Monday, May 17, 2010

Secure, Anonymous Browsing With Your Own EC2 Proxy Server

One of the things that has blown up in the past few years is Cloud computing, and specifically Amazon Web Services. One of the other things that has blown up has been the invasion of privacy, particularly with regards to the Internet. So here's how you can send a big "fuck you" to any peeping tom governments, corporations, or individuals.

This post will take you through setting up a stateless proxy server on Amazon's Elastic Compute Cloud (EC2) and show you how to tunnel into it via SSH from your home PC. All in 6 easy steps.

1. Setup an Amazon Web Services account
There are a zillion tutorials on the net about how to get up and running with Amazon Web Services (AWS), so put Google to use if you don't have an AWS account already and come back here when you're done.

2. Launch an Ubuntu 10.04 EC2 Instance
Welcome back. Now that you have your AWS account set up, we can launch an EC2 instance which we'll turn into a proxy server. I'll walk through some basics for the first timers.

You should now be logged into the EC2 Management Console, which looks like:


Before we launch an instance, we need to modify the firewall that wraps all EC2 instances (the security group), and set up a key pair to use with SSH. So click on the Security Groups link over on the left hand side. In the Security Groups section, select the 'default' group and add a new rule to allow SSH connections (TCP port 22), as follows. If the console lets you set a source address, limit the rule to your own IP rather than opening port 22 to the whole Internet:


Click Save, and you're done. The EC2 firewall lives completely outside of the instance and is ingress only, so you don't need to worry about setting any outbound rules.

Now click on the Key Pairs option over on the left hand side. It should be immediately obvious how to create a new key pair, and the name you give it is purely for use within the EC2 management console, so you can call it something simple and friendly like "proxy". The critical thing is that doing so will prompt you to download a .pem file, which is the private key. Remember where you save this file, as you will need it later to connect to the instance, and keep it private: it is the only credential for the instance, and OpenSSH will refuse to use a key file that other users can read. You can always create a new key pair if you lose it though, so don't stress.

Now we are ready to launch an instance, so go back to the EC2 Dashboard page. In this case, we'll use one of alestic's excellent AMIs and run it up in the US-EAST-1 region. The ID of the AMI we'll use is ami-2d4aa444 (a 32-bit Ubuntu 10.04 server), which I got from the alestic website.

Click on the Launch Instance button. Click on the Community AMIs tab, paste the AMI ID into the search box, and hit Enter:


Click on the select button, which will bring us to the next screen, Instance Details. Just leave the defaults, which should be 1 instance of type Small. We don't care about the availability zone. Click Continue.

Here we have the option to use an existing Key Pair or create a new one. The choice is yours, but since we did the legwork already we might as well use our existing Key Pair (unless you have already lost the private key file!). Click Continue.

Once again, since we already set up the default security group with everything we need, we might as well use that. Click Continue.

Finally, we come to the order review screen. It should look something like:


Make sure everything is in order, because when you click Launch you'll start getting billed... at the whopping rate of $0.085 USD per hour (plus per-month bandwidth charges, which are also fuck all and the first gig is free).

Once your instance has a status of "running", note down the Public DNS name - you'll need it in order to connect to the instance.

3. Connect via SSH
If you're on Windows, first install a proper SSH client. Not that fucking piece of shite PuTTY - use a Cygwin-based one. If you use PuTTY, not only will you have to mess around with key conversions, you'll also have to mess around in the UI to set up a tunnel. If you _really_ have to use PuTTY, here's what the tunnel configuration looks like - enter the following in the 'Tunnels' section and click the 'Add' button:

[screenshot missing: the PuTTY tunnel settings mirror the command in step 5 - source port 667, destination localhost:8888, type Local]

I like to use CopSSH, a well maintained package for Windows (unlike the poser who runs the sshwindows sourceforge project) from ITeFix that you can download from here. Note that you only need the client binaries, so if you're freaking out at CopSSH installing a Windows service you can just go and disable it after the installation is complete.

Fire up a command window, change into the directory where you installed SSH, and connect to your new EC2 instance with a command that looks something like:

ssh ubuntu@ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com -i \path\to\proxy.pem

Obviously I've changed a few things there to protect the innocent. The main thing to note is that the username is 'ubuntu' (not 'root'), and by default you can only authenticate using keys. If everything has worked, you should see something like this appear:

Linux domU-XX-XX-XX-XX-XX-XX 2.6.32-305-ec2 #9-Ubuntu SMP Thu Apr 15 04:14:01 UTC 2010 i686 GNU/Linux
Ubuntu 10.04 LTS

Welcome to Ubuntu!

...

ubuntu@domU-XX-XX-XX-XX-XX-XX:~$


Good job - now we can install Tinyproxy.

4. Install Tinyproxy
In your SSH session, issue 'sudo apt-get install tinyproxy' and exit the SSH session when you're done.

ubuntu@domU-XX-XX-XX-XX-XX-XX:~$ sudo apt-get install tinyproxy

...

Setting up tinyproxy (1.8.1-3) ...
Starting tinyproxy: tinyproxy.

ubuntu@domU-XX-XX-XX-XX-XX-XX:~$ exit
logout
Connection to ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com closed.


By default, Tinyproxy listens on port 8888 and only accepts local connections (the Allow lines in its config file are what enforce this, so leave them alone). That's fine for us, because we won't be connecting remotely to Tinyproxy - we'll be tunneling in via SSH!

5. Setup an SSH tunnel to your Tinyproxy box
Setting up the tunnel is dead easy, simply issue the following command:

ssh ubuntu@ec2-XXX-XXX-XXX-XXX.compute-1.amazonaws.com -i \path\to\proxy.pem -L 667:localhost:8888 -N

I'll explain what's going on there. The '-L' argument tells the SSH client to set up port forwarding. The structure of the parameter is local_port:destination:destination_port. Now the important thing to note here is that the "destination" is relative to the server you are connecting to - not the machine you are executing this command on. Because no bind address is given, the SSH client only listens on the loopback interface of your PC, so other machines on your network can't use your tunnel. Finally, the '-N' argument tells the SSH client not to execute any commands once it has established a connection to the remote server.

So in the example above, we are setting up a tunnel from port 667 on our local machine, and telling the remote SSH server to forward everything to port 8888 on itself.

Does it make sense now why we left the Tinyproxy defaults in place? We do not connect directly to the Tinyproxy daemon; we connect from port 667 of our local machine to the SSH daemon running on the server we installed Tinyproxy on, and then tell that SSH daemon to route all incoming traffic to local port 8888, which Tinyproxy is of course listening on.

6. Configure your browser
I'll repeat what I said in the last step... we do _not_ connect directly to the Tinyproxy daemon - even if we tried, it wouldn't work because Tinyproxy rejects all remote connections by default. So how do we configure the proxy settings in our browser? We point it at our local machine of course, specifically at the local port that we are using to forward everything via SSH, which in this example is port 667 (neighbour of the beast). Here is what it would look like in Firefox (surely you are not using any other browser):

[screenshot missing: Firefox manual proxy configuration with the HTTP proxy set to localhost, port 667]

Et voila! You're good to go. Bear in mind that the exit address is an EC2 address tied to your AWS account, so this hides you from the sites you visit, not from Amazon. Now I can watch stuff in the US that I wouldn't be able to otherwise, like episodes of The Daily Show that I've missed.
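If you want to check the client side of steps 4 to 6 rather than just trust the browser, here is a small checker I've added (it is not part of the original post): it splits the ssh -L spec the way sshd reads it, tests whether the local end of the tunnel is listening, and audits a tinyproxy.conf to confirm that only loopback clients are admitted. The two sample configs are constructed for illustration, not copied from the package.

```python
# Added example (not from the original post): client-side checks for the tunnel
# built in steps 4-6: parse the ssh -L spec, test whether the local end of the
# tunnel is listening, and audit a tinyproxy.conf for loopback-only access.
import ipaddress
import socket

LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
# Constructed excerpt in the shape of the Ubuntu tinyproxy defaults.
DEFAULT_CONF = "Port 8888\n#Allow 192.168.0.0/16\nAllow 127.0.0.1\n"
# Constructed misconfiguration: any client that can reach port 8888 is admitted.
EXPOSED_CONF = "Port 8888\nAllow 0.0.0.0/0\n"

def parse_forward_spec(spec):
    """Split an ssh -L spec '[bind:]local_port:destination:destination_port'.
    'destination' is resolved on the EC2 host by sshd, not on the local PC."""
    head, dest, dest_port = spec.rsplit(":", 2)
    bind, _, local_port = head.rpartition(":")
    return {"bind": bind or "localhost",  # ssh binds to loopback unless told otherwise
            "local_port": int(local_port), "destination": dest,
            "destination_port": int(dest_port)}

def local_port_open(port, host="127.0.0.1", timeout=0.5):
    """True when something (ideally the ssh -L listener) accepts TCP on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, int(port))) == 0

def _is_loopback(entry):
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:  # hostnames and the like: conservatively not loopback
        return False
    return any(net.version == lb.version and net.subnet_of(lb) for lb in LOOPBACK)

def audit_tinyproxy_conf(text):
    """Collect Port and Allow directives and decide whether only loopback clients get in.
    Tinyproxy admits every client when no Allow or Deny line is present."""
    found = {"port": None, "allow": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            found["port"] = int(value)
        elif key == "allow":
            found["allow"].append(value)
    found["loopback_only"] = bool(found["allow"]) and all(map(_is_loopback, found["allow"]))
    return found
```

Run local_port_open(667) with the tunnel up and then with it down to see the difference the commenters were asking about; feed audit_tinyproxy_conf the contents of the real config file on the instance to confirm the Allow lines still only cover loopback.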


Happy days!

10 comments:

Anonymous said...

Nice one

Anonymous said...

Awesome! Hulu doesn't work though. Apparently they detect that you are in the EC2 cloud.

Any automated scripts yet?

Anonymous said...

Thanks for the info. It seems I had this working for a day. Now I've tried the exact same directions again and again starting over and I can't connect to the proxy! Frustrating. Is there a way to test the server/client sides to make sure they are doing what they are supposed to?

Anonymous said...

I'm just now realizing this is your only serious technical post in 5 years and it's a year old. Stuck in BF BC2?

Justin Paine said...

Privoxy -- http://www.privoxy.org/ -- works in a similar way also (as another option). Any pros/cons between Privoxy and TinyProxy?

Anonymous said...

Why use Tinyproxy when in PuTTY you can use the dynamic port forward option: http://thestateofme.files.wordpress.com/2010/10/puttytunnel.jpg

Kane William said...

I use Hotspot Shield Free VPN instead of unreliable proxy sites. It completely bypasses information from our ISP and provides secure browsing. ( www.hotspotshield.com/secure-browsing )

GamerGeek said...

Thanks heaps man, you got me over the final hurdle

best dry shampoos said...

This stuff is down to earth, hats off buds out there. anonymous browsing

Julia David said...

Thanks for giving me information about my problem. I was searching the NET and here I found. Also if you want more work just click
access Mp3Raid in UK