Encrypted connection proxy wise?

Post by ayu »

Well, I use the wireless at my University. And seeing that it's a Technology uni with both Programming and IT-security as a speciality, I don't think I want to use an unencrypted connection ^^

So I was thinking that I could set up a proxy at home and connect all my stuff through it, and have the connection encrypted from my lappy to the proxy.

Does anyone have a tip on how I could accomplish this? I looked around some in the Debian repositories and on Google, read some blogs and so on. But I can't decide what I should use. I read some about tunneling the data through an SSH tunnel, which sounds like a good idea. But I also thought about using a regular proxy with an SSL connection, but I couldn't find anything.

Does anyone have an idea? =)
"The best place to hide a tree, is in a forest"

Post by bad_brain »

hm, I am not 100% sure if a proxy will work together with SSL, but it's worth a try.
the package for apache is libapache2-mod-proxy-html.
to enable SSL you have to create the keys first (SSL is already implemented into apache2):
http://www.apache-ssl.org/
scroll down to "Now I've got my server installed, how do I create a test certificate?".
the tricky part will be to set up the virtual host for SSL and the proxy....here's an example of a virtual host for the proxy:
http://confluence.atlassian.com/display ... +mod_proxy
you will have to customize it to use SSL.... :-k :wink:

Post by ayu »

Hmmm interesting. But even if it does work, how can I be sure that it actually establishes an encrypted connection between proxy and program? For example, if I set up Xchat to use socks5/proxy and then use my own proxy which is located at home. Will it create an SSL encrypted link? Or will it fail because it doesn't understand wtf the proxy is on about?

Post by bad_brain »

hm, what I wrote above will only work for http traffic (IF it works).
to use encryption for a SOCKS proxy connection you will have to use SSH tunneling... because when the connection is made via the SSH tunnel encryption MUST be in use, else the connection would not be established at all. in this case you can skip the SSL setup on Apache because the SSH tunnel is doing the encryption....might be the best way... :-k

Post by ayu »

hmm, in all applications where you can use a proxy, there is a login function. I mean there has to be some sort of proxy out there that can handle SSL and authentication =/

I found a proxy with SSL support, but it only seems to be able to simply redirect one connection on a TCP port to another remote port, and not per request from a client =/

Post by bad_brain »

ok, what about using a regular proxy together with stunnel:
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
at least in theory this should make it much easier.. :-k

http://www.stunnel.org/

Post by ayu »

bad_brain wrote:
> at least in theory this should make it much easier.. :-k
>
> http://www.stunnel.org/

hmm, that sounds very interesting Oo I will have a look at that, thanks! :D

Post by ayu »

Ok, that looks promising....

But if I was to use this, the proxy would be wide open for others to use. Is there maybe an HTTP proxy or something, that uses authentication?

Post by bad_brain »

hmmm....I am thinking about a "different" way....what about this:
the proxy is closed to everyone until you contact port 1, 288, 34000 and 345 in exactly this sequence (just an example)....then the proxy is available and can be used, when done you run another sequence and the proxy is shut down again.
wouldn't this be a really stealth way? I mean, nobody could see any kind of login.... 8)

if you like this idea check knockd:
http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

Post by ayu »

hmmm, well during that time, wouldn't the proxy be open for others as well? I mean what if a scanner passes by my IP at that specific moment when I am using the proxy?

Post by bad_brain »

yeah, but that's very unlikely....and you can still limit the IPs allowed to connect via iptables.

but of course the usual apache authentication syntax with .htaccess and .htpasswd can also be used in the <proxy></proxy> block...
so mod proxy together with stunnel should be the easiest way.
:wink:
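
The knock-then-open idea and the per-IP restriction discussed in the posts above, as an added example (not code from the thread and not knockd's own code). It assumes the gate opens only for the source address that completed the sequence; `KnockGate`, `PROXY_PORT`, `SEQ_TIMEOUT` and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1, 288, 34000, 345)  # example sequence from the post above
PROXY_PORT = 3128      # assumption: port the proxy listens on
SEQ_TIMEOUT = 10.0     # assumption: seconds allowed to complete the sequence

@dataclass
class KnockGate:
    progress: dict = field(default_factory=dict)  # src -> (knocks matched, start time)
    allowed: set = field(default_factory=set)     # sources the gate is open for

    def packet(self, src: str, port: int, now: float) -> bool:
        """Handle one connection attempt; True means it reaches the proxy."""
        if port == PROXY_PORT:
            return src in self.allowed            # open per source, not globally
        idx, started = self.progress.get(src, (0, now))
        if idx == 0 or now - started > SEQ_TIMEOUT:
            idx, started = 0, now                 # fresh or expired attempt
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:                                     # wrong port: start over
            idx, started = (1 if port == KNOCK_SEQUENCE[0] else 0), now
        if idx == len(KNOCK_SEQUENCE):
            self.allowed.add(src)
            idx = 0
        self.progress[src] = (idx, started)
        return False                              # knock ports never accept

# Constructed sample traffic: (source address, destination port, time in seconds)
SAMPLE_EVENTS = [
    ("203.0.113.10", 1, 0.0), ("203.0.113.10", 288, 1.0),
    ("203.0.113.10", 34000, 2.0), ("203.0.113.10", 345, 3.0),
    ("203.0.113.10", PROXY_PORT, 4.0),   # owner, after a correct knock
    ("198.51.100.7", PROXY_PORT, 4.5),   # scanner passing by while gate is open
    ("198.51.100.7", 1, 5.0), ("198.51.100.7", 288, 5.1),
    ("198.51.100.7", 345, 5.2), ("198.51.100.7", 34000, 5.3),  # ascending sweep
    ("198.51.100.7", PROXY_PORT, 6.0),
]

def replay(events):
    """Feed events through a fresh gate; return the accept/drop decision for each."""
    gate = KnockGate()
    return [gate.packet(src, port, t) for src, port, t in events]

if __name__ == "__main__":
    for event, ok in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "ACCEPT" if ok else "DROP")
```

If the laptop sits behind a shared NAT address, everyone behind that address matches the same source. The knock ports also cross the network unencrypted, so the gate limits who can reach the proxy and does nothing for confidentiality.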

Post by ayu »

bad_brain wrote:
> yeah, but that's very unlikely....and you can still limit the IPs allowed to connect via iptables.
>
> but of course the usual apache authentication syntax with .htaccess and .htpasswd can also be used in the <proxy></proxy> block...
> so mod proxy together with stunnel should be the easiest way.
> :wink:

Now that sounds more like a solution fit for my schedule xD ... Thing is that I'm a bit short on time these days because of Uni, so don't have time for any big projects ^^

Post by Still_Learning »

Cats,

If you did that then it would not be an anonymous proxy though, right? The only thing it would do is change your IP to your home PC's IP, correct?

Or do you have some kind of program on the home computer that you connect to and shows on everyone else's PC as a random IP? Or say you connect to your home PC using TOR so it automates a different IP address every 10 seconds or whatever?

Post by ayu »

itzm3 wrote:
> Cats,
>
> If you did that then it would not be an anonymous proxy though, right? The only thing it would do is change your IP to your home PC's IP, correct?
>
> Or do you have some kind of program on the home computer that you connect to and shows on everyone else's PC as a random IP? Or say you connect to your home PC using TOR so it automates a different IP address every 10 seconds or whatever?

Well the purpose isn't to be anonymous, it's just to encrypt the data between school and home server so that people won't sniff the traffic. And using TOR, is everything else but secure.

Post by Still_Learning »

cats wrote:
> itzm3 wrote:
>> Cats,
>>
>> If you did that then it would not be an anonymous proxy though, right? The only thing it would do is change your IP to your home PC's IP, correct?
>>
>> Or do you have some kind of program on the home computer that you connect to and shows on everyone else's PC as a random IP? Or say you connect to your home PC using TOR so it automates a different IP address every 10 seconds or whatever?
>
> Well the purpose isn't to be anonymous, it's just to encrypt the data between school and home server so that people won't sniff the traffic. And using TOR, is everything else but secure.

What is not secure about using TOR?
