Sometimes you can’t connect to an SSH server from your current location. Other times, you may want to add an extra layer of security to your SSH connection. In these cases connecting to another SSH server via a proxy server is one way to get through.
Squid is a full-featured proxy server application that provides caching and proxy services. It’s normally used to help improve response times and reduce network bandwidth by reusing and caching previously requested web pages during browsing.
However for this setup you’ll configure Squid to be used as an SSH proxy server since it’s a robust trusted proxy server that is easy to configure.
Installation and configuration
Install the squid package using sudo:
$ sudo dnf install squid -y
The squid configuration file is quite extensive but there are only a few things we need to configure. Squid uses access control lists to manage connections.
Edit the /etc/squid/squid.conf file to make sure you have the two lines explained below.
First, specify your local IP network. The default configuration file already has a list of the most common ones but you will need to add yours if it’s not there. For example, if your local IP network range is 192.168.1.X, this is how the line would look:
acl localnet src 192.168.1.0/24
Next, add the SSH port as a safe port by adding the following line:
acl Safe_ports port 22
Save that file. Now enable and restart the squid proxy service:
$ sudo systemctl enable squid $ sudo systemctl restart squid
4.) By default squid proxy listens on port 3128. Configure firewalld to allow for this:
$ sudo firewall-cmd --add-service=squid --perm $ sudo firewall-cmd --reload
Testing the ssh proxy connection
To connect to a server via ssh through a proxy server we’ll be using netcat.
Install nmap-ncat if it’s not already installed:
$ sudo dnf install nmap-ncat -y
Here is an example of a standard ssh connection:
$ ssh firstname.lastname@example.org
Here is how you would connect to that same server using the squid proxy server as a gateway.
This example assumes the squid proxy server’s IP address is 192.168.1.63. You can also use the host-name or the FQDN of the squid proxy server:
$ ssh email@example.com -o "ProxyCommand nc --proxy 192.168.1.63:3128 %h %p"
Here are the meanings of the options:
- ProxyCommand – Tells ssh a proxy command is going to be used.
- nc – The command used to establish the connection to the proxy server. This is the netcat command.
- %h – The placeholder for the proxy server’s host-name or IP address.
- %p – The placeholder for the proxy server’s port number.
There are many ways to configure an SSH proxy server but this is a simple way to get started.