About CGIProxy

INTRODUCTION:

This CGI script acts as an HTTP or FTP proxy. Through it, you can can
retrieve any resource that is accessible from the server this runs on.
This is useful when your own access is limited, but you can reach a server
that can in turn reach others that you can't. By default, no user info
(except browser type) is sent to the target server, so you can set up your
own anonymous proxy like The Anonymizer (http://www.anonymizer.com/).

Whenever an HTML resource is retrieved, it's modified so that all links
in it point back through the same proxy, including images, form submissions,
and everything else. Once you're using the proxy, you can browse normally
and (almost) forget it's there.

Configurable options include cookie support, text-only proxying (to save
bandwidth), simple ad filtering, script removal, custom encoding of target
URLs, and more. See the complete list of configuration options below.

Requires Perl 5.004 or later.

The original seed for this was a program I wrote for Rich Morin's
article in the June 1996 issue of Unix Review, online at


IMPORTANT NOTE ABOUT ANONYMOUS BROWSING:

CGIProxy was originally made for indirect browsing more than anonymity,
but since people are using it for anonymity, I've tried to make it as
anonymous as possible. Suggestions welcome. For best anonymity, browse
with JavaScript turned off, or configure CGIProxy to remove script
content (see the options below). In fact, that's the only reliable way,
in spite of what certain anonymity vendors claim.

Anonymity is pretty good, but may not be bulletproof. For example, if
even a single JavaScript statement can be run, your anonymity can be
compromised. I've tried to remove JS from every place it can exist, but
please tell me if I missed any. Also, browser plugins or other executable
extensions may be able to reveal you to a server.


LEGAL DISCLAIMER:

Censorship is a controversial subject, and some governments and companies
have rules about what information you should have access to. If you use
my software to bypass rules that have been imposed on you, you assume all
legal risks and responsibilities involved. I'm providing the software as
a demonstration and teaching tool, and for when legitimate access is
needed to non-accessible servers. I won't encourage you to break any
rules, because I would get in trouble if I did. I can't prevent you from
using this software in illegitimate ways, but I believe the value of it as
a teaching tool is far too great to let a few miscreants ruin it for
everybody.


INSTALLATION:

To run this, your server must support Non-Parsed Header (NPH) CGI scripts.
Most servers do, but not all. (Starting in version 1.3.2, there may be a
way to run this script without NPH support; see the $NOT_RUNNING_AS_NPH
option below and read the warnings where it is set in the source code.)

Quick answer: Put nph-proxy.cgi on a Web server and call it. Really, that's
all most people need to do. To add SSL support, see the "SSL SUPPORT:"
section below.

Longer answer:

1) Unpack the distribution.
2) Set any desired options in nph-proxy.cgi by editing the file. See all
the options below; the defaults are probably fine if you don't feel like
messing with it. If you have special server or network issues, like an
SSL server on a non-standard port or an HTTP or SSL proxy you must use,
then see the section "OPTIONS RELATED TO YOUR SERVER/NETWORK ENVIRONMENT".
If you don't know Perl, you can guess how to set a value by emulating
the examples already in there. Variables starting with "$" hold single
values, and variables starting with "@" hold lists of values. Lines
beginning with "#" are comments and are ignored when the program runs.
As in most programming languages, 1 means true and 0 means false.
The reason all the options don't go in a separate configuration file
is because that would require the script to open and read that file
with every call, which would put a major load on the CPU.

3) Install the script like any other CGI script (set permissions and path
to the Perl interpreter). Be sure it's installed as an NPH script. In
Apache and related servers, do this by starting the filename with "nph-".
If you've never installed a CGI script before, then I recommend finding
a simple one somewhere to install first, so you can become familiar with
the process. Then install CGIProxy.

If you prefer, Zoltan Milosevic has made an automatic installer for CGIProxy,
at http://www.xav.com/cgi-sys/cgiwrap/xav/install.cgi?p=cgiproxy . Give it
your server and account information, and it places the script for you.

To add SSL support (lets you access secure servers), see the section
"SSL SUPPORT:" below. You need to install a couple more packages. Once
these packages are installed, CGIProxy will automatically detect them and
support SSL. If the packages aren't present, then CGIProxy will still
work fine for everything else except access to secure servers. If you need
to use an SSL proxy, be sure to set $SSL_PROXY (and possibly $SSL_PROXY_AUTH).

If heavy use of this proxy strains your server's CPU, see "NOTES ON
PERFORMANCE" in the source code.


SSL SUPPORT:

To retrieve pages from secure servers, you need to install two separate
packages on the server in addition to nph-proxy.cgi:

1) OpenSSL, a freely-available library of SSL and cryptography tools
2) Net::SSLeay, a Perl module to interface with OpenSSL

OpenSSL is already installed on many servers. You can usually tell which
version you have (if any) by entering "openssl version" at a Unix prompt.
The Net::SSLeay module is not as common, but you can check whether it's
installed and which version you have with:

perl -MNet::SSLeay -e 'print "$Net::SSLeay::VERSION\n"'
Either you get a version number, or it fails if Net::SSLeay isn't installed.
If you need to install either package, they're at, respectively:

http://www.openssl.org/
http://symlabs.com/Net_SSLeay/

Installing these packages is "beyond the scope of this README", but usually
they both install easily with no problems. If you don't have root access on
your server, you may need to change the default installation directory, maybe
by manually editing the PREFIX setting in Makefile or something like that.
Once these packages are correctly installed where nph-proxy.cgi can find
them, the script will automatically detect them and support SSL; no changes
to nph-proxy.cgi are needed. If you have to install Net::SSLeay somewhere
that's not on the standard Perl module path (i.e. @INC), then add a
"use lib" command to nph-proxy.cgi to tell the script where to find
Net::SSLeay, e.g. "use lib 'path/to/your/modules'".

Note that these two packages are completely unaffiliated with CGIProxy, and
may have their own terms of use.

If you need to use an SSL proxy e.g. to get through a firewall, then be sure
to set $SSL_PROXY and $SSL_PROXY_AUTH as needed.

IMPORTANT NOTE: It is HIGHLY RECOMMENDED that if you install SSL support
for CGIProxy, then CGIProxy itself should be running on a secure server
(i.e. accessed with a URL starting with "https://")! Otherwise, you open a
serious security hole: any secure data sent to or from a target server will
be transmitted insecurely between CGIProxy and the browser, undermining the
whole purpose of secure servers.