Problem: Network-based access control

If you're at Cambridge University, you've probably noticed that some Web resources (internal websites, anti-virus software, etc.) are only available inside Cambridge. To stop the general public accessing these resources, they're set up so only computers inside the Cambridge network can get to them. That's great if you're on the network (for instance, if you have a network port in your room), but not so good if you need to connect in from the outside. For instance, if you're at home for the holiday, or if you're in a house with a commercial ISP connection (like Emmanuel College's houses in Warkworth Street, some of which have NTL cable modems), you're out of luck.

Solution: use an intermediary

You can get round this by connecting to a “proxy” inside Cambridge which is willing to forward your network connections: you connect to the proxy, it connects to the web server, the web server sees a connection from the proxy and is willing to serve Cambridge-only files, and the proxy sends the files back to you. Of course, the proxy needs to confirm that you're really a Cambridge student in the first place, so you need to open some sort of secure connection to it.

The Student-Run Computing Facility is a Linux server in the CUSU office, on which any Cambridge student can ask for a free account. Once you have an account on it (which also gives you 100MB of webspace and access to a Linux shell, both of which are useful in their own right) you can use it as your intermediary; you log in from “outside” via the Secure Shell (ssh), and tell your web browser to forward requests through it.

In fact, that's not quite enough: the other end of the connection needs to be a full HTTP proxy server, which is able to detect which computer you want to connect to, and connect there itself. The university web cache (wwwcache.cam.ac.uk, the same proxy server you should be using during term) will do nicely for this.

The connection looks like this:

Your computer connects to the Internet via your ISP, and opens a Secure Shell connection across the Internet to the SRCF; the SRCF connects to wwwcache, which connects to a private web server and a private FTP server.

How to do that

The Secure Shell server offered by the SRCF has built-in features for this sort of thing; in this case, we want local port forwarding. In local port forwarding, the SSH client on your computer opens a server port on your computer; when your web browser connects to that port, the SSH client forwards the connection through its encrypted connection to the SRCF. At the other end, the SRCF's SSH server responds by opening a connection to whatever port you like, on whatever computer you like, and sending your data into that; the reply will come back to the SRCF, go through the encrypted connection to your home computer, and be sent to your web browser.

The settings needed for this are: local port forwarding, local port set to whatever you like (any unused port between 1024 and 65535), remote host set to the remote server you want to connect to, and remote port set to the port you want on that server. In our case, the remote server is wwwcache.cam.ac.uk and the remote port is 8080 (the standard port for HTTP proxy servers).

If you're using a Unix-ish operating system like Linux, Mac OS X or BSD, you probably already have a copy of OpenSSH. If so, the command to use is ‘ssh -L 1234:wwwcache.cam.ac.uk:8080 spqr1@kern.srcf.ucam.org’, replacing 1234 with the local port you want and spqr1 with your Cambridge username.

If you're using PuTTY on Windows, connect to kern.srcf.ucam.org with your usual username; before connecting, under the Connection/SSH/Tunnels category in the configuration dialog, add a forwarded local port, with source port 1234 (or whatever) and destination ‘wwwcache.cam.ac.uk:8080’.

Once the connection is open, configure your browser's proxy server (for both HTTP and FTP) to be localhost (a reserved name which means whichever computer you're currently using); the port number is whichever local port you chose (e.g. 1234). In some browsers you'd write that as localhost:1234 or http://localhost:1234.

When you've finished downloading, close your connection to the SRCF and set your browser's proxy server back to the way it used to be.
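The forwarded port gives whoever can reach it the same Cambridge-only access you have, so it should listen on the loopback interface only. The script below is an added example, not part of the original page: it builds the OpenSSH command from above with an explicit 127.0.0.1 bind, and checks `ss -ltn` output for a listener on your chosen port that is reachable from other machines. The `-N` and `ExitOnForwardFailure` options, the function names, the username pattern and the sample listener output are additions or assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# valid_port PORT: succeeds if PORT is an integer in 1024-65535,
# the range the page recommends for the local end of the tunnel.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digits, or too long
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LOCAL_PORT USER: print the ssh command for the page's tunnel.
# 127.0.0.1 pins the listener to loopback, -N skips the remote shell, and
# ExitOnForwardFailure makes ssh quit if the local port is already taken.
tunnel_cmd() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    case "$2" in   # assumption: usernames are lowercase letters and digits
        ''|*[!a-z0-9]*) echo "bad username: $2" >&2; return 1 ;;
    esac
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:wwwcache.cam.ac.uk:8080 %s@kern.srcf.ucam.org\n' "$1" "$2"
}

# exposed_listeners PORT: read `ss -ltn` output on stdin and print every
# local address listening on PORT that is not a loopback address.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") print addr
        }'
}

# Constructed sample output: a loopback-only tunnel, and one that is
# listening on every interface (e.g. started with a wildcard bind address).
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1234     0.0.0.0:*
LISTEN 0      128    [::1]:1234         [::]:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1234       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

tunnel_cmd 1234 spqr1
```

On a live Linux system, run `ss -ltn | exposed_listeners 1234` while the tunnel is up; no output means the port is reachable only from your own computer.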

Configuration examples for specific browsers

MS Internet Explorer 6

If you're on a LAN connection (including cable, DSL, Internet Connection Sharing, etc.), go into Tools/Internet Options. On the Connections tab, choose LAN Settings. Untick Automatically detect settings and Use automatic configuration script, tick Use a proxy server for your LAN, and click Advanced. Under Servers, fill in localhost port 1234 (or whatever) for both HTTP and FTP.


Sorry, I haven't used dialup for a while, so I don't know how to set up proxies for that.

Netscape Navigator 7

[TODO]

Mozilla Firebird 0.6

In the Connection section of Options, choose ‘Manual proxy configuration’ and fill in localhost port 1234 (or whichever port you chose) for both FTP and HTTP.


Konqueror 3

In the Proxy section of Konqueror preferences, choose ‘Manually specified settings’, then set the HTTP and FTP proxy servers to localhost port 1234 (or whichever port you chose).
