How to setup an HTTP proxy with privoxy

21 December 2007

Introduction

Let's say, theoretically speaking, that a person wanted to access a service that is IP restricted to their home country, but they were currently abroad.

For example, a UK licence-fee payer might want to access the BBC iPlayer service to watch a UK Christmas special. There are many ways to do this. Perhaps the best way would be to ignore the iPlayer and use a digital video recorder such as MythTV to tape normal digital TV at high quality.

However, let's imagine that the person has not set that up and is already abroad, so he/she is left with the iPlayer.

No problem. He/she can just set up an HTTP proxy on a UK based machine, and the foreign client computer then accesses the web via that UK based machine. The machine in the UK is the 'server', while the foreign machine is the 'client'.

The client can be any type of computer. For the purposes of this post, and to keep things simple, we will assume it has the Firefox or Iceweasel web browser.

The server can be anything too. However, for the purposes of this post, and to keep things simple, we are going to assume it is a Linux/Unix/BSD system with a package manager, such as Gentoo Linux, Ubuntu Linux or Debian Linux.

Server Side

Start by installing the package privoxy on the server using your package manager.

On Gentoo Linux:

sudo emerge privoxy

On Ubuntu/Debian, it would be:

sudo apt-get install privoxy

Next he/she needs to edit the config file with their favourite editor:

sudo emacs /etc/privoxy/config

It is there on Gentoo and Ubuntu. Different operating systems might put the privoxy config file somewhere slightly different within /etc. It won't be that hard to find.

In that file, the following default line restricts the proxy to the local host, normally a good idea but not useful here:

listen-address 127.0.0.1:8118

So he/she needs to change it to the public IP of the server:

listen-address 83.63.211.84:8118

If he stopped here then anyone on the Internet could use his proxy (an open proxy), not a good plan. Instead he wants to restrict it to wherever he is now, so he adds the following line with the IP address of his client:

permit-access 90.49.66.77/26

Save the file. Then he needs to start the proxy server:

sudo /etc/init.d/privoxy start
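A quick way to check what the edited config actually exposes, as an added example (not code from the original post or from the privoxy project): the script below parses the listen-address and permit-access directives, the two lines edited above, and reports whether the proxy is reachable only from the local host, is an open proxy, or is restricted to an ACL, and in that last case how many client addresses the mask admits. The sample config is constructed from the values used in this post; deny-access lines and IPv6 listeners are assumed out of scope.

```python
"""Audit the two privoxy directives this post edits.

Added example, not code from the original post or from the privoxy
project. It reads listen-address and permit-access lines (deny-access and
IPv6 listeners are assumed out of scope) and reports whether the proxy is
loopback-only, an open proxy, or restricted by an ACL, and in the last
case how many client addresses the ACL admits.
"""
import ipaddress

# Constructed sample config mirroring the edits made in the post.
SAMPLE_CONFIG = """\
# listen on the server's public address (value from the post)
listen-address 83.63.211.84:8118
# allow the client's address (value from the post)
permit-access 90.49.66.77/26
toggle 1
"""


def parse_directives(text):
    """Return (listen_addresses, permit_entries) from privoxy config text."""
    listens, permits = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0], parts[1:]
        if directive == "listen-address" and args:
            listens.append(args[0])
        elif directive == "permit-access" and args:
            permits.append(args[0])            # source spec only; dst part ignored
    return listens, permits


def host_part(spec):
    """'83.63.211.84:8118' -> '83.63.211.84' (IPv4 only in this example)."""
    return spec.rsplit(":", 1)[0] if ":" in spec else spec


def acl_network(entry):
    """'addr[:port][/masklen]' -> IPv4 network. Host bits are masked off,
    which is what a /26 written against a single host address means."""
    addr, masklen = entry, 32
    if "/" in entry:
        addr, mask = entry.split("/", 1)
        masklen = int(mask)
    return ipaddress.ip_network(f"{host_part(addr)}/{masklen}", strict=False)


def classify(text):
    """Classify the exposure of the proxy described by a config text."""
    listens, permits = parse_directives(text)
    result = {"status": None, "admitted_clients": 0, "acl_networks": [], "notes": []}
    if not listens:
        result["status"] = "no-listen-address"
        return result
    public = [l for l in listens
              if not ipaddress.ip_address(host_part(l)).is_loopback]
    if not public:
        result["status"] = "loopback-only"
        result["notes"].append("only local clients (or a tunnel landing on this host) can reach the proxy")
        return result
    if not permits:
        result["status"] = "open"
        result["notes"].append("bound to %s with no permit-access: anyone can use this proxy"
                               % ", ".join(public))
        return result
    nets = [acl_network(p) for p in permits]
    result["status"] = "restricted"
    result["acl_networks"] = [str(n) for n in nets]
    result["admitted_clients"] = sum(n.num_addresses for n in nets)
    for n in nets:
        if n.num_addresses > 1:
            result["notes"].append(f"{n} admits {n.num_addresses} addresses; use /32 for a single client")
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_CONFIG)
    print(report["status"], report["admitted_clients"])
    for note in report["notes"]:
        print(" -", note)
```

To audit the real file, call classify(open('/etc/privoxy/config').read()). Note that a /26 written against a single host address admits the whole 64-address block, not just that one client; writing the address with /32 (or with no mask at all) restricts the proxy to exactly that client.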

Client Side

Now he needs to configure the web browser on the client. On a GNOME based Firefox, we can go: Edit > Preferences > Network > Settings

A Connection Settings dialog appears; enter the IP address and port of the proxy server there, as in the following screenshot.

[Screenshot: Connection Settings Window]

He presses okay and he is done. Completely in theory of course...

More thoughts

The open question with this setup is latency: whether it will be fast enough to comfortably watch streaming video will depend on the bandwidth at each end and many other factors.

The setup should in theory be secure enough, but it is always a good idea to turn off services when you are not using them.

By the way, IP restriction is a really lazy way to provide authentication, not least because IP addresses were not designed to be used this way. It is not the business of the Internet Protocol to care who sent a packet, just to pass it on to the next machine in the chain. It is a hop-by-hop, spoke to hub setup, and thus can never provide end-to-end security.

The BBC would have been better off printing unique usernames and passwords on the back of the licence certificate as Jono Bacon suggested once before (6:55).

Discuss this post - leave a comment

1 John Reese says...

Firstly, I run my own proxy server (Squid) at home so that I can browse securely and unrestricted at the office, where clever co-workers and sysadmins snooping on my packets is on my mind, and to get past the overly restrictive firewall.

A question and a comment:

What made you choose to use a proxy server like Privoxy over something (IMO) more stable/secure/popular like Squid? Is it easier to set up, or are there any other reasons that you used to make the decision?

Also, I think it would be a better, and most certainly more secure, option to not have the proxy server listen on an external port. Rather, the preferred option that should be shown is to have the proxy server only listen on internal ports, and then utilize an ssh-tunnel from the foreign client to the local server to connect to the proxy server. Then only privileged clients can access the proxy, and the client can go anywhere, and change its IP at will (a good idea for those traveling from wifi hotspot to hotspot).

Therefore, the server should only have the "listen-address 127.0.0.1:8118" line listed, and then the user would connect via ssh using the command "ssh -L 8118:localhost:8118 username@83.63.211.84", and then point their browser to the http proxy located at "localhost" on port 8118.

This is how I set up my proxy server at home, only a different port, and I only allow key-based authentication over ssh. But this way, my laptop (or workstation) can connect from any remote location/IP, which is especially useful on campus where I get a different "roamer" IP address every time I connect, and for heading across town to wifi hotspots at restaurants, etc. And no one on the wifi can snoop my packets either, as ssh provides a secure tunnel for data.

Posted at 4:29 p.m. on December 21, 2007


2 andylockran says...

I want to +1 the ssh tunnel idea.

It's loads more secure, and I reckon in 99% of cases you won't be aware of what your IP address is going to be before you get to the 'remote' PC.

Good Call!

Posted at 5:28 p.m. on December 21, 2007


3 David Goodwin says...

I'll ditto the ssh-tunnelled approach. I use this when I'm working offsite - companies nearly always block random sites via port 80, but very rarely block port 443.

Therefore, run 'ssh' on port 443 on $your_server, and do something like:

ssh -L 3128:localhost:3128 you@yourbox

And tell the web browser to use localhost:3128 as its proxy.

As others have said, the above article is of little use - as most companies will block any non-port 80 traffic, and selectively filter port 80 based on content that passes through it. Obviously they can't filter the content of traffic over port 443, as it would be encrypted; so as long as they don't block your IP address....

Posted at 12:31 p.m. on December 23, 2007


4 David Holm says...

Why not just do ssh -D 5000 you@yourhost

Then use 127.0.0.1:5000 as a socks 4 or 5 proxy... Works like a charm and only needs ssh access...

Posted at 6:34 a.m. on June 17, 2008

