[squid-users] General security and usage questions

j m acctforjunk at yahoo.com
Fri Apr 7 13:01:15 UTC 2017


I have an Ubuntu server set up that does various things in addition to being a web proxy (squid 3.3.8) to use remotely over the internet.  This allows me to directly access internal devices with a web page on my LAN since my employer, like most, blocks VPN connections.  My intention is to have the squid service running at all times, with a login, so I can use it any time.  However, there are a few things I have not been able to answer/resolve through my own research:
1. I am not able to SSH into my server from my employer.  It's rare I'd need to do this, but ethical considerations aside, could this work with PuTTY over the squid proxy?  I'm confused over how or if this would work using the Connection -> Proxy config in PuTTY.  I can successfully use my proxy from a web browser, but have had no luck with SSH despite entering the proxy info into PuTTY.  Supposedly the proxy needs to support the CONNECT method, but I'm unclear what this is or how to enable this.  As an aside, I have experimented with shellinabox, but abandoned it when I learned it's not encrypted by default.

2. How good is squid's security as far as leaving its port open to the Internet, which I obviously have to do in my case?  I found it interesting that if I enter http://myip:myport from over the Internet, it responds with a "The requested URL could not be retrieved" page, along with information that identifies it as squid, along with the version number and server name, without asking for a login.  Being unfamiliar with web proxies, this might be the norm for all I know.  If I set up a browser to use it as a proxy, it does ask for a login.  It appears the error pages are in /usr/share/squid/errors, but is there a way for it to be more discreet, preferably to not respond at all or ask for a login?

Below is my squid.conf.  I removed all the commented lines, and pieced one together from information online.  My goal is to have it proxy basically anything thrown at it if authenticated, be as secure as reasonably possible, absolutely no caching, and enable SSH connections through it, if possible.

Thanks in advance.

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# Choose the port you want. Below we set it to default 3128.
http_port 8092
cache deny all
access_log none
acl CONNECT method CONNECT