blocked material from school, college or even work. Take a look you wont be disssapointed!

    Go to Access it ( http://www.accessit.v33.org) and find out more. Tell all your friends and become an expert in beating the block. Tell me what you think.

Leave a Reply to anono mouseCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.