My objective is to allow clients over the internet to connect to a squid proxy server, provide a username and password, and then access several http servers on the internal network that the server is part of, by using IP addresses like 192.168.11.152. Currently, access to these servers is handled via a mess of NAT port forwards from internal port 80 at some IP, to a nonstandard external port. This requires people to remember that the device with IP 192.168.11.152 is accessed via http://example.com:8936, and is not ideal. Also, many of the devices do not support usernames and passwords, so I am depending on security through obscurity. I do not want to use a VPN, because the only traffic I want to allow into the network from outside is HTTP and HTTPS traffic. I cannot modify the HTTP servers on any of my devices, as they are all embedded systems (power switches, security cameras, signalling devices, etc). I have searched for guides on setting up squid proxy servers on debian, but they are all about setting up anonymous proxies, do not support usernames and passwords, and allow proxy connections to external resources. Once connected to the proxy, the only traffic that it should forward is traffic to 192.168.11.xxx addresses. So, my questions:
- Is this even possible? Based on my Google searches, nobody is doing this, and maybe that's because it can't be done?
- Is this a good idea? If not, are there any better ones that are more secure and still meet my requirements?
- Where do I start? All of the online guides just give cut and paste config files, without explaining anything, so I can't really modify them to my purposes. The man pages are obscure enough that I would already need to know what I want before finding information about it. Is there a good book/set of tutorials somewhere I missed?
I realize that a complete answer to this question would take more time than anyone who isn't me can spend on this. I'll accept an answer that briefly discusses the above 3 points and comes with detailed references.
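For the Squid side of the question (authenticated users, destinations restricted to 192.168.11.x, nothing else forwarded), here is an added example squid.conf, not taken from the question or from any answer on this page. The helper path `/usr/lib/squid/basic_ncsa_auth`, the password file `/etc/squid/passwd`, and port 3128 are assumptions for a Debian install; check `squid -v` for the real helper directory on your build.

```conf
# Added example (not from the original post): Squid as an authenticating
# forward proxy that only reaches the internal device subnet.
# Assumed paths/ports for Debian; adjust to match `squid -v` output.

http_port 3128

# Basic auth against an htpasswd-style file.
# Create a user with:  htpasswd -c /etc/squid/passwd alice
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internal device proxy
auth_param basic credentialsttl 2 hours

# A request only matches this ACL once the client has supplied valid credentials
acl authenticated proxy_auth REQUIRED

# The only destinations this proxy is allowed to reach
acl internal_devices dst 192.168.11.0/24

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Refuse anything that is not plain HTTP/HTTPS, and CONNECT to anything but 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Require a login before any destination rule is evaluated
http_access deny !authenticated

# Allow the device subnet and nothing else; external sites are refused,
# so the proxy cannot be abused as an open relay to the internet
http_access allow internal_devices
http_access deny all

# Do not advertise the proxy or the client address to the embedded devices
via off
forwarded_for delete

# Camera and switch pages should never be served from cache
cache deny all
```

Basic auth sends the username and password in clear text on a plain `http_port`, so if this port faces the internet, put a TLS terminator in front of Squid (or use `https_port` with a certificate) rather than exposing 3128 directly. Test the policy before opening the firewall: a request to an external site through the proxy should receive a 403 while a request to a 192.168.11.x address is proxied.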
There is an excellent alternative if your users have SSH access to the network.
Using e.g.
they open a SOCKS proxy port on their respective local machine. They can then proceed to access any destination on the local net of the SSH server via this SOCKS proxy.
This can be made especially handy using Firefox with an extension such as Foxy Proxy, in which you can define a whitelist (e.g. `http://192.168.11.*/` plus https) so that the respective IPs (and only those) are visited via the proxy.