I have a shell account on various friends servers all over the internet. Thanks to ssh, I can create a SOCKS proxy and tunnel traffic through ssh out the internet through any of these shell boxes. However, for various reasons (usually DNS related) SOCKS isn’t always good enough. I like to have an HTTP proxy as well.
Enabling mod_proxy in apache is pretty darn easy any any linux distro… if you have root to make changes to the apache configuration and to restart apache. I have friends nice enough to give me shell, but they don’t give me root. (I don’t blame them.) It turns out that running your own apache, without compiling it, is very easy with a little know how on most modern linux distributions.
First, copy the apache configuration which came with the system (hopefully apache is installed. If it is not, these instructions are not for you).
$ mkdir etc ; cp -a /etc/apache2 etc
Next, make directories for apache runtime information and logs.
$ mkdir -p var/log/apache2 var/lock/apache2 var/run
Now edit etc/apache2.conf and change… well… a lot of things. Just apply this patch instead. It is easy to read and see what is changed.
--- /etc/apache2/apache2.conf 2006-01-07 05:51:10.000000000 -0800 +++ etc/apache2/apache2.conf 2006-10-05 11:39:11.000000000 -0700 @@ -10,7 +10,7 @@ # (available at); # you will save yourself a lot of trouble. -ServerRoot "/etc/apache2" +ServerRoot "/home/jrwren/etc/apache2" # The LockFile directive sets the path to the lockfile used when Apache # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or @@ -20,12 +20,12 @@ # DISK. The PID of the main server process is automatically appended to # the filename. -LockFile /var/lock/apache2/accept.lock +LockFile var/lock/apache2/accept.lock # PidFile: The file in which the server should record its process # identification number when it starts. -PidFile /var/run/apache2.pid +PidFile var/run/apache2.pid # Timeout: The number of seconds before receives and sends time out. @@ -98,8 +98,8 @@ AcceptMutex fcntl -User www-data -Group www-data +User jrwren +Group jrwren # The following directives define some format nicknames for use with # a CustomLog directive (see below). @@ -110,20 +110,20 @@ # Global error log. -ErrorLog /var/log/apache2/error.log +ErrorLog var/log/apache2/error.log # Include module configuration: -Include /etc/apache2/mods-enabled/*.load -Include /etc/apache2/mods-enabled/*.conf +Include mods-enabled/*.load +Include mods-enabled/*.conf # Include all the user configurations: -Include /etc/apache2/httpd.conf +Include httpd.conf # Include ports listing -Include /etc/apache2/ports.conf +Include ports.conf # Include generic snippets of statements -Include /etc/apache2/conf.d/[^.#]* +Include conf.d/[^.#]* #Let's have some Icons, shall we? Alias /icons/ "/usr/share/apache2/icons/" @@ -390,4 +390,4 @@ # # Include the virtual host configurations: -Include /etc/apache2/sites-enabled/[^.#]* +Include sites-enabled/[^.#]* diff -ru /etc/apache2/mods-available/proxy.conf etc/apache2/mods-available/proxy.conf --- /etc/apache2/mods-available/proxy.conf 2006-01-07 05:51:10.000000000 -0800 +++ etc/apache2/mods-available/proxy.conf 2006-10-05 08:00:33.000000000 -0700 @@ -3,12 +3,13 @@ #turning ProxyRequests on and allowing proxying from all may allow #spammers to use your proxy to send email. - ProxyRequests Off + ProxyRequests On Order deny,allow Deny from all #Allow from .your_domain.com + Allow from 127.0.0.1 # Enable/disable the handling of HTTP/1.1 "Via:" headers. diff -ru /etc/apache2/ports.conf etc/apache2/ports.conf --- /etc/apache2/ports.conf 2006-07-26 12:15:44.000000000 -0700 +++ etc/apache2/ports.conf 2006-10-05 06:47:47.000000000 -0700 @@ -1,2 +1 @@ -Listen 80 -Listen 3080 +Listen 1080 diff -ru /etc/apache2/sites-available/default etc/apache2/sites-available/default --- /etc/apache2/sites-available/default 2006-07-26 11:01:53.000000000 -0700 +++ etc/apache2/sites-available/default 2006-10-05 07:01:11.000000000 -0700 @@ -25,13 +25,13 @@ Allow from all - ErrorLog /var/log/apache2/error.log + ErrorLog var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn - CustomLog /var/log/apache2/access.log combined + CustomLog var/log/apache2/access.log combined ServerSignature On Alias /doc/ "/usr/share/doc/"
Beware that the cp command from before copies the symlinks and they still point to /etc, so you may need to recreate some symlinks in etc/apache/mods-enabled.
Now you should be able to just start apache.
$ apache2 -d etc/apache2 -f apache2.conf
The patch configured apache to run on port 1080, so now use ssh with -L 1080:localhost:1080 and point your http proxy to localhost:1080 and you can browse the web via the ssh connection, also utilizing the remote hosts DNS.
That public wifi point won’t see any of your web traffic, just the ssh connection.
I read “Your Own Apache Proxy Without Root”
http://jrwren.wrenfam.com/blog/2007/01/04/your-own-apache-proxy-without-root/
and I see that you change group and user to jrwren. Does that change the ownership of the Apache process? If you don’t change these entries and leave them as www-data and www-data, would you lose ownership of the Apache process, and thereby not be able to “kill” it if need be.
Greg,
Well, NO. As a regular non-root user, you CAN’T start processes as another user. It just isn’t allowed. Do you have some other solution in mind?
I have a proxy (tinyproxy) running that appears to start an apache process with ownership www-data. When tinyproxy stops, it appears to be leaving that process hanging. I was wondering if that was because the proxy starts it running as nobody in nogroup. I guess what I am asking is the purpose of the change you made from www-data to jrwren?
Regards.
Greg:
your tinyproxy, or SOMETHING is allowing a regular user to change users, this might be done using SUID bit.
I’m assuming that you have no permission on a server to run anything as root and that there are no suid helper programs.
JFYI as a note to others and myself.
to proxy IM and other protocols, you must enable mod_proxy_connect
and use the AllowCONNECT directive
For ssl, y!im, aim, msn, and google, use this line:
AllowCONNECT 443 5050 5190 1863 5222