Note: I’m using this on XS 0.6, but this should work for any Linux server.
Why would you need to do this? Well, say you’re at a Starbucks or other open wifi and would like to securely browse the internet, particularly Facebook. If you’ve heard of Firesheep, that’s a Firefox plugin that sniffs your Facebook and Twitter sessions – a huge security issue. If you browse over an ssh connection, you’re as safe as if you were at home.
Also, some connections might block certain content. Get your mind out of the gutter, I’m talking about, for example, the connections at the elementary schools that go through the XS. Per the instructions I got, I set the OpenDNS settings to the highest filtering level. Unfortunately this blocks Gmail, so if I’m onsite and need to send an email, I have to jump through hoops in order to do so. TinyHTTPProxy.py makes this a lot easier.
Anyway, that warning aside, in order to use this, you will need ssh access to a remote server. The python script on this page needs to be in your path:
http://www.oki-osk.jp/esc/python/proxy/
Simply copy and paste the code on that page into TinyHTTPProxy.py into somewhere in your path on the remote server. The server admin can put TinyHTTPProxy.py into /usr/local/bin, so it’ll work for everyone with an ssh account. Of course, given the warning I just mentioned, this is a good idea only for small servers with only a few users.
On your local machine, open a terminal and type this, all in one line:
ssh -p PORT
Go to Edit -> Preferences -> Advanced -> Network -> Settings
Click the Manual proxy configuration tick box and enter localhost for the HTTP Proxy and Port 8000. Click OK.
Now you can browse safely without fear of Firesheep. If the server you’re proxied into has Apache running, you can enter in localhost in the address bar to get to that content. Or go to http://localhost:631 to remotely configure CUPS or what have you. Or even an IP address on your home LAN, such as your DSL modem.
While you’re browsing, you can see the URLs scroll by in the terminal session and the idle time increment.
When you’re done, go back to the Connection Settings box and click the tick box for No Proxy. Close the ssh session. It might take a minute once you try to kill the session for it to finally close.
So you don’t have to remember that long ssh command, you can put it in your .bashrc (all in one line):
alias safebrowse=’ssh -p PORT
Now all you have to do is type safebrowse at the terminal and change your Firefox settings to use the proxy.
If a non-standard ssh port is blocked, as happens sometimes when you use non-standard ports, and nothing’s going on with your server as far as https, you can run ssh on port 443 in addition to your usual port. Simply enter in it your /etc/ssh/sshd_config alongside your “usual” ssh port.
Chatting when you’re not supposed to
Port 443 is for https traffic and thus you should be allowed to have traffic via that port, even if the sysadmin at the remote location is blocking everything else but http and https.
Say you’re at a location where ports 5222 and 5223 (Jabber ports) are blocked for some reason (probably because chatting is considered a waste of time) and your ssh port is blocked, you can do this to join the chat on your server, given you’ve configured ssh to listen on port 443 and also have ejabberd and MUCkl set up.
ssh -p 443 -L localhost:8000:localhost:8000 -t user
Set up the Firefox proxy settings, go to http://localhost in your browser and then browse to the MUCkl page to enter the chatroom. Of course, since MUCkl runs on port 80 as far as the end user can see anyway, this isn’t terribly vital, but the ssh proxy should keep your chat server off the radar as far as the remote sysadmin is concerned.
Jabber under MUCkl needs to say “Hi” every two minutes, so here’s something to change in /usr/local/bin/TinyHTTPProxy.py so it doesn’t reset the connection:
From this:
def _read_write(self, soc, max_idling=20):
To this:
def _read_write(self, soc, max_idling=99):
Increasing the max_idling time means that Jabber chat under MUCkl doesn’t time out after one minute, which can get annoying. Setting the proxy idle to slightly above two minutes keeps the MUCkl room connection alive indefinitely. Actually, 41 would do, but I set mine to 99 just in case. For every 20 of idle, that’s one minute, so 99 gives you just shy of five minutes.
Here’s what it looks like in Terminal when the Jabber on my XS says “Hi” while I’ve got MUCkl open under TinyHTTPProxy:
idle 38
idle 39
idle 40
bye
connect to localhost:80
schoolserver.@@BASEDNSNAME@@ – – [02/Jan/2011 21:02:00] “POST http://localhost/http-bind/ HTTP/1.1” – –
idle 1
idle 2
References:
http://nakedsecurity.sophos.com/2010/11/15/extinguishing-firesheep-for-safe-wifi-browsing/
http://www.theinquirer.net/inquirer/news/1897961/sophos-bypasses-firesheep