Spin up secure HTTPS proxy in less than 10 minutes

This guide explains deployment of secure (HTTP-over-TLS) proxy server on any mainstream Linux distro using dumbproxy. This guide only assumes curl utility is present on server and you have a root shell. Make sure no errors reported on each step before proceeding to next one.

HTTPS proxy here is a HTTP proxy exposed via TLS-secured connections, not just "unencrypted" HTTP proxy which can forward HTTPS-connections as well. That is such HTTPS proxy introduces additional TLS layer between proxy client and proxy server, ensuring confidentiality of connection with proxy. Such proxies are suitable for immediate use in browser and other software. So-called "VPN-extensions" for browsers in fact use such TLS-secured proxies.

Why and what for?

Why choose HTTPS proxy?

• Good for accessing blocked content without re-routing whole system traffic. Can be used selectively for chosen applications, sites, domains, etc.
• Standard protocol which looks like HTTPS because it is HTTPS. Good for bypassing firewalls and other kinds of walls.
• Other solutions like shadowsocks quite often end up being hidden inside TLS connections (e.g. using plugins simple-tls or v2ray-plugin). In that case there is not so much sense in use of shadowsocks to hide connections - it's more straightforward to use regular HTTP proxy inside TLS outright.
• Supported by major browsers without additional software. Other software supporting just plain HTTP proxies can be connected using plaintext-to-TLS adapter like this one.

Why use dumbproxy for that?

It's a quite simple proxy server, which designed for today's realities. It works on a lot of various platforms and can be deployed with just one binary file.

On the other hand dumbproxy has a number of advantages:

• Can hide 407 HTTP response in order to hide proxy from detection by active probes (disabled by default).
• Lightweight threads enable it to serve quite large amount of connections simultaneously with default configuration, which is advantage compared to 3proxy and tinyproxy. In conjunction with modest memory usage per connection, it allows dumbproxy to provide good service even on low spec virtual machines.
• Simple access management: user and password database file gets reloaded automatically when changes are detected.
• HTTP/2 support.
• Supports authentication with TLS certificates (likely it will be more practical to use it with steady-tun on the client side).
• Server will take care of TLS certificates, issuing them by ACME protocol (e.g. using Let's Encrypt or BuyPass).

Step 1. Attach the domain name

Domain is needed for smooth TLS operation. You can either get (buy) some domain and attach it to IP address of your VPS, or use some free domain service. In later case, parent domain of your domain has to be listed in the public suffix list. Otherwise there may be problems with Let's Encrypt rate limits for top domain of that service. This guide we use free domain service freemyip.com, which gives free domain to user without any registration.

1. Visit page https://freemyip.com/.
2. Pick some nice-looking domain name and claim it.
3. Save that URL which you'll get back.
4. Issue following command on your server: curl 'URL' where URL is that url you've got from freemyip. Note that single quotes around URL!

You may check if this step was a success: ping domain name, it should resolve to IP address of your VPS. If it's not happening, wait couple of minutes and retry.

Step 2. Install dumbproxy

Assuming amd64 processor architecture, for other cases get binary here. Run command:

curl -Lo /usr/local/bin/dumbproxy 'https://github.com/Snawoot/dumbproxy/releases/download/v1.6.1/dumbproxy.linux-amd64' && chmod +x /usr/local/bin/dumbproxy

Check if installation was successful. Command /usr/local/bin/dumbproxy -version should output v1.6.1.

Step 3. Configure dumbproxy

Create password file. Run following command, replacing USERNAME and PASSWORD with actual desired values:

dumbproxy -passwd /etc/dumbproxy.htpasswd USERNAME PASSWORD

Configure dumbproxy. Create file /etc/default/dumbproxy with following content:

OPTIONS=-auth basicfile://?path=/etc/dumbproxy.htpasswd -autocert -bind-address :443

Place following content info file /etc/systemd/system/dumbproxy.service:

[Unit]
Description=Dumb Proxy
Documentation=https://github.com/Snawoot/dumbproxy/
After=network.target network-online.target
Requires=network-online.target

[Service]
EnvironmentFile=/etc/default/dumbproxy
User=root
Group=root
ExecStart=/usr/local/bin/dumbproxy $OPTIONS
TimeoutStopSec=5s
PrivateTmp=true
ProtectSystem=full
LimitNOFILE=20000

[Install]
WantedBy=default.target

Finally, apply systemd configuration:

systemctl daemon-reload

Step 4. Run dumbproxy

Enable autostart:

systemctl enable dumbproxy

Start service:

systemctl start dumbproxy

You can test if proxy is operational using this command:

curl -x https://USERNAME:PASSWORD@DOMAIN http://ifconfig.co

It should output server's IP address.

Done!

---

Configuring clients

It's quite trivial to set up program which supports proxies to use dumbproxy in plain HTTP mode. However, using HTTP proxy over TLS connection with browsers is little bit tricky.

Routing all browsers on Windows via HTTPS proxy

Open proxy settings in system's network settings:

Turn on setup script option and set script address:

data:,function FindProxyForURL(u, h){return "HTTPS example.com:443";}

where instead of example.com:443 you should use actual address of your HTTPS proxy.

Note: this method will not work with MS Edge Legacy.

Using with Firefox

Option 1. Inline PAC file in settings.

Open Firefox proxy settings, switch proxy mode to "Automatic proxy configuration URL". Specify URL:

data:,function FindProxyForURL(u, h){return "HTTPS example.com:443";}

Option 2. Browser extension.

Use any proxy switching browser extension which supports HTTPS proxies like this one.

Using with Chrome

Option 1. CLI option.

Specify proxy via command line:

chromium-browser --proxy-server='https://example.com:443'

where instead of example.com you should specify your proxy domain name.

Option 2. Browser extension.

Use any proxy switching browser extension which supports HTTPS proxies like this one.

Using with other applications

It is possible to expose remote HTTPS proxy as a local plaintext HTTP proxy with help of external application which performs remote communication via TLS and exposes local plaintext socket. steady-tun appears to be most suitable for this because it supports connection pooling to hide connection delay.

Using with Android

1. Install Adguard on your Android: Guide.
2. Follow this guide, skipping server configuration. Use proxy type HTTPS if you set up TLS-enabled server or else use HTTP type.

---