a web proxy in a single PHP page

by Aaron Wells, copyright 2005

What is Yoctoprox(y)?

Yoctoprox(y) is a forward web proxy, implemented in one PHP file. This makes it extremely portable and easy to install. Unlike most other proxy software, it requires little more than FTP access to a PHP-enabled web host to install and use Yoctoprox(y).

What does Yoctoprox(y) do?

It lets you see what the web looks like from the machine that Yoctoprox(y) is installed on. This has a number of uses in network administration. For instance, at my work I'm often configuring web software which I have to be sure will behave properly from outside our local network. I can just drop a copy of Yoctoprox(y) on my $3/month cheap commercial web host (which of course lies outside our local network), and using it I can easily perform this verification.

What is a forward proxy?

See the Wikipedia article about proxies. In general, web proxies can be divided into reverse proxies, and forward proxies. Reverse proxies run in the vicinity of a web server or servers, and handle all incoming requests to those servers. Forward proxies run in the vicinity of a web client, and handle all outgoing requests from that client. Yoctoprox(y) falls somewhere between these two, since it doesn't have to be running on the same machine as the web client or the destination web server, but I think it's closer to a forward proxy than a reverse proxy.

How do I use Yoctoprox(y)?

  1. Download yoctoprox.php from here: http://sourceforge.net/projects/yoctoprox/.
  2. Open it in a text editor and scroll down to the "CONFIGURATION OPTIONS" section. Edit the following line to define an access password:
    • define('C_PASSWORD', '');
  3. Upload yoctoprox.php to your PHP-enabled web server.
  4. Load up http://www.yourdomain.com/yoctoprox.php in your web browser. You'll be prompted for your password. Enter it. Then you'll see a screen asking you for a URL to load up. Enter one. Browse away. All links you click on will be translated into links back to yoctoprox.php, ensuring that your browsing is proxied through the server.
  5. To switch to a new web address, return to http://www.yourdomain.com/yoctoprox.php. (One of these days, maybe I'll add a frame with an address bar in it, but for now you'll have to use your browser's address bar).

Do I need to alter my browser's proxy settings?

No. You do not need to alter your web browser's proxy settings or perform any other configuration to your web browser. Yoctoprox(y) works through normal web requests from your browser to the server you put Yoctoprox(y) on. Your browser does need to support cookies, though.

What are the system requirements?

Your web browser must support cookies. Your web server must have the following:

Does Yoctoprox(y) work perfectly?

No. It's still very much alpha software. It displays perhaps 70% of web pages correctly. It has problems with the CSS on some sites (for instance, Wikipedia), and with form submissions to other sites. It doesn't support the HTML <base> tag, which means that the Yahoo Directory doesn't work. It has no cookie support. There are still some bugs in the HTTP authentication support. AJAX sites almost certainly won't work through Yoctoprox(y), and probably never will.

I clicked on a link while browsing with Yoctoprox(y), and I wound up on a non-Yoctoprox(y) address. What gives?

Yoctoprox(y) functions as a proxy by rewriting the pages it loads, so that all links are links back through Yoctoprox(y). But there are some links that it misses. There probably always will be some that it misses, because HTML is a crazy mess, and browsers are very tolerant of mistakes.

Is Yoctoprox(y) secure?

Probably not, which means that it poses a real risk of being used as an open proxy. It requires a password to log in, and the password is scrambled using Paul Johnston's Javascript MD5 implementation (if the browser has Javascript), which provides some security. However, all Yoctoprox does is "bless" the user's session cookie after they log in. If someone in the middle intercepts the session cookie, they can steal it and use it for access. To mitigate this danger, be sure to set the session's server-side expiration time to be short (the default is 10 minutes, and this is configurable in the script), and be sure to use Yoctoprox's "log out" link to de-bless your session when you're done.

The server Yoctoprox is installed on also needs to be secure. Obviously, someone with filesystem access could open up yoctoprox.php and read the password stored there in plaintext. Less obviously, if they have access to the location where PHP stores session information, that could be a security problem as well. Yoctoprox(y) will probably store information about received cookies in the PHP session, once cookie support is implemented, so access to the PHP session store would allow an attacker to read and steal your cookies.

Lastly, I've focused more on getting the proxy functionality of Yoctoprox(y) to work, and less on security, so far. This means that the program is not as rigorous as it could be on things like scrubbing user input, so there's probably a few gaping security flaws in there somewhere.

Are there similar programs that do the same thing?

Yes, several. The best is probably CGIProxy, which runs as a Perl CGI script. It's very mature, fully featured, widely used, and the setup is only slightly more complex than Yoctoprox(y). It's not distributed under an open license, but it is free for non-commercial use.

Other web proxies written in PHP include PHProxy (which is used on many public proxy sites), PHP-Proxy, phpWebPROXY, and Arbitroweb.

If you don't feel compelled to run your own proxy software, there are many web sites out there that host free publically accessible CGI proxies (almost always running CGIProxy). Plug "CGI Proxy" in your favorite search engine to get as many lists of these sites as you could want.

So, there are many alternatives out there. I'm mostly writing Yoctoprox(y) for personal education, and because when I needed a tool like Yoctoprox(y) I wasn't able to find any of the above programs.

What's up with the name "Yoctoprox(y)"?

Yocto is the smallest SI metric prefix. It's 10^15 times smaller than nano. I initially wanted to call my one-file web proxy "Miniproxy" or "Microproxy", but I found that those names were taken. So I went smaller. I thought that the word "Yoctoproxy" sound too much like "Octopussy", a word I have never liked, so I made the "y" silent.