I like concealing what and where I browse from eavesdroppers and web trackers respectively. To that end, I’ve been using OpenVPN, and I have two minor issues with it:
Firstly, an eavesdropper can see that the VPN connection is obviously not regular, ubiquitous HTTPS traffic, even when my server runs on port 443/tcp.
Secondly, the outdated stable kernel of my OpenVZ VPS can’t do IPv6 NAT and so can’t give IPv6 connectivity to my VPN clients.
These considerations had me wondering whether I would be better served by an encrypted proxy, ideally one that would both accept proxy requests and serve websites on the same port. At first I tried Nginx with a module that lets it process CONNECT requests, which seemed promising but turned out to be incompatible with authentication. Then I tried Squid. Then a combination of Nginx, Squid and stunnel. None of the setups worked quite to my liking and I was starting to get frustrated, but then I remembered my neglected old friend, Apache.
Apache does everything I want out of a proxy with no recompilation necessary.
Setting up Apache
Just install and enable the requisite mods.
Create a file to authenticate users against.
Add a virtual host config, or expand an existing one. Proxying doesn’t interfere with serving a website on the same virtual host: clients are only asked to authenticate when they issue proxy requests, while ordinary requests for the site stay anonymous.
Finally, don’t forget to restart Apache for the config changes to take effect.
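Here is what the result of those steps can look like, as an added example rather than the config from the original post. It assumes Apache 2.4 on a Debian-derived system with mod_ssl, mod_proxy, mod_proxy_http (absolute-URI http:// requests) and mod_proxy_connect (CONNECT tunnels) enabled, i.e. "a2enmod ssl proxy proxy_http proxy_connect", and a password file created with "htpasswd -c /etc/apache2/proxy.htpasswd someuser". The host name, certificate paths and file locations are placeholders.

```apache
# Added example vhost: serves a website on 443 and, for authenticated
# clients only, acts as a forward proxy on the same port.
# www.example.com, the certificate paths and the htpasswd path are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Forward-proxy mode. Never turn this on without the <Proxy> block
    # below, or you are running an open proxy for the whole internet.
    ProxyRequests On
    # Don't advertise the proxy hop in a Via: header to the destination.
    ProxyVia Off
    # CONNECT tunnels only to the TLS port; requests for other ports are
    # refused, so the box can't be used as a generic TCP relay.
    AllowCONNECT 443

    # Access control for proxy requests only. Requests for the site's
    # own content above are not affected and need no credentials.
    # Basic auth is acceptable here because the client only ever sends
    # the Proxy-Authorization header inside the TLS session.
    <Proxy "*">
        AuthType Basic
        AuthName "proxy"
        AuthUserFile /etc/apache2/proxy.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>
```

A quick check from another machine, with a curl that was built with HTTPS-proxy support: "curl -I -x https://someuser:secret@www.example.com:443 https://example.org/" should return example.org's headers, and the same command without credentials should get a 407 from Apache. Also confirm that plain "curl -I https://www.example.com/" still serves the site without any prompt for credentials.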
Accessing proxies securely appears to be an uncommon practice. Firefox has an ‘SSL proxy’ configuration entry and the Linux Mint network settings editor has an ‘HTTPS proxy’ entry in its GUI, but all they let you do is specify hosts to which you’ll be sending your CONNECT requests in plaintext. Prepending “https://” to host names in those fields causes the browser to try to resolve the whole string as a host name and, predictably, fail. But while it’s not simple, it’s not impossible either; it just takes jumping through one more hoop.
That hoop is a proxy auto-configuration (PAC) file, whose return values, unlike the GUI fields, can name an HTTPS proxy. Saving this somewhere on your computer and then entering its URL as file:///wherever/you/saved/it.pac in your proxy settings will let you access your proxy through HTTPS.
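A PAC file with that effect, as an added example and not the file from the original post. The name proxy.example.com is an assumption; it must be the name on the certificate Apache presents, and it is the only name the browser ever connects to directly.

```javascript
// Added example PAC file. PROXY_HOST is an assumed name; put the
// name on your server's certificate here. PAC engines run old-style
// JavaScript, hence var and plain string functions only.
var PROXY_HOST = "proxy.example.com";
var PROXY_PORT = 443;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback and single-label (LAN) names never leave this machine.
  if (host === "localhost" || host === "127.0.0.1" || host === "::1" ||
      host.indexOf(".") === -1) {
    return "DIRECT";
  }

  // The browser has to reach the proxy itself directly; routing the
  // proxy's own name through the proxy would loop.
  if (host === PROXY_HOST) {
    return "DIRECT";
  }

  // "HTTPS host:port" (as opposed to "PROXY host:port") makes the browser
  // open a TLS session to the proxy and send its CONNECT or absolute-URI
  // request inside it. No "; DIRECT" fallback on purpose: if the proxy is
  // unreachable, browsing fails closed instead of quietly going direct.
  return "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;
}
```

The deliberate omission of a DIRECT fallback is the security-relevant choice here: a PAC that ends in "; DIRECT" will silently expose your real address the moment the proxy is down or blocked.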
Pictures, conclusions, disclaimers
Here’s what OpenVPN running on port 443/tcp looks like to an eavesdropper.
Curling the index of a WordPress site through my proxy.
And here’s me doing the same without a proxy.
Sure, the last two captures don’t look identical. Someone paying attention to patterns in the traffic (every connection goes to the same host, and the request and response sizes mirror those of the sites being visited) would still be able to detect proxy use, but it’s not as obviously dissimilar as OpenVPN. And because the proxy makes the outgoing connections itself from the server’s own addresses, it gives me my IPv6 connectivity without any NAT on the server.
And this concludes our presentation. If you have a question, a correction or a bit of useful knowledge on the subject you’d like to share, please mail it to ‘comments’ at this domain.