Setting up an apache2 proxy server

January 15th, 2008

Note: I found out that you can also use the ssh -D option to make ssh act as a SOCKS server and get similar behaviour without the hassle of configuring Apache.

Are you at work behind a big bad evil proxy? Worried about your privacy? Set up a proxy on your home server so you can browse safely.

What are we going to use:

  • PuTTY
  • Apache 2

Is that all we need? Yes that’s all. 😉

OK, let’s set up our Apache 2 proxy first. It is a good idea to add some security to your proxy server so that not everyone can reach it. You might want to restrict it to localhost only. This tutorial is based on a Debian install of Apache 2. So hang on and let’s go.

First change the ports apache2 listens on. Edit /etc/apache2/ports.conf for this purpose and add the line:

Listen 8080

This makes the apache2 server listen on port 8080. If there is a line that makes apache2 listen on port 443 (https), you might want to disable it: later in this tutorial sshd is set to listen on port 443, and that is the port we are going to connect to with PuTTY.

You might need to download mod_proxy for apache2 to be able to use proxying. If it is not already enabled use:

a2enmod proxy
a2enmod proxy_connect
a2enmod proxy_html
a2enmod proxy_ftp

This will enable it. If mod_proxy is not installed at all yet, use apt-cache search mod proxy to locate the package and install it through apt.
The proxy_connect module is required to handle SSL calls through your proxy.

Create a new entry in /etc/apache2/sites-available and name it ‘proxy’, for example. Insert something like the following:

<virtualhost *:8080>
        ServerAdmin webmaster@localhost
 
        ProxyRequests On
        ProxyVia On
 
        # Add the ports you want to be able to connect to through your proxy here
        AllowCONNECT 443 563 1863
        # 443   = HTTPS (SSL)
        # 563   = NNTP over SSL/TLS
        # 1863  = MSN Messenger
 
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
 
        ErrorLog /var/log/apache2/proxy-error.log
        TransferLog /var/log/apache2/proxy-transfer.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel notice
</virtualhost>

Enable this new site by typing:

a2ensite proxy

It would be really wise to limit access to your forward proxy, since an unrestricted forward proxy can be used by anyone who can reach it.
Edit the proxy.conf file in /mods-available/proxy.conf.
Add something like this to allow only connections from localhost:

<Proxy *>
    # <Proxy> patterns match the proxied URL, not the listening port,
    # so * is needed to cover every request made through the proxy.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Proxy>

Reload the web server after this by running:

/etc/init.d/apache2 reload
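
An added example, not part of the original post: a small Python check that reads Apache 2.2-style configuration text and reports the two ways this setup can end up reachable by others, a Listen line that binds every interface and <Proxy> sections written with a port pattern such as *:8080, which Apache matches against the proxied URL rather than the listening port. The function name, the finding strings and both sample configs are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_forward_proxy(conf, port=8080):
    """Return findings for Apache 2.2-style forward-proxy config text."""
    findings, proxy_on, section, blocks = [], False, None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)proxy\b\s*([^>]*)>", line, re.I)
        if m:  # entering or leaving a <Proxy pattern> container
            section = None if m.group(1) else m.group(2).strip()
            if section is not None:
                blocks.setdefault(section, [])
            continue
        words = line.split()
        name = words[0].lower()
        if name == "listen" and len(words) > 1:
            addr, _, p = words[1].rpartition(":")
            if p == str(port) and addr in ("", "*", "0.0.0.0", "[::]"):
                findings.append(f"Listen {words[1]} binds every interface")
        elif name == "proxyrequests" and words[-1].lower() == "on":
            proxy_on = True
        elif section is not None and name in ("allow", "deny") and len(words) > 2:
            blocks[section].append((name, words[2].lower()))
    if not proxy_on:
        return findings
    for pattern in blocks:
        if re.fullmatch(r"\*:\d+", pattern):  # written like a <VirtualHost> address
            findings.append(f"<Proxy {pattern}> matches proxied URLs, not a listening port")
    default = blocks.get("*", [])
    if ("deny", "all") not in default:
        findings.append("no <Proxy *> block with 'Deny from all'")
    for verb, who in default:
        if verb == "allow" and who not in LOOPBACK:
            findings.append(f"<Proxy *> allows non-loopback client {who}")
    return findings

# Constructed sample inputs (not real server files).
WEAK = ("Listen 8080\nProxyRequests On\n"
        "<Proxy *:80>\nOrder Deny,Allow\nDeny from all\n</Proxy>\n"
        "<Proxy *:8080>\nOrder Deny,Allow\nDeny from all\nAllow from 127.0.0.1\n</Proxy>\n")
HARDENED = ("Listen 127.0.0.1:8080\nProxyRequests On\n"
            "<Proxy *>\nOrder Deny,Allow\nDeny from all\nAllow from 127.0.0.1\n</Proxy>\n")
if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_forward_proxy(conf) or "no findings")
```

The check only understands the Order/Deny/Allow syntax used in this tutorial; Apache 2.4 replaced it with Require directives (for example Require local), which it does not parse.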

Add 443 to your ssh listen ports by opening /etc/ssh/sshd_config.
Edit it so it reads:

# What ports, IPs and protocols we listen for
Port 22
Port 443

Restart the ssh daemon by calling:

/etc/init.d/ssh restart

Now you are ready to go. You can try your proxy by using PuTTY to connect to your server and tunnel port 8080 on the server to a port on your local machine. It might also be a good idea to enable zip compression on your connection (Putty:Connection->SSH->Enable Compression) to speed things up a bit.
You can then point Firefox or another application at localhost:[bound putty port] to connect to your proxy.

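If you want Firefox to do the DNS lookups on the remote end, open the about:config page by typing about:config in the address bar and look up the value:

network.proxy.socks_remote_dns

Set the value to true to do remote DNS lookups. As the name suggests, this preference applies when Firefox is configured to use a SOCKS proxy, such as the ssh -D setup mentioned in the note at the top.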