APPP – a Python Implementation of APJP

Important! Encryption in APJP and APPP (and by extension other proxy software that makes use of these) is incorrectly implemented. Do NOT use these with vital private info, or at the very least use these over HTTPS.


Latest version is 0.1.3

 

What?

APJP is a proxy (originally) written in PHP and JAVA. It uses a PHP/Python/JAVA application deployed on a remote server as the server side, a JAVA application installed on a local computer or mobile device as the client side, and ARC4 encryption in between.

APPP is a Python implementation of APJP. Currently, APPP only offers a client-side application, but it should work with any APJP server-side application regardless of the language used by the latter.

Why?

There have been only JAVA-based client-side applications for Linux, Windows and Android. Some people may be troubled by the following issues:

  • JAVA is not available in their OS of choice, or not freely available, or not freely available under a ‘free’ license, or they are simply not happy about the dismaying JAVA vulnerabilities;
  • Memory footprint of JAVA applications precludes their use in embedded devices, such as routers;
  • It’s cumbersome to configure and run multiple JAVA-based APJP clients simultaneously.

APPP was intended to address these issues. Over time, new functionalities have also been added.

How?

For instructions on deployment of server-side APJP applications, please visit APJP wiki.

APPP requires Python 2.6 and above, and pyOpenSSL. These are available by default on most desktop and server distros of Linux. For Windows, either install Python and pyOpenSSL manually or use the precompiled Win32 application in the package linked below. APPP is compatible with Python 3.

Download the APPP Python script and packaged Win32 application here. Define an APPP server in APPP.ini to match the server-side deployment, then from within the appp python folder type ‘/path/to/python appp.py servername’, or for the Win32 application type ‘appp servername’, to start.

To disable certificate warnings prompted by browsers when visiting https sites through APPP, import ‘APPP.pem’ (generated in the appp folder after the first run) into your browser as a Trusted Root Certification Authority (CA).

Tips and Tricks

Security versus Performance

APJP/APPP encrypts all proxied traffic using the key shared by the client and server. As long as the key is not compromised (do NOT use a key that might be known to someone else!), it is very, very, very difficult for the proxied traffic to be decrypted if the connection is being eavesdropped on or under man-in-the-middle attacks. But that is not to say decryption is not possible. If this possibility really concerns you, one way to make the connection slightly more secure and decryption more difficult is to run the APJP server over https to add an extra layer of protection.

Two considerations need to be addressed before going the https way. First, the additional encryption and decryption introduced by https will cause extra CPU, memory and network usage, possibly resulting in slower performance. Second, a valid certificate is required for APJP over https to make actual sense security-wise. APPP checks the certificate of an APJP server running https against Mozilla’s root CA bundle and, by default, refuses to connect if the certificate is invalid. This behavior could be overridden in the config file, but the appropriate solution if a self-signed certificate needs to be used is to add the self-generated root CA to the cacert.pem file.
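The recommended route above (add the self-generated root CA to cacert.pem rather than switching verification off), as an added example that is not APPP's own code. It assumes Python 3.6+; the function names and the command-line usage are hypothetical.

```python
import re
import ssl
import sys

# One PEM certificate block. Private keys and other PEM types do not match.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the decoded (DER) bytes of every certificate block in PEM text."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in CERT_RE.findall(text)]


def add_root_ca(bundle_path, ca_pem_text):
    """Append new CA certs from ca_pem_text to the bundle; return how many."""
    if "PRIVATE KEY-----" in ca_pem_text:
        raise ValueError("input contains a private key; pass the certificate only")
    new = pem_certs(ca_pem_text)
    if not new:
        raise ValueError("no certificate block found in input")
    with open(bundle_path) as fh:
        bundle = fh.read()
    known = set(pem_certs(bundle))  # compare decoded bytes, not PEM formatting
    added = 0
    with open(bundle_path, "a") as fh:
        if bundle and not bundle.endswith("\n"):
            fh.write("\n")  # keep END/BEGIN markers from fusing onto one line
        for der in new:
            if der not in known:
                fh.write(ssl.DER_cert_to_PEM_cert(der))
                known.add(der)
                added += 1
    return added


def client_context(bundle_path):
    """Client context that checks chain and hostname against the bundle only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx


if __name__ == "__main__":  # usage: python add_ca.py cacert.pem my_root_ca.pem
    with open(sys.argv[2]) as fh:
        print("added", add_root_ca(sys.argv[1], fh.read()))
    client_context(sys.argv[1])  # load the result to confirm the bundle parses
```

Only the CA certificate goes into the bundle; the CA's private key stays wherever the certificate was generated.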

Transparent Proxy

Not all internet-connecting applications support proxies, especially on mobile and embedded devices. The only way around this is to use DNS or firewall tricks to redirect the traffic to a transparent proxy server. APPP works as both a normal proxy and a transparent proxy, without any special setting. APPP can also work as a dedicated transparent https proxy if TRANSPARENT_HTTPS is set to yes. Here ‘dedicated’ means only normal https requests can be handled and all other types of requests will fail. Fortunately, it is trivial to run multiple APPP proxies simultaneously in a single process to handle all types of http/https requests. Unfortunately, visiting https sites through a transparent proxy will prompt invalid certificate warnings. To minimize the inconvenience, specify all frequently visited domains in the TRANSPARENT_HTTPS_DOMAINS setting.

Problems?

Append ‘-d’ option when starting APPP to get detailed debugging messages. Post the messages here if still at a loss.

Changelog

20130310: 0.1.3

Allow specifying alternative config file using ‘-c’ option;

Handle normal http requests (as transparent http proxy);

Add support for APJP server running over https;

Handle normal https requests (as transparent https proxy only).

20120519: 0.1.2

Add TIMEOUT configuration; better timeout handling.

20120519: 0.1.1

Fix compatibility with APJP_REMOTE_PHP > 0.8.2.

20120515: 0.1

Initial release.

DISCLAIMER

ABSOLUTELY NO WARRANTY. USE IT AT YOUR OWN RISK.

48 Responses to APPP – a Python Implementation of APJP

  1. johny says:

    Hi
    I want to use APPP with OpenVPN but it won't allow to connect due to certificate
    Is there anyhow to work around this or any solution?

    • farter says:

      That happens at server side (APJP). Try disabling certificate verification or enabling trusting your self-signed CA at server side.

  2. Bigfan says:

    Hello, R u Create the site on sf?
    That Is all public & Transparent folder.
    All people can find WP Database password.
    This is my painful experiences of, Careful!!!

  3. s673 says:

    how to automatically delete /crt/*.pem ?

  4. Good Job says:

    This is a very pleasantly software, but i d n why ..
    it can’t support like “HTTPS://URL” server.

  5. yourfans says:

    0.1.3 high CPU usage up to 50% when downloading files such as watching Youtube.
    CPU:Intel(R) Atom(TM) CPU N270 @ 1.60GHz
    OS:Archlinux
    Kernel:3.8.4
    Python:2.7.3
    OpenSSL:1.0.1e

    • farter says:

      try using HTTP for everything

      • yourfans says:

        All I need is HTTPS that can help to connect to GAE in mainland China, otherwise I will not update to 0.1.3 and you did not need to add https support.
        I’m confused that why APJP supported https too can use low CPU but APPP can not?

        • farter says:

          well, if java version costs less CPU on your atom, why not just use java version instead. There should be no functional differences.

          • nowhy says:

            well, why u develop python version? someone reports u an issue, why u don’t check it but just ask him to change setting?

          • farter says:

            Why I developed APPP is already stated in the post and APPP serves me well in all aspects.

            APPP is provided as is and I’m not under any obligation to do anything requested by anyone about it.

            I’m certainly not going to do anything about an ‘issue’ reported by someone not willing to perform basic troubleshooting as suggested.
