Date:      Fri, 08 Dec 2006 06:53:44 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        ??? <weiwu@sdf.lonestar.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: access wikipedia (walk through the great firewall of China)
Message-ID:  <45790BF8.9050102@infracaninophile.co.uk>
In-Reply-To: <1165559159.8140.5.camel@joe.realss.com>
References:  <1165559159.8140.5.camel@joe.realss.com>


??? wrote:
> Hello. My office uses this method to access wikipedia behind the great
> firewall of China:
>
> 1) we have a server in Europe, let's call it server;
> 2) I run this command on my desktop:
> $ ssh -L 80:en.wikipedia.org:80 server;
> 3) everybody in the office edits /etc/hosts, adding this line:
> [my_ip_addr] en.wikipedia.org
>
> So my computer becomes a 'proxy'.
>
> The trouble is I have to keep the ssh running there. The 'proxy' will
> not automatically set up next time I reboot my computer.
>
> Is it possible to install some software to run as a daemon and do this
> proxy?
>
> I think of stunnel, but I have too little knowledge to know if stunnel can
> do this.

There are two general possibilities here:

  a) A Web cache/proxy -- squid is the canonical example, but you can
     do this sort of stuff in apache very readily.  I think apache
     would be a good place for you to start, as most sysadmins have
     at least a passing acquaintance with its configuration.

     You'd need to set up a proxy on your European server to redirect
     any web traffic to en.wikipedia.org -- your users would use the
     service exactly as they do at the moment, but they'd put the
     IP of the European server into their hosts file, rather than
     your desktop.  If that is a problem, then you can chain together
     a series of proxies starting with your desktop machine, then
     the European server -- but performance may be a tad slow.

  b) IPsec or other VPN tunnel between your server in Europe and a
     local firewall -- preferably your local firewall should be on
     the egress path from your LAN.  Then you can arrange routing
     so that packets to destinations in Europe pass through the
     tunnel and use your European server as the gateway to the
     internet.  In this case, there shouldn't be any need for your
     users to have to spoof the address of en.wikipedia.org in
     their hosts files.  IPSec comes standard with FreeBSD, but
     you'd probably want to combine it with pf(4) or other firewall
     software which you can use to control redirecting appropriate
     packets through your tunnel.  If IPSec is too mind-mangling
     for you, OpenVPN (in ports) is a pretty good alternative.

     You'll almost definitely want to configure a NAT gateway on
     the European server.

Either of these solutions will run automatically on system startup, if
so configured.  Option (a) will send your web traffic across the net
in clear-text unless you can chain two proxies together and get creative
about using HTTPS.  Or you can combine both approaches: use a local HTTP
proxy with a VPN tunnel to your European server.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
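
An Apache configuration for option (a) on the European server, added here as an illustration and not part of Matthew's message. It assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded; 203.0.113.10 is a constructed placeholder for the office's public address, and the access restriction is an added hardening step so the server is not usable as a relay by anyone else.

```apache
# Added example, not from the original message.
# Assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded.
<VirtualHost *:80>
    # Clients reach this vhost because their hosts file maps
    # en.wikipedia.org to this server's address.
    ServerName en.wikipedia.org

    # Reverse proxy only. With ProxyRequests Off the server refuses
    # forward-proxy requests for arbitrary destinations.
    ProxyRequests Off

    # Relay every path to the real site, and rewrite Location headers in
    # redirects so clients keep talking to this server.
    ProxyPass        "/" "http://en.wikipedia.org/"
    ProxyPassReverse "/" "http://en.wikipedia.org/"

    # Assumption: 203.0.113.10 is a constructed placeholder for the
    # office's public address. Everyone else is refused.
    <Location "/">
        Require ip 203.0.113.10
    </Location>

    # The client-to-server hop here is plain HTTP, i.e. the clear-text
    # case the message describes for option (a).
</VirtualHost>
```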

