Monday, November 12, 2007

Your Traffic Chopper Just Crashed

I happen to have a home Internet(s) connection with a static IP address, and I prefer to keep nosy sysadmins from seeing what websites I visit. I have squid set up to proxy all of my web browsers' HTTP and HTTPS traffic through home.

First, we tell our local machine to listen on a particular port, and forward any requests it gets to our machine at home:

ssh -L 9000: -p 22

If you're on Windows, this can also be done with PuTTY.

Squid has to be set up on the box at home and configured to forward requests out to the Internet(s).

Then we set up our browser to use the proxy:

And voila! I mean unless, like me, you've been doing this for 5 years.

I started a new job today, and when I sent out an IM, I got this reply inside their IM window:

IM Administrator: You are required to register your IM screen names at [URL]. For questions call the Help Desk at 800-555-1212

Crappy Crapperton! I guess this means we should change our squid.conf to allow popular IM clients.

Add port 1863 to the SSL_ports list:
acl SSL_ports port 443 563 1863

Then add the following:
# Permit AOL Instant Messenger to connect to
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain
acl AIM_domains dstdomain
acl AIM_hosts dstdomain
acl AIM_nets dst
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains

# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain
acl YIM_hosts dstdomain
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains

# Permit Google Talk
acl GTALK_ports port 5222
acl GTALK_domains dstdomain
acl GTALK_hosts dstdomain
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain
acl MSN_hosts dstdomain
acl MSN_nets dst
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_nets

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports !AIM_ports !YIM_ports !GTALK_ports !MSN_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

and then change our IM client settings to proxy through our machine at home:
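Before relying on the rules above, it is worth checking what they actually permit, since Squid takes the first matching http_access line and ANDs every acl on a line. The following is an added example, not code from the post: a small model of that first-match evaluation over the IM rules, with constructed placeholder domains standing in for the dstdomain values, Squid's stock Safe_ports list, and an assumed trailing "allow the local tunnel client" rule.

```python
# Added example (not the post's own code): a minimal model of Squid's
# first-match http_access evaluation, to see what the IM rules permit.
# Domain values are constructed placeholders; the real squid.conf values
# are whatever you put in your own acl lines.

# Squid's stock Safe_ports list (80, 21, 443, 70, 210, 280, 488, 591, 777
# and the unregistered range 1025-65535).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563, 1863}          # 1863 added for MSN, as in the post
IM_PORTS = {
    "AIM": {5190, 9898}, "YIM": {5050},
    "GTALK": {5222}, "MSN": {1863, 443, 1503},
}
IM_HOSTS = {                          # constructed placeholder dstdomain values
    "AIM": ".example-aim.test", "YIM": ".example-yim.test",
    "GTALK": ".example-gtalk.test", "MSN": ".example-msn.test",
}

def dstdomain(pattern, host):
    """Squid dstdomain semantics: a leading dot matches the domain and its subdomains."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def rules():
    """Ordered (verdict, predicate) pairs mirroring the http_access lines above."""
    r = []
    for im in ("AIM", "YIM", "GTALK", "MSN"):
        # http_access allow <IM>_methods <IM>_ports <IM>_hosts/domains
        r.append(("allow", lambda m, h, p, im=im:
                  m == "CONNECT" and p in IM_PORTS[im] and dstdomain(IM_HOSTS[im], h)))
    # http_access deny !Safe_ports !AIM_ports !YIM_ports !GTALK_ports !MSN_ports
    all_im = set().union(*IM_PORTS.values())
    r.append(("deny", lambda m, h, p: p not in SAFE_PORTS and p not in all_im))
    # http_access deny CONNECT !SSL_ports
    r.append(("deny", lambda m, h, p: m == "CONNECT" and p not in SSL_PORTS))
    # Assumed trailing rule: the local ssh tunnel is the only client, so allow it.
    r.append(("allow", lambda m, h, p: True))
    return r

def http_access(method, host, port):
    """First matching http_access line wins, as Squid evaluates them."""
    for verdict, pred in rules():
        if pred(method, host, port):
            return verdict
    return "deny"
```

Note that because 1863 was added to SSL_ports, CONNECT to port 1863 on any host passes the "deny CONNECT !SSL_ports" line, so the MSN_hosts restriction only narrows the earlier allow line, not the end result.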
