Spin up secure HTTPS proxy in less than 10 minutes
Snawoot
Posted on September 13, 2022
This guide explains how to deploy a secure (HTTP-over-TLS) proxy server on any mainstream Linux distro using dumbproxy. It only assumes that the curl utility is present on the server and that you have a root shell. Make sure each step completes without errors before proceeding to the next one.
Why and what for?
Why choose HTTPS proxy?
An HTTPS proxy here is an HTTP proxy exposed via TLS-secured connections, not just an "unencrypted" HTTP proxy which can forward HTTPS connections as well. That is, such an HTTPS proxy introduces an additional TLS layer between the proxy client and the proxy server, ensuring confidentiality of the connection with the proxy. Such proxies are suitable for immediate use in browsers and other software. So-called "VPN extensions" for browsers in fact use such TLS-secured proxies.
Why use dumbproxy for that?
It's a quite simple proxy server designed for today's realities. It works on a lot of various platforms and can be deployed with just one binary file. On the other hand dumbproxy has a number of advantages:
Step 1. Attach the domain name
A domain is needed for smooth TLS operation. You can either get (buy) a domain and attach it to the IP address of your VPS, or use a free domain service. In the latter case, the parent domain of your domain has to be listed in the public suffix list. Otherwise there may be problems with Let's Encrypt rate limits for the top domain of that service. In this guide we use the free domain service freemyip.com, which gives a free domain to the user without any registration.
- Visit the page https://freemyip.com/.
- Pick a nice-looking domain name and claim it.
- Save the URL you get back.
- Issue the following command on your server:
curl 'URL'
where URL is the URL you got from freemyip. Note the single quotes around the URL!
You can check whether this step succeeded: ping the domain name; it should resolve to the IP address of your VPS. If it does not, wait a couple of minutes and retry.
Step 2. Install dumbproxy
Assuming amd64 processor architecture; for other cases get the binary here. Run command:
curl -Lo /usr/local/bin/dumbproxy 'https://github.com/SenseUnit/dumbproxy/releases/download/v1.13.1/dumbproxy.linux-amd64' && chmod +x /usr/local/bin/dumbproxy
Check if the installation was successful. The command /usr/local/bin/dumbproxy -version should output v1.13.1.
Step 3. Configure dumbproxy
Create the password file. Run the following command, replacing USERNAME and PASSWORD with the actual desired values:
dumbproxy -passwd /etc/dumbproxy.htpasswd USERNAME PASSWORD
Configure dumbproxy. Create the file /etc/default/dumbproxy with the following content:
OPTIONS=-auth basicfile://?path=/etc/dumbproxy.htpasswd -autocert -bind-address :443
Place the following content into the file /etc/systemd/system/dumbproxy.service:
[Unit]
Description=Dumb Proxy
Documentation=https://github.com/Snawoot/dumbproxy/
After=network.target network-online.target
Requires=network-online.target
[Service]
EnvironmentFile=/etc/default/dumbproxy
User=root
Group=root
ExecStart=/usr/local/bin/dumbproxy $OPTIONS
TimeoutStopSec=5s
PrivateTmp=true
ProtectSystem=full
LimitNOFILE=20000
[Install]
WantedBy=default.target
Finally, apply the systemd configuration:
systemctl daemon-reload
Step 4. Run dumbproxy
Enable autostart:
systemctl enable dumbproxy
Start service:
systemctl start dumbproxy
You can test whether the proxy is operational using this command:
curl -x https://USERNAME:PASSWORD@DOMAIN http://ifconfig.co
It should output the server's IP address.
Done!
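Before handing the proxy address to clients, it is worth confirming that the setup from Steps 3 and 4 actually enforces authentication. The script below is an added example, not part of the original guide or of dumbproxy itself: the function names are hypothetical, the paths are the ones used above, GNU-style `stat -c` is assumed, and it assumes that a missing `-auth` option means anonymous access and that an authenticating proxy answers 407 to a request without credentials.

```shell
#!/bin/sh
# Added example (not from the guide): post-install checks for Steps 3-4.
# Function names are hypothetical; paths are the ones used in this guide.

# Succeeds if FILE grants nothing to group/other (octal mode ends in 00).
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Prints the value given to -auth on the OPTIONS line (empty if absent).
# Assumes unquoted, whitespace-separated options, as written in Step 3.
auth_value() {
    sed -n 's/^OPTIONS=//p' "$1" | tail -n 1 | tr -s ' \t' '\n' |
        awk '/^--?auth=/ { sub(/^--?auth=/, ""); v = $0 }
             p           { v = $0; p = 0 }
             /^--?auth$/ { p = 1 }
             END         { print v }'
}

# Succeeds if an auth provider other than none:// is configured.
# Assumption: without -auth, dumbproxy accepts anonymous clients.
options_require_auth() {
    case $(auth_value "$1") in ''|none://*) return 1 ;; *) return 0 ;; esac
}

# Succeeds if the live proxy answers 407 to a request without credentials.
proxy_rejects_anonymous() {
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
        -x "https://$1" http://ifconfig.co)
    [ "$code" = 407 ]
}

# Usage: audit_proxy DOMAIN. Returns the number of failed checks.
audit_proxy() {
    fails=0
    mode_is_private /etc/dumbproxy.htpasswd ||
        { echo "FAIL: htpasswd readable by group/other"; fails=$((fails + 1)); }
    options_require_auth /etc/default/dumbproxy ||
        { echo "FAIL: OPTIONS does not enable authentication"; fails=$((fails + 1)); }
    proxy_rejects_anonymous "$1" ||
        { echo "FAIL: no 407 for anonymous request"; fails=$((fails + 1)); }
    return "$fails"
}
```

Source the file and run `audit_proxy DOMAIN` as root on the server; a non-zero return value is the number of failed checks.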
Configuring clients
It's quite trivial to set up a program which supports proxies to use dumbproxy in plain HTTP mode. However, using an HTTP proxy over a TLS connection with browsers is a little bit tricky.
Routing all browsers on Windows via HTTPS proxy
Open proxy settings in the system's network settings:
Turn on the setup script option and set the script address:
data:,function FindProxyForURL(u, h){return "HTTPS example.com:443";}
where instead of example.com:443 you should use the actual address of your HTTPS proxy.
Note: this method will not work with MS Edge Legacy.
Using with Firefox
Option 1. Inline PAC file in settings.
Open Firefox proxy settings, switch proxy mode to "Automatic proxy configuration URL". Specify URL:
data:,function FindProxyForURL(u, h){return "HTTPS example.com:443";}
Option 2. Browser extension.
Use any proxy switching browser extension which supports HTTPS proxies like this one.
Using with Chrome
Option 1. CLI option.
Specify proxy via command line:
chromium-browser --proxy-server='https://example.com:443'
where instead of example.com you should specify your proxy domain name.
Option 2. Browser extension.
Use any proxy switching browser extension which supports HTTPS proxies like this one.
Using with other applications
It is possible to expose a remote HTTPS proxy as a local plaintext HTTP proxy with the help of an external application which performs remote communication via TLS and exposes a local plaintext socket. steady-tun appears to be the most suitable for this because it supports connection pooling to hide connection delay.
Using with Android
- Install Adguard on your Android: Guide.
- Follow this guide, skipping server configuration. Use proxy type HTTPS if you set up a TLS-enabled server, or else use the HTTP type.