orsic wrote:
Code:
putty -D 8080 -P 22 -ssh username@servername
I live in Thailand and we also have a country-wide firewall system here. It blocks dangerous sites like EFF (tor.eff.org) and political speech. Also it blocks the more popular adult sites. (I guess they want you to go outside and support the local economy!) Anyway, my main use of the proxy is because my ISP's transparent HTTP proxies foul up apt, yum, gem, etc. very badly. So this isn't only a "free speech" issue.
First, if you do a lot of proxying, I highly recommend the SwitchProxy extension for Firefox. You can switch from normal viewing to your local proxy just by right-clicking your mouse. Browsing through an SSH tunnel can be a bit slow, so it's best used only when necessary.
I have used orsic's method before with OpenSSH. The -D switch to SSH sets up a SOCKS5 proxy, and anything that comes in your ssh goes out the remote sshd. It is nice, however I found the performance to be poor for web browsing, and sometimes it just froze on me, forcing me to kill ssh and reconnect.
The solution I now use is to run a lightweight HTTP proxy on my server, and then use SSH to tunnel myself to the server, like so:
Code:
ssh -L 8765:localhost:8765 username@linode-system
I use micro-proxy for the proxy. It's available in Debian Etch and it is indeed very small and simple. You just put it in inetd.conf and you're done. Not only is the performance better than "ssh -D", but micro_proxy conveniently logs my activity, so I can see my browsing history later.
Warning!
Running an HTTP proxy carries its own risks.
Make sure it is not accessible from the Internet. I recommend you set your hosts.{allow,deny} files for localhost only, and make sure the port is firewalled too, for defense in depth. While the performance is better, this proxy solution led to my leaving my old VPS provider. On my former VPS, I made three mistakes that caused a very serious problem.
- Ran the proxy on common port 8888
- Only blocked port 8888 with iptables, not hosts.{allow,deny}
- No automatic loading of the firewall rules during boot
One day, my system randomly rebooted due to God-knows-what at my hosting site. Now the firewall was down and the proxy was exposed on a common port number. In a short time, a scan found the proxy and immediately used it to send a lot of spam. Within a couple of hours, I discovered the problem, corrected it, and also took myself off half a dozen spam blacklists.
One month later, my VPS provider (an awful company -- feel free to send me a PM and I will happily disparage their name in private) took my system down due to detecting the spam. The only way they would bring it back up was by re-installing the original OS (Debian Sarge!), a procedure not stated in their TOS at all. They held my system hostage. I requested just a few minutes to log in and make final backups but they refused. So besides the downtime, I lost some data that was not yet backed up in my weeklies, which cost me financially (a mistake I will not make again).
Now, today is my first day with Linode and, honestly, their operation is like a dream come true. However, I see that their TOS stipulates a $500 penalty if your IP is blacklisted, plus $250 per hour for their trouble to fix it. Now, I have no argument with this policy. In fact, I support tough action against spammers! However, I urge you to take care not to become a victim of spammers because you will be the one who suffers.
(Finally, the spammer problem is not limited to HTTP proxies, although that is a major avenue of attack. Many common PHP apps have vulnerabilities that allow local code execution. You don't need to be root to send spam. I recommend that you use iptables or other software to rate limit your outgoing port 25, port 80, and port 8888 traffic and alert you if the limit is hit. You do not want to get on a spam blacklist!)
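The two checks the post recommends (the proxy must listen on localhost only, and outbound traffic on spam-prone ports should be rate limited with an alert when the limit is hit) as an added shell example. This is not code from the original post, from micro_proxy or from PuTTY; it assumes the proxy port 8765 used above, listener lines in `ss -Hltn` format (the sample lines below are constructed), and an iptables with the `limit` and `LOG` modules.

```shell
#!/bin/sh
# Added example, not the poster's own scripts. Assumes proxy port 8765 (from
# the post), "ss -Hltn"-style listener lines, and iptables limit/LOG modules.

# Constructed "ss -Hltn" output. SAMPLE_OK: proxy bound to loopback, sshd on
# all interfaces (expected). SAMPLE_BAD: proxy exposed on IPv4 and IPv6.
SAMPLE_OK='LISTEN 0 128 127.0.0.1:8765 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:8765 0.0.0.0:*
LISTEN 0 128 [::]:8765 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# exposed_listeners PORT: read listener lines on stdin and print every local
# address on PORT that is not loopback. Exit 0 if none, 1 if any.
exposed_listeners() {
    awk -v port="$1" '
        {
            addr = $4                      # "Local Address:Port" column
            n = split(addr, a, ":")
            p = a[n]                       # last colon-separated piece is the port
            host = substr(addr, 1, length(addr) - length(p) - 1)
        }
        p == port && host != "127.0.0.1" && host != "[::1]" {
            print addr
            exposed = 1
        }
        END { exit exposed ? 1 : 0 }
    '
}

# audit_proxy PORT: run the same check against the live system.
audit_proxy() {
    ss -Hltn | exposed_listeners "$1"
}

# rate_limit_rules PORT RATE BURST: print iptables commands that allow at most
# RATE new outbound connections to PORT (burst BURST), log anything above the
# limit with a greppable prefix, and drop it. Save these with the rest of the
# boot-time firewall rules so a reboot does not lose them.
rate_limit_rules() {
    port=$1; rate=$2; burst=$3
    chain="RATE_$port"
    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -p tcp --syn --dport $port -j $chain
iptables -A $chain -m limit --limit $rate --limit-burst $burst -j ACCEPT
iptables -A $chain -j LOG --log-prefix "RATE-LIMIT-$port: "
iptables -A $chain -j DROP
EOF
}

# ratelimit_hits LOGFILE PORT: count how often the limit for PORT was hit, so
# a cron job can mail an alert when the count is non-zero.
ratelimit_hits() {
    grep -c "RATE-LIMIT-$2: " "$1" || true
}

# Stand-alone run: audit the constructed samples and show the rules for 25/80/8888.
if [ "${1:-}" = "demo" ]; then
    echo "$SAMPLE_OK"  | exposed_listeners 8765 && echo "ok sample: proxy is loopback-only"
    echo "$SAMPLE_BAD" | exposed_listeners 8765 || echo "bad sample: proxy exposed (see above)"
    for p in 25 80 8888; do rate_limit_rules "$p" 20/min 40; done
fi
```

Run with `sh script.sh demo` to see both samples evaluated and the generated rules; on a real host, `audit_proxy 8765` after every reboot is the check that would have caught the exposed proxy described in the post.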