Saturday, April 19, 2008

A better way to proxy

Following on from the post My little Proxy a few years ago, there is now a much easier way to do this.

So the problem is that I want to access online journals and databases like MathSciNet that we have a subscription for at work, but despite the wonders of Athens, Shibboleth and other "single login" methods to access online resources, there are still some things that stubbornly insist on checking your IP address.

Running squid on my desktop machine worked up to a point but I found there were some sites I needed that for some reason did not work with that.

The "Official" solution was to use the University's proprietary and highly flaky VPN service. As well as being unreliable, the damn thing also disables access to the local network (on both adapters). This is obviously a complete load of pants if you want to download a paper then print it out on your printer on your home network. Oh dear, don't let me get started on another rant about "worst practice" software procurement!

Anyway, a nice chap from information systems gave me a "completely unsupported" (nudge nudge wink wink) workaround: ssh -D.

Here is how it is meant to work. Choose a typical proxy port like 8080, and a server you can ssh in to on campus (preferably your own of course, but it works with our departmental Linux cluster). Let's call the machine fred.fun.ac.uk (it's not his real name). My username on fred is assumed to be me.

Now from a terminal run ssh -D 8080 me@fred.fun.ac.uk

This now means that on your local machine (my laptop is running Mandriva 2006, but I expect the same works for other proper operating systems) it looks like there is a SOCKS 5 proxy running on port 8080.

Now I configured a proxy in Firefox: Edit > Preferences > Advanced > Network Connection Settings.
I chose localhost and 8080. Now that did not work. In the terminal where ssh is running I get the error message

channel 3: open failed: administratively prohibited: open failed

Not sure exactly what is going on here, but it seems necessary in Firefox at least to use the IP address 127.0.0.1 instead of localhost for your own computer (could be something in /etc/hosts?) and you need to click the SOCKS 5 radio button (may depend on how new your ssh is, I suppose?)

Finally, switching the proxy on and off is a bit of a pain without a nice Firefox add-on called FoxyProxy. This makes it easy to, for example, switch the proxy on and off by clicking on the status bar, or to use the proxy only for certain websites.

On some of our machines we set the sshd to listen on a port other than 22. This can be helpful for example when you are using a public wireless connection in a cafe or one of the University's cobbled wireless access points that blocks port 22. Just change the line in /etc/ssh/sshd_config.

One thing I would like now is a script that reconnects the ssh -D when the connection drops, e.g. when using wireless.
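
One way to write such a reconnect script, as an added example that is not from the original post. The variable and function names are made up here, the host is the post's placeholder, and key-based login is assumed because BatchMode stops ssh from prompting for a password.

```sh
#!/bin/sh
# Added example: keep the "ssh -D" SOCKS proxy from the post alive across drops.
# SOCKS_PORT, SSH_TARGET, SSH_CMD, MAX_DELAY, STABLE_SECS are names made up here.
SOCKS_PORT="${SOCKS_PORT:-8080}"
SSH_TARGET="${SSH_TARGET:-me@fred.fun.ac.uk}"  # placeholder host used in the post
SSH_CMD="${SSH_CMD:-ssh}"
MAX_DELAY="${MAX_DELAY:-60}"      # cap on the wait between reconnects, seconds
STABLE_SECS="${STABLE_SECS:-30}"  # uptime after which the backoff is reset

# Double the retry delay, capped at MAX_DELAY.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

# Run the tunnel in the foreground; ssh exits when the link dies.
run_tunnel() {
    # -N: no remote command. 127.0.0.1: proxy reachable from this machine only.
    # ServerAlive*: notice a dead wireless link in about 45 s instead of hanging.
    # ExitOnForwardFailure: give up at once if the local port is already taken.
    # BatchMode: never prompt, so key-based login is assumed.
    "$SSH_CMD" -N -D "127.0.0.1:$SOCKS_PORT" \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -o ExitOnForwardFailure=yes -o BatchMode=yes "$SSH_TARGET"
}

# keep_tunnel [MAX_ATTEMPTS]: reconnect until ssh exits 0; 0 attempts = forever.
keep_tunnel() {
    max="${1:-0}"; attempt=0; delay=1
    while :; do
        attempt=$((attempt + 1))
        started=$(date +%s)
        if run_tunnel; then return 0; fi
        if [ "$max" -gt 0 ] && [ "$attempt" -ge "$max" ]; then return 1; fi
        # A tunnel that stayed up for a while earns a fast reconnect.
        if [ $(( $(date +%s) - started )) -ge "$STABLE_SECS" ]; then delay=1; fi
        echo "tunnel down (attempt $attempt), retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Only start when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "start" ]; then keep_tunnel "${2:-0}"; fi
```

Saved under a name of your choosing and run with the argument start, it loops until interrupted; a second argument limits the number of attempts.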


Some links


  • This arstechnica discussion also diagnosed my problem.
  • SOCKS on Wikipedia in case you wondered what it was.
  • OpenSSH manual page for ssh
  • Another blog doing this on Mac OS X
  • FoxyProxy
  • Check the IP address you are browsing from here, for example.
  • Apparently it can be done on Microsoft Windows too, here, using PuTTY. (duh I like that, windows, putty, get it?)
  • You probably want to set it up so you don't need to type a password when you log in to ssh. Here is how to do it.

1 Comments:

    Blogger Billlion said...

    autossh makes this even better as it restarts the ssh tunnel if the connection is dropped.

    My command is autossh -M 29001 -f -ND 8080 bill@workcomputer

    TODO: make this start in an rc.d script when I switch profile to "home"

    4:08 AM  
