Showing posts with label proxy. Show all posts

Friday, July 4, 2008

Secure HTTP over SSH proxy with Linux

In a previous post I detailed how to secure your browser's HTTP communications by tunneling the HTTP session over an SSH proxy using Putty.

Putty is what you would use if you use a Windows desktop. If you're on a Linux Desktop you do not need Putty since you should have OpenSSH with the distribution you use.

Doing a man ssh on your Linux Desktop should give you the manual on how to use your SSH client:

SSH(1)                                                         BSD General Commands Manual                                                         SSH(1)

NAME
     ssh - OpenSSH SSH client (remote login program)

SYNOPSIS
     ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D  [bind_address:]port] [-e escape_char] [-F configfile] [-i identity_file] [-L
         [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R  [bind_address:]port:host:hostport]
         [-S ctl_path] [-w local_tun[:remote_tun]] [user@]hostname [command]

... etc ...
The synopsis gives you the format of the command and the options that can be used with the ssh command. Of interest is the -D option. This allows you to bind the SSH session to a local address and port, where ssh listens for connections to forward. Below is the part of the manual explaining the -D option:
     -D [bind_address:]port
             Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side,
             optionally bound to the specified bind_address.  Whenever a connection is made to this port, the connection is forwarded over the secure
             channel, and the application protocol is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and
             SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port forwardings can
             also be specified in the configuration file.

             IPv6 addresses can be specified with an alternative syntax: [bind_address/]port or by enclosing the address in square brackets.  Only the
             superuser can forward privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However, an
             explicit bind_address may be used to bind the connection to a specific address.  The bind_address of “localhost” indicates that the listen‐
             ing port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
Basically it means that you can start an SSH session using the OpenSSH client with a command such as:
ssh -D localhost:8000 user@example.com
and it will create a SOCKS proxy on port 8000 that will tunnel your HTTP connection over SSH to the server at example.com under the username user.

Now you can configure your applications that access the internet to use the secure HTTP tunnel you've created to your remote SSH server. The applications are not limited to web browsers; you can configure your Instant Messenger, Skype, Games etc. to use the SOCKS proxy, as long as the communication protocol is supported.

Configuring Firefox to use the Socks Proxy

  • Tools -> Options -> Advanced -> Network
  • Under Connection click on the Settings button
  • Choose Manual Proxy configuration, and SOCKS v5
  • Fill in localhost for the host, and 8000 (or the port number you used) for the port
  • Click OK and reload the page

Now what you can do is have the ssh session start up when you start your desktop. That's if you want to use your secure tunnel every time you use Firefox or whatever program you have configured to use it. On Ubuntu (Debian) you'd add a shell script to your home directory.
Example:

#!/bin/sh
ssh -D localhost:8000 user@example.com
That should start up the ssh connection and create the socks proxy when you log in. The other alternative is to create a launcher and use ssh -D localhost:8000 user@example.com as the command, allowing you to launch the proxy whenever you need.
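
The manual excerpt above notes that an empty bind address or '*' makes the SOCKS port available from all interfaces, which would let other machines on your network use your tunnel. The following startup script is an added example, not part of the original post: it refuses to start unless the -D argument names a loopback address explicitly. The function names classify_bind and start_tunnel are hypothetical; the port and user@example.com are the ones used in this post.

```sh
#!/bin/sh
# Added example, not from the original post. classify_bind and start_tunnel
# are hypothetical helper names.

# classify_bind SPEC: SPEC is the argument to ssh -D, [bind_address:]port.
# Prints "loopback", "exposed" or "config-dependent".
classify_bind() {
    spec=$1
    case $spec in
        \[*\]:*) addr=${spec%%\]:*}; addr=${addr#\[} ;;  # [::1]:8000
        *:*)     addr=${spec%:*} ;;                       # localhost:8000, *:8000, :8000
        *)       echo "config-dependent"; return 0 ;;     # bare port: GatewayPorts decides
    esac
    case $addr in
        localhost|127.0.0.1|::1) echo "loopback" ;;
        *)                       echo "exposed" ;;        # empty, '*' or any other address
    esac
}

# start_tunnel SPEC USER@HOST: refuse anything but an explicit loopback bind.
start_tunnel() {
    if [ "$(classify_bind "$1")" != "loopback" ]; then
        echo "refusing -D $1: SOCKS listener would not be loopback-only" >&2
        return 1
    fi
    # -N: no remote command; -f: background after authentication;
    # ExitOnForwardFailure=yes: exit if the listener cannot be set up.
    ssh -N -f -o ExitOnForwardFailure=yes -D "$1" "$2"
}

# Runs only when asked: sh tunnel.sh start localhost:8000 user@example.com
if [ "${1:-}" = "start" ]; then
    start_tunnel "$2" "$3"
fi
```

Once the listener is up, curl --socks5-hostname localhost:8000 http://whatismyip.com/ fetches the page through the tunnel with the hostname resolved on the remote side rather than by your local resolver.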

You can also set up an ssh key for authentication instead of having to log in. This is detailed in other posts: http://pkeck.myweb.uga.edu/ssh/ and http://sial.org/howto/openssh/publickey-auth/. This allows you to use the proxy transparently in the background without having to start it and log in.

For Firefox you can switch between proxy and direct connection using the switchproxy extension.

Disclaimer: Please note that it is your responsibility to use the information in this article within the laws of your country. Some countries do not allow encryption of internet traffic, therefore you SHOULD NOT use this resource if you live in such a country. I provide this information without warranty and free of charge and will not be held accountable for any damages lost due to its use, etc.

Tuesday, February 26, 2008

Secure HTTP over SSH proxy with Putty

This article explains how to set up your own SSH proxy for browsing the internet. It will allow you to encrypt your browser session, as well as hide your local IP from outsiders, which is more secure.

Please note that it is your responsibility to use the information in this article within the laws of your country. Some countries do not allow encryption of internet traffic, therefore you SHOULD NOT use this resource if you live in such a country. I live in Fiji, which is not one of those countries; therefore, I provide this information openly for those living in such countries.

Benefits of an HTTP over SSH Proxy

Once you've set up your proxy, all HTTP requests from your country to your remote server will be encrypted over SSH.

Your IP address as seen from the remote HTTP server you are connecting to (remote website) will be that of your remote SSH server, not your local computer. So to the remote site, it looks like you're in the country of your remote SSH server.

What would I use this for?

I use it every time I need to pass any sensitive information over an unsecured network, such as a wireless network or an internet cafe.

How Do I set up an HTTP over SSH Proxy

You will require a remote SSH server. If you purchase web hosting online, normally it will come with SSH access. If you purchase a shared hosting account, then you may have to ask for SSH access. A dedicated server or VPS will definitely come with SSH access.

You will also require an SSH client on your local computer. The one I use is Putty.

Setting up Putty to create an SSH tunnel

Once you have Putty installed, open it and under the session category, type in the IP address or Domain name of your remote server into the "Host Name" field.

In the Category pane, open up the Connection tree: Connection -> SSH -> Tunnels. Under Tunnels you will have "Add new forward port". For source port, type in a free port number, e.g. 3000.

Choose the dynamic option under Destination, and click the Add button. You should have D3000 listed under the Forwarded ports list.

Now go back to the Session category and click the open button to start the SSH session. You should now have port 3000 on your local machine bound to the putty session. It will listen for any incoming traffic and forward it on.

Setting up your browser to use the SSH tunnel as its proxy

I use Firefox, but this could easily be done with IE6 or IE7 also. In Firefox click on the Tools Tab.

  • Tools -> Options -> Advanced -> Network
  • Under Connection click on the Settings button
  • Choose Manual Proxy configuration, and SOCKS v5
  • Fill in localhost for the host, and 3000 for the port
  • Click OK and reload the page

Now you should be browsing the internet through your SSH proxy. To confirm this you can visit http://whatismyip.com/ and view your IP. It should change when you switch between using the Socks Proxy and using a direct connection to the internet.

You can also type 'whois IP' into your SSH console to view the details for your IP, where IP is your IP as seen by whatismyip.com.

Now you can worry a bit less about your online privacy.