Setting up an apache2 proxy server

January 15th, 2008

Note: I found out that you can also use the ssh -D option to have ssh function as a SOCKS server and get similar behaviour without the hassle of configuring Apache.

Are you at work behind a big bad evil proxy? Worried about your privacy? Set up a proxy on your home server so you can browse safely.

What are we going to use:

  • Putty
  • Apache 2

Is that all we need? Yes that’s all. 😉

OK, let’s set up our Apache 2 proxy first. It is a good idea to add some security to your proxy server so that not everyone can reach it; you might want to restrict it to localhost only. This tutorial is based on a Debian install of Apache 2. So hang on and let’s go.

First change the ports apache2 is listening on. Edit /etc/apache2/ports.conf and add the line:

Listen 8080

This will make the apache2 server listen on port 8080. If there is a line that makes apache2 listen on port 443 (https) you might want to disable it, because further down we let the ssh daemon listen on port 443 and use PuTTY to connect to that port.

You might need to download mod_proxy for apache2 to be able to use proxying. If it is not already enabled use:

a2enmod proxy
a2enmod proxy_connect
a2enmod proxy_html
a2enmod proxy_ftp

This will enable it. If mod_proxy is not installed at all, use apt-cache search to locate it and install it through apt.
The proxy_connect module is required to handle SSL calls (CONNECT requests) through your proxy.

Create a new entry in /etc/apache2/sites-available and name it ‘proxy’ for example. Insert something like the following:

<virtualhost *:8080>
        ServerAdmin webmaster@localhost
 
        ProxyRequests On
        ProxyVia On
 
        #Add ports you want to be able to connect to through your proxy here
        AllowCONNECT 443 563 1863
        #443   = SSL
        #563   = NNTP over TLS (NNTPS)
        #1863  = MSN Messenger
 
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
 
        ErrorLog /var/log/apache2/proxy-error.log
        TransferLog /var/log/apache2/proxy-transfer.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel notice
</virtualhost>

Enable this new site by typing:

a2ensite proxy

It would be really wise to limit access to your forward proxy, since an open forward proxy can be used by anyone who can reach the port.
Edit the proxy.conf file in /etc/apache2/mods-available/proxy.conf.
Add something like this to allow only connections from localhost:

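# The <Proxy> pattern is matched against the requested (destination) URL,
# not the port Apache listens on, so use * to cover every proxied request.
<Proxy *>
    Order Deny,Allow
    Deny from all
    # Only clients on the server itself (the end of the ssh tunnel) may proxy
    Allow from 127.0.0.1
</Proxy>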

Reload the web server after this by running:

/etc/init.d/apache2 reload
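
A quick way to check that a config like this really limits proxy use to localhost, as an added example that is not part of the original post. It relies on the fact that a `<Proxy>` pattern is matched against the requested URL rather than the listening port; the function name `audit_forward_proxy` and both sample configs are constructed for illustration, and only Apache 2.2 `Order/Deny/Allow` and 2.4 `Require local` are recognised.

```python
import re

# Constructed sample in the style of this page's vhost and proxy.conf.
WEAK = """\
Listen 8080
<VirtualHost *:8080>
    ProxyRequests On
    AllowCONNECT 443 563 1863
</VirtualHost>
<Proxy *:8080>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Proxy>
"""
# Same config with the listener bound to loopback and a catch-all <Proxy *>.
HARDENED = WEAK.replace("Listen 8080", "Listen 127.0.0.1:8080") \
               .replace("<Proxy *:8080>", "<Proxy *>")

LOOPBACK = ("127.", "localhost:", "[::1]:")

def audit_forward_proxy(conf):
    """Return a list of findings for an Apache forward-proxy config."""
    text = "\n".join(l.split("#", 1)[0].strip() for l in conf.splitlines())
    flags = re.I | re.M
    if not re.search(r"^ProxyRequests\s+On\b", text, flags):
        return []                       # not a forward proxy
    findings = []
    # Every non-loopback Listen is reported; check which one serves the proxy.
    for addr in re.findall(r"^Listen\s+(\S+)", text, flags):
        if not addr.lower().startswith(LOOPBACK):
            findings.append(f"Listen {addr}: not bound to loopback")
    restricted = False
    for pat, body in re.findall(r"<Proxy\s+([^>]+)>(.*?)</Proxy>", text, re.I | re.S):
        if pat.strip().strip('"') != "*":
            # The pattern is matched against the requested URL, not the port.
            findings.append(f"<Proxy {pat}>: does not cover all proxied requests")
            continue
        deny_all = re.search(r"^Deny\s+from\s+all\b", body, flags)
        allow_all = re.search(r"^Allow\s+from\s+all\b", body, flags)
        require_local = re.search(r"^Require\s+local\b", body, flags)  # 2.4 syntax
        restricted = bool(require_local or (deny_all and not allow_all))
    if not restricted:
        findings.append("no <Proxy *> block limits who may use the proxy")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_forward_proxy(conf) or "ok")
```

Binding the listener to 127.0.0.1 is enough for this setup, because the browser reaches port 8080 only through the ssh tunnel, which terminates on the server itself.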

Add 443 to your ssh listen ports by opening /etc/ssh/sshd_config.
Edit it so it reads:

# What ports, IPs and protocols we listen for
Port 22
Port 443

Restart the ssh daemon by calling:

/etc/init.d/ssh restart

Now you are ready to go. Try your proxy by using PuTTY to connect to your server and forward a port on your local machine to port 8080 on the server. It might also be a good idea to enable zip compression on your connection (Putty:Connection->SSH->Enable Compression) to speed things up a bit.
Now you can point Firefox or another app at localhost:[bound putty port] to connect to your proxy.

If you want Firefox to do the DNS lookups on the remote end, open the about:config page by typing it in the address bar. This preference applies when Firefox is configured with a SOCKS proxy, such as the ssh -D option from the note above; with an HTTP proxy like this one, the proxy resolves hostnames itself. Look up the value:

network.proxy.socks_remote_dns

Set the value to true to do remote DNS lookups.

  1. Reynaldo
    July 17th, 2008 at 00:21 | #1

    Hi,
    I’m new to proxy setups and was hoping to find out if this setup is advisable on a single desktop.
    Also, for programs that use multiple ports and random ports, would it simply be a matter of configuration in the connecting program ?

    Thanks for the post, I was just looking at apache2 in synaptic and wondering..

  2. Wytze
    July 17th, 2008 at 09:27 | #2

    What do you mean exactly with a ‘single desktop’? I use my home proxy to be able to browse privately at my work or visit the webpages at my home server.

    Configuring the ports needs to be done from the client program connecting to the proxy. The AllowCONNECT statement in the apache configuration will allow you to control which ports an application can connect to through your proxy.

    For example: I use MSN Messenger and configure it to use my proxy. Because Messenger wants to connect to port 1863 through the proxy I would need to add this port to the AllowCONNECT statement. This way MSN Messenger can connect to that port through the proxy server.

    As far as I know AllowCONNECT does not support enabling all ports. So if this is the case you might want to look at another proxy server.

  3. Reynaldo
    July 18th, 2008 at 20:32 | #3

    Basically I have one machine. In this setup are you talking about another physical machine as the server?

    Thanks…

  4. Ad
    January 21st, 2009 at 18:25 | #4

    I can get this only so far… firefox brings back a blank webpage for any website I try to browse when the putty ssh tunnel is up.

    I’m using D8080 for the port forward is that correct?

  5. Wytze
    May 12th, 2009 at 08:17 | #5

    You have to forward a local port to port 8080 on the server. I use port 1234 for example on the local end to be forwarded to 8080 on the server. If this is still a problem you could try to check out the logs to see what is going wrong.
