
I have two remote machines, remote1 and remote2. remote2 is only running sshd, and I can't run anything else on it. remote1 is a full-fledged server to which I have complete access. I can run a SOCKS proxy on remote2 via `ssh -f -N -D *:8080 me@remote2`, which lets me expose a SOCKS proxy on port 8080 on remote1. I'd like to authenticate this so that the proxy isn't sitting open. How can I do this?

It seems like I should be able to use delegate, but I can't even seem to get its HTTP proxy functionality working. When I run `delegated -r -P8081 SERVER=http PERMIT="*:*:*" REMITTABLE="*"` I can't even get it to work on port 8081.

Anyway, I was hoping someone could point me in the right direction to let me authenticate access to the SOCKS proxy connection? That is, I want to be able to point my browser's proxy at remote1 and browse the internet through the SSH SOCKS proxy/tunnel to remote2.

squid doesn't support a SOCKS parent =(

Thanks!

aresnick

2 Answers


nylon supports SOCKS mirroring with ACLs

http://monkey.org/~marius/pages/?page=nylon

Ash Palmer

If you want remote1:8080 to be accessible only from some local network, change from "-D *:8080" to "-D $IP:8080", where $IP is local network address of remote1.

If you want you <-(ssh)-> remote1 <-(ssh/socks)-> remote2 <-> internet, you may do:

  1. Change from "-D *:8080" to "-D 127.0.0.1:8080".
  2. Always ssh from "you" to "remote1" with option "-L 127.0.0.1:8080:127.0.0.1:8080" and use 127.0.0.1:8080 as the SOCKS proxy. It will be mapped to remote1:8080, then to remote2 and finally to the internet.

You can also set up a pair of stunnels or socats that will protect your connection with SSL certificates.

Vi.
  • I want `me <-(http/SOCKS proxy)-> remote1 <- (ssh/SOCKS) -> remote2 <-> internet` -- that is, I _only_ want to set up a proxy on my local machine (not have to `ssh`). I was thinking I could maybe put the proxy behind some sort of http authentication? I'm not familiar with stunnels or socats--can they do what I'm looking for? – aresnick Mar 15 '10 at 13:07
  • I don't understand what you want to do. Provide a list of limitations for hosts "remote2", "remote1" and "you". Why can't you just ssh to "remote2" with "-D" option? What can you run on "you"? (ssh client? only browser? Third-party tools like socat/stunnel?) What can you run on "remote1"? Describe what is "you", "remote1" and "remote2". – Vi. Mar 15 '10 at 15:06
  • I actually ended up getting this to work with [polipo](http://www.pps.jussieu.fr/~jch/software/polipo/). I can only run a browser (with a proxy extension of some sort) on `you`. I can run anything I want on `remote1` and I can only run `sshd` on remote2. I was trying to set up an ad hoc proxy which lets me expose a network I only have ssh access to, but I didn't want to open up a totally unprotected proxy. – aresnick Mar 17 '10 at 03:17
  • OK, with these limitations `polipo` should be right solution. – Vi. Mar 18 '10 at 18:43
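As an added example (not part of Vi.'s answer or anything else in this thread), the two-hop chain from the answer above written out as a small bash script: the SOCKS listener on remote1 is bound to loopback only, and the browser on "you" reaches it through an ordinary authenticated SSH port-forward, so SSH login to remote1 is the authentication. The helper `socks_bind_is_loopback` refuses `-D` bind specs that would expose the proxy to other hosts. The host aliases remote1/remote2 and the user `me` are taken from the question; `ss` and `curl` for the verification step are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: the two-hop chain described in the
# answer above,
#   you <-(ssh -L)-> remote1 <-(ssh -D, loopback only)-> remote2 <-> internet
# Hostnames remote1/remote2 and user "me" come from the question; ss and curl are
# assumed to be installed where the check runs.
set -eu

# Decide whether an ssh -D spec ("[bind_address:]port") listens on loopback only.
# Returns 0 for loopback-only, 1 if other hosts could reach the SOCKS port.
# A bare port binds to loopback because GatewayPorts defaults to "no" in ssh_config;
# an empty address or "*" means "all interfaces" (see ssh(1)).
socks_bind_is_loopback() {
  local spec host
  spec=$1
  case "$spec" in
    *:*) host=${spec%:*} ;;   # strip ":port"; IPv6 literals arrive bracketed, e.g. "[::1]"
    *)   host=localhost ;;    # bare port
  esac
  case "$host" in
    localhost|127.0.0.1|"[::1]") return 0 ;;
    *)                            return 1 ;;   # "*", "", 0.0.0.0, "[::]", a LAN address, ...
  esac
}

# Guard against starting the listener on all interfaces by mistake.
require_loopback() {
  if ! socks_bind_is_loopback "$1"; then
    echo "refusing: -D $1 would expose the SOCKS proxy to other hosts" >&2
    return 1
  fi
}

# Hop 2 (run on remote1): SOCKS5 listener on remote1's loopback, tunnelled to remote2.
start_hop2() {
  require_loopback 127.0.0.1:8080
  ssh -f -N -D 127.0.0.1:8080 me@remote2
}

# Hop 1 (run on "you"): carry local 127.0.0.1:8080 to remote1's loopback 8080 over an
# authenticated SSH session. Only someone who can log in to remote1 reaches the proxy.
start_hop1() {
  ssh -f -N -L 127.0.0.1:8080:127.0.0.1:8080 me@remote1
}

# Sanity check on either host: the only 8080 listener should be 127.0.0.1:8080.
show_listener() {
  ss -ltn 'sport = :8080'
}

# Browser-equivalent check from "you"; --socks5-hostname makes the proxy resolve
# DNS too, so lookups do not leak from the local machine.
probe() {
  curl -sS --socks5-hostname 127.0.0.1:8080 -o /dev/null -w '%{http_code}\n' https://example.org/
}

case "${1:-}" in
  hop2)  start_hop2 ;;
  hop1)  start_hop1 ;;
  check) show_listener; probe ;;
  *)     : ;;   # sourced or run without arguments: only define the functions
esac
```

Run `./chain.sh hop2` on remote1, then `./chain.sh hop1` and `./chain.sh check` on your own machine, and point the browser at SOCKS5 `127.0.0.1:8080`. Note that this only fits the variant where "you" can run an ssh client; the "browser only" case from the comments is the one the asker solved with polipo instead.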