Hi,
What I'm looking for is basically a browser in a browser. I need to circumvent any possible leaks from and restrictions of a potentially compromised network while being free to browse the entire WWW. The only connections a client would do are http/s connections to a specific server running the proxy while the actual browsing would be on the server-side. The server would do all the "dirty" work on behalf of the client, i.e. downloading other sites and displaying them, handling cookies, cache, etc. Client requirements should only be a standards-aware web browser and unrestricted http(s) connection (either direct or through a proxy). No additional settings should be required on the client side.
So far I failed to formulate a google/ddg query that would point me in the right direction. Any help appreciated.
-miky
What happened to Arch's KISS? systemd sure is stupid but I must have missed the simple part ...
... and who is general Failure and why is he reading my harddisk?
Offline
This:
I need to circumvent any possible leaks from and restrictions of a potentially compromised network
And this:
Client requirements should only be a standards-aware web browser and unrestricted http(s) connection
Are mutually exclusive requirements.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
This:
mr.MikyMaus wrote: I need to circumvent any possible leaks from and restrictions of a potentially compromised network
And this:
mr.MikyMaus wrote: Client requirements should only be a standards-aware web browser and unrestricted http(s) connection
Are mutually exclusive requirements.
I dare to disagree. Provided that the client system/browser is not compromised, the only leak, when using ssl, is the server ip address, and possibly its reverse DNS record with related whois. MITM is ruled out when using https as long as the server is under my control - I can check the certificate by other means, like having its hash written on a piece of paper.
Let me stress that I trust the client computer. Only the transit network is potentially compromised.
The entire idea of this is that the network will only know one thing - the IP address (and related info) of the one server the software runs on.
-m.
Offline
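The out-of-band certificate check mentioned in the post above, as an added example that is not part of the original thread: it compares a certificate's SHA-256 fingerprint with a value copied from a paper note. The certificate bytes are constructed placeholders; on a real machine the PEM text would come from `ssl.get_server_certificate((host, 443))`.

```python
import hashlib
import hmac
import re
import ssl

def cert_fingerprint(pem):
    """SHA-256 over the DER encoding: the value browsers show as the fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()

def as_displayed(hex_digest):
    """Format as AB:CD:..., the usual form in a certificate viewer."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, 64, 2)).upper()

def normalize(written):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex as copied from paper."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", written).lower()
    if len(hex_only) != 64:
        raise ValueError("expected 64 hex digits for a SHA-256 fingerprint")
    return hex_only

def matches_note(pem, written):
    """True only if the presented certificate is the one noted down."""
    return hmac.compare_digest(cert_fingerprint(pem), normalize(written))

# Constructed stand-ins (not real certificates): the server's own certificate
# and a different one, as an intercepting proxy on the network would present.
SERVER_PEM = ssl.DER_cert_to_PEM_cert(bytes(range(256)) * 3)
OTHER_PEM = ssl.DER_cert_to_PEM_cert(bytes(range(255, -1, -1)) * 3)

if __name__ == "__main__":
    note = as_displayed(cert_fingerprint(SERVER_PEM))  # what goes on the paper
    print("note on paper :", note)
    print("own server    :", matches_note(SERVER_PEM, note))
    print("substituted   :", matches_note(OTHER_PEM, note))
```

A substituted certificate that chains to a root already trusted by the client raises no browser warning, so the fingerprint comparison is the step that exposes it.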
I'm not really a sysadmin expert but I think that a combination of Privoxy (for stripping away any identifying information) and Polipo (for fast caching) should work for what you want. You can set them up to be shared between multiple computers on a network. Be sure to put Polipo after Privoxy in the chain (that is, the users should connect to Privoxy, and Privoxy connects through Polipo). I use this personally and it works great. I have it set up on a server on my home network for all other computers on the network to browse through and everything seems to work fine.
Last edited by jakobcreutzfeldt (2013-07-22 09:57:56)
Offline
... a combination of Privoxy ... and Polipo ... should work for what you want ...
Thanks Jakob but this isn't what I want. In order to use this kind of proxy you must be able to set up your browser, which is not possible in my scenario - no configuration whatsoever should be needed. I require the "proxy" to be able to run and act like a webpage, not as a network service.
-m.
Offline
I'm not sure if what you're asking for exists. Maybe write some basic web application to do it for you.
Can you just set up an SSH tunnel to the server and route all traffic on port 80 through it?
Offline
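The core of the "basic web application" suggested above, as an added example that is not part of the original thread and not taken from any project named in it: the server rewrites every reference in a fetched page so the browser only ever contacts the proxy host, then lists references that would still go out directly. `PROXY_ENDPOINT`, the host names and the sample page are constructed assumptions.

```python
import re
from urllib.parse import quote, urljoin, urlsplit

PROXY_ENDPOINT = "https://proxy.example/browse?url="  # hypothetical server URL

# Attributes that make a browser issue a request. Not exhaustive: CSS url(),
# srcset, meta refresh and script-built URLs need their own handling.
_ATTR = re.compile(
    r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>.*?)(?P=q)''',
    re.IGNORECASE | re.DOTALL)

def to_proxy_url(base_url, ref):
    """Resolve ref against the page it came from and wrap it in a proxy URL."""
    absolute = urljoin(base_url, ref.strip())
    if urlsplit(absolute).scheme not in ("http", "https"):
        return None  # mailto:, javascript:, data: are not fetched via the proxy
    return PROXY_ENDPOINT + quote(absolute, safe="")

def rewrite_html(base_url, html):
    """Point every href/src/action at the proxy endpoint."""
    def repl(m):
        wrapped = to_proxy_url(base_url, m.group("url"))
        if wrapped is None:
            return m.group(0)
        return f'{m.group("attr")}{m.group("q")}{wrapped}{m.group("q")}'
    return _ATTR.sub(repl, html)

def direct_references(html):
    """URLs the browser would still fetch itself, visible to the local network."""
    found = re.findall(r'''(?:https?:)?//[^\s"'<>)]+''', html)
    return [u for u in found if not u.startswith(PROXY_ENDPOINT)]

# Constructed sample page.
SAMPLE_BASE = "http://news.example/world/index.html"
SAMPLE_HTML = (
    '<a href="/sport">Sport</a>'
    '<img src="//cdn.example/logo.png">'
    '<a href="mailto:editor@news.example">Mail</a>'
    '<div style="background:url(http://ads.example/b.gif)"></div>'
)

if __name__ == "__main__":
    page = rewrite_html(SAMPLE_BASE, SAMPLE_HTML)
    print(page)
    print("still fetched directly:", direct_references(page))
```

The inline-style URL survives the attribute rewrite, which shows why every reference type has to be covered before the local network stops seeing third-party host names.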
I'm not sure if what you're asking for exists.
That's why I'm asking I haven't found anything yet..
Can you just set up an SSH tunnel to the server and route all traffic on port 80 through it?
No, the client is absolutely unconfigurable. Imagine it's a kiosk system with only browser running and it is behind an already pre-configured http proxy which would only let http-ish traffic out.
-m.
Offline
I have it set up on a server on my home network for all other computers on the network to browse through and everything seems to work fine.
In my opinion, this scheme just hides which of your computers made a particular http request. In any case the requests are coming from your home network IP. So it does not make sense to use this scheme in terms of hiding where the requests are coming from. All the requests are associated with your IP, so Big Brother knows where to look for the person who sent the request.
This software should be installed on a remote server that can't be associated with either your IP or your person.
Last edited by chord (2013-07-22 10:49:25)
Offline
I haven't found anything yet..
I would like to have such a server too.
Offline
jakobcreutzfeldt wrote: I have it set up on a server on my home network for all other computers on the network to browse through and everything seems to work fine.
In my opinion, this scheme just hides which of your computers made a particular http request. In any case the requests are coming from your home network IP. So it does not make sense to use this scheme in terms of hiding where the requests are coming from. All the requests are associated with your IP, so Big Brother knows where to look for the person who sent the request.
This software should be installed on a remote server that can't be associated with either your IP or your person.
That's not the point. If I really wanted to obfuscate the origin of my requests, I would use something like Tor, not Privoxy. I use Privoxy to strip out all private information from the HTTP request headers and such. And there's nothing stopping me from running Privoxy on some external server (obviously some access control would have to be in place, but that's beside the point). In the scheme that the OP described, only the IP address of the server should be known to any of the external sites; that's exactly what Privoxy (or really, any proxy server) would do. Privoxy would add the extra benefit of stripping away any additional private information from the requests, like user agents and referral sources, etc. The only reason it doesn't work for what he wants to do is that he cannot set up his local browser to route traffic through an external proxy.
Last edited by jakobcreutzfeldt (2013-07-22 10:56:46)
Offline
I think you should look at rdp / vnc based solutions for this.
Basically, this is how it would work:
Serverside
- a VM is configured with all the security measures you desire
- you set up a vnc/rdp server with a web interface that allows you to control the VM over https
Client
- browser connects to the VM on the server
The main problem with this will likely be to find a suitable vnc/rdp server, check out gotomypc.com for an example of such a setup.
Last edited by Lone_Wolf (2013-07-22 11:02:51)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
... In the scheme that the OP described, only the IP address of the server should be known to any of the external sites...
I see, there's been a misunderstanding. Although the scheme I described probably would result in such a situation, my primary concern is that the ISP's network (or better, the network in which the client computer resides) doesn't get to know what sites have been visited. I don't really care about sites. For that, indeed, the above-mentioned Privoxy scheme would work well enough.
-m.
Offline
jakobcreutzfeldt wrote: ... In the scheme that the OP described, only the IP address of the server should be known to any of the external sites...
I see, there's been a misunderstanding. Although the scheme I described probably would result in such a situation, my primary concern is that the ISP's network (or better, the network in which the client computer resides) doesn't get to know what sites have been visited. I don't really care about sites. For that, indeed, the above-mentioned Privoxy scheme would work well enough.
-m.
Ah I see, yes I misunderstood. Sorry for the noise!
Offline
If so, maybe a browser addon like proxy switcher can help.
I thought the OP needs to hide all the information about the requester, including where all the traffic went from initially.
Offline
I think you should look at rdp / vnc based solutions for this.
That was one of the first ideas I got. Though I'd still need a web-tech based VNC/RDP client that would run inside a browser and be able to tunnel its traffic through (or mask as) https.
I abandoned this idea for now, mostly due to its bloaty nature and because I'd have to sacrifice the 443 port on the server just for the VNC service. It's still on the list though.
-m.
Offline
If so, maybe a browser addon like proxy switcher can help.
Not really, the solution must not require any special settings on the client side - it must be purely web-tech based and available only on L7.
I thought the OP needs to hide all the information about the requester, including where all the traffic went from initially.
Yes and no. I need to hide as much information as possible from the ISP, not from sites.
Guess I'm sorry for the confusion.
-m.
Offline
Let me stress that I trust the client computer. Only the transit network is potentially compromised.
You didn't make that clear; I thought you meant the client was compromised.
Sounds like you want a server that presents a VNC session, and a Java VNC client so you can open the server's "site" on the client, which will run the Java VNC client, connect to the server's VNC server and then run your browser of choice on the server.
I'm not aware of any turnkey solutions to this scenario.
Offline
I know it's an old topic. But the answers give no solution at all..
Look at Glype Proxy:
https://sourceforge.net/projects/glypeproxy/
Offline
Thanks for sharing, however it is doubtful that the OP still has the same requirement after 5 years.
Closing.
Reopened on appeal.
Last edited by V1del (2018-02-16 19:36:11)
Offline