Little-known features of ssh and web browsers (Firefox at least) make it fairly simple to use the web browser to get to web pages that are hidden behind firewalls (such as the Fermilab Time & Effort reporting system when you're off-site). Ssh has a 'DynamicForward' feature which provides a SOCKS service that can make any TCP connection from the server on behalf of the client. Web browsers support "proxy auto-configuration" (.pac) files that contain a small programming language which, among other things, enables automatically selecting the SOCKS service for selected web sites. It can even be set up to behave differently based on the IP address of a laptop so it only takes effect when the laptop is outside of Fermilab. For those of us who are accustomed to using ssh, this is more convenient than a VPN and much better-performing than running a separate web browser inside the firewall over an X connection or VNC or even nomachine.
This is what I put in my ~/.ssh/config, using fnalu as an example although it can be any ssh server inside the firewall and any port available on your desktop/laptop:
    Host fnalu-first
        Hostname fnalu.fnal.gov
        DynamicForward 1078
A similar dynamic forward can be set up for Windows users in PuTTY under
the "SSH" "Tunnels" option page.
Then I create a .pac file with this for accessing restricted Fermilab websites:
    function FindProxyForURL(url, host) {
        // internal-only FNAL sites
        if (shExpMatch(url,"*bss*.fnal.gov*")
            || shExpMatch(url,"*/time*.fnal.gov*")
            || shExpMatch(url,"*/finance.fnal.gov*")
            || shExpMatch(url,"*/fin-hrweb.fnal.gov*")
           ) {
            // go direct if inside the FNAL firewall
            if (isInNet(myIpAddress(),"131.225.0.0","255.255.0.0")) {
                return "DIRECT";
            }
            return "SOCKS5 127.0.0.1:1078";
        }
        // All other requests go directly to the WWW:
        return "DIRECT";
    }
You can put that file either on your local disk or on a web site (or
use mine), and then at least in Firefox 3 you go to
"Preferences" "Advanced" "Network" "Settings" and fill in an Automatic
proxy configuration URL and click OK. If you change the contents of the
file and want to use it without restarting Firefox, go to the same place
and click Reload. A URL for a file on the local disk is "file://" plus
the complete path (which itself begins with a slash for a total of 3
slashes).
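Before pointing Firefox at the .pac file it is worth checking offline which URLs will be sent through the SOCKS tunnel and which go direct. The harness below is an added example, not part of the original post: it reimplements the browser-provided helpers shExpMatch, isInNet and myIpAddress (the client address and the test URLs are constructed values) and runs the post's FindProxyForURL against them.

```javascript
// Offline harness for the PAC file above (added example, not from the post).
// The browser normally supplies shExpMatch, isInNet and myIpAddress; they are
// reimplemented here so FindProxyForURL can be checked before deployment.

// Glob match as shExpMatch does: '*' matches any run of characters, '?' one.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// True when address `ip` lies inside the network `net` with netmask `mask`.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// myIpAddress() is browser-provided; here it returns a constructed address
// that routeFor() sets so on-site and off-site cases can both be exercised.
let simulatedClientIp = "10.0.0.5";
function myIpAddress() { return simulatedClientIp; }

// FindProxyForURL exactly as in the .pac file above.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "*bss*.fnal.gov*")
      || shExpMatch(url, "*/time*.fnal.gov*")
      || shExpMatch(url, "*/finance.fnal.gov*")
      || shExpMatch(url, "*/fin-hrweb.fnal.gov*")) {
    if (isInNet(myIpAddress(), "131.225.0.0", "255.255.0.0")) {
      return "DIRECT";
    }
    return "SOCKS5 127.0.0.1:1078";
  }
  return "DIRECT";
}

// Routing decision for `url` as seen from a client with address `clientIp`.
function routeFor(url, clientIp) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}
```

Note that the patterns are applied to the whole URL, so a path or query string that happens to contain one of the site names also selects the tunnel; match on the `host` argument instead if only the hostname should decide.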
Then whenever I am outside the firewall and need to access a restricted site I just need to do 'ssh fnalu-first' in one xterm window first. If I forget to connect I get an error saying the proxy refused to make the connection.