Simple Intranet Proxy

A simple guide to setting up your home server as a transparent internet proxy.
Using Debian Lenny, Apache 2.2, mod_proxy_http and mod_proxy_ftp



Why would I want to use my home server as a proxy?

The simplest reason is to hide your internal network IP address. Other reasons include enabling server disk caching for retrieved web content, which is an especially nice way to reduce overall network traffic if you have several computers in the house. Note that this setup does not disable regular internet access; it just adds a VirtualHost under Apache that responds on the proxy port, so you can decide how to access the internet. Some incorrectly configured servers deny access to browsers claiming to be from reserved addresses like 192.xxx, 10.xxx, 124.xxx, 240.xxx etc., and this proxy will access them correctly by presenting the server IP rather than the NAT IP.

What is the downside of using Apache 2.2 as a proxy?

The most notable downside is overhead. Using Apache to "stand between" your private network and the internet has the disadvantage of requiring additional network traffic, both on the browser box side and on the internet side. It increases the size of the request header and can generate additional connections as well. It can also interfere with the normal forwarding of ports for programs like uTorrent, BitTorrent or eMule if you configure them to use the proxy. If, for example, you have a Windows machine with a port forwarded (DNAT through iptables) for uTorrent or BitTorrent and you enable the HTTP proxy in that program, incoming connection attempts on that port will connect to your forwarded NAT IP on the specified port. I'm not guru enough to understand such things yet, so the result is undefined. In any case it's best to avoid the proxy for file downloads or torrent retrievals. I noted a significant (10%+) increase in overhead using the proxy in uTorrent. As an example, using a direct internet connection with a few hundred connections under uTorrent you may see little overhead, typically .1% (point one) or so. However, forwarding all traffic through Apache produces as much as 1% overhead. In a typical situation seeding two torrents I see download activity of about 3K per second. Switching to a direct connection reduces that to .1-.3 K per second. But, for those times when you want or need to hide your NAT IP address it's the BOMB! I admit more research is necessary on my end to figure out how to properly forward a port through the proxy server. It may not even work using Apache 2.2 as a forward proxy. But since I'm mostly interested in caching or hiding my internal IP, it's a moot point for me. I suspect it would require a reverse proxy to work properly, but it makes no sense.

First off, this configuration adds an additional proxy path between your internal network and the internet, so you can still use your NAT configuration. There are two basic types of proxy servers, called forward and reverse. Large sites like Google or Yahoo would use a reverse proxy in combination with mod_proxy_balancer to distribute requests arriving on a single IP to a plethora of servers. Since we are talking about a home server it's unlikely you'll need more than this. But, if you have a hosted site in addition to your home server you can use a reverse proxy to retrieve pages or other content seamlessly.

We will set up a simple Forward proxy. The configuration is rather simple, as I've discovered. If your server is also serving pages to the internet as is usually the case with a home server, the easiest and most sane way to do this is to use a Virtual Host definition. This VirtualHost will answer ONLY on your intranet NIC and only on the specified port. There are two places in your Apache 2.2 configuration that need changing. You'll need to allow Apache to listen on the internal NIC IP address and the specific proxy port.

First, open /etc/apache2/ports.conf and add the line "Listen 'your intranet IP':8080".
See the third Listen line below for an example. This configuration is from Debian Lenny, so it may look different from early Lenny, Etch or older Debian versions. The IP address in the third Listen line is the address of my internet gateway, the adapter that connects to my internal network. Specifying the IP here prevents Apache from using port 8080 on any other adapter, which is important for security: allowing the internet at large to use your proxy is a serious security breach for both you and the internet at large. See the official Apache documentation for more information.

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
#NameVirtualHost *:80
Listen *:80
Listen *:443
Listen 192.168.1.110:8080
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
</IfModule>

Now create and edit /etc/apache2/sites-available/proxy.conf using the following example. The IP address (in the VirtualHost and NoProxy lines), the ServerAdmin address and the "Allow from" prefix will probably need to be changed, unless your gateway IP is 192.168.1.110. Pay special attention to the "Allow from xxx.xxx.xxx" line, noting it does not use the standard netbits address. Entering only the first three IP descriptors here tells Apache you want to allow addresses that begin with 192.168.1, so all addresses within that block will be allowed. The equivalent netbit ip is 192.168.1.0/8 . The server admin is the email address displayed when a proxy request fails or is denied.

# if you want to proxy for a LAN, if this machine is a gateway/firewall
<VirtualHost 192.168.1.110:8080>
    ServerAdmin webmaster@trbailey.net
    <IfModule mod_proxy.c>
        ProxyVia on
        # don't proxy for LAN addresses
        NoProxy 127.0.0.1 192.168.1.110
        ProxyBadHeader Ignore
        ProxyStatus On
        ProxyPreserveHost on
        # mod_disk_cache is the module that "a2enmod disk_cache" enables; the
        # container must name it, otherwise the cache directives are skipped
        <IfModule mod_disk_cache.c>
            CacheEnable disk /
            CacheRoot /var/cache/apache2/mod_disk_cache
        </IfModule>
        # deny everyone first, then allow only the LAN prefix
        <Proxy *>
            Order Deny,Allow
            Deny from all
            Allow from 192.168.1
        </Proxy>
        ProxyRequests on
    </IfModule>
</VirtualHost>
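An added audit helper (not from the original page) that checks the two things the ports.conf and proxy.conf sections above get right: the proxy port is bound to one internal address only, and the <Proxy *> container denies by default and allows only the LAN. Apache's partial-address form "Allow from 192.168.1" matches every address beginning with 192.168.1, which in CIDR notation is 192.168.1.0/24. The sample files the demo writes are constructed here and mirror the page's configuration, plus one deliberately exposed variant.

```shell
#!/bin/sh
# Added audit helper, not part of the original page. Reads an Apache 2.2
# ports.conf and a proxy VirtualHost file and flags:
#   1. a Listen for the proxy port with no specific address (8080, *:8080,
#      0.0.0.0:8080, [::]:8080), which exposes the proxy on every interface;
#   2. a <Proxy *> block that lacks Order Deny,Allow / Deny from all / Allow from.
# Usage: check_proxy_config PORTS_CONF VHOST_CONF [PROXY_PORT]  (0 = pass)
check_proxy_config() {
    ports_conf="$1"; vhost_conf="$2"; port="${3:-8080}"
    rc=0
    bad_listen=$(awk -v port="$port" '
        tolower($1) == "listen" {
            addr = $2
            if (addr ~ /^\[/) {          # IPv6 form [addr]:port
                host = addr; sub(/\]:.*$/, "", host); sub(/^\[/, "", host)
                p = addr; sub(/^.*\]:/, "", p)
            } else {
                n = split(addr, parts, ":"); p = parts[n]
                host = (n > 1) ? parts[1] : ""
            }
            if (p == port && (host == "" || host == "*" || host == "0.0.0.0" || host == "::")) print
        }' "$ports_conf")
    if [ -n "$bad_listen" ]; then
        echo "FAIL: proxy port $port is reachable on all interfaces: $bad_listen"; rc=1
    fi
    # Only the lines inside <Proxy *> ... </Proxy> decide who may use the proxy.
    proxy_block=$(awk '
        /^[ \t]*<Proxy[ \t]+\*>/ { inblk = 1; next }
        /^[ \t]*<\/Proxy>/       { inblk = 0 }
        inblk                    { print }' "$vhost_conf")
    if ! printf '%s\n' "$proxy_block" | grep -qiE '^[[:space:]]*Order[[:space:]]+Deny,Allow'; then
        echo "FAIL: <Proxy *> needs 'Order Deny,Allow' so the Allow line wins for LAN clients"; rc=1
    fi
    if ! printf '%s\n' "$proxy_block" | grep -qiE '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all'; then
        echo "FAIL: <Proxy *> does not 'Deny from all' by default"; rc=1
    fi
    if ! printf '%s\n' "$proxy_block" | grep -qiE '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+[0-9]'; then
        echo "FAIL: <Proxy *> has no 'Allow from <LAN prefix>' line"; rc=1
    fi
    return $rc
}

# Constructed samples: the page's configuration and an exposed variant.
write_samples() {
    dir="$1"
    printf 'Listen *:80\nListen *:443\nListen 192.168.1.110:8080\n' > "$dir/ports.conf"
    printf 'Listen *:80\nListen 8080\n' > "$dir/ports-exposed.conf"
    cat > "$dir/proxy.conf" <<'EOF'
<VirtualHost 192.168.1.110:8080>
    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from 192.168.1
    </Proxy>
    ProxyRequests on
</VirtualHost>
EOF
    cat > "$dir/proxy-open.conf" <<'EOF'
<VirtualHost *:8080>
    <Proxy *>
        Order Deny,Allow
        Allow from all
    </Proxy>
    ProxyRequests on
</VirtualHost>
EOF
}

# demo_good returns 0 (page config passes); demo_bad returns 1 (exposed variant fails).
demo_good() {
    tmp=$(mktemp -d) || return 1; write_samples "$tmp"
    check_proxy_config "$tmp/ports.conf" "$tmp/proxy.conf" 8080; rc=$?
    rm -rf "$tmp"; return $rc
}
demo_bad() {
    tmp=$(mktemp -d) || return 1; write_samples "$tmp"
    check_proxy_config "$tmp/ports-exposed.conf" "$tmp/proxy-open.conf" 8080; rc=$?
    rm -rf "$tmp"; return $rc
}

demo_good && echo "page configuration: PASS"
demo_bad  || echo "exposed variant: rejected as expected"
```

On a real server run check_proxy_config /etc/apache2/ports.conf /etc/apache2/sites-available/proxy.conf 8080 after each edit; a non-zero exit means the proxy would answer for, or relay for, more than your LAN.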

Save the above file, enable the proxy virtual host and check that apache will reload correctly with:
ln -s /etc/apache2/sites-available/proxy.conf /etc/apache2/sites-enabled/proxy.conf
/etc/init.d/apache2 force-reload
The first line creates a symlink in sites-enabled that points at the proxy.conf in sites-available (ln -s takes the target first, then the link name).
The second line reloads the apache configuration without restarting.

Now enable mod proxy for http and ftp and disk cache using the following command:
a2enmod proxy proxy_http proxy_ftp cache disk_cache

You'll see the a2enmod script adding symlinks for the appropriate module config and telling you you'll need to restart apache to enable them.
/etc/init.d/apache2 restart
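The enabling steps as one script, added here and not taken from the original page. It creates the symlink with ln -s TARGET LINKNAME (the link in sites-enabled pointing at sites-available), is safe to run twice, and runs apache2ctl configtest before any restart so a typo in proxy.conf cannot take the server down. APACHE_ROOT is a hypothetical variable used only so the link step can be exercised in a scratch directory; it defaults to /etc/apache2.

```shell
#!/bin/sh
# Added example (not from the original page): enable the proxy site and the
# modules it needs, testing the configuration before restarting.
# APACHE_ROOT is a hypothetical override for the scratch demo below.

enable_proxy_site() {
    root="${APACHE_ROOT:-/etc/apache2}"
    site="${1:-proxy.conf}"
    target="$root/sites-available/$site"
    link="$root/sites-enabled/$site"
    # The link lives in sites-enabled and points at sites-available. Swapping
    # the two arguments leaves a dangling link in sites-available and the
    # VirtualHost is never loaded.
    [ -f "$target" ] || { echo "missing $target" >&2; return 1; }
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] || { echo "$link points elsewhere" >&2; return 1; }
    else
        ln -s "$target" "$link" || return 1
    fi
    echo "enabled $site"
}

apply_apache_changes() {
    # Module enabling and the restart only make sense on a real Debian host.
    command -v a2enmod >/dev/null 2>&1 || { echo "a2enmod not found; skipping" >&2; return 0; }
    a2enmod proxy proxy_http proxy_ftp cache disk_cache || return 1
    # Fail closed: never restart with a configuration that does not parse.
    apache2ctl configtest || return 1
    /etc/init.d/apache2 restart
}

# Scratch run in a throwaway tree: verifies the link direction and idempotence
# without touching the real server. Returns 0 when the link is correct.
demo_enable() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sites-available" "$tmp/sites-enabled"
    printf '<VirtualHost 192.168.1.110:8080>\n</VirtualHost>\n' > "$tmp/sites-available/proxy.conf"
    APACHE_ROOT="$tmp"
    enable_proxy_site proxy.conf >/dev/null 2>&1 || { rm -rf "$tmp"; unset APACHE_ROOT; return 1; }
    # Second run must keep the existing, correct link rather than fail.
    enable_proxy_site proxy.conf >/dev/null 2>&1 || { rm -rf "$tmp"; unset APACHE_ROOT; return 1; }
    result=$(readlink "$tmp/sites-enabled/proxy.conf")
    rm -rf "$tmp"; unset APACHE_ROOT
    [ "$result" = "$tmp/sites-available/proxy.conf" ]
}

demo_enable && echo "symlink step verified in a scratch tree"
# On the server itself: enable_proxy_site proxy.conf && apply_apache_changes
```

apache2ctl configtest is the check worth keeping even if you type the rest by hand: it reports a bad directive or an unknown module name before the restart, instead of leaving you with a stopped Apache.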

You need to restart apache rather than just graceful restart to force creation of the cache directories and start the cache control daemon. If all went well you can now go to your browser and change the internet connection to use the proxy. In Firefox it's under Tools>Options>Advanced>Network. Under IE7 Tools>Internet Options>Connections>Lan Settings tick the "proxy" box, enter the gateway IP and port 8080. You can also tick "bypass proxy for local addresses" if you run any local software that has an integral web server, like uTorrent, BitTorrent, eMule etc.

Set the proxy to Manual using the VirtualHost IP address and port 8080. You'll know from the first attempt to load a page whether it's working or not. If you get an access denied error it's likely your "Allow from" is incorrect or you have a firewall enabled between your browser box and the server. If you have a working server firewall, which is probably the case if you use NAT, you can safely disable the Windows or Linux desktop firewall.

In the proxy setup for either your browser or other program it may allow you to specify IP or hostnames not to proxy. I add my server "trbailey.net", localhost, 127.0.0.1 and my server IP. Sometimes I use uTorrent or emule web access so I don't want localhost requests going to the proxy.

NOTE: You may need to open port 8080 if you stubbornly run the firewall on your desktop box in addition to your server iptables firewall. Note that it's unnecessary to do so if your server firewall is correctly configured.

Now browse to a browser header check page and note that the request header now contains your server IP rather than your local network IP. You'll also notice it shows "Via: 1.1 gate:8080", which indicates the request came through a proxy server (gate being the proxy's hostname).

To use this setup with uTorrent or Emule you can change the proxy settings in that program as well.

Comments or corrections: siggma@trbailey.net