[sslh] Restrictive squid proxy

Nicolai Ehemann en at enlightened.de
Wed Aug 7 10:32:28 CEST 2013



Hi,

first of all: no offense intended. I think it's quite cumbersome to
configure many services on one port, while I think it's easier and
more secure to use ssh port forwardings if only you use them. But
that's up to you.

> I like WEB interfaces, of course and usually I use them.
With port forwarding, you can still use them, but they are no longer
exposed to the outside. While ssh is quite thoroughly audited and
tested security-wise, web interfaces tend to expose security problems.
You can greatly reduce your signature by not exposing them (the
OpenWRT web interface probably is much better than those shipped by
the router vendors).

> If you have got a simpler or nicer solution for my task I'd like to
> know that! ;-) I know about SSH port forwarding but I like good
> ideas.
I don't know how you connect to ssh; but you can simply set up the ssh
connection once (by an alias, a script, a putty configuration or
whatever). Afterwards, it's simply opening the ssh connection, and all
your services from router and nas are directly accessible on different
ports on the local host. No problems with the squid proxy at all, plus
your ports are not exposed to the public, plus all traffic (also on
http) is securely tunneled and encrypted via ssh. I think that's
simple and nice, that's why I do it like this :-).

> SSH port forwarding problem: change sshd port to 443 because I
> don't want to see many intruders in my router's log if sshd is
> listening on the default port 22.
That's of course a sensible application of sslh.

Yours, Nico
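One way to "set up the ssh connection once" as described above, written as an OpenSSH client configuration. This is an added example, not configuration from the thread; the hostname, user, LAN addresses, the squid proxy address and the local port numbers are assumptions.

```ssh_config
# ~/.ssh/config  (added example; hostnames, addresses and ports are assumed)
Host home
    HostName home.example.org          # public address of the router (assumed)
    Port 443                           # sshd reachable on 443, behind sslh as in the thread
    User nico                          # assumed login name on the router

    # If the only way out is the restrictive squid proxy, tunnel the ssh
    # session through it (proxy address assumed; needs OpenBSD-style nc):
    # ProxyCommand nc -X connect -x proxy.example.net:3128 %h %p

    # Router web interface (assumed at 192.168.1.1:80) -> http://127.0.0.1:8080
    LocalForward 127.0.0.1:8080 192.168.1.1:80
    # NAS web interface (assumed at 192.168.1.10:5000) -> http://127.0.0.1:5000
    LocalForward 127.0.0.1:5000 192.168.1.10:5000

    # Binding to 127.0.0.1 keeps the forwarded ports reachable only from
    # this machine; the web interfaces stay unexposed to the network.
    ExitOnForwardFailure yes           # fail instead of silently running without tunnels
    ServerAliveInterval 30             # keep the idle tunnel from being dropped
    ServerAliveCountMax 3
```

`ssh -N home` then opens the tunnels without a remote shell, and the router and NAS interfaces are available on the local ports, encrypted end to end inside ssh.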
