In this arrangement, stunnel acts as a TLS/SSL wrapper while 3proxy acts as a proxy server.
For security, a valid (sub)domain and a valid SSL certificate for it are needed.
- 3proxy part:
  - Install via repo or build from source;
  - Configure a proxy server listening only on 127.0.0.1 but with auth; an example 3proxy.cfg follows:

    ```
    daemon
    # CL = cleartext password; replace both the user name and the password
    users user:CL:password
    # require a user name and password on every request
    auth strong
    allow user
    # -p8080: listen port; -i127.0.0.1: bind to loopback only, so only stunnel can reach it
    proxy -p8080 -n -a -i127.0.0.1
    ```

  - Start it.
- stunnel part:
  - Install via repo or build from source, remembering to enable it in /etc/default/stunnel*;
  - Configure a hardened tunnel; an example tunnel.conf follows:

    ```
    options = NO_SSLv2
    options = NO_SSLv3
    options = SINGLE_ECDH_USE
    options = SINGLE_DH_USE
    ciphers = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    ; drop privileges and confine the process after start-up
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; this path is relative to the chroot
    pid = /stunnel4.pid
    ; loaded at start-up, before the chroot, so a host path works here
    cert = /root/stunnel.pem
    [https]
    accept = 443
    connect = 8080
    ; seconds to wait for the peer's close_notify; 0 for clients that never send it
    TIMEOUTclose = 0
    ```

  - Start it.
- iptables part:
  To prevent a local loop (a proxy user reaching the server's own port 443, which would feed back into the tunnel), reject connections to port 443 that originate from the server itself:

    ```sh
    # replace serverpublicip with the server's public address
    iptables -A INPUT -s serverpublicip -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
    ```
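A consistency check for the 3proxy and stunnel parts above, added here as an example (Python, not part of the original post): it parses both configs and reports when the plaintext proxy is not confined to 127.0.0.1, authentication is not `auth strong`, `allow *` admits everyone, the tunnel still permits SSLv2/SSLv3 or lacks the chroot/setuid sandbox, or the tunnel's `connect` port does not match the proxy's `-p` port. Both config pairs embedded in it are constructed samples: the hardened pair mirrors the post, the weak pair is a counterexample.

```python
# Constructed sample: the hardened 3proxy.cfg / tunnel.conf pair from the post.
HARDENED_3PROXY = """\
daemon
users user:CL:password
auth strong
allow user
proxy -p8080 -n -a -i127.0.0.1
"""
HARDENED_STUNNEL = """\
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
ciphers = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
cert = /root/stunnel.pem
[https]
accept = 443
connect = 8080
TIMEOUTclose = 0
"""
# Constructed weak pair: open proxy on every interface; tunnel allows SSLv3, is unsandboxed, wrong backend port.
WEAK_3PROXY = """\
daemon
auth none
allow *
proxy -p8080
"""
WEAK_STUNNEL = """\
options = NO_SSLv2
cert = /root/stunnel.pem
[https]
accept = 443
connect = 3128
"""

def parse_3proxy(text):
    """Return (auth words, allow targets, args of the 'proxy' service) from 3proxy.cfg."""
    auth, allow, proxy_args = None, [], []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "auth":
            auth = words[1:]
        elif words[0] == "allow":
            allow.extend(words[1:])
        elif words[0] == "proxy":
            proxy_args = words[1:]
    return auth, allow, proxy_args

def parse_stunnel(text):
    """Return {section: [(key, value), ...]}; '' is global. Keys like 'options' repeat."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(proxy_cfg, stunnel_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    auth, allow, proxy_args = parse_3proxy(proxy_cfg)
    # -pPORT and -iADDR of the 3proxy 'proxy' line; None when absent.
    port = next((int(a[2:]) for a in proxy_args if a.startswith("-p")), None)
    bind = next((a[2:] for a in proxy_args if a.startswith("-i")), None)
    if bind != "127.0.0.1":
        findings.append("3proxy: 'proxy' must bind with -i127.0.0.1 so only stunnel can reach it")
    if auth != ["strong"]:
        findings.append("3proxy: 'auth strong' required, got %s" % (auth,))
    if "*" in allow:
        findings.append("3proxy: 'allow *' admits every user")
    st = parse_stunnel(stunnel_cfg)
    opts = {v for k, v in st[""] if k == "options"}
    for needed in ("NO_SSLv2", "NO_SSLv3"):
        if needed not in opts:
            findings.append("stunnel: 'options = %s' missing" % needed)
    glob = dict(st[""])  # last value wins; fine for the non-repeating keys below
    for key in ("chroot", "setuid", "setgid", "cert"):
        if key not in glob:
            findings.append("stunnel: '%s' not set" % key)
    https = dict(st.get("https", []))
    if https.get("accept") != "443":
        findings.append("stunnel: [https] should accept on 443")
    if port is not None and https.get("connect") != str(port):
        findings.append("stunnel: [https] connect=%s does not match 3proxy port %d" % (https.get("connect"), port))
    return findings
```

`audit(HARDENED_3PROXY, HARDENED_STUNNEL)` returns an empty list; the weak pair yields one finding per weakness. The check reads only the two files; it does not confirm that the running 3proxy is actually bound to loopback, so pair it with a look at the listening sockets (for example `ss -ltn`) after starting the services.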
- browser part:
  Refer to this link from Chromium, or use the Chrome extension SwitchyOmega. When adding a server, always enter the valid (sub)domain rather than the server IP.
- A valid SSL certificate means no hiccups in the browser, and all traffic passing through is encrypted.
- This arrangement requires very low privilege on the client side; everything is done in the browser without installing or running anything else.
- A hardened tunnel consumes more resources on both sides, so there may be some speed degradation.
- You must own a valid (sub)domain and pay for a valid SSL certificate.