Otterhole :: Client Socks Proxy
 
Revisions
2010013 Initial document

Introduction
If you have access to an SSH service somewhere, you may be able to use that service to proxy your web traffic. The reasons for doing so may include:
  • Accessing services which are disallowed from your assigned IP address, but which may be accessed from the server's IP address. This could mean that while you travel to specific countries you can continue to access YouTube, or access your bank without a barrage of authentication questions.
  • Accessing services which are restricted from your local network by a firewall or similar, but which can be accessed by your server.
  • Encrypting your web traffic as it passes through your local network, if you do not trust your local network infrastructure or administrators.
Client Setup
First, there must be an accessible account on the server. This could be a regular user account, or it could be an account set up specifically for proxy services. Ask your administrator, or read the following section regarding Server Setup.

Second, you need an SSH client on your local computer. For Windows-based PCs, the common choice is PuTTY, which is described here.

The SSH client needs to be set up to do 'dynamic' forwarding. This can be set up before connecting to a server, or it can be done using the "change settings" feature of an existing SSH session.

  • Connection->SSH->Tunnels
  • Choose a "Source port", perhaps 8083
  • Choose the radio button "Dynamic"
  • Press the "Add" button

At this point you should see "D8083" in the box above the line "Add new forwarded port:"

At this point, you may choose to save these settings by going back to "Session", adding the server name or address, adding a session name, and entering "save session".

You must log in to your server account using SSH and keep the session up while using your web browser. This may also require one to access an authentication web page, if the administrator uses PageKnock to protect access to the SSH interface.

You must also configure the web browser to use the Socks protocol. For Internet Explorer, this might be as follows:

  • Tools->Internet Options->Connections->Local Area Network(LAN) Settings
  • Choose: Proxy server -> Use a proxy server
  • Choose: Advanced -> Socks -> add: 127.0.0.1 and 8083 (or whatever "Source port" was entered in the first step)

You may also choose other SSH client settings, including:

  • Connection->Data->Login_Details: Auto-login username <proxy>
    Sets the username to be filled in automatically (<proxy> in this case)
  • Connection->TTY: click: "Don't allocate a pseudo-terminal"
    Use this when the account is not allowed to log in, but the administrator has allowed the account to be used for proxies
  • Connection->Sending_of_null_packets_to_keep_session_active=60
    Helps prevent the session from dropping, or being dropped by a firewall
Server Setup
The server needs to be set up with specific settings. Using OpenSSH, these settings include the default settings:
  • AllowTcpForwarding yes
  • all the other settings which allow the user to log in
Other things to consider include:
  • Adding an account specifically for the proxy, for example, "proxy"
  • Setting the proxy account to disallow logins
Explanation
What this configuration does is redirect the flow of data across the network.

Usually, the web client tries to access the web server directly. What this will do is redirect the web client to a proxy service set up on the same computer as the web client. This proxy service, using the protocol called "Socks", is built into PuTTY and configured using the "Dynamic" tunnel feature. This proxy service will forward all network connections to the SSH server in an encrypted fashion. Once at the server, the SSH session will be decrypted, and the tunnel content will be sent out over the Internet to the desired web server. The web server will see the network traffic coming from the IP address of the SSH server.
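
The Socks exchange described above can be checked by hand. The following Python code is an added example, not part of the original page: it speaks SOCKS5 to the local "Dynamic" port (8083, as in the Client Setup steps) and sends the destination as a hostname, so the name is resolved at the SSH server rather than on the local network. The function names and the destination example.com are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

# Reply codes from RFC 1928, section 6.
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused"}

def build_connect(host, port):
    """SOCKS5 CONNECT request. A name goes out as ATYP 0x03 so the SSH
    server resolves it; only IP literals are sent as raw addresses."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (b"\x01" if ip.version == 4 else b"\x04"), ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must encode to 1..255 bytes")
        atyp, addr = b"\x03", bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)

def _recv_exact(sock, n):
    """Read exactly n bytes or fail if the proxy hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def handshake(sock, host, port):
    """Run greeting + CONNECT on a connected socket; return (ok, detail)."""
    sock.sendall(b"\x05\x01\x00")      # version 5, one method: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        return False, "listener did not accept SOCKS5 without authentication"
    sock.sendall(build_connect(host, port))
    _ver, rep, _rsv, _atyp = _recv_exact(sock, 4)
    return rep == 0, REPLIES.get(rep, "reply code %d" % rep)

def probe(host, port, proxy=("127.0.0.1", 8083), timeout=5.0):
    """Check the tunnel on the page's example source port 8083."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        return handshake(s, host, port)

if __name__ == "__main__":
    # example.com is a placeholder destination, not from the original page.
    print(probe("example.com", 80))
```

If a browser resolves names itself before handing the connection to the proxy, its DNS lookups still cross the local network unencrypted even though the page content does not.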


 Copyright Otterhole 2007-2010    last updated: 2010/01/13 11:09  .