Posts Tagged ‘Proxy’

Secure your wifi connection using SSL + mod_proxy

Monday, October 5th, 2009

Being ultra paranoid about using other people's Wifi connections, I've come up with a solution to make things a little safer. It's by no means new, having been around for quite a while, but it works well. I've set up Apache on my web server to act as a proxy server for connections originating from 127.0.0.1. I then create a secure tunnel from my local machine using SSL and direct my web browser to connect through my new secure proxy. This is great for extra security when browsing the internet and checking email on insecure wifi networks.

If you want to set up your own proxy you'll need Apache installed with mod_proxy, mod_proxy_http and mod_proxy_ftp; you'll also need SSH access to a server that's secure. Once Apache and mod_proxy are installed, add the following lines to your Apache config file.

# Main server scope: never act as a forward proxy on the public interface
ProxyRequests Off

# Only accept connections on the loopback interface (reached through the SSH tunnel)
Listen 127.0.0.1:80

<VirtualHost 127.0.0.1>
        # Forward proxying is enabled only for this loopback-bound virtual host
        ProxyRequests On
        ProxyPreserveHost On

        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /tmp/proxy_log common
</VirtualHost>

The ProxyRequests Off line is very important, as you don't want anyone who can't connect to 127.0.0.1 to be able to use your proxy server.

Once you've done that you just need to set up your SSH tunnel:

ssh -p 22 user@yourserver.com -N -f -L 127.0.0.1:4444:127.0.0.1:80

This will connect from your computer to the sshd server on port 22, listen on local port 4444 and forward to your proxy running on port 80 at 127.0.0.1 on your server. Once that has been done, just change your browser's proxy settings to connect to 127.0.0.1:4444.
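As an added check (not part of the original post), here is a small Python linter that parses a config like the one above and reports whether ProxyRequests On is reachable from anything other than a loopback-bound VirtualHost. The two sample configs are constructed, and the parser only understands the directive shapes used here.

```python
import re
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_apache_config(text):
    """Minimal parser for the shapes used in the post: returns (global_directives,
    vhosts); a directive is (name, args), a vhost is (address, directives)."""
    global_directives, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            current = (m.group(1).strip(), [])
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        else:
            parts = line.split(None, 1)
            directive = (parts[0], parts[1] if len(parts) > 1 else "")
            (current[1] if current else global_directives).append(directive)
    return global_directives, vhosts

def host_part(addr):
    """Strip a trailing :port ('127.0.0.1:80' -> '127.0.0.1', '[::1]:80' -> '::1').
    A bare port such as '80' or a '*' means every interface and comes back unchanged."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    head, sep, tail = addr.rpartition(":")
    return head if sep and tail.isdigit() else addr

def open_proxy_findings(text):
    """List the ways this config could expose a forward proxy to non-loopback
    clients; an empty list means ProxyRequests is only On inside a loopback vhost."""
    findings = []
    global_directives, vhosts = parse_apache_config(text)
    main = {n.lower(): a for n, a in global_directives}         # last setting wins
    main_on = main.get("proxyrequests", "Off").lower() == "on"
    if main_on:
        findings.append("ProxyRequests On in the main server scope: every Listen address proxies")
    for addr, directives in vhosts:
        local = {n.lower(): a for n, a in directives}
        inherited = "On" if main_on else "Off"                   # vhosts inherit the main setting
        if local.get("proxyrequests", inherited).lower() == "on" and host_part(addr) not in LOOPBACK:
            findings.append(f"<VirtualHost {addr}> enables ProxyRequests on a non-loopback address")
    return findings

# Constructed samples: the post's loopback-only layout and a typical open-proxy mistake.
SAFE_CONFIG = "ProxyRequests Off\nListen 127.0.0.1:80\n<VirtualHost 127.0.0.1>\n    ProxyRequests On\n</VirtualHost>\n"
OPEN_CONFIG = "Listen 80\n<VirtualHost *:80>\n    ProxyRequests On\n</VirtualHost>\n"
```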

Your setup will go from looking like this, where your data is sent over an insecure wifi connection:

Normal browsing using a WiFi-enabled laptop

To this setup, where your data is encrypted through the tunnel and passed to a server that is connected to the internet:

Browsing using an SSH tunnel and proxy server via WiFi

Now your crummy wifi connection is a little bit more secure (for all requests over the proxy at least)…

Defeating open proxy servers

Thursday, August 20th, 2009

I've recently been in a situation where lots of users were abusing a website using a series of open proxies. They were using these open proxies to commit large volumes of fraud. A static list of known proxies can help to combat this issue, but you end up fighting a losing battle trying to keep the list up to date.

I'm fighting back – new users of the service who want to buy items get their computer port scanned as part of the payment process. I only check the ports that proxies are known to run on: 8080, 3128, 1080, 3124, 3127 and 3128. If any of these ports are open, the server adds a note to their payment and a human reviews the purchase before the payment is taken.
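An added Python sketch of the check described above (not the post's own code): it probes the listed ports on the paying client's address in parallel and produces the note for the reviewer, and the demo runs against a loopback listener it opens itself, so it needs no network. The timeout and the wording of the note are my own assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the post lists as the ones proxies are known to run on (3128 appears twice there).
PROXY_PORTS = sorted({8080, 3128, 1080, 3124, 3127, 3128})

def port_is_open(host, port, timeout=1.5):
    """Plain TCP connect check: True if host:port accepts a connection within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0

def proxy_port_check(host, ports=PROXY_PORTS, timeout=1.5):
    """Probe the listed ports in parallel so a silent host costs one timeout, not
    one per port; returns the sorted list of ports that were open."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)

def review_note(client_ip, open_ports):
    """The note attached to the payment for a human reviewer; None means nothing to flag."""
    if not open_ports:
        return None
    return f"{client_ip} has proxy-type port(s) open: {', '.join(map(str, open_ports))}; hold for review"

def demo_against_loopback():
    """Self-contained run (constructed): listen on one ephemeral loopback port so the
    check has something to find, alongside a port nothing is listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        open_port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as spare:
            spare.bind(("127.0.0.1", 0))     # grab a second port, then release it: now closed
            closed_port = spare.getsockname()[1]
        found = proxy_port_check("127.0.0.1", [open_port, closed_port], timeout=1.0)
    return {"open": open_port, "closed": closed_port, "found": found,
            "ok": found == [open_port], "note": review_note("127.0.0.1", found)}
```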

It's not been running long and I'm not exactly sure if it's legal (the T.O.S. have had to be updated) – either way it'll be interesting to see how effective it is in combating abuse from open proxy servers. I think it could, and probably will, end up as an arms race between me and the fraudsters. I'll keep people posted and let you know if it works out.

Apache 2.2 proxy and LightTPD

Monday, August 17th, 2009

The server has just undergone some modifications – previously I was using Lighttpd to serve all of the content; I liked its traffic shaping features and low memory footprint. But I also sorely missed the mod_rewrite functionality and mod_php that Apache provides.

The solution was simple: Apache 2.2.13 to serve the dynamic PHP files and Lighttpd to serve the static files via the Apache proxy module. This gives me all the features of Apache, but only when I need them, with Lighttpd serving the static content.

The basic setup is simple. Lighttpd runs on 127.0.0.1 port 81 and Apache runs on port 80 of idontplaydarts.com; both point to the same root directory, and when Apache sees a request for a file located in either wp-content or wp-includes it hands the request to Lighttpd. My config file looks something like this.

ProxyPass /wp-content http://127.0.0.1:81/wp-content
ProxyPassReverse /wp-content http://127.0.0.1:81/wp-content

ProxyPass /wp-includes http://127.0.0.1:81/wp-includes
ProxyPassReverse /wp-includes http://127.0.0.1:81/wp-includes

The only issue at the moment is that the latest version of Apache doesn't yet support the ProxyPassMatch directive. This would let me specify a regular expression, such as one matching *.txt, to tell Apache to pass all requests for text files to Lighttpd.

# $1 already carries the leading slash, so no extra "/" before it; target is Lighttpd on 127.0.0.1:81
ProxyPassMatch ^(/.*\.txt)$ http://127.0.0.1:81$1

ProxyPassMatch is due to be introduced in Apache 2.2.5; we're only on Apache 2.1.3 at the moment, so there is going to be a bit of a wait before I can change my configuration files and get regular expression support with ProxyPass.
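As an added illustration (not the post's own code), this Python snippet emulates how Apache walks ProxyPass and ProxyPassMatch rules in configuration order, first match winning, and how ProxyPassReverse rewrites a redirect the backend issues. The backend address and public hostname come from the post; the matching logic is an approximation of mod_proxy's, not a port of it.

```python
import re

BACKEND = "http://127.0.0.1:81"          # Lighttpd, as in the post
PUBLIC = "http://idontplaydarts.com"     # the Apache front end, as in the post

# Rules in configuration order: ("pass", prefix, target) or ("match", regex, target).
# The ProxyPassMatch entry is the form the post is waiting to be able to use.
RULES = [
    ("pass", "/wp-content", BACKEND + "/wp-content"),
    ("pass", "/wp-includes", BACKEND + "/wp-includes"),
    ("match", r"^(/.*\.txt)$", BACKEND + "$1"),
]

def route(path, rules=RULES):
    """Approximate Apache's lookup: rules are tried in configuration order and the
    first match wins; ProxyPass matches whole path segments (so /wp-content does not
    match /wp-contentious); None means Apache serves the request itself."""
    for kind, pattern, target in rules:
        if kind == "pass" and (path == pattern or path.startswith(pattern.rstrip("/") + "/")):
            return target + path[len(pattern):]
        if kind == "match":
            m = re.match(pattern, path)
            if m:
                # expand $1, $2, ... in the target from the regex groups
                return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)
    return None

def reverse_location(location, rules=RULES, public=PUBLIC):
    """Approximate ProxyPassReverse: a redirect the backend issues against its own
    address is rewritten so the browser is sent to the public URL, not 127.0.0.1:81."""
    for kind, pattern, target in rules:
        if kind == "pass" and location.startswith(target):
            return public + pattern + location[len(target):]
    return location
```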

It's worth mentioning that you can do the proxy the other way round, with Lighttpd in front passing requests to Apache, but there is not much benefit and you don't get to take advantage of the nice Apache rewrite rules.