Today I cannot access my blog site from my home because of the [bad behavior] module that blocks malicious requests. It is blocked because my home IP (dynamically assigned) is listed in the CBL (Composite Blocking List): someone who used this IP a week ago seems to have had lots of trojans and spam bots installed on his/her machine.
My solution is that I need another proxy, and the best one out there is my own. I installed squid on my server. However, I don't want to share this proxy with anyone else. So, these are the things I have to do:
- setup a secure channel from my home to my server
- setup squid to accept only the connection from my server (itself).
The first task can be done very easily with my good old tool, OpenVPN.
Install openvpn on the server and the client
Set up the config file for the server, modifying the following values:
    port [put port number here]
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/server.crt
    key easy-rsa/keys/server.key
    dh easy-rsa/keys/dh1024.pem
Run the following commands on the server (in the directory /etc/openvpn/easy-rsa):
    . ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
The final step builds the server certificate and key for openvpn. It asks for some information, for which the default values do nicely. When the script asks for a passphrase, I simply leave it blank, and I answer the Yes/No questions with yes. After that, I have to build a certificate for the client by
with the same information as used for the server. Finally, I build the Diffie-Hellman parameters (the dh1024.pem file referenced in the server config).
After that, I take the following files to my home PC.
    ca.crt
    client1.crt
    client1.key
Set up the config file for the client (home PC), modifying the following value:
    remote [my.server.ip.address] [my port]
The next step is to configure squid, setting up its ACLs (access control lists) as follows:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255 10.8.0.0/255.255.255.0
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
These ACLs allow HTTP access only from "localhost", which in this config covers 127.0.0.1 and the whole OpenVPN subnet 10.8.0.0/24 (the server at 10.8.0.1 and the clients connected through the tunnel), and deny everything else, so the proxy is not reachable from the public Internet.
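To check what these rules actually permit before exposing the proxy, here is an added example (not code from the original post) that replays squid's first-match http_access evaluation over the ACLs above in Python. The request parameters (source IP, destination port, method, protocol) and the sample addresses are constructed for this example.

```python
import ipaddress

# The squid ACLs from the post, transcribed as data for this example (the
# "all" ACL is written in CIDR form because ipaddress expects it).
ACLS = {
    "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),
    "manager": ("proto", {"cache_object"}),
    "localhost": ("src", [ipaddress.ip_network("127.0.0.1/32"),
                          ipaddress.ip_network("10.8.0.0/24")]),
    "SSL_ports": ("port", {443, 563}),
    "Safe_ports": ("port", {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}
                   | set(range(1025, 65536))),
    "CONNECT": ("method", {"CONNECT"}),
}

# The http_access lines in the post's order. All ACLs on one line must match
# for that line to apply; a leading "!" negates the ACL.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def acl_matches(name, src, port, method, proto):
    kind, values = ACLS[name]
    if kind == "src":
        return any(src in net for net in values)
    if kind == "port":
        return port in values
    if kind == "method":
        return method in values
    return proto in values

def squid_decision(src_ip, dst_port, method="GET", proto="http"):
    """Return "allow" or "deny" for a request using squid's first-match rule:
    the first http_access line whose ACLs all match decides. If no line
    matches, squid applies the opposite of the last line's action."""
    src = ipaddress.ip_address(src_ip)
    for action, acls in HTTP_ACCESS:
        if all(acl_matches(a.lstrip("!"), src, dst_port, method, proto)
               != a.startswith("!") for a in acls):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

For instance, squid_decision("10.8.0.6", 80) returns "allow" for a VPN client, while squid_decision("203.0.113.9", 80) returns "deny" for an Internet host, and CONNECT from a VPN client is allowed only to the SSL ports.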