<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1493835252799_10881" dir="ltr"><span id="yui_3_16_0_ym19_1_1493835252799_10951">In any case, I'm finding SSH through a proxy is undesirable or not possible. I'm thinking shellinabox, which is insecure but run over a secure proxy link, is my best bet.</span></div><div class="qtdSeparateBR" id="yui_3_16_0_ym19_1_1493835252799_10900"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_ym19_1_1493835252799_10904" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;" id="yui_3_16_0_ym19_1_1493835252799_10903"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_ym19_1_1493835252799_10902"> <div dir="ltr" id="yui_3_16_0_ym19_1_1493835252799_10901"> <font size="2" face="Arial" id="yui_3_16_0_ym19_1_1493835252799_10952"> <hr size="1" id="yui_3_16_0_ym19_1_1493835252799_11002"> <b><span style="font-weight:bold;">From:</span></b> Alex Rousskov &lt;rousskov@measurement-factory.com&gt;<br> <b><span style="font-weight: bold;">To:</span></b> j m &lt;acctforjunk@yahoo.com&gt;; "squid-users@lists.squid-cache.org" &lt;squid-users@lists.squid-cache.org&gt; <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, May 3, 2017 1:19 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [squid-users] HTTPS support<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_ym19_1_1493835252799_10906"><br><div dir="ltr" id="yui_3_16_0_ym19_1_1493835252799_10905">On 05/03/2017 11:37 AM, j m wrote:<br clear="none">> the plan was to use SSH through the proxy.<br clear="none"><br clear="none">If your SSH clients support SSH through an HTTP proxy, then do not<br clear="none">authenticate them in Squid. 
Just do not let them go anywhere but the SSH<br clear="none">server. It would be like running an exposed-to-the-world SSH server, no<br clear="none">worse. Squid will still know nothing about SSH. Squid will just tunnel<br clear="none">opaque bytes from your SSH clients to your SSH server. You will use an<br clear="none">HTTP (not HTTPS) Squid port for this traffic because your SSH clients<br clear="none">are unlikely to support HTTPS to the proxy.<br clear="none"><br clear="none">Your browsers will still use HTTPS to the proxy (and get authenticated).<br clear="none">Thus, you will have two different http_ports, one for HTTP<br clear="none">(unauthenticated SSH clients) and one for HTTPS (authenticated browsers).<br clear="none"><br clear="none">If SSH blocking is not based on _protocol_ but on port, then follow<br clear="none">Antony Stone's advice and change the SSH server port instead of<br clear="none">HTTP-proxying SSH connections.<br clear="none"><br clear="none">Alex.<div class="yqt3111027133" id="yqtfd64275"><br clear="none"><br clear="none"><br clear="none"><br clear="none">> ------------------------------------------------------------------------<br clear="none">> *From:* Alex Rousskov <<a shape="rect" ymailto="mailto:rousskov@measurement-factory.com" href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>><br clear="none">> *To:* "<a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>"<br clear="none">> <<a shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" href="mailto:squid-users@lists.squid-cache.org" id="yui_3_16_0_ym19_1_1493835252799_11003">squid-users@lists.squid-cache.org</a>><br clear="none">> *Cc:* j m <<a shape="rect" ymailto="mailto:acctforjunk@yahoo.com" href="mailto:acctforjunk@yahoo.com">acctforjunk@yahoo.com</a>><br clear="none">> *Sent:* Wednesday, May 3, 2017 12:22 PM<br clear="none">> *Subject:* Re: 
[squid-users] HTTPS support<br clear="none">> <br clear="none">> On 05/03/2017 10:57 AM, j m wrote:<br clear="none">>> I wanted to set up a proxy on my home server for use from remote<br clear="none">>> locations to use as a web proxy (of course) and also to run SSH over.<br clear="none">> <br clear="none">> The "ssh" part is unrelated to Squid. Secure ssh separately from Squid.<br clear="none">> <br clear="none">> <br clear="none">>> This means that basic auth is undesirable due to the login being sent<br clear="none">>> in clear text. So, someone suggested digest auth, and I was happy.<br clear="none">>> But, now I'm finding that PuTTY and WinSCP do not support digest auth.<br clear="none">>> And consequently, I haven't found any other SSH clients that support<br clear="none">>> digest. (sigh)<br clear="none">> <br clear="none">> These problems will go away if you stop mixing Squid and ssh. Squid is<br clear="none">> HTTP while PuTTY/WinSCP is SSH. You gain very little by trying to use<br clear="none">> the same authentication mechanism for both protocols in your use case.<br clear="none">> <br clear="none">> <br clear="none">>> So, I'm back to plan b, and that is to have a secure proxy connection so<br clear="none">>> all browser-to-server communication is encrypted.<br clear="none">> <br clear="none">> That is a good idea if all of your browsers support it. Popular browsers<br clear="none">> support HTTPS-to-proxy on desktop, but I am not sure about their mobile<br clear="none">> versions. You may have to jump through some hoops.<br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">>> So the question is, does<br clear="none">>> anyone know if squid 3.5 on Ubuntu 16.04 supports secure connections?<br clear="none">> <br clear="none">> <br clear="none">> Squid v3.5 supports secure connections to the proxy. 
See "TLS / SSL<br clear="none">> Options" for the http_port directive (not the https_port directive!).<br clear="none">> <br clear="none">> You can install Squid v3.5 on Ubuntu. I do not know whether the official<br clear="none">> Ubuntu Squid package is built with the required support.<br clear="none">> <br clear="none">> <br clear="none">> HTH,<br clear="none">> <br clear="none">> Alex.<br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>