Re: [SQU] Tunneling proxy?

From: Gary E Bickford <garyb@dont-contact.us>
Date: Fri, 19 Jan 2001 10:47:52 -0800

I do have permission to set this up, with the proper precautions. I
presently spend several hours each day connected to various machines
behind the firewall using SSH tunnels through a set of ports that are
kept open for this.

I'm at a loss to figure out how to set up two squids and a tunnel in
such a way that when my browser requests "http://www.foo.company.com"
squid will grab that request, pump it through the tunnel to the other
end, where the 'parent' squid will make the actual request and forward
it back through the tunnel, and everything will work.

If I understand Squid properly, isn't this all I need to do (I'm not
sure of the port nos. on the Squid-Squid connection)?

   1. Configure my local Squid to send all requests to *.company.com to
      its 'parent' at some local port - say port 3122 for purposes of
      discussion, so the remote Squid would appear to be at
      'localhost:3122' or '192.168.0.9:3122'
   2. Set up an SSH tunnel, forwarding port 3122 to port 3128 (3130?) on
      the other end.
   3. Configure the remote Squid to accept requests from a child Squid
      coming in on 3128, as per normal.
      
I have a doubt in the back of my mind that there will be issues with the
client hostname on requests through the tunnel. The remote squid will
see those as coming either from localhost or from the local IP address,
but the hostname in the request will have my computer's hostname. Also,
do I need to forward more than just 3128?

This method is pretty secure, if it's possible. I have Apache running
on the other end as well as on my workstation, so I can do rewrites and
redirects, but I've been very unsuccessful in getting anything useful
set up. I can even build a special instance of Apache that does nothing
but redirects if need be. And I have a second computer on the remote
end that is not presently being used for much, so I can even use it as
an intermediary host to assist in fixing up addressing.

I believe my alternative solution is to use SSH and PPP to set up a
complete virtual private network. This would essentially put my machine
behind the firewall for all practical purposes. Getting my local
routing set up would be a bit of a challenge, to allow access to other
parts of the net at the same time.

GB

Henrik Nordstrom wrote:

> Erhm.. there are many ways to tunnel traffic thru a firewall if you have
> access to both sides, but are you allowed to do this?
>
> My recommendation is to use SSH port forwarding if anything. But FIRST
> ask the client if this is OK, as it might expose their systems.
>
> I do not recommend installing a proxy at the client. Instead set up an SSH
> port forward per server you need access to.
>
> You can use a Squid with a redirector (and redirect_rewrites_host_header
> off) or another proxy with URL rewriting capabilities locally to forward
> the requests to the correct forwarded port.
>
> --
> Henrik Nordstrom
> Squid hacker
>
>
> Gary E Bickford wrote:
>
>> Folks,
>> I've looked at the howto's and some other things. I seem to have missed
>> any link to the mail list archive - can someone send that to me or post it?
>>
>> My particular problem is somewhat complicated. I don't know enough
>> about Squid to know if this is a hard thing or a soft thing :O) Please
>> excuse me if this question is handled in the howto somewhere, perhaps I
>> misunderstood what I'm doing and didn't see the solution in front of me.
>>
>> I am working on several web servers that live behind a firewall at a
>> client company. I normally get to the machines via SSH on any of a
>> number of specially assigned set of ports for this purpose. Some of
>> these sites are composites of my work and other machines that I don't
>> have access to, and vary. I can't see these other sites directly. I
>> guess we could say I'm on the 'wrong side' of the firewall.
>>
>> I need to set up a proxy server on one of my client machines inside the
>> firewall, that my local Squid can get to either on a high port or via an
>> SSH tunnel, that would allow me to get to these machines with their real
>> domain names - a transparent proxy going the wrong way? I'm running
>> Squid on my local machine already. Can I set up a parent proxy on a
>> high port such that my local Squid will know to send requests through
>> this other proxy for all machines in, e.g., '.client.com' but will not
>> send them through the other machine for all other domains/address blocks?
>>
>> Do I need to use SSH? I generally don't have a need to use encryption,
>> but compression is nice. Although I could use SSL occasionally it's not
>> essential.
>>
>> The client company has several different address blocks.
>>
>> --
>> Diplomacy is the art of saying "nice doggy" until you can find a rock.
>> ---
>> Gary E Bickford, mailto:garyb@fxt.com, http://www.fxt.com, tel 541-383-2749
>> FXT Corporate Websystems, content & asset management, extranet applications:
>> PHP, XML, Apache, Tomcat, SQL, JSP
>>
>> --
>> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>

-- 
Diplomacy is the art of saying "nice doggy" until you can find a rock.
---
Gary E Bickford, mailto:garyb@fxt.com, http://www.fxt.com, tel 541-383-2749
FXT Corporate Websystems, content & asset management, extranet applications:
PHP, XML, Apache, Tomcat, SQL, JSP
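The three-step set-up Gary sketches (child Squid sending only *.company.com to a parent reached through an SSH port forward) written out as an added example; this is not configuration from the thread or from the Squid project. Port numbers follow the post (3122 forwarded locally, 3128 on the remote Squid); "user" and "gateway.company.com" are assumed names, and the parent Squid is assumed to run on the SSH host itself, so the forward targets that host's loopback. That also answers the worry about the client address: the parent sees every tunnelled request arrive from 127.0.0.1, and the HTTP Host header names the requested server, not the requesting workstation, so the parent can be restricted to loopback sources only.

```shell
#!/bin/sh
# Added example (not from the thread): generate the tunnel command and the
# two squid.conf fragments for a child Squid that sends only *.company.com
# to a parent Squid reached through an SSH port forward.

LOCAL_FWD_PORT=3122               # local port the child Squid talks to
REMOTE_SQUID_PORT=3128            # http_port of the parent Squid on the far side
SSH_USER="user"                   # assumed
SSH_HOST="gateway.company.com"    # assumed: the box inside the firewall
TUNNEL_DOMAIN=".company.com"      # only this domain goes through the tunnel

# 1. The tunnel: -N (no remote command), -C (compress), -L (local forward).
#    With GatewayPorts off (the default) the local port listens on loopback
#    only, so nobody else on the LAN can ride the tunnel.
ssh_tunnel_cmd() {
  printf 'ssh -N -C -L %s:localhost:%s %s@%s\n' \
    "$LOCAL_FWD_PORT" "$REMOTE_SQUID_PORT" "$SSH_USER" "$SSH_HOST"
}

# 2. Fragment for the local (child) squid.conf: declare the parent at the
#    forwarded port, restrict it to the tunnelled domain, and forbid going
#    direct for that domain so a misrouted request fails instead of leaking
#    out to the Internet side. Port 0 / no-query disables ICP.
child_squid_conf() {
  cat <<EOF
cache_peer 127.0.0.1 parent $LOCAL_FWD_PORT 0 no-query
cache_peer_domain 127.0.0.1 $TUNNEL_DOMAIN
acl tunnelled dstdomain $TUNNEL_DOMAIN
never_direct allow tunnelled
EOF
}

# 3. Fragment for the remote (parent) squid.conf: requests arrive from the
#    SSH daemon on the same host, so the source address is 127.0.0.1 and
#    nothing else on the client's network needs to be allowed in.
parent_squid_conf() {
  cat <<EOF
http_port $REMOTE_SQUID_PORT
acl from_tunnel src 127.0.0.1/32
http_access allow from_tunnel
http_access deny all
EOF
}

# Sanity check: the port the child forwards to must be the one the SSH
# command binds locally. Returns 0 when the two pieces agree.
ports_consistent() {
  peer_port=$(child_squid_conf | awk '/^cache_peer /{print $4}')
  ssh_port=$(ssh_tunnel_cmd | sed 's/.*-L \([0-9]*\):.*/\1/')
  [ "$peer_port" = "$ssh_port" ]
}

echo "# tunnel:";            ssh_tunnel_cmd
echo "# local squid.conf:";  child_squid_conf
echo "# remote squid.conf:"; parent_squid_conf
ports_consistent && echo "# ports consistent"
```

Run the script once to print the pieces, paste each fragment into the matching squid.conf, start the tunnel, and then request a *.company.com URL through the local Squid; a request for any other domain still goes direct because the peer is limited by cache_peer_domain and never_direct only matches the tunnelled acl.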
Received on Fri Jan 19 2001 - 11:45:35 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:30 MST