Squid + SSH HTTP Tunnel HELP!

drmike

100% Tier-1 Gogent
Trying to revise my bubblegummed setup here for sanity sake.

Shoved Squid back in the middle as cache layer and general Ginsu knife set for slicing and dicing things (yeah I hate Squid, but it's hard to argue about what it can do when you perfect it).

Latest snafu is getting Squid to front end a SSH HTTP Tunnel:

Computer ---> Squid:3128 ---> SSH HTTP Tunnel:9999  (over internet to remote VPS) --> out to world

Anyone perfected such a configuration?
 
Last edited by a moderator:

scv

Massive Nerd
Verified Provider
Is there any particular reason you try the SSH tunnel after squid? I'm sure it'd be less complex if you reversed Squid and SSH in this case.
 

drmike

100% Tier-1 Gogent
Is there any particular reason you try the SSH tunnel after squid? I'm sure it'd be less complex if you reversed Squid and SSH in this case.
Good question.

Squid is on LAN, the SSH tunnel is crypted tunnel to net via remote VPS/server.
 
Last edited by a moderator:

scv

Massive Nerd
Verified Provider
Can you elaborate on how the tunnel is setup? I think you're referring to an SSH SOCKS tunnel but not 100% sure.
 

drmike

100% Tier-1 Gogent
Yes sir, SSH SOCKS tunnel:


ssh -D 192.168.1.10:9999 -NfC2 [email protected]
I read somewhere in researching that Squid didn't support SOCK5.  Unsure if they've added that feature and if so in version currently running.
 

scv

Massive Nerd
Verified Provider
Squid doesn't natively support SOCKS but you could use a wrapper such as proxychains or tsocks to provide that functionality.

The only thing I'm missing here is the relevance of the local Squid server. Why can't you just use the remote SOCKS directly? It won't be any more secure going through an HTTP proxy on your LAN.
 

drmike

100% Tier-1 Gogent
The only thing I'm missing here is the relevance of the local Squid server. Why can't you just use the remote SOCKS directly? It won't be any more secure going through an HTTP proxy on your LAN.
Squid locally is to serve files up fast.   Connection to net is severely impaired/slow/limited.  Behind the cache locally are multiple users.   Not everything is cache enabled.   So refetching does happen.  Better to go from there to LAN storage than there to remote server over saturated/congested line.
 

scv

Massive Nerd
Verified Provider
You'd be better off using something other than SSH. SSH tunnels don't handle concurrent connections well at all, and your slow connection will be worse than usual. Would OpenVPN to the remote site be an option?
 

drmike

100% Tier-1 Gogent
OpenVPN could be an option.  Haven't monkeyed with it to date.

I roll SSH tunnels out routinely for all sorts of stuff.  So still relying on it perhaps in sub optimal environment.

proxychains  - Second time I've seen you mention that.  Their site and info is mighty sparse.   Are you a heavy user of it?   Care to point out use examples or good howto/FAQ style example site for proxychains?
 

scv

Massive Nerd
Verified Provider
I personally don't use it regularly but it's a very handy tool. For your case you'd be better off with tsocks which is easier to configure.

tsocks is old and unmaintained but it does its job well. Here's an example config you could use:


# Define subnets that can be directly accessed
local = 192.168.1.0/255.255.255.0
# local = 8.8.8.8/255.255.255.255

server = 192.168.1.10
server_type = 5
server_port = 9999

As you can see, very simple. Next you'd want to start Squid via tsocks, either by setting LD_PRELOAD=/path/to/tsocks.so in Squid's environment or launching Squid with the tsocks wrapper program.
 

drmike

100% Tier-1 Gogent
Thanks @scv, always good to see what folks are using and how working through stuff like this.

I am still tinkering for an optimal/acceptable performance level.   

This project is to stuff these functions inside a Raspberry Pi and perform caching and sanitation functions regardless of what the actual bandwidth is (which later will be grafted into the Pi). 

Found Squid as-is current config is abusive to the puny disk IO and creates basically an outage when it goes to writing in mass.  So have that offline and eliminated for the time being.

Privoxy and Polipo are both on the testing bench now. Looking for something with caching and magic to glue together while not performing horribly/slow perception on load.
 
Last edited by a moderator:
Top