# Squid + SSH HTTP Tunnel HELP!



## drmike (Nov 21, 2013)

Trying to revise my bubblegummed setup here for sanity's sake.

Shoved Squid back in the middle as cache layer and general Ginsu knife set for slicing and dicing things (yeah I hate Squid, but it's hard to argue about what it can do when you perfect it).

Latest snafu is getting Squid to front end a SSH HTTP Tunnel:

Computer ---> Squid:3128 ---> SSH HTTP Tunnel:9999  (over internet to remote VPS) --> out to world

Anyone perfected such a configuration?


----------



## scv (Nov 21, 2013)

Is there any particular reason you try the SSH tunnel after squid? I'm sure it'd be less complex if you reversed Squid and SSH in this case.


----------



## drmike (Nov 21, 2013)

scv said:


> Is there any particular reason you try the SSH tunnel after squid? I'm sure it'd be less complex if you reversed Squid and SSH in this case.


Good question.

Squid is on the LAN; the SSH tunnel is an encrypted tunnel to the net via a remote VPS/server.


----------



## scv (Nov 21, 2013)

Can you elaborate on how the tunnel is set up? I think you're referring to an SSH SOCKS tunnel but not 100% sure.


----------



## drmike (Nov 21, 2013)

Yes sir, SSH SOCKS tunnel:

```
ssh -D 192.168.1.10:9999 -NfC2 [email protected]
```

I read somewhere while researching that Squid didn't support SOCKS5. Unsure if they've added that feature and, if so, whether it's in the version currently running.


----------



## scv (Nov 21, 2013)

Squid doesn't natively support SOCKS but you could use a wrapper such as proxychains or tsocks to provide that functionality.

The only thing I'm missing here is the relevance of the local Squid server. Why can't you just use the remote SOCKS directly? It won't be any more secure going through an HTTP proxy on your LAN.


----------



## drmike (Nov 21, 2013)

scv said:


> The only thing I'm missing here is the relevance of the local Squid server. Why can't you just use the remote SOCKS directly? It won't be any more secure going through an HTTP proxy on your LAN.


Squid locally is to serve files up fast. Connection to the net is severely impaired/slow/limited. Behind the cache locally are multiple users. Not everything is cache-enabled, so refetching does happen. Better to go from there to LAN storage than from there to the remote server over a saturated/congested line.


----------



## scv (Nov 21, 2013)

You'd be better off using something other than SSH. SSH tunnels don't handle concurrent connections well at all, and your slow connection will be worse than usual. Would OpenVPN to the remote site be an option?


----------



## drmike (Nov 21, 2013)

OpenVPN could be an option. Haven't monkeyed with it to date.

I roll SSH tunnels out routinely for all sorts of stuff. So still relying on it, perhaps in a suboptimal environment.

proxychains - Second time I've seen you mention that. Their site and info is mighty sparse. Are you a heavy user of it? Care to point out use examples or a good howto/FAQ style example site for proxychains?


----------



## scv (Nov 21, 2013)

I personally don't use it regularly but it's a very handy tool. For your case you'd be better off with tsocks which is easier to configure.

tsocks is old and unmaintained but it does its job well. Here's an example config you could use:


```
# Define subnets that can be directly accessed
local = 192.168.1.0/255.255.255.0
# local = 8.8.8.8/255.255.255.255

server = 192.168.1.10
server_type = 5
server_port = 9999
```

As you can see, very simple. Next you'd want to start Squid via tsocks, either by setting LD_PRELOAD=/path/to/tsocks.so in Squid's environment or launching Squid with the tsocks wrapper program.
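
What the tsocks wrapper does on Squid's behalf for every outbound connect, as an added example that is not from this thread or from the tsocks project: the SOCKS5 CONNECT exchange (RFC 1928) between a client and a constructed stand-in for the ssh -D listener, run over a local socketpair so it works offline. The hostname and port are made-up sample values; the real listener would be the 192.168.1.10:9999 tunnel above.

```python
import socket, struct, threading

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:  # SOCKS fields are fixed-width, so read exactly n bytes
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS peer closed the connection")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """Client side of RFC 1928 on a socket already open to the ssh -D port."""
    sock.sendall(b"\x05\x01\x00")                 # VER=5, NMETHODS=1, NO AUTH
    ver, method = recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise ConnectionError("proxy did not accept the no-auth method")
    name = host.encode("idna")
    # CMD=CONNECT, ATYP=3 (domain name): the SSH endpoint resolves the name
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port))
    ver, rep, _, atyp = recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT refused, REP={rep}")
    # discard BND.ADDR (length depends on ATYP) and the 2-byte BND.PORT
    skip = {1: 4, 4: 16}.get(atyp) or recv_exact(sock, 1)[0]
    recv_exact(sock, skip + 2)
    return sock                                   # now a raw pipe to host:port

def fake_ssh_d(sock, seen):
    """Constructed stand-in for ssh -D: accept no-auth, record the CONNECT target."""
    with sock:
        assert recv_exact(sock, 3) == b"\x05\x01\x00"
        sock.sendall(b"\x05\x00")                 # chosen method: NO AUTH
        ver, cmd, _, atyp = recv_exact(sock, 4)
        assert (ver, cmd, atyp) == (5, 1, 3)
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
        port = struct.unpack("!H", recv_exact(sock, 2))[0]
        seen.append((host, port))
        sock.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)  # REP=0, BND=0.0.0.0:0

def demo(host="example.com", port=80):
    """Run both ends over a socketpair; returns what the proxy was asked to reach."""
    client, server = socket.socketpair()
    seen = []
    t = threading.Thread(target=fake_ssh_d, args=(server, seen))
    t.start()
    socks5_connect(client, host, port)
    t.join()
    return seen[0]
```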


----------



## drmike (Nov 21, 2013)

Thanks @scv, always good to see what folks are using and how they're working through stuff like this.

I am still tinkering for an optimal/acceptable performance level.

This project is to stuff these functions inside a Raspberry Pi and perform caching and sanitation functions regardless of what the actual bandwidth is (which later will be grafted into the Pi).

Found Squid, in its current as-is config, is abusive to the puny disk IO and creates basically an outage when it goes to writing in mass. So have that offline and eliminated for the time being.

Privoxy and Polipo are both on the testing bench now. Looking for something with caching and magic to glue together while not performing horribly or feeling slow on load.


----------

