Important! Encryption in APJP and APPP (and by extension other proxy software that makes use of these) is incorrectly implemented. Do NOT use these with vital private info, or at the very least use these over HTTPS.
Latest version is 0.1.3
APJP is a proxy (originally) written in PHP and JAVA. It uses a PHP/Python/JAVA application deployed on a remote server as the server side, a JAVA application installed on a local computer or mobile device as the client side, and ARC4 encryption in between.
APPP is a Python implementation of APJP. Currently, APPP offers only a client-side application, but it should work with any APJP server-side application regardless of the language used by the latter.
There have been only JAVA-based client-side applications for Linux, Windows and Android. Some people may be troubled by the following issues:
- JAVA is not available in their OS of choice, or not freely available, or not freely available under a ‘free’ license, or they are simply not happy about the dismaying JAVA vulnerabilities;
- Memory footprint of JAVA applications precludes their use in embedded devices, such as routers;
- It’s cumbersome to configure and run multiple JAVA-based APJP clients simultaneously.
APPP was intended to address these issues. Over time, new functionalities have also been added.
For instructions on deployment of server-side APJP applications, please visit APJP wiki.
APPP requires Python 2.6 and above, and pyOpenSSL. These are available by default on most desktop and server distros of Linux. For Windows, either install Python and pyOpenSSL manually or use the precompiled Win32 application in the package linked below. APPP is compatible with Python 3.
Download the APPP python script and packaged Win32 application here, then define an APPP server in APPP.ini to match the server-side deployment. To start, type ‘/path/to/python appp.py servername’ from within the appp python folder, or for the Win32 application, type ‘appp servername’.
To disable certificate warnings prompted by browsers when visiting https sites through APPP, import ‘APPP.pem’ (generated in the appp folder after the first run) into your browser as a Trusted Root Certification Authority (CA).
Tips and Tricks
Security versus Performance
APJP/APPP encrypts entire proxied traffic using the key shared by the client and server. As long as the key is not compromised (do NOT use a key that might be known to someone else!), it is very, very, very difficult for the proxied traffic to be decrypted if the connection is being eavesdropped on or under man-in-the-middle attacks. But that is not to say decryption is not possible. If this possibility really concerns you, one way to make the connection slightly more secure and decryption more difficult is to run APJP server over https to add an extra layer of protection.
Two considerations need to be addressed before going the https way. First, the additional encryption and decryption introduced by https will cause extra CPU, memory and network usage, possibly resulting in slower performance. Second, a valid certificate is required for APJP over https to make actual sense security-wise. APPP checks the certificate of an APJP server running https against Mozilla’s root CA bundle and, by default, refuses to connect if the certificate is invalid. This behavior could be overridden in the config file, but the appropriate solution if a self-signed certificate needs to be used is to add the self-generated root CA to the cacert.pem file.
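One way to add a self-generated root CA to cacert.pem safely, shown as an added example (this is not APPP's own code). The function names are hypothetical, and the sketch assumes the bundle is a plain PEM text file: it refuses input that contains a private key, skips certificates already present, and then builds a TLS context that keeps verification on.

```python
import base64
import hashlib
import re
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_blocks(pem_text):
    """Map SHA-256 of each certificate's DER bytes to a normalized PEM block."""
    found = {}
    for body in CERT_RE.findall(pem_text):
        # validate=True rejects bodies that are not clean base64
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        found[hashlib.sha256(der).hexdigest()] = "\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines,
             "-----END CERTIFICATE-----"]) + "\n"
    return found


def add_root_ca(bundle_path, ca_pem):
    """Append the certificates in ca_pem to the bundle; return how many were new."""
    if "PRIVATE KEY-----" in ca_pem:
        raise ValueError("refusing to copy a private key into a CA bundle")
    new = cert_blocks(ca_pem)
    if not new:
        raise ValueError("no PEM certificate found in input")
    with open(bundle_path, encoding="utf-8") as fh:
        present = cert_blocks(fh.read())
    missing = [block for fp, block in new.items() if fp not in present]
    if missing:
        with open(bundle_path, "a", encoding="utf-8") as fh:
            fh.write("\n" + "\n".join(missing))
    return len(missing)


def verifying_context(bundle_path):
    """Client TLS context that trusts only bundle_path (needs real certificates)."""
    ctx = ssl.create_default_context(cafile=bundle_path)
    # Defaults kept on purpose: CERT_REQUIRED and hostname checking stay enabled.
    return ctx
```

Only the CA certificate belongs in the bundle; the CA's private key stays on the machine that signs the server certificate.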
Not all internet-connecting applications support proxies, especially on mobile and embedded devices. The only way around this is to use DNS or firewall tricks to redirect the traffic to a transparent proxy server. APPP works as both normal proxy and transparent proxy, without any special setting. APPP could also work as a dedicated transparent https proxy if TRANSPARENT_HTTPS is set to yes. Here ‘dedicated’ means only normal https requests could be handled and all other types of requests will fail. Fortunately, it is most trivial to run multiple APPP proxies simultaneously in a single process to handle all types of http/https requests. Unfortunately, visiting https sites through transparent proxy will prompt invalid certificate warnings. To minimize the inconveniences, specify all frequently visited domains in the TRANSPARENT_HTTPS_DOMAINS setting.
Append ‘-d’ option when starting APPP to get detailed debugging messages. Post the messages here if still at a loss.
Allow specifying alternative config file using ‘-c’ option;
Handle normal http requests (as transparent http proxy);
Add support for APJP server running over https;
Handle normal https requests (as transparent https proxy only).
Add TIMEOUT configuration; better timeout handling.
Fix compatibility with APJP_REMOTE_PHP > 0.8.2.
ABSOLUTELY NO WARRANTY. USE IT AT YOUR OWN RISK.