Secure proxy tunnelling with SSH and Squid

Web filters are retarded. The only times I ever butt against a company’s web filter seem to be when in search of legitimate, non-offensive information. I’m not into breaking the law. I’m not into downloading porn at work. Why penalize me when I try and look up some technical information because an application like SmartFilter or SonicWall considers some geek’s tutorial on getting an Open Source application up and running, “Free Software/Downloads—Forbidden”, even though no actual software or source code is stored on the site? Or blocking a website as pornography because the author of the page has the unfortunate last name of “Dyke”. SmartFilter kind of seems like one big oxymoron. Perhaps StupidFilter is more appropriate. I could give a rat’s ass whether it kept kids away from pornography, all I know is that it often keeps me from accessing harmless, legal and inoffensive information—usually technical in nature. Fuck that.

Sick of being hamstrung by obtuse internet filters, I set up a proxy on my server using squid that I tunnel to via SSH. Once connected, I bypass all web filtering wherever I am and as a bonus, all information sent between my browser and my server is encrypted and therefore private from anyone snooping on the local network. Here’s how.

Setting up a web proxy with SSH and Squid

First you’ll need a Linux server to be able to connect to. I got one cheap for thirty a month with Ubuntu installed on it and it seems to work fine. If you don’t want to pay to rent a server, you could proxy off a computer at home, but you’ll need to do a few more things (see below).

Open an ssh session with your remote server and install squid. If you’ve got the benefit of apt-get like I do with Ubuntu, that would be ‘apt-get install squid’. Once installed, type ‘squid’ to start it up.

Open a new ssh session like this:

ssh -L 3128:127.0.0.1:3128 user@remote.server

Replace ‘user’ and ‘remote.server’ with your desired user account and ip address or domain name of your remote server. You’ll be prompted for your user password and after entering it, you’ll end up with a normal command prompt. Go ahead and minimize or otherwise hide that window so you won’t accidentally close the connection. We need to leave that session open.

Next, go to your browser’s connection options. I use Firefox with an extension called SwitchProxy that makes it easier for me to jump around between my preconfigured proxies, but basically you need to find the section in your options where you can set proxy information. Set everything to ‘localhost’ using port 3128. There should be no proxy set for ‘localhost, 127.0.0.1’. Here’s what mine looks like:

[image: proxy settings]

After all that’s entered, hit okay and browse to a page. If the page comes up, good. Now, go to a site like ipchicken.com and check your IP address. If your IP address is different from your current location and matches your server instead, congratulations. You are now using an SSH tunnel proxy and web filters can kiss your ass.

SSH tunnelling is also a good idea when using open wifi spots such as coffee houses where you can’t expect any of the data you receive or transmit to be secure against anyone in that area who’s curious.

Running the proxy from a home PC

If you’re going to use a Linux box at home as your server, make sure that along with squid, you install the ssh-server package. If you have a firewall or router, make sure that ports 22 and 3128 are both open. If you have a dynamic IP, go to no-ip.com and set up an account, then install their client (the package is included in the Ubuntu repositories as ‘noip’ or you can just get it from them directly) and run it. This will ping no-ip.com periodically with your dynamic IP, allowing them to route traffic aimed at the address you are given with your no-ip account to your computer at home. Then, when establishing your ssh session, substitute your home IP with your no-ip address.
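
The tunnel command above forwards local port 3128 to 127.0.0.1:3128 on the server, so Squid only has to accept loopback connections there; a listener on any other address is reachable by whoever can get to that port. As an added example (not part of the original post), this shell function flags http_port lines in a squid.conf that listen beyond loopback; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that Squid listens on loopback only, which is all
# that "ssh -L 3128:127.0.0.1:3128" needs. Function names are illustrative.

# classify_http_port ADDR -> prints "loopback" or "exposed"
classify_http_port() {
    case "$1" in
        127.0.0.1:*|localhost:*|'[::1]':*) echo loopback ;;
        *) echo exposed ;;  # bare port (all interfaces) or another address
    esac
}

# audit_squid_conf FILE -> one verdict per http_port directive;
# returns 1 if any listener is reachable beyond loopback, else 0.
audit_squid_conf() {
    conf=$1
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%%#*}                  # drop comments
        set -f; set -- $line; set +f      # split directive into words
        [ "${1:-}" = "http_port" ] || continue
        verdict=$(classify_http_port "${2:-}")
        echo "line $n: $verdict ${2:-}"
        [ "$verdict" = "loopback" ] || status=1
    done < "$conf"
    return "$status"
}

# Constructed sample config: one wide-open listener, one loopback-only.
sample=$(mktemp)
printf '%s\n' '# constructed sample squid.conf' \
    'http_port 3128' \
    'http_port 127.0.0.1:3128' > "$sample"
audit_squid_conf "$sample" || echo "fix: use 'http_port 127.0.0.1:3128'"
rm -f "$sample"
```

Point it at the real file with `audit_squid_conf /etc/squid/squid.conf` (the path is an assumption; it varies by distribution and Squid version).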



3 Responses to “Secure proxy tunnelling with SSH and Squid”

  1. david Says:

    FYI

    If you start your ssh tunnel like so, then you do NOT need to open port 3128 on a firewall (just port 22):

    ssh -l userid remote-ssh_host -L 3128:localhost:3128

    The remainder of your article is correct, local apps connect to localhost:3128

    done!
    d.

  2. shaun Says:

    try http://www.ipmango.com to check your ip address.

  3. shaun Says:

    your article is good.
