My former colleague is working at a very hostile environment both virtual and geographically and he asked me to setup a system to surf freely and use im, skype, etc. without censorship and eavesdropping.
So I install squid to my web hosting vps and configure it using username authentication.
And an extra step, some of them using ssh tunnels to the vps and they are very happy using uncensored internet.
They are using windows 7 computers and their system proxy settings changed to use my service too.

But my concern is :
How can I improve this service for my friend's security.
Is this a best environment for my friend's concerns? or
Should I use a vpn connection? They want their connection is encrypted and they want to use all other programs like skype msn aim like this.

For example:
He is using mail providers such as GMAIL and hotmail with ssl but I am wondering my proxy server really supply a secure connection without ssh tunneling?

What are the security concerns about these shell accesses.
I jailed them in their home directory but is it enough?

I don't have anyone to ask these questions so I asked in here.
Sorry if it looks like a lazy man's research but I am reading materials, documentations, articles about squid on internet for about two weeks and I can honestly say that I am overwhelmed and frustrated about separating all the info from junk.

Can someone show me about security related articles or howtos about squid or share his/her experience?
Thanks in advance

There are two things your have to separate. One is the proxy server (Squid) running on your VPS and the trustworthyness of your VPS. The other is securing the access to your (trustworthy) VPS. Of course you have to harden your server so that it remains a trusted host for your friends, and every access to the host must be encrypted.

For your friend no connection without either SSH or VPN is safe.

One of the advantages of SSH is its ability to be configured quite easily to accept only encrypted connections. You have to set up ssh keys (RSA) for your friend in his home directory and configure the server NOT to accept password authentication.

Another very interesting approach is to use STUNNEL to enable dump (not-SSL) software to use proper SSL certificates, that you can generate for your friend yourself, to access your VPS over a secure SSL connection. I have used it to secure the sending of emails via my VPS by email software that was not able to use TLS.

There is a blog post here:going-ssl-with-evolution.html

I hope that helps.

1 members found this post helpful.