The simplest possible reverse proxy
Found http://mitmproxy.org/ !
My use case is covered by:
mitmproxy -p 8080 -P https://remote.site.example.com/
But there's more. It also offers an ncurses UI for showing all requests done, and allows you to inspect them. This makes WireShark unnecessary.
Install with your distro package installer or with easy_install as shown in the question:
virtualenv mitmproxy; cd mitmproxy
bin/easy_install mitmproxy
bin/mitmproxy -p 8080 -P https://remote.site.example.com/
Edit:
For mitmproxy version 3, the arguments would be:
mitmproxy -p 8080 --mode reverse:https://remote.site.example.com/
Explain Reverse Proxy
A reverse proxy is used to add features to a web server like load balancing, security, and caching.
For a hacker to take advantage of this they would need to trick the user into going to a different address from your real one (phishing) and then using the reverse proxy to make it look like they hit the real site.
With a locally installed application or virus it's possible to change the hosts file or intercept dns requests to redirect traffic to the real address, but that is far rarer than phishing.
http://en.wikipedia.org/wiki/Reverse_proxy
A reverse proxy is a proxy server that is installed on a server network or on network equipment. Typically, reverse proxies are used in front of Web servers. All connections coming from the Internet addressed to one of the Web servers are routed through the proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers.
A reverse proxy dispatches in-bound network traffic to a set of servers, presenting a single interface to the caller. For example, a reverse proxy could be used for load balancing a cluster of web servers. In contrast, a forward proxy acts as a proxy for out-bound traffic. For example, an ISP may use a proxy to forward HTTP traffic from its clients to external web servers on the Internet; it may also cache the results to improve performance.
Building a reverse proxy
Personally I'd try out this guy first.
Just to expound a bit, people who said "try node.js or Scala" are slightly misguided in that Scala—like Java—is just a programming language, whereas node.js is most of a platform. Apart from its general advantages, the main things Scala brings to the table for this kind of project are:
A juicy bit of syntax that makes it easier to write actor systems as libraries, namely PartialFunction "literals":
trait NeedsAPF {
def pf: PartialFunction[Any,Unit]
}
object PFHaver extends NeedsAPF {
def pf = {
case i: Int => println("I got an int and it was " + i)
}
}When you're ready for it, a continuations plugin, which lets you write code that looks synchronous, but can be asynchronous under the covers.
How might one set up a reverse proxy that cannot decrypt traffic?
From your question, I got that you want to listen to requests from your VPC server and pass the request to your other server which has to remain unexposed.
This can be configured with the web server which you are using for proxy ( considering AWS allows port forwarding from a VPN server to non-VPN server ).
I prefer doing this with Nginx as it is easy, open-source with less code and more functionality.
There is a concept of load balancing which does the same as you mentioned above.
steps :
Install Nginx and keep it active.
Create a new configuration file in /etc/nginx/sites-enabled
write the below code with modifications:
http {
upstream myapp1 {
server srv1.example.com;
server srv2.example.com;
server srv3.example.com;
}server {
listen 80;location / {
proxy_pass http://myapp1;
}}
}
and at the place of srv1.example.com
and srv2.example.com
add the domain to which you want to redirect requests
- Save the file and restart the Nginx
- Boom!! it should redirect all incoming requests to your application.
Access Website With Reverse Proxy
Yes it's possible, you can install on their intranet a simple proxy script for example
https://github.com/Athlon1600/php-proxy-app
and modify the index.php and allow from there only a single host to your website.
I don't know what technology you can use on their Intranet network but virtually for every web language, such software is available.
Easy reverse proxy for serving images over ssl
I would suggest the same thing as Tudor: a proxy written in node.
However, I would advise using a more broadly used and tested library such as node-http-proxy. It is really simple to setup, and will achieve what you need in less than 20 lines of code.
var httpProxy = require('http-proxy')
httpProxy.createServer({
target: {
host: 'stuff.com',
port: 80
},
ssl: {
key: fs.readFileSync('./ssl-key.pem', 'utf8'),
cert: fs.readFileSync('./ssl-cert.pem', 'utf8')
}
}).listen(443);
If a client then accesses https://reverseproxy.com/image.png, the process would go as follows
I have assumed in this schema that the reverse proxy runs on a different server as the webserver serving the images, but this does not have to be the case. If they both run on the same server, just use host: 'localhost'
in the target
section.
--
Just in case you are not familiar with Node, here's what you need to do in order to quickly run this setup.
- Install Node
- Create a new file containing the code in yourprojectpath/index.js
- Generate a package.json file by running
npm init
in your project's directory - Run
npm install --save http-proxy
to install thehttp-proxy
library and be able to use it in the code
You should now be able to run the reverse proxy by running
node index.js
If you are planning on using this in production, I highly recommend you take a look at PM2. It is a process manager for node which basically ensures that your application is always running, no matter what. In particular, it will restart it if any kind of exception is thrown from the application and would have caused it to terminate.
Installation:
npm install -g pm2
Usage:
pm2 start index.js
A few more notes:
- make sure that your
.pem
files have appropriate permissions and owner.chmod 400
is usually a good option (only readable by owner). The user running the Node application should be able to read them, though. - if your server runs behind a (software or hardware) firewall, you may need to open your port 443 to incoming traffic
- depending on your SSL certificate provider, you might need to convert the files it will provide you to the PEM format
- if needed, node-http-proxy supports additional options such as adding headers when a request is proxied
- the script I presented above assumes you have
ssl-key.pem
andssl-cert.pem
in the same directory as it
Hope that helps! And just ask if something looks unclear to you
Related Topics
R, Python: Install Packages on Rpy2
Python VS Groovy VS Ruby? (Based on Criteria Listed in Question)
How to Import a JSON from a File on Cloud Storage to Bigquery
How to Add Title to Subplots in Matplotlib
How to Override the Copy/Deepcopy Operations for a Python Object
How to Round a Floating Point Number Up to a Certain Decimal Place
How to Implement Custom Indentation When Pretty-Printing with the JSON Module
How to Change the Name of a Django App
Convert a Timedelta to Days, Hours and Minutes
Python Urllib2, Basic Http Authentication, and Tr.Im
Trouble Installing Rpy2 on Win7 (R 2.12, Python 2.5)
Ruby Equivalent of Python's "Dir"
What Does Blazeds Livecycle Data Services Do, That Something Like Pyamf or Rubyamf Not Do
How to Increment Datetime by Custom Months in Python Without Using Library
What Is the Cause of the Bad Request Error When Submitting Form in Flask Application