Setting Up A Home Web Proxy
These instructions cover how to set up an HTTP proxy server which can be used to access any HTTP content (web sites) via non-standard ports. This is useful if you have a device or an Internet connection where TCP port 80 is blocked.
Because you will be offering services to the public Internet there are some important security considerations you should be aware of. Please see the section below labeled Security and make sure you understand that there are risks to installing this software.
Proxy Definition:
HTTP proxy servers are used on many multi-user networks to control access to the Internet. They add capabilities such as:
-- Content filtering
-- Malware checking (viruses and trojans)
-- Site restrictions to keep students or employees from going places they shouldn't
-- Caching of frequently visited sites to conserve bandwidth
A proxy is not a router. The proxy receives the HTTP request from the client (browser) and then sends another request to the web server. The web server then replies to the proxy, which in turn sends the response back to the client. Because of this, non-HTTP traffic which might use the same ports will not traverse the proxy server. It is an application-level device (refer to the OSI model for more info), which means that to function it has to know about the application protocol you are using (HTTP in this case).
Ok, enough of the background information. Here are the requirements to set this up:
Prerequisites:
1. Always-on Internet connection (xDSL, cable modem, corporate network, etc.)
2. Static IP address (or at least one that doesn't change very often)
3. Windows PC (if you have a Linux machine you should know enough to do this already)
4. The knowledge to configure your Internet router/firewall
5. Proxy server software
Overview:
The setup process includes:
-- Configuring your router/firewall to forward traffic to your Windows PC
-- Installing the proxy software
-- Configuring the proxy software on your non-standard port
-- Configuring proxy settings on your remote client
-- Testing and troubleshooting
Terms:
Windows PC - the PC at your home or always-on connection which will serve as the proxy
Remote client - the client/device you want to access the web from (cell phone, remote computer, etc.)
Proxy software - the application installed on your Windows PC which does the proxying
Non-standard port - a TCP port other than port 80
Router/firewall - the device that connects your Windows PC to the Internet
Step 1 - Router/firewall Configuration
The typical firewall, whether it's at home or at a corporate office, will block all incoming network traffic unless it is specifically allowed. This keeps the "bad" traffic out. Network connections which are initiated from inside will operate, but no connections can be initiated from the public Internet. To offer a service like an HTTP proxy you have to open up a "hole" in the firewall to allow certain traffic in. Be aware that you can potentially allow undesirable traffic through this hole that can expose your internal network. There is a certain amount of risk in any firewall hole; by creating the hole you are accepting that risk. The hope is that the benefits outweigh the risks.
I can't give you specific instructions because these are highly dependent on the brand and model of firewall or router you are using. I will show the procedure for a Cisco 678 DSL router.
- First, pick the non-standard port you will be using. For this example I will use port 25 which is normally used for SMTP mail servers. The assumption is that whatever port you use is not blocked on your remote client (cell phone).
- Next, forward that port to your Windows PC. The effect is that any inbound traffic coming to your router on port 25 will be forwarded to your Windows PC. You normally have the option to forward the traffic on the same port or on a different port. For this example we're not changing the ports. Traffic comes in on port 25 and is forwarded on to the Windows PC on port 25. This is called NAT (Network Address Translation) or more accurately PAT (Port Address Translation). You are "translating" the port coming into your router to the IP address of your Windows PC.
Here is what the commands look like for a Cisco 678 DSL router. In this example the Windows PC's IP address is 10.0.0.5 and the router's external interface IP is 150.10.10.201.
    set nat entry add 10.0.0.5 25 150.10.10.201 25 tcp
This translates to: "take port 25 tcp traffic arriving at 150.10.10.201 and send it to 10.0.0.5 on port 25 tcp"
Your mileage may vary, but you need to forward the traffic in like manner on your own router/firewall.
Step 2 - Install Proxy Software
Next you need to download and install an HTTP proxy on your PC. All I will address here is Windows compatible software but the settings and principles hold for any operating system. I haven't tried a lot of proxies but the one I use is from Handcrafted Software and is aptly named "FreeProxy." Get it at www.handcraftedsoftware.org. You can use this or any other decent HTTP proxy.
After the software is installed you'll need to follow the instructions to start an HTTP proxy listening on the port you forwarded to your PC in step 1. In this case, you need to configure it to listen on port 25. It will then send requests out on port 80 (or 443 for secure sites).
I would recommend turning logging up to debug levels so you can test your initial installation and to aid in troubleshooting. Don't forget to turn this off later as it can consume disk space and cause your computer to expend CPU cycles needlessly writing logs.
Step 3 - Configure Remote Client
This step is performed on your remote client, cell phone, etc. You need to configure the HTTP browser software to go to your proxy. Proxy settings are application specific but at a minimum they will allow you to enter the address and port number of the proxy. For the proxy address enter your external interface IP from step 1, in this case 150.10.10.201, and enter 25 for the port number.
Step 4 - Test
Now for the moment of truth. Fire up the browser on your remote client and see if you can load a web page. If you've done everything right you should now be browsing. Check the debug logs on your Windows PC and look at the requests coming in. If it's working well then turn down the logging level.
Security
Note, you have now configured an "open proxy." This means that anyone on the Internet can connect to port 25 on your computer and browse the Internet. This will use up your bandwidth and will make the originating IP address YOUR COMPUTER. In addition, any vulnerabilities in the operating system or proxy software you run can now be exploited remotely. This also means that if the FBI comes looking for a web site hacker who uses your proxy they will come to your door. I highly recommend you take whatever measures you can to lock down your proxy implementation. Here are some things you can do. These are not mutually exclusive and the more of these you can implement the more secure your proxy will be.
1. Require authentication - most proxies have an option to require users to authenticate before they can be used. Some browsers include this authentication in the proxy configuration. Use this if at all possible; it is probably the most secure method.
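The check described in item 1, together with the request handling from the Proxy Definition section, as an added example (not FreeProxy's code and not part of the original instructions). The user table, realm and function names are assumptions; only plain http:// requests are handled, not CONNECT for port 443.

```python
import base64
import hmac
from urllib.parse import urlsplit

USERS = {"alex": "s3cret-demo"}  # constructed credentials, demo only
BAD = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
NEED_AUTH = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b'Proxy-Authenticate: Basic realm="home-proxy"\r\n'
             b"Connection: close\r\n\r\n")

def check_proxy_auth(headers):
    """True if Proxy-Authorization carries valid Basic credentials."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of the match position
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())

def handle_request(raw):
    """Return ('reject', response) or ('forward', host, port, origin_request)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    # Non-HTTP traffic on the forwarded port (e.g. SMTP on 25) stops here.
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ("reject", BAD)
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not check_proxy_auth(headers):
        return ("reject", NEED_AUTH)
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        return ("reject", BAD)
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    # The credentials are for the proxy only: strip them before forwarding.
    kept = [l for l in lines[1:]
            if not l.lower().startswith(("proxy-authorization:", "proxy-connection:"))]
    origin = "\r\n".join([f"{method} {path} {version}"] + kept)
    return ("forward", url.hostname, url.port or 80,
            origin.encode("latin-1") + b"\r\n\r\n" + body)
```

A request without valid credentials gets a 407 and is never relayed, which is what separates an authenticated proxy from the open proxy described above.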
Troubleshooting
The debug logs on your proxy server are the best place to look to see if your browser traffic is getting through. Also, if you can turn on debugging on your firewall/router you can check for the traffic there. Make sure your IP addresses are correct. Make sure nothing else is using your non-standard port, i.e. if you selected port 25 but you also are hosting SMTP mail then you'll have a problem as both use the same TCP port.
If you found this useful, please shoot me a quick email and let me know. If you found anything incorrect or have any suggestions I'd appreciate any feedback.
Thanks,
Alex
alext@pobox.com