How to set up an HTTP proxy with privoxy and an SSH tunnel

21 December 2007

Introduction

After the last post, John Reese wrote in with a number of suggestions. I'll deal with one in this post and later we can iterate around again as we try out his other idea.

Previously, I was forwarding the packets over plain HTTP, but John's idea is to run the whole thing via an SSH tunnel so it would be encrypted over the wire between the client and the server.

Although this might have a small speed implication, this is certainly a good idea, especially if anything sensitive is going across. If in doubt, encrypt everything that moves.

So let's go through it again and add in John's suggestion.

Server Side

Start by installing the package privoxy on the server using your package manager.

On Gentoo Linux:

sudo emerge privoxy

On Ubuntu/Debian, it would be:

sudo apt-get install privoxy

So far it is the same. However, this time we will not edit the configuration file, but leave it with the default "listen-address 127.0.0.1:8118" so the proxy server listens only on localhost and is not reachable directly from the network.

We start the proxy server as before:

sudo /etc/init.d/privoxy start

Client Side

Now we set up the tunnel, where 83.63.211.84 is our imaginary remote server.

ssh -L 8118:localhost:8118 username@83.63.211.84

Now we configure the web browser on the client. On a GNOME-based Firefox, we can go: Edit > Preferences > Network > Settings

Then we get a Connection Settings box, where we choose manual proxy configuration and enter localhost as the HTTP proxy with port 8118, as in the following screenshot.

[Screenshot: Connection Settings window]

Seems to work great so far, props to John.
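
The point of leaving privoxy on its default listen-address is that the proxy can only be reached through the tunnel. The following script is an added example, not part of the original post: it checks a privoxy configuration for listen-address lines that bind beyond loopback and prints the tunnel command with the local end bound explicitly to 127.0.0.1. The function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample configs are constructed, not from the post.

# Succeed only if no listen-address directive binds beyond loopback.
# An absent directive is fine (privoxy defaults to 127.0.0.1:8118); a
# directive with no host part (":8118") binds every interface.
listen_is_loopback_only() {
    awk '
        tolower($1) == "listen-address" {
            addr = $2
            sub(/:[0-9]+$/, "", addr)      # strip the trailing :port
            if (addr != "127.0.0.1" && addr != "localhost" && addr != "[::1]")
                bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Print the tunnel command for user@host ($1) and port ($2).
# -N forwards without opening a remote shell; ExitOnForwardFailure makes ssh
# quit if the local port cannot be bound; the explicit 127.0.0.1 on both ends
# keeps the forward off other interfaces and off IPv6 "localhost" resolution.
tunnel_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$2" "$2" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample configurations.
    printf 'listen-address 127.0.0.1:8118\n' > "$dir/default"
    printf '# share with the LAN\nlisten-address :8118\n' > "$dir/exposed"
    for f in default exposed; do
        if listen_is_loopback_only "$dir/$f"; then
            echo "$f: loopback only, reachable only via the tunnel"
        else
            echo "$f: listens beyond loopback, clients can bypass the tunnel"
        fi
    done
    rm -rf "$dir"
    tunnel_command username@83.63.211.84 8118
}
demo
```

On the server, point listen_is_loopback_only at the real configuration file (typically /etc/privoxy/config on Debian and Ubuntu) before relying on the tunnel.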

1 Paul says...

Why do all that when you could just use:

ssh -D 8118 user@host

Then set up Firefox to use localhost:8118 as a SOCKS proxy? No need to install any extra software on the server or client.

Posted at 3:02 p.m. on December 23, 2007


2 John Reese says...

@Paul - That works for simple web browser traffic, but there are a lot of apps that don't like to work over SOCKS proxies, and/or only have full functionality through an actual HTTP proxy. These apps include email clients and browsers (when using SSL), XChat, and more.

A generic SOCKS proxy like you suggest will also prevent you from using special ports for your outbound protocols (like web traffic to something other than port 80). This is because SOCKS/ssh inspects the client's packets to determine their TCP type (http/pop3/imap/etc), and then automatically determines which port to forward them to at the other end. For this type of usage, an HTTP proxy is king because the client application can tell the proxy exactly what it needs to do with every connection or packet.

Posted at 3:36 p.m. on December 23, 2007


3 Paul says...

Fair enough, I didn't realise that there was anything fancy which SOCKS didn't provide for (I use it to appear that I'm coming from a university IP address for accessing journal articles, rather than firing up a whole VPN client).

Posted at 5:34 p.m. on December 23, 2007


About

Hello, my name is Zeth, I'll be your host here.

Command Line Warriors is about taking control of your own technology, it looks at our experiences of computing; especially using GNU/Linux, the Python programming language, the command-line and issues such as techno-ethics, best practices and whatever is cool now. If you take control of your technology then you are a Warrior too!

This site is your site too which means that you can contribute and get involved. You can leave comments using the facility provided. For me, the comments and discussions are by far the best part of the site. So please do have your say!
